Support SSHSIG and SK verification.

This adds support for OpenSSH SSHSIG signatures, used for signing
arbitrary payloads.

This also adds support for public-key verification from -SK algorithms
so that signatures from security keys can be verified. This enables
using security keys for SSHSIG, as well as using security keys as
SSH-cert CAs.

.editorconfig

@@ -0,0 +1,8 @@
+root = true
+
+[*]
+insert_final_newline = true
+
+[*.rb]
+indent_size = 2
+indent_style = space

.github/workflows/ruby.yml

@@ -20,5 +20,5 @@ jobs:
       run: |
         gem install bundler
         bundle install --jobs 4 --retry 3
-        chmod 600 ./spec/fixtures/*
+        find ./spec/fixtures -type f -exec chmod 600 -- {} +
         bundle exec rspec

lib/ssh_data.rb

@@ -34,3 +34,4 @@ require "ssh_data/certificate"
 require "ssh_data/public_key"
 require "ssh_data/private_key"
 require "ssh_data/encoding"
+require "ssh_data/signature"

lib/ssh_data/encoding.rb

@@ -3,6 +3,19 @@ module SSHData
     # Fields in an OpenSSL private key
     # https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key
     OPENSSH_PRIVATE_KEY_MAGIC = "openssh-key-v1\x00"
+
+    OPENSSH_SIGNATURE_MAGIC = "SSHSIG"
+    OPENSSH_SIGNATURE_VERSION = 0x01
+
+    OPENSSH_SIGNATURE_FIELDS = [
+      [:sigversion,    :uint32],
+      [:publickey,     :string_public_key],
+      [:namespace,     :string],
+      [:reserved,      :string],
+      [:hashalgorithm, :string],
+      [:signature,     :string],
+    ]
+
     OPENSSH_PRIVATE_KEY_FIELDS = [
       [:ciphername, :string],
       [:kdfname,    :string],
@@ -313,6 +326,21 @@ module SSHData
       [key, str_read]
     end
 
+    def decode_openssh_signature(raw, offset=0)
+      total_read = 0
+
+      magic = raw.byteslice(total_read, OPENSSH_SIGNATURE_MAGIC.bytesize)
+      unless magic == OPENSSH_SIGNATURE_MAGIC
+        raise DecodeError, "bad OpenSSH signature"
+      end
+
+      total_read += OPENSSH_SIGNATURE_MAGIC.bytesize
+      offset = total_read
+      data, read = decode_fields(raw, OPENSSH_SIGNATURE_FIELDS, offset)
+      total_read += read
+      [data, total_read]
+    end
+
     # Decode the fields in a certificate.
     #
     # raw    - Binary String certificate as described by RFC4253 section 6.6.
@@ -680,6 +708,32 @@ module SSHData
       [value].pack("L>")
     end
 
+    # Read a uint8 from the provided raw data.
+    #
+    # raw    - A binary String.
+    # offset - The offset into raw at which to read (default 0).
+    #
+    # Returns an Array including the decoded uint8 as an Integer and the
+    # Integer number of bytes read.
+    def decode_uint8(raw, offset=0)
+      if raw.bytesize < offset + 1
+        raise DecodeError, "data too short"
+      end
+
+      uint8 = raw.byteslice(offset, 1).unpack("C").first
+
+      [uint8, 1]
+    end
+
+    # Encoding an integer as a uint8.
+    #
+    # value - The Integer value to encode.
+    #
+    # Returns an encoded representation of the value.
+    def encode_uint8(value)
+      [value].pack("C")
+    end
+
     extend self
   end
 end

lib/ssh_data/public_key/skecdsa.rb

@@ -35,7 +35,33 @@ module SSHData
       end
 
       def verify(signed_data, signature)
-        raise UnsupportedError, "SK-ECDSA verification is not supported."
+        read = 0
+        sig_algo, raw_sig, signature_read = Encoding.decode_signature(signature)
+        read += signature_read
+        sk_flags, sk_flags_read = Encoding.decode_uint8(signature, read)
+        read += sk_flags_read
+        counter, counter_read = Encoding.decode_uint32(signature, read)
+        read += counter_read
+
+        if read != signature.bytesize
+          raise DecodeError, "unexpected trailing data"
+        end
+
+        self.class.check_algorithm!(sig_algo, curve)
+
+        application_hash = OpenSSL::Digest::SHA256.digest(application)
+        message_hash = OpenSSL::Digest::SHA256.digest(signed_data)
+
+        blob =
+          application_hash +
+          Encoding.encode_uint8(sk_flags) +
+          Encoding.encode_uint32(counter) +
+          message_hash
+
+        openssl_sig = self.class.openssl_signature(raw_sig)
+        digest = DIGEST_FOR_CURVE[curve]
+
+        openssl.verify(digest.new, openssl_sig, blob)
       end
 
       def ==(other)

lib/ssh_data/public_key/sked25519.rb

@@ -24,7 +24,38 @@ module SSHData
       end
 
       def verify(signed_data, signature)
-        raise UnsupportedError, "SK-Ed25519 verification is not supported."
+        self.class.ed25519_gem_required!
+
+        read = 0
+        sig_algo, raw_sig, signature_read = Encoding.decode_signature(signature)
+        read += signature_read
+        sk_flags, sk_flags_read = Encoding.decode_uint8(signature, read)
+        read += sk_flags_read
+        counter, counter_read = Encoding.decode_uint32(signature, read)
+        read += counter_read
+
+        if read != signature.bytesize
+          raise DecodeError, "unexpected trailing data"
+        end
+
+        if sig_algo != self.class.algorithm_identifier
+          raise DecodeError, "bad signature algorithm: #{sig_algo.inspect}"
+        end
+
+        application_hash = OpenSSL::Digest::SHA256.digest(application)
+        message_hash = OpenSSL::Digest::SHA256.digest(signed_data)
+
+        blob =
+          application_hash +
+          Encoding.encode_uint8(sk_flags) +
+          Encoding.encode_uint32(counter) +
+          message_hash
+
+        begin
+          ed25519_key.verify(raw_sig, blob)
+        rescue Ed25519::VerifyError
+          false
+        end
       end
 
       def ==(other)

