Announce: X.509 certificates support in OpenSSH (version 6.0-International)



Today, I released a new version of "X.509 certificates support in
OpenSSH" ( http://roumenpetrov.info/openssh/ ).


Version 6.0 adds the following enhancements:

- Printable X.509 name attributes compared in UTF-8
Printable attributes are converted to UTF-8 before they are compared. This
allows the distinguished name in the "authorized keys" file to be in UTF-8.

- "Distinguished Name" with escaped symbols or in UTF-8 codeset (charset)
The "authorized keys" file can contain a "Distinguished Name" (subject) with
escaped symbols or in the UTF-8 charset. If the unescaped certificate subject
contains characters with codes above 127 (US-ASCII), it is always handled as
a UTF-8 string.
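To make the matching rule above concrete, here is an added example (not code from the OpenSSH X.509 patch) of how an attribute value taken from "authorized keys" can be unescaped per RFC 2253 and compared byte-for-byte with the certificate's subject value, with the non-ASCII check the announcement describes. The function names, buffer sizes and the sample strings are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Decode a single hex digit; returns -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Unescape one RFC 2253 attribute value (already split out of the DN) into
 * out, NUL-terminated. Handles "\c" for the special characters
 * , = + < > # ; " \ and space, and "\XX" hex pairs for arbitrary bytes.
 * Returns the number of bytes written, or -1 on a malformed escape or a
 * buffer that is too small. */
int dn_value_unescape(const char *in, unsigned char *out, size_t outlen)
{
    size_t n = 0;
    for (const char *p = in; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '\\') {
            p++;
            if (*p == '\0') return -1;                 /* dangling backslash */
            if (strchr(",=+<>#;\"\\ ", *p) != NULL) {
                c = (unsigned char)*p;                 /* "\," -> ","      */
            } else {
                int hi = hexval((unsigned char)p[0]);
                int lo = p[1] ? hexval((unsigned char)p[1]) : -1;
                if (hi < 0 || lo < 0) return -1;       /* not a hex pair   */
                c = (unsigned char)((hi << 4) | lo);   /* "\2c" -> 0x2c    */
                p++;
            }
        }
        if (n + 1 >= outlen) return -1;                /* keep room for NUL */
        out[n++] = c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Returns 1 if any byte of the decoded value is above 127 (outside
 * US-ASCII); such a value is treated as a UTF-8 string, per the release
 * notes above. */
int dn_value_has_non_ascii(const unsigned char *v, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (v[i] > 127) return 1;
    return 0;
}

/* Compare two escaped attribute values by their decoded bytes, so that
 * "Acme\, Inc." and "Acme\2c Inc." match the same certificate subject.
 * Returns 1 if equal, 0 if different, -1 if either value is malformed. */
int dn_value_equal(const char *a, const char *b)
{
    unsigned char ua[256], ub[256];
    int la = dn_value_unescape(a, ua, sizeof ua);
    int lb = dn_value_unescape(b, ub, sizeof ub);
    if (la < 0 || lb < 0) return -1;
    return (la == lb && memcmp(ua, ub, (size_t)la) == 0) ? 1 : 0;
}

int main(void)
{
    /* Constructed samples: the same organization name written with a
     * backslash escape and with a hex escape, plus a value containing the
     * UTF-8 encoding of "ü" (0xC3 0xBC) written as hex escapes. */
    unsigned char buf[64];
    int n;

    printf("equal: %d\n", dn_value_equal("Acme\\, Inc.", "Acme\\2c Inc."));
    n = dn_value_unescape("Ro\\c3\\bcmen", buf, sizeof buf);
    printf("bytes: %d, non-ascii: %d\n", n,
           n < 0 ? -1 : dn_value_has_non_ascii(buf, (size_t)n));
    return 0;
}
```

The decoded form, not the escaped text, is what gets compared; that is why the two spellings of the comma match, and why a value with bytes above 127 is classified as UTF-8 only after unescaping.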

- LDAP queries in conformance with [RFC2254]
During validation, the "X.509 store" looks up certificates and CRLs in
files stored on the file system. If enabled (at configure time), this
lookup can also query an LDAP server. Attributes in the query must be
escaped; versions before the current one escape attributes as described in
[RFC2253]. Now attributes are additionally escaped as recommended in
[RFC2254].
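The two escaping layers stack: a DN attribute value is first written as an RFC 2253 string, and that string is then escaped again for use inside an LDAP search filter per RFC 2254, so that characters such as "*", "(", ")" and the backslash introduced by the first layer cannot change the meaning of the filter. The following added example (not the project's code) shows both layers and the resulting equality filter; the function names, buffer sizes and the sample value are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Escape an attribute value as an RFC 2253 string: ',', '+', '"', '\', '<',
 * '>' and ';' get a leading backslash, as do a leading '#' or space and a
 * trailing space. Returns 0 on success, -1 if out is too small. */
int rfc2253_escape(const char *in, char *out, size_t outlen)
{
    size_t len = strlen(in), n = 0;
    for (size_t i = 0; i < len; i++) {
        char c = in[i];
        int special = strchr(",+\"\\<>;", c) != NULL
                   || (i == 0 && (c == '#' || c == ' '))
                   || (i == len - 1 && c == ' ');
        if (n + (special ? 2u : 1u) >= outlen) return -1;
        if (special) out[n++] = '\\';
        out[n++] = c;
    }
    out[n] = '\0';
    return 0;
}

/* Escape a string for use inside an LDAP search filter (RFC 2254, section 4):
 * '*' -> \2a, '(' -> \28, ')' -> \29, '\' -> \5c. The input is a C string,
 * so a NUL byte cannot occur here; it would be written as \00.
 * Returns 0 on success, -1 if out is too small. */
int rfc2254_escape(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t n = 0;
    for (const char *p = in; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            if (n + 3 >= outlen) return -1;
            out[n++] = '\\';
            out[n++] = hex[c >> 4];
            out[n++] = hex[c & 0x0f];
        } else {
            if (n + 1 >= outlen) return -1;
            out[n++] = (char)c;
        }
    }
    out[n] = '\0';
    return 0;
}

/* Build an equality filter "(attr=value)" for a DN attribute value taken
 * from a certificate: the RFC 2253 layer first, then the RFC 2254 layer on
 * top of it, in the order the release notes describe.
 * Returns 0 on success, -1 if a buffer is too small. */
int build_dn_attr_filter(const char *attr, const char *value,
                         char *out, size_t outlen)
{
    char dn_esc[256], flt_esc[768];
    if (rfc2253_escape(value, dn_esc, sizeof dn_esc) < 0) return -1;
    if (rfc2254_escape(dn_esc, flt_esc, sizeof flt_esc) < 0) return -1;
    int r = snprintf(out, outlen, "(%s=%s)", attr, flt_esc);
    return (r < 0 || (size_t)r >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample: an organization name containing both an RFC 2253
     * special (',') and RFC 2254 filter metacharacters ('(', '*', ')'). */
    char filter[1024];
    if (build_dn_attr_filter("o", "Acme, Inc. (*)", filter, sizeof filter) == 0)
        printf("%s\n", filter);   /* (o=Acme\5c, Inc. \28\2a\29) */
    return 0;
}
```

Note how the backslash that RFC 2253 adds before the comma is itself turned into "\5c" by the filter layer: without the second layer the LDAP server would interpret that backslash as the start of a filter escape, and a "*" in the value would act as a wildcard instead of a literal.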

- Restored support for OpenSSL 0.9.6
The OpenSSL EVP_MD structure that handles the so-called "dss-raw" signatures
can again be compiled with OpenSSL 0.9.6.

- Resolved cross-compilation issue
The test for "Email" in "Distinguished Name" (OpenSSL 0.9.6 and earlier) in
the file configure.ac is modified to handle cross-compilation.

- Certificates for RSA keys larger than 2048 bits
The limitation on big RSA keys is resolved.

- Regression tests with multi-language "distinguished name" in UTF-8
To enable them, uncomment #SSH_DN_UTF8_FLAG='-utf8' in
"[SOURECDIR]/tests/CA/config", go to "[BUILDIR]/" and run the tests. If the
test certificates were already created before the flag was enabled, go to
"[BUILDIR]/tests/CA/", run make clean (this removes the created test
certificates), return to "[BUILDIR]/" and run the tests again.


On the download page http://roumenpetrov.info/openssh/download.html
you can find diffs for OpenSSH versions 4.5p1 and 4.6p1.


Roumen
