spmzt/keys

PKI

Referenced Algorithms

I only use the Curve448 algorithm for the X.509 Root CA, ECC-P384 for the Intermediate CA, and Curve25519 for OpenPGP keys. Reference: SafeCurves.

OpenSSL

Use the latest version of OpenSSL. Currently, I use 3.2.1.

FreeBSD

Install from the package manager:

pkg install -y openssl32

Debian/Ubuntu

Build from source

Key Properties and Usages

SSH CA

The certificate located at ca.pub is the same as the SPMZT SSH CA with hash id of cf922970.

It will not be used until this commit becomes available in other operating systems.

So, I will simply use GPG and PIV Auth.

SSH Host Keys

Only ED25519 and ECDSA host keys will be signed.

SSH Per User Authorized Keys

cert-authority,principals="spmzt" ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJfFCnQU76qxJiuGfoqYzVeWg8PUyApxV5dCiXp4VqdS9NogT2NWMYtQB0KXCDA1D8RcfBw1fE4rNSIWggOPXa5MCrqqX4uHJ0t1J38tMaMVn04qhKgbJ3EEk1ywJEUnzw==
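Before relying on a cert-authority line like the one above, it is worth confirming that the key blob really is the P-384 key its prefix claims and noting its fingerprint for comparison with `ssh-keygen -l -f` run on the CA public key you expect. The following Python is an added example, not code from this repository; the function names are hypothetical, and it assumes the line starts with an option list.

```python
import base64
import hashlib
import struct

# The cert-authority entry from the section above, split only for line length.
ENTRY = ('cert-authority,principals="spmzt" ecdsa-sha2-nistp384 '
         'AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJfFCnQU76qx'
         'JiuGfoqYzVeWg8PUyApxV5dCiXp4VqdS9NogT2NWMYtQB0KXCDA1D8RcfBw1fE4r'
         'NSIWggOPXa5MCrqqX4uHJ0t1J38tMaMVn04qhKgbJ3EEk1ywJEUnzw==')

def split_options(line):
    """Split the leading option list off the key, honouring quoted values."""
    opts, cur, quoted = [], "", False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        if not quoted and ch in ", ":
            opts.append(cur)
            cur = ""
            if ch == " ":  # first unquoted space ends the option list
                return opts, line[i + 1:].split()
        else:
            cur += ch
    raise ValueError("no key material after the option list")

def read_string(blob, off):
    """Read one SSH wire string: 4-byte big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">I", blob, off)
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n

def check_ca_entry(line):
    opts, (algo, b64, *_comment) = split_options(line)
    options = dict(o.partition("=")[::2] for o in opts)
    blob = base64.b64decode(b64, validate=True)
    inner, off = read_string(blob, 0)      # algorithm name inside the blob
    curve, off = read_string(blob, off)    # curve identifier
    point, off = read_string(blob, off)    # EC point: 0x04 || X || Y (48 bytes each)
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return {
        "is_ca": "cert-authority" in options,
        "principals": [p for p in options.get("principals", "").strip('"').split(",") if p],
        "algo_matches": inner.decode() == algo and algo.endswith(curve.decode()),
        "point_ok": len(point) == 97 and point[0] == 4 and off == len(blob),
        "fingerprint": "SHA256:" + digest.rstrip("="),  # ssh-keygen -l style
    }

if __name__ == "__main__":
    print(check_ca_entry(ENTRY))
```

A mismatch between the algorithm prefix and the name embedded in the blob, or an empty principals list on a cert-authority line, is worth investigating before the entry is deployed.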

X.509

SPMZT Root CA (ED448)

The main certificate with hash id of 53bc2f23 is self-signed and is the one that will be used.

For backward compatibility, there is another certificate with hash id of c742685f, which is signed by the old CA.

SPMZT Intermediate CA (ECC-P384)

9C: cRLSign, digitalSignature, keyCertSign

This certificate is signed by SPMZT Root CA with hash id of c0c9a60f.

You can check the attestation certificate by Yubico at bb2ecbbb.

This means the private key is generated by the YubiKey and is not extractable.

Personal Key (ECC-P384)

9A (Attest): keyEncipherment, dataEncipherment, digitalSignature, nonRepudiation

This certificate is signed by SPMZT Intermediate CA with hash id of 3654b90d.

You can check the attestation certificate by Yubico at 221f2a4a.

This means the private key is generated by the YubiKey and is not extractable.

Personal Encryption Key (ECC-P384)

9D: nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement

This certificate is signed by SPMZT Intermediate CA with hash id of 58cff29f.

You can check the attestation certificate by Yubico at deb27caf.

This means the private key is generated by the YubiKey and is not extractable.

Personal Smartcard Key (ECC-P384)

9E (Attest): dataEncipherment, keyAgreement

This certificate is signed by SPMZT Intermediate CA with hash id of 461f1c06.

You can check the attestation certificate by Yubico at c9f4cebf.

This means the private key is generated by the YubiKey and is not extractable.

SPMZT SSH CA (ECC-P384)

83: digitalSignature, keyCertSign

This certificate is signed by SPMZT SSH CA with hash id of cf922970.

CA

Sign with Intermediate CA

export CN=host.spmzt.net
OPENSSL_ENGINES=/usr/lib/x86_64-linux-gnu/engines-3/ openssl ca \
    -config templates/openssl.conf -engine pkcs11 -keyform engine \
    -extfile templates/host.conf -notext -md sha256 \
    -in "requests/$CN.csr.pem" -out "newcerts/$CN.crt.pem" \
    -extensions host_ext

SSH Authenticate By x509 Cert

Extract Pub

ssh-keygen -i -m PKCS8 -f ssh.key.pem

Login

ssh spmzt.net -i ssh.key.pem

GPG

Using GnuPG Agent as an SSH agent

Enable SSH support in GnuPG Agent by adding the corresponding option in the agent configuration file, ~/.gnupg/gpg-agent.conf:

enable-ssh-support

Then write the keygrip of the key to be offered over SSH into ~/.gnupg/sshcontrol:

echo 'EF767EB287D6D7B8953A56BA8932BBC9AC476181' > ~/.gnupg/sshcontrol

While GnuPG programs can start the GnuPG Agent on demand, explicitly starting the agent is necessary to ensure that it is running when an SSH client needs it. The lines below, to be inserted into a ~/.xprofile script, are sufficient:

unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
    export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi
export GPG_TTY="$(tty)"
gpg-connect-agent updatestartuptty /bye >/dev/null

With the GPG agent running, you can start using it with your existing SSH keys, exactly like you would use ssh-agent. For example, to load your default ~/.ssh/id_rsa key into the agent, just run as usual:

ssh-add

Using the authentication subkey

To tell the agent that the authentication subkey can be used with SSH, extract the keygrip of that subkey and write it into the ~/.gnupg/sshcontrol file:

# List of allowed ssh keys.  Only keys present in this file are used
# in the SSH protocol.  The ssh-add tool may add new entries to this
[…]
ECF4591CC28EC303BB12D1E866C8B8AFFB675C7D

You may then verify that the key is indeed available for SSH by querying the agent for available identities:

$ ssh-add -l
2048 e3:40:d5:eb:ef:b1:3a:37:87:3d:a8:44:1d:81:ed:6a (none) (RSA)

Finally, extract the public key from the agent in a form suitable for inclusion into a ~/.ssh/authorized_keys file:

$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAA[…truncated output…]KhJHfdIcCMRF (none)

About

My Public Keys