lib/ssh_data/signature.rb

@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+
+module SSHData
+  class Signature
+    PEM_TYPE = "SSH SIGNATURE"
+    SIGNATURE_PREAMBLE = "SSHSIG"
+    MIN_SUPPORTED_VERSION = 1
+    MAX_SUPPORTED_VERSION = 1
+
+    # Spec: no SHA1 or SHA384. In practice, OpenSSH is always going to use SHA512.
+    # Note the actual signing / verify primitive may use a different hash algorithm.
+    # https://github.com/openssh/openssh-portable/blob/b7ffbb17e37f59249c31f1ff59d6c5d80888f689/PROTOCOL.sshsig#L67
+    SUPPORTED_HASH_ALGORITHMS = {
+      "sha256" => OpenSSL::Digest::SHA256,
+      "sha512" => OpenSSL::Digest::SHA512,
+    }
+
+    PERMITTED_RSA_SIGNATURE_ALGORITHMS = [
+      PublicKey::ALGO_RSA_SHA2_256,
+      PublicKey::ALGO_RSA_SHA2_512,
+    ]
+
+    attr_reader :sigversion, :namespace, :signature, :reserved, :hashalgorithm
+
+    # Parses a PEM armored SSH signature.
+    # pem - A PEM encoded SSH signature.
+    #
+    # Returns a Signature instance.
+    def self.parse_pem(pem)
+      pem_type = Encoding.pem_type(pem)
+
+      if pem_type != PEM_TYPE
+        raise DecodeError, "Mismatched PEM type. Expecting '#{PEM_TYPE}', actually '#{pem_type}'."
+      end
+
+      blob = Encoding.decode_pem(pem, pem_type)
+      self.parse_blob(blob)
+    end
+
+    def self.parse_blob(blob)
+      data, read = Encoding.decode_openssh_signature(blob)
+
+      if read != blob.bytesize
+        raise DecodeError, "unexpected trailing data"
+      end
+
+      new(**data)
+    end
+
+    def initialize(sigversion:, publickey:, namespace:, reserved:, hashalgorithm:, signature:)
+      if sigversion > MAX_SUPPORTED_VERSION || sigversion < MIN_SUPPORTED_VERSION
+        raise UnsupportedError, "Signature version is not supported"
+      end
+
+      unless SUPPORTED_HASH_ALGORITHMS.has_key?(hashalgorithm)
+        raise UnsupportedError, "Hash algorithm #{hashalgorithm} is not supported."
+      end
+
+      # Spec: empty namespaces are not permitted.
+      # https://github.com/openssh/openssh-portable/blob/b7ffbb17e37f59249c31f1ff59d6c5d80888f689/PROTOCOL.sshsig#L57
+      raise UnsupportedError, "A namespace is required." if namespace.empty?
+
+      # Spec: ignore 'reserved', don't need to validate that it is empty.
+
+      @sigversion = sigversion
+      @publickey = publickey
+      @namespace = namespace
+      @reserved = reserved
+      @hashalgorithm = hashalgorithm
+      @signature = signature
+    end
+
+    def verify(signed_data)
+      key = public_key
+      digest_algorithm = SUPPORTED_HASH_ALGORITHMS[@hashalgorithm]
+
+      if key.is_a?(PublicKey::RSA)
+        sig_algo, * = Encoding.decode_signature(@signature)
+
+        # Spec: If the signature is an RSA signature, the legacy 'ssh-rsa'
+        # identifer is not permitted.
+        # https://github.com/openssh/openssh-portable/blob/b7ffbb17e37f59249c31f1ff59d6c5d80888f689/PROTOCOL.sshsig#L72
+        unless PERMITTED_RSA_SIGNATURE_ALGORITHMS.include?(sig_algo)
+          raise UnsupportedError, "RSA signature #{sig_algo} is not supported."
+        end
+      end
+
+      raise AlgorithmError, "Unsupported digest algorithm #{@hashalgorithm}" if digest_algorithm.nil?
+
+      message_digest = digest_algorithm.digest(signed_data)
+      blob =
+        SIGNATURE_PREAMBLE +
+        Encoding.encode_string(@namespace) +
+        Encoding.encode_string(@reserved || "") +
+        Encoding.encode_string(@hashalgorithm) +
+        Encoding.encode_string(message_digest)
+
+      key.verify(blob, @signature)
+    end
+
+    def public_key
+      PublicKey.from_data(@publickey)
+    end
+  end
+end

spec/certificate_spec.rb

@@ -281,6 +281,22 @@ describe SSHData::Certificate do
     SSHData::PublicKey::RSA                 # ca key type
   ]
 
+  test_cases << [
+    :rsa_leaf_for_skecdsa_ca,               # name
+    "rsa_leaf_for_skecdsa_ca-cert.pub",     # fixture
+    SSHData::Certificate::ALGO_RSA,         # algo
+    SSHData::PublicKey::RSA,                # public key type
+    SSHData::PublicKey::SKECDSA             # ca key type
+  ]
+
+  test_cases << [
+    :rsa_leaf_for_sked25519_ca,             # name
+    "rsa_leaf_for_sked25519_ca-cert.pub",   # fixture
+    SSHData::Certificate::ALGO_RSA,         # algo
+    SSHData::PublicKey::RSA,                # public key type
+    SSHData::PublicKey::SKED25519           # ca key type
+  ]
+
   test_cases.each do |name, fixture_name, algo, public_key_class, ca_key_class|
     describe(name) do
       let(:openssh) { fixture(fixture_name).strip }

spec/fixtures/gen.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 generate_security_keys=0
-read -p "Generated security key-backed keys (Requires key and user interaction)? [yN] " -n 1 -r
+read -p "Generate security key-backed keys (Requires key and user interaction)? [yN] " -n 1 -r
 echo
 if [[ $REPLY =~ ^[Yy]$ ]]
 then
@@ -15,6 +15,18 @@ ssh-keygen -tdsa -N "" -f ./dsa_ca
 ssh-keygen -tecdsa -N "" -f ./ecdsa_ca
 ssh-keygen -ted25519 -N "" -f ./ed25519_ca
 
+if [[ $generate_security_keys -eq 1 ]]
+then
+    ssh-keygen -ted25519-sk -N "" -f ./sked25519_ca
+    ssh-keygen -tecdsa-sk -N "" -f ./skecdsa_ca
+
+    ssh-keygen -trsa -N "" -f ./rsa_leaf_for_sked25519_ca
+    ssh-keygen -s sked25519_ca -z 123 -n p1,p2 -O clear -I my-ident -O critical:foo=bar -O extension:baz=qwer -O permit-X11-forwarding rsa_leaf_for_sked25519_ca.pub
+
+    ssh-keygen -trsa -N "" -f ./rsa_leaf_for_skecdsa_ca
+    ssh-keygen -s skecdsa_ca -z 123 -n p1,p2 -O clear -I my-ident -O critical:foo=bar -O extension:baz=qwer -O permit-X11-forwarding rsa_leaf_for_skecdsa_ca.pub
+fi
+
 ssh-keygen -trsa -N "" -f ./rsa_leaf_for_rsa_ca
 ssh-keygen -s rsa_ca -z 123 -n p1,p2 -O clear -I my-ident -O critical:foo=bar -O extension:baz=qwer -O permit-X11-forwarding rsa_leaf_for_rsa_ca.pub
 

spec/fixtures/rsa_leaf_for_skecdsa_ca

@@ -0,0 +1,38 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAYEAxzIj0SZz5rXQdCys5Z4A8m7EQ3AIoXm0CGJ8yjgITB0M8HtvM4aV
+BeDe/u+nzU1D24CfLqRFvMUQRhWAERJcla+zwSMmBg1qz92SNa+QYOttiuBhWwgzramO1F
+7TUoJu+1mIS/U7CE2WNJp+TaX5IHLtrPmgQ1yBkGSsW5chHqsYX0V7yp//whDGUCdFWTvB
+/q7VWms4dqrl2Q+IyJtYgpgBOg2DhELnO/1umLx/dLYyyLLfwkWKszBM12tktD0dKbnouZ
+0prxgKt0XUtIOV9ROXXhAJe9T3XWquTjulT2E5FiHtJ3ZGWdnXWFPzmmNlzfkMHj+YqEEa
+oPiOEDgXnYeszaHH6adVuzqwqEt1Wm9Zz5sqpZVaN5pZOK4w6bAFg76lNQG6FM3wyiVgOp
+IddZRJu0ELNC+ZeQ4LRRc+5HOwbptqIMdsjJ4YY55FnmxT7/7dPMDf9Iz7aVm3f7K2wNR0
+nHE5rCGCRItwg/ODjTC+HH2jrV2Uw8xUDeWviuW/AAAFkHgl/vF4Jf7xAAAAB3NzaC1yc2
+EAAAGBAMcyI9Emc+a10HQsrOWeAPJuxENwCKF5tAhifMo4CEwdDPB7bzOGlQXg3v7vp81N
+Q9uAny6kRbzFEEYVgBESXJWvs8EjJgYNas/dkjWvkGDrbYrgYVsIM62pjtRe01KCbvtZiE
+v1OwhNljSafk2l+SBy7az5oENcgZBkrFuXIR6rGF9Fe8qf/8IQxlAnRVk7wf6u1VprOHaq
+5dkPiMibWIKYAToNg4RC5zv9bpi8f3S2Msiy38JFirMwTNdrZLQ9HSm56LmdKa8YCrdF1L
+SDlfUTl14QCXvU911qrk47pU9hORYh7Sd2RlnZ11hT85pjZc35DB4/mKhBGqD4jhA4F52H
+rM2hx+mnVbs6sKhLdVpvWc+bKqWVWjeaWTiuMOmwBYO+pTUBuhTN8MolYDqSHXWUSbtBCz
+QvmXkOC0UXPuRzsG6baiDHbIyeGGOeRZ5sU+/+3TzA3/SM+2lZt3+ytsDUdJxxOawhgkSL
+cIPzg40wvhx9o61dlMPMVA3lr4rlvwAAAAMBAAEAAAGBAIa90OKKOz4lYEMlcTLFJWjYKm
+RfpUbtFy3QyQ7UxjAOOpF1PWxCLg3S5aTXIc/K4wrYv1SChDXDq1Vs97sUi5IpTtNnXjIb
+41OGUn+EKYqV1fxp+RDlxGdFWbsoBZQ7bK0TDBItaOgd62vb0XHewl0DwOgP1yuZqH6uyr
+QNz7Z6D7tqOel/Pzbbt/nCBrPsqzYGt4U5H/GNenrQejsQcdes0K+fMoZF5zp6HNSuNR0S
+ndmKvbcg6Uh6dJAHMhCFgUHwuHib+VyZvMTFZd6VFGiP9g5z8tU3xpIUrkiBTkloy+2XLJ
+MkyWPW9KTgwxiHaY4+txbipdzLSoE7MhkGnP+0Gfev3s6v5wfJgpL/wMvSOyMbHKzZBVgX
+7tx0obfoNFRDsZpS8LB+DOsTJphbFeJFBfTlKRWcdJ+SIy6teI2hrC2Dm6Rc3DM1kpePvv
+hihi1etMalZKsiZBsm8X9HL0Yw9yGn3ehm3C/VuE1uGcrytAvySGvF1YOtxFcjgge3mQAA
+AMEAuf3pctrqSazBFt2Adnq0aQHJhzbKQMfrYeJU1pEX5Jykfz867ZWQfTKmUqZHTc4yv/
+dngezh9rgVeiE+kNgVkRoJujhXjt51tS2F2hX7vBiuj26jMjsub4g2zi9H29EOub2fLeAL
+07AlE9qOuEAGCcx6k7Eh2tM1SC4JuKlTtZySykeHMarm/dg89q9f1XVQcBDXlOVYtQOcrf
+UFi9t31dWFmC0ZFn+b0OD8emXIXBUz2yawESSq5g7Eo09CbUHoAAAAwQDo64oZwoZizfBP
+UUIkKIs0eeJWBOjiI4tLaeMs59+XGdvZKw+pCRhzCy9ygE5SQmumFatqVWyxWX27EXBAh8
+ywaViFrKu6Oc88NGGUcP7qMEsDHbmdujbFByxj5GNjUp79kSArqtpDs01LBjI6m1lT3Vzi
+nLzFxlHIAK8AEOIgqZSs8QOF233R1rRarnHMtXL8zQYq6sGKqNftpNKbIsXzd06B7kwdvd
+TScNRWWJcUu8YL+1iTuM4B0RzlaU1GzIUAAADBANrvHx+coP8QNBbUsrHVBCAAtSZ57+sY
+ls9cdC3JJSejbFTBcqpEJwgkkFltzW6NDoT/oDc3bXtsLo6dEiIrwaiqBCzUI6YWv/8/53
+DtwdpunO+w/m/d2fsMOD7hBCsJq9F8bqjFYS+RmgltKecTnwJ2UmVBjXsxgxQxviKdfGjn
+w0fXy422PdTjRbj3XbyPAy7pdWws6sdU9s6EH2gwELGky088HWX8HxmirfI3JX7tcosANx
+idQYsG+n67hKLOcwAAABN2Y3Nqb25lc0BLZXZpbnMtTUJQAQIDBAUG
+-----END OPENSSH PRIVATE KEY-----

spec/fixtures/rsa_leaf_for_skecdsa_ca-cert.pub

@@ -0,0 +1 @@
+ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgzkt8R6EX7iCu4+5Fr1Dt4UqYAREilnmKsBX90/2EEUUAAAADAQABAAABgQDHMiPRJnPmtdB0LKzlngDybsRDcAihebQIYnzKOAhMHQzwe28zhpUF4N7+76fNTUPbgJ8upEW8xRBGFYARElyVr7PBIyYGDWrP3ZI1r5Bg622K4GFbCDOtqY7UXtNSgm77WYhL9TsITZY0mn5Npfkgcu2s+aBDXIGQZKxblyEeqxhfRXvKn//CEMZQJ0VZO8H+rtVaazh2quXZD4jIm1iCmAE6DYOEQuc7/W6YvH90tjLIst/CRYqzMEzXa2S0PR0puei5nSmvGAq3RdS0g5X1E5deEAl71Pddaq5OO6VPYTkWIe0ndkZZ2ddYU/OaY2XN+QweP5ioQRqg+I4QOBedh6zNocfpp1W7OrCoS3Vab1nPmyqllVo3mlk4rjDpsAWDvqU1AboUzfDKJWA6kh11lEm7QQs0L5l5DgtFFz7kc7Bum2ogx2yMnhhjnkWebFPv/t08wN/0jPtpWbd/srbA1HSccTmsIYJEi3CD84ONML4cfaOtXZTDzFQN5a+K5b8AAAAAAAAAewAAAAEAAAAIbXktaWRlbnQAAAAMAAAAAnAxAAAAAnAyAAAAAAAAAAD//////////wAAABIAAAADZm9vAAAABwAAAANiYXIAAAAwAAAAA2JhegAAAAgAAAAEcXdlcgAAABVwZXJtaXQtWDExLWZvcndhcmRpbmcAAAAAAAAAAAAAAH8AAAAic2stZWNkc2Etc2hhMi1uaXN0cDI1NkBvcGVuc3NoLmNvbQAAAAhuaXN0cDI1NgAAAEEEqtXuPt8YlfvCd9SNupUrv0RcqseUbzFkiNEttrSCZuD1KKDuDluU/g4t/42YJKPbsBc6/8w2U8urlsg0IZPRvAAAAARzc2g6AAAAdwAAACJzay1lY2RzYS1zaGEyLW5pc3RwMjU2QG9wZW5zc2guY29tAAAASAAAACAoTZ3DnZY5pDal5IIk3wF0T62keDPE120XADZOD6bR9AAAACBdNq4i61BbTncPBPlRrW/MwxiCLYVCrClYwUEwoPTH2gEAAAAO vcsjones@Kevins-MBP

spec/fixtures/rsa_leaf_for_skecdsa_ca.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHMiPRJnPmtdB0LKzlngDybsRDcAihebQIYnzKOAhMHQzwe28zhpUF4N7+76fNTUPbgJ8upEW8xRBGFYARElyVr7PBIyYGDWrP3ZI1r5Bg622K4GFbCDOtqY7UXtNSgm77WYhL9TsITZY0mn5Npfkgcu2s+aBDXIGQZKxblyEeqxhfRXvKn//CEMZQJ0VZO8H+rtVaazh2quXZD4jIm1iCmAE6DYOEQuc7/W6YvH90tjLIst/CRYqzMEzXa2S0PR0puei5nSmvGAq3RdS0g5X1E5deEAl71Pddaq5OO6VPYTkWIe0ndkZZ2ddYU/OaY2XN+QweP5ioQRqg+I4QOBedh6zNocfpp1W7OrCoS3Vab1nPmyqllVo3mlk4rjDpsAWDvqU1AboUzfDKJWA6kh11lEm7QQs0L5l5DgtFFz7kc7Bum2ogx2yMnhhjnkWebFPv/t08wN/0jPtpWbd/srbA1HSccTmsIYJEi3CD84ONML4cfaOtXZTDzFQN5a+K5b8= vcsjones@Kevins-MBP

spec/fixtures/rsa_leaf_for_sked25519_ca

@@ -0,0 +1,38 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAYEAuDxsZAjV3QkUVhrYF78JRt7e/kDAQLlcmuLNN/GcvD3R1d0r0eV1
+RnDrWtt8kT3WcDxHxVeyyvAa3S1VAUhQOnXbAmc6klEvhf8kd9r/KJbsqKdcyEOhSTlT69
+gg+fopqRa9O+SY+P2mz0Zm6JdVrdmniFVyYq1GKHnlfqUGELhda4URLW53mVa2ahKjFg1o
+QZf+e0zoDVuO6gcZs1bSIYos5BkAER0FSJ+r1UZL+rSYy+mFBXaQ6mDIiWl0/3sqaVRrNl
+qKhCdiffDlp53GBU4u32b8h+BqbS619NC87XbXS9igwu6/+WqG2klrHvYXd2oPjqTnAl4D
+nrCfxyABBkUqh07trJZPqBldrYaogzwUL1LYCdYI5yQGqKivL4uINy9DyZetLFvkPN5mak
+xwADE5n9dSf37tMoQxM7krUoUxrPJ7Y8BCzQ2LRkP51MG9h4JTMQge1FZfBjhlbf5IagoX
+WOfKNwggBBODJvZReW4rpzTLK4ktBVeX6+sdeELXAAAFiO4sBWXuLAVlAAAAB3NzaC1yc2
+EAAAGBALg8bGQI1d0JFFYa2Be/CUbe3v5AwEC5XJrizTfxnLw90dXdK9HldUZw61rbfJE9
+1nA8R8VXssrwGt0tVQFIUDp12wJnOpJRL4X/JHfa/yiW7KinXMhDoUk5U+vYIPn6KakWvT
+vkmPj9ps9GZuiXVa3Zp4hVcmKtRih55X6lBhC4XWuFES1ud5lWtmoSoxYNaEGX/ntM6A1b
+juoHGbNW0iGKLOQZABEdBUifq9VGS/q0mMvphQV2kOpgyIlpdP97KmlUazZaioQnYn3w5a
+edxgVOLt9m/Ifgam0utfTQvO1210vYoMLuv/lqhtpJax72F3dqD46k5wJeA56wn8cgAQZF
+KodO7ayWT6gZXa2GqIM8FC9S2AnWCOckBqiory+LiDcvQ8mXrSxb5DzeZmpMcAAxOZ/XUn
+9+7TKEMTO5K1KFMazye2PAQs0Ni0ZD+dTBvYeCUzEIHtRWXwY4ZW3+SGoKF1jnyjcIIAQT
+gyb2UXluK6c0yyuJLQVXl+vrHXhC1wAAAAMBAAEAAAGAKts7Z4W6ogEzrtftvpBcyxSbEM
+/lKOk1hn4NuN7GU++ZeUNKpzfWMP2hcfAuqOaWlGMhWuGMoLJ7vUmHRZYZu4+g041JzbF+
++Y+hXxQdWMbK5GySI6+/u/XO9MTA3wV3XXMBsAX8I6d1fy/kTmSttJQ16Xve8N9Xu6CnZu
+9iWs9YQ+OfXE8fGRdXtZMCRuX1g5SkyO/Z5wmOVBg0vUgL92taB/Fc155FlWA3K5R/piEO
+jhiTLfMnwK2k2Hokki2HCfD/t7qgQhm76Y412HIXVRZZMiiB5sFvGnT76rBZrcusTgebX0
+2m4XIWAwXgInthen6xn3tV/EqShYo3YBJeTSJle0osZ8M41hJZkQB7IqAwhAdDXIhhbrXt
+BJXnun6Ho0OF+l0qrvgxUq8Adbc50X4Sw7zg4zjdALxPix03i58CMBY+WYGKoC72D2hy39
+k6g7JzA9ba3lPbGcUIN2QSwk0iBTFfTld+lvNhbkkJZOaiwU8tZn4J8Sv84vWFlwLRAAAA
+wDm1mGbDUmJJ9hfWMf1KxDAEqJKXV0W4sPBlF/2kcu86zQsZcE9LwBwcPWvsJXYmo+5Qiq
+vlgtOIVd1e+YfBbvZs+pOFvPDt6mOyTwD46sDOKpqbRk2SPg70aaGmf4+vPTGvonozbzMO
+uGgzrSfRK3BTMfvna3M8jZCWC9v3vo7Nh114fZfUYfg6uF1diy7IEdHmY95QcCLY3QzKPd
+9ndpJ8xVuII3w9OXiPckSzhK/1t/S4jT03WC11SSdYMu8yaAAAAMEA5F9bnNpqzON4TrqD
+uVhEklhNBgGvexcdqof7BFygW3KvG3pMA91ed/z0U6HnGsWW1GVjDzZc9K0H/9RAm+lU+V
+K/Vj+qmJbI+Qp94CAB1C+n0AWASID31J2FYPh6UTeJhi9ULoXQmF7a4PBOyAf0Nd2aP5E+
+Aj+7QhUKPnNO/laaFFWDE+opLQLVjnHlvd3Gxjl8fk/NYHbXKssPQwH5z5eaP3hxY6brpd
+ZSfhjkWMcx5SKlwt5HclFOyOnT0py5AAAAwQDOhityKrwbpnxkEqQ/6swBGL0MbsmlI1fP
+w8IMRilUhD9mqOY4aMg9YsRlxtj/JKGEtIFFbnsl6dQJ++AuDke1JQVIrO5PqvMXL0GLgc
+BxB13PQr2A9GBughOMylA7vWYEuVHkvE25EW80//T+8zMM6Ql07zPWxXJLXBaPxFRykSIU
+1gXvSCspOc7zaIRKispKPm6lysLZPJZBJzY4wB7ff9VN55J2RO1lYFSEWbZPUVtj1UdReE
+tD95dj4kvntA8AAAATdmNzam9uZXNAS2V2aW5zLU1CUA==
+-----END OPENSSH PRIVATE KEY-----

spec/fixtures/rsa_leaf_for_sked25519_ca-cert.pub

@@ -0,0 +1 @@
+ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgL6EcAFjD1fjsU4Tzx4Gb0kMQGjrYQDe2FJrYP8kM8C8AAAADAQABAAABgQC4PGxkCNXdCRRWGtgXvwlG3t7+QMBAuVya4s038Zy8PdHV3SvR5XVGcOta23yRPdZwPEfFV7LK8BrdLVUBSFA6ddsCZzqSUS+F/yR32v8oluyop1zIQ6FJOVPr2CD5+impFr075Jj4/abPRmbol1Wt2aeIVXJirUYoeeV+pQYQuF1rhREtbneZVrZqEqMWDWhBl/57TOgNW47qBxmzVtIhiizkGQARHQVIn6vVRkv6tJjL6YUFdpDqYMiJaXT/eyppVGs2WoqEJ2J98OWnncYFTi7fZvyH4GptLrX00LztdtdL2KDC7r/5aobaSWse9hd3ag+OpOcCXgOesJ/HIAEGRSqHTu2slk+oGV2thqiDPBQvUtgJ1gjnJAaoqK8vi4g3L0PJl60sW+Q83mZqTHAAMTmf11J/fu0yhDEzuStShTGs8ntjwELNDYtGQ/nUwb2HglMxCB7UVl8GOGVt/khqChdY58o3CCAEE4Mm9lF5biunNMsriS0FV5fr6x14QtcAAAAAAAAAewAAAAEAAAAIbXktaWRlbnQAAAAMAAAAAnAxAAAAAnAyAAAAAAAAAAD//////////wAAABIAAAADZm9vAAAABwAAAANiYXIAAAAwAAAAA2JhegAAAAgAAAAEcXdlcgAAABVwZXJtaXQtWDExLWZvcndhcmRpbmcAAAAAAAAAAAAAAEoAAAAac2stc3NoLWVkMjU1MTlAb3BlbnNzaC5jb20AAAAgHRksgHwd+cfdg1asRsUSrNuyaT4qCWcbl+TtPWCRttwAAAAEc3NoOgAAAGcAAAAac2stc3NoLWVkMjU1MTlAb3BlbnNzaC5jb20AAABAL/DReFMJ7RkpYRhYCzYc56wDXRFeqkBdUvLu2DFUQbnu8Boa7QWAjxBq00uyFOTBGILJMGfcXRCX0QeVoICRBwEAAAAM vcsjones@Kevins-MBP

spec/fixtures/rsa_leaf_for_sked25519_ca.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4PGxkCNXdCRRWGtgXvwlG3t7+QMBAuVya4s038Zy8PdHV3SvR5XVGcOta23yRPdZwPEfFV7LK8BrdLVUBSFA6ddsCZzqSUS+F/yR32v8oluyop1zIQ6FJOVPr2CD5+impFr075Jj4/abPRmbol1Wt2aeIVXJirUYoeeV+pQYQuF1rhREtbneZVrZqEqMWDWhBl/57TOgNW47qBxmzVtIhiizkGQARHQVIn6vVRkv6tJjL6YUFdpDqYMiJaXT/eyppVGs2WoqEJ2J98OWnncYFTi7fZvyH4GptLrX00LztdtdL2KDC7r/5aobaSWse9hd3ag+OpOcCXgOesJ/HIAEGRSqHTu2slk+oGV2thqiDPBQvUtgJ1gjnJAaoqK8vi4g3L0PJl60sW+Q83mZqTHAAMTmf11J/fu0yhDEzuStShTGs8ntjwELNDYtGQ/nUwb2HglMxCB7UVl8GOGVt/khqChdY58o3CCAEE4Mm9lF5biunNMsriS0FV5fr6x14Qtc= vcsjones@Kevins-MBP

spec/fixtures/signatures/create-signatures.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+filedir=`dirname $0`
+pushd $filedir
+
+message=$filedir/message
+
+if [ ! -f "$message" ]; then
+    dd if=/dev/urandom count=1 bs=64 | base64 > $message
+fi
+
+create_key_and_sign() {
+    local alg=$1
+    local keysize=$2
+    local key=$filedir/$alg-$keysize.key
+    yes | ssh-keygen -q -N "" -t $alg -b $keysize -C "" -f $key
+    cat $message | ssh-keygen -Y sign -n file -f $key > $message.$alg-$keysize.sig
+}
+
+create_key_and_sign "rsa" 2048
+create_key_and_sign "ecdsa" 256
+create_key_and_sign "ecdsa" 384
+create_key_and_sign "ecdsa" 521
+create_key_and_sign "ed25519" 256
+
+generate_security_keys=0
+read -p "Generate security key-backed keys (Requires key and user interaction)? [yN] " -n 1 -r
+echo
+if [[ $REPLY =~ ^[Yy]$ ]]
+then
+    create_key_and_sign "ed25519-sk" 256
+    create_key_and_sign "ecdsa-sk" 256
+fi
+
+popd

spec/fixtures/signatures/ecdsa-256.key

@@ -0,0 +1,8 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
+1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQTkKAxi+7mnAzaQPnO+xPMVEI7WdZ8+
+Tj0r1WXib7od+ej6H5eXInlH4CF8HZvqOpk8+Wk1KwXXfJvFD21XhQdaAAAAoLiMlKW4jJ
+SlAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOQoDGL7uacDNpA+
+c77E8xUQjtZ1nz5OPSvVZeJvuh356Pofl5cieUfgIXwdm+o6mTz5aTUrBdd8m8UPbVeFB1
+oAAAAhALUq9AgkV1MDJNzxQ4zm1mawBoA19l+GJCN4XnR5b+NYAAAAAAECAwQFBgc=
+-----END OPENSSH PRIVATE KEY-----

spec/fixtures/signatures/ecdsa-256.key.pub

@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOQoDGL7uacDNpA+c77E8xUQjtZ1nz5OPSvVZeJvuh356Pofl5cieUfgIXwdm+o6mTz5aTUrBdd8m8UPbVeFB1o= 

spec/fixtures/signatures/ecdsa-384.key

@@ -0,0 +1,10 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAiAAAABNlY2RzYS
+1zaGEyLW5pc3RwMzg0AAAACG5pc3RwMzg0AAAAYQSzFqfqbQRq+bNApN3otjDR6mmal8tZ
+wkOB0lP/H5/pWKdq2Mxxyq9t4x1M/zBvY+xfo0xjGheaOERP6GRcBNsntgA7VFZ9B35Ujf
+pyIAGz5AzndcVVIQM27kzgo2VBHJQAAADII8whciPMIXIAAAATZWNkc2Etc2hhMi1uaXN0
+cDM4NAAAAAhuaXN0cDM4NAAAAGEEsxan6m0EavmzQKTd6LYw0eppmpfLWcJDgdJT/x+f6V
+inatjMccqvbeMdTP8wb2PsX6NMYxoXmjhET+hkXATbJ7YAO1RWfQd+VI36ciABs+QM53XF
+VSEDNu5M4KNlQRyUAAAAMFYlo7mBX43tYzygVhtlwdmCHyAZjwfKZwrZPajz3N/cPopsdN
+o9ajUQQtoi3NN1sAAAAAA=
+-----END OPENSSH PRIVATE KEY-----

spec/fixtures/signatures/ecdsa-384.key.pub

@@ -0,0 +1 @@
+ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLMWp+ptBGr5s0Ck3ei2MNHqaZqXy1nCQ4HSU/8fn+lYp2rYzHHKr23jHUz/MG9j7F+jTGMaF5o4RE/oZFwE2ye2ADtUVn0HflSN+nIgAbPkDOd1xVUhAzbuTOCjZUEclA== 

spec/fixtures/signatures/ecdsa-521.key

@@ -0,0 +1,12 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAArAAAABNlY2RzYS
+1zaGEyLW5pc3RwNTIxAAAACG5pc3RwNTIxAAAAhQQBTqIGKF5+kaZFLt2ETYan7Wy2PNPY
+a8m2bE89xuTwN/GGB0QYQM9H5YhgK4WZGllCw7h9upS8RTpvH9TmEfxgHo0ASsfqz5/wui
+UvGvQU7MQl6fK+1hxl6v6gAB8EXr5jaVCPhNWhCOSjMAmPgqgcNYZUXZG/qWg1bPwoGkJG
+OmLc9PgAAAEAK/PNRivzzUYAAAATZWNkc2Etc2hhMi1uaXN0cDUyMQAAAAhuaXN0cDUyMQ
+AAAIUEAU6iBihefpGmRS7dhE2Gp+1stjzT2GvJtmxPPcbk8DfxhgdEGEDPR+WIYCuFmRpZ
+QsO4fbqUvEU6bx/U5hH8YB6NAErH6s+f8LolLxr0FOzEJenyvtYcZer+oAAfBF6+Y2lQj4
+TVoQjkozAJj4KoHDWGVF2Rv6loNWz8KBpCRjpi3PT4AAAAQWh55sQ+fBI4LQLUDN5RLT4C
+LubO51jTCIVDkykksnNHfyZB0CNlxSbpAwKUjbchT7DuF9h8TeZ94EKb3a8GWUkXAAAAAA
+ECAw==
+-----END OPENSSH PRIVATE KEY-----

spec/fixtures/signatures/ecdsa-521.key.pub

@@ -0,0 +1 @@
+ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAFOogYoXn6RpkUu3YRNhqftbLY809hrybZsTz3G5PA38YYHRBhAz0fliGArhZkaWULDuH26lLxFOm8f1OYR/GAejQBKx+rPn/C6JS8a9BTsxCXp8r7WHGXq/qAAHwRevmNpUI+E1aEI5KMwCY+CqBw1hlRdkb+paDVs/CgaQkY6Ytz0+A== 

spec/fixtures/signatures/ecdsa-sk-256.key

@@ -0,0 +1,10 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAfwAAACJzay1lY2
+RzYS1zaGEyLW5pc3RwMjU2QG9wZW5zc2guY29tAAAACG5pc3RwMjU2AAAAQQRE7ETUY6t4
++fiDnVI5Vs3jAh4oaiQ8IWof2H+o3zpVebQf+7qNosSnYOGDxN0xednWrSddWjSFHYhsB5
+9thXSQAAAABHNzaDoAAADYB2rdHAdq3RwAAAAic2stZWNkc2Etc2hhMi1uaXN0cDI1NkBv
+cGVuc3NoLmNvbQAAAAhuaXN0cDI1NgAAAEEEROxE1GOrePn4g51SOVbN4wIeKGokPCFqH9
+h/qN86VXm0H/u6jaLEp2Dhg8TdMXnZ1q0nXVo0hR2IbAefbYV0kAAAAARzc2g6AQAAAEDE
+1Wdgu/Rt+nqEddM9XVIvZgNwC3bgu0xLH1kiOqPkUi/ZFkC2MHx+16coYegqlgZMreBP8+
+jKvGQysdwE+PchAAAAAAAAAAABAgME
+-----END OPENSSH PRIVATE KEY-----

spec/fixtures/signatures/ecdsa-sk-256.key.pub

@@ -0,0 +1 @@
+sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBETsRNRjq3j5+IOdUjlWzeMCHihqJDwhah/Yf6jfOlV5tB/7uo2ixKdg4YPE3TF52datJ11aNIUdiGwHn22FdJAAAAAEc3NoOg== 

spec/fixtures/signatures/ed25519-256.key

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACCheCDZeB6kTAGvcJDOQdeKDLxPy6+zr0O+jHl+CcaA8wAAAIi66rVYuuq1
+WAAAAAtzc2gtZWQyNTUxOQAAACCheCDZeB6kTAGvcJDOQdeKDLxPy6+zr0O+jHl+CcaA8w
+AAAEAylVdyV3Kct67/xo1exqxiMqVaB3Zcji+s5VB7PQ7S5qF4INl4HqRMAa9wkM5B14oM
+vE/Lr7OvQ76MeX4JxoDzAAAAAAECAwQF
+-----END OPENSSH PRIVATE KEY-----

spec/fixtures/signatures/ed25519-256.key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKF4INl4HqRMAa9wkM5B14oMvE/Lr7OvQ76MeX4JxoDz 

spec/fixtures/signatures/ed25519-sk-256.key

@@ -0,0 +1,9 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAASgAAABpzay1zc2
+gtZWQyNTUxOUBvcGVuc3NoLmNvbQAAACC5TzTioebDxDVFQicHX1JSKLhoGgLBi/f/qkCD
+XaXBUAAAAARzc2g6AAAA4CjqYlwo6mJcAAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY2
+9tAAAAILlPNOKh5sPENUVCJwdfUlIouGgaAsGL9/+qQINdpcFQAAAABHNzaDoBAAAAgENU
+XbPTSRo6B9x8UzfEjRpdp4wZrhLAphZPVGi1qZIdZ9mSWjW4II11Fv9F8h5QtP9dmUTeKb
+Azr07lTcy92cGLngr5PjHM904yLBCg61zQL75YNZ3FReVG8SZhg7YD7MER1thy1t7ItWR0
+vQf65700K+QGBF7WhtznGms0A6oXAAAAAAAAAAAB
+-----END OPENSSH PRIVATE KEY-----

spec/fixtures/signatures/ed25519-sk-256.key.pub

@@ -0,0 +1 @@
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAILlPNOKh5sPENUVCJwdfUlIouGgaAsGL9/+qQINdpcFQAAAABHNzaDo= 

spec/fixtures/signatures/message

@@ -0,0 +1 @@
+Z0dzRu/AfSjNd7H1LlEk/vxw/tuGVeY3NSzb8wxSw6lAN9o+nefDntF9Ij3u9oj6Jhis6aQP6iCv3YHHcKfd9A==

spec/fixtures/signatures/message.ecdsa-256.sig

@@ -0,0 +1,7 @@
+-----BEGIN SSH SIGNATURE-----
+U1NIU0lHAAAAAQAAAGgAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAAhuaXN0cDI1NgAAAE
+EE5CgMYvu5pwM2kD5zvsTzFRCO1nWfPk49K9Vl4m+6Hfno+h+XlyJ5R+AhfB2b6jqZPPlp
+NSsF13ybxQ9tV4UHWgAAAARmaWxlAAAAAAAAAAZzaGE1MTIAAABkAAAAE2VjZHNhLXNoYT
+ItbmlzdHAyNTYAAABJAAAAIQCV+yVd666huw+0MMotdB+b00loaCYY8yWVU3KuVgHe3AAA
+ACBYDwDWqTlIMFJZBCyu61VVAxJzp2A/v1iYQ0vzp4x7mA==
+-----END SSH SIGNATURE-----

spec/fixtures/signatures/message.ecdsa-384.sig

@@ -0,0 +1,8 @@
+-----BEGIN SSH SIGNATURE-----
+U1NIU0lHAAAAAQAAAIgAAAATZWNkc2Etc2hhMi1uaXN0cDM4NAAAAAhuaXN0cDM4NAAAAG
+EEsxan6m0EavmzQKTd6LYw0eppmpfLWcJDgdJT/x+f6VinatjMccqvbeMdTP8wb2PsX6NM
+YxoXmjhET+hkXATbJ7YAO1RWfQd+VI36ciABs+QM53XFVSEDNu5M4KNlQRyUAAAABGZpbG
+UAAAAAAAAABnNoYTUxMgAAAIUAAAATZWNkc2Etc2hhMi1uaXN0cDM4NAAAAGoAAAAxAJXR
+bcuPoyo2MeNmFZsgusb2J2NQRPRmVV4xg1zMMN45THkiSasC3KVxXpSCe6GWYgAAADEA4L
+utlhNdNB5r19u9unohEnJuWJh9F07tDcFwnux0MCmiQHSo6R06q4W0/BZVqrsI
+-----END SSH SIGNATURE-----

spec/fixtures/signatures/message.ecdsa-521.sig

@@ -0,0 +1,10 @@
+-----BEGIN SSH SIGNATURE-----
+U1NIU0lHAAAAAQAAAKwAAAATZWNkc2Etc2hhMi1uaXN0cDUyMQAAAAhuaXN0cDUyMQAAAI
+UEAU6iBihefpGmRS7dhE2Gp+1stjzT2GvJtmxPPcbk8DfxhgdEGEDPR+WIYCuFmRpZQsO4
+fbqUvEU6bx/U5hH8YB6NAErH6s+f8LolLxr0FOzEJenyvtYcZer+oAAfBF6+Y2lQj4TVoQ
+jkozAJj4KoHDWGVF2Rv6loNWz8KBpCRjpi3PT4AAAABGZpbGUAAAAAAAAABnNoYTUxMgAA
+AKcAAAATZWNkc2Etc2hhMi1uaXN0cDUyMQAAAIwAAABCAa+hJCcamPsA0jIzbb+OMmL047
+II6+6SaD/zcjSwSELgvI0uf7ogyjYl04/7VHWJZqOHpgGKS5UmlBB1Pe+njGxQAAAAQgCm
+Z1H5TH+KyimsHGn+ibpLcjjYGiRKwFDW/Rred8Isukja6DFf/X1iNTpMKYxCNXYsYPHbj4
+cnClYpIovywgiA5A==
+-----END SSH SIGNATURE-----

spec/fixtures/signatures/message.ecdsa-sk-256.sig

@@ -0,0 +1,8 @@
+-----BEGIN SSH SIGNATURE-----
+U1NIU0lHAAAAAQAAAH8AAAAic2stZWNkc2Etc2hhMi1uaXN0cDI1NkBvcGVuc3NoLmNvbQ
+AAAAhuaXN0cDI1NgAAAEEEROxE1GOrePn4g51SOVbN4wIeKGokPCFqH9h/qN86VXm0H/u6
+jaLEp2Dhg8TdMXnZ1q0nXVo0hR2IbAefbYV0kAAAAARzc2g6AAAABGZpbGUAAAAAAAAABn
+NoYTUxMgAAAHgAAAAic2stZWNkc2Etc2hhMi1uaXN0cDI1NkBvcGVuc3NoLmNvbQAAAEkA
+AAAgHiBNWuPpUEMyt2bz8vn3ehtbaHVPDeyDornotDMuY2AAAAAhAPTzwayZ2djj+Xjplc
++t9+mKd8xZH5teyTyeEtzVlfstBQAAAAg=
+-----END SSH SIGNATURE-----

spec/fixtures/signatures/message.ed25519-256.sig

@@ -0,0 +1,6 @@
+-----BEGIN SSH SIGNATURE-----
+U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgoXgg2XgepEwBr3CQzkHXigy8T8
+uvs69Dvox5fgnGgPMAAAAEZmlsZQAAAAAAAAAGc2hhNTEyAAAAUwAAAAtzc2gtZWQyNTUx
+OQAAAECRxENUPwmbRveDvNFOc36EuyMIa6jXWbCVkEQ2dtORyFAnChmr1kHMFX4B9TQm6U
+ssvYRRUo6ePL5DuAjLP+kD
+-----END SSH SIGNATURE-----

spec/fixtures/signatures/message.ed25519-sk-256.sig

@@ -0,0 +1,7 @@
+-----BEGIN SSH SIGNATURE-----
+U1NIU0lHAAAAAQAAAEoAAAAac2stc3NoLWVkMjU1MTlAb3BlbnNzaC5jb20AAAAguU804q
+Hmw8Q1RUInB19SUii4aBoCwYv3/6pAg12lwVAAAAAEc3NoOgAAAARmaWxlAAAAAAAAAAZz
+aGE1MTIAAABnAAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAQDecacfTcsDHHy
+ijGxCojJhUbT+KMznT868J7BQy/FQPL3adiFTiuhJnOcd7d3fPp7ZGl5IAykn01vHN/qk4
+KwkFAAAABg==
+-----END SSH SIGNATURE-----

spec/fixtures/signatures/message.rsa-2048.sig

@@ -0,0 +1,14 @@
+-----BEGIN SSH SIGNATURE-----
+U1NIU0lHAAAAAQAAARcAAAAHc3NoLXJzYQAAAAMBAAEAAAEBALAgJpJCy7h57ymyD+SwZk
+MhN5QYjXo7eLKRLfIEcKhtaQdbzsXXbJM1K1vxU4L0wpfj1qcwzmbBwAZwnKeWyjOLtMFe
+FBd491SnnDjeGL8UdLE4ny4rK6lJvra0n+2u91/+SVl51aAkSsmffm4InKuve44Bi33rYK
+FtJ5bqOha77HxopBP22JwMJT9pgISxoeL7yvlmj67RJmBmBWi3zP345f2gW3+Q22APy6HZ
+LtEWF3AwalShRecswGqCho4M9eZ2zxkosAs+8KPXWlaflM2cdJXM8D62scmm7Jujc5KZsl
+V2kWgS4sNo+Kqg5otFajJvVGK2Csm2IQJKw1qidysAAAAEZmlsZQAAAAAAAAAGc2hhNTEy
+AAABFAAAAAxyc2Etc2hhMi01MTIAAAEAfIoJi0dM+uHYlQ9wtMy0vc9acZo2EcC/GWeInK
+Rc2IXEn/kyFlR9uiOaHAPzLAbiWefVYHqZbwaL+DBm0rrPmDoZdXbB7W/h/ebQgYWRAnmf
+1PNOkv8554xCnqoaaqqaXHRpDyIQZvTqkaR4I5DmVIDEDZoWIxGpgF8Qvj0CtK+TcubDy7
+DmU7CGFxeZ4bYjc215Ra8D6KhjX4pjhm8gf0eQlCMZwnWy8zFIEceAjyrx3151fe00OTuI
+bO/nP6tYaAD1y5l4uydzkBu5BxHL/sJQKkPVTEuez7ImWdL7FTXlyaq/YipBGt+HW2W0N5
+rlcgCZG4ddB2RtywHZYargJg==
+-----END SSH SIGNATURE-----

spec/fixtures/signatures/rsa-2048.key

@@ -0,0 +1,27 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAQEAsCAmkkLLuHnvKbIP5LBmQyE3lBiNejt4spEt8gRwqG1pB1vOxdds
+kzUrW/FTgvTCl+PWpzDOZsHABnCcp5bKM4u0wV4UF3j3VKecON4YvxR0sTifLisrqUm+tr
+Sf7a73X/5JWXnVoCRKyZ9+bgicq697jgGLfetgoW0nluo6FrvsfGikE/bYnAwlP2mAhLGh
+4vvK+WaPrtEmYGYFaLfM/fjl/aBbf5DbYA/Lodku0RYXcDBqVKFF5yzAaoKGjgz15nbPGS
+iwCz7wo9daVp+UzZx0lczwPraxyabsm6NzkpmyVXaRaBLiw2j4qqDmi0VqMm9UYrYKybYh
+AkrDWqJ3KwAAA7jBNsoEwTbKBAAAAAdzc2gtcnNhAAABAQCwICaSQsu4ee8psg/ksGZDIT
+eUGI16O3iykS3yBHCobWkHW87F12yTNStb8VOC9MKX49anMM5mwcAGcJynlsozi7TBXhQX
+ePdUp5w43hi/FHSxOJ8uKyupSb62tJ/trvdf/klZedWgJErJn35uCJyrr3uOAYt962ChbS
+eW6joWu+x8aKQT9ticDCU/aYCEsaHi+8r5Zo+u0SZgZgVot8z9+OX9oFt/kNtgD8uh2S7R
+FhdwMGpUoUXnLMBqgoaODPXmds8ZKLALPvCj11pWn5TNnHSVzPA+trHJpuybo3OSmbJVdp
+FoEuLDaPiqoOaLRWoyb1RitgrJtiECSsNaoncrAAAAAwEAAQAAAQBptbJQ4QRzIcRZK0V8
+xh9qtTotihsIPT+xNY/1DZMslBaQ0xqlBiplpGj000CDfjJ5hcdlK9cGN83wT5DGyattCr
+IfyT6X5APW7I7IVw1VSorLf6eSx1h6UAfGk1zWBMj29aHCsWx1pLK6lx8EHeki5r1quySl
+HCwwV1qGqujYkU1xr8kxEiiH9mdDE95gMMREVadHUitMnykVshvtA3oow9V+gzid2b58BE
+HL2hIKycNlNyuC7vTouviN80FwyqWlEIhjeAMYGs6svI1SR5f4yZ9vAXjbjXjT7AKnBSx5
+AIovLVQPEarpmIB3TXKzIMK4bpFb6X+cfMRl9+ah3U5pAAAAgFQ2bqjGts5/3cJ64xVsil
+BS5HCgWHhiGWVFxrber4z2zM141TaEDK4pmmrE4wX1QrBcGjMIBFNGT/7+nlMgo6KgSYKc
+7tOE4pdBI2Br0UGyEg1s0A27PO9V0q2iojvJMESWCNcxgKVysbX02uh15EQP2s1y9+TEs8
+3DhopvEpA7AAAAgQDXJuAHyvcDbATV5XpRr9M+cY4Eswahc7fW2z9gV7MbcxpI2XS+KLiX
+IA6eOVKjD3vHH3gJOqDg8jfkSpfE24HozmnjVVv6mQ9DUSfSwEwsZHDSe+ZOp5CGdBv7Vv
+6Y1yJwZiBnmYU96HWSJY6SBMRQbMiQMqCEFmQgl19ww2uMfwAAAIEA0ZB2wLZktLeo64uB
+o/c30jZDZvMRHmfpTTKX23y7n/ZVQAa3U0TakX2qOqOF9FFiGD9QSfiDiRyoQ1ULcDHode
+Jjo8cTwU9KOAqtbwHALYCsl3tyR01RZO3clzAeRKbusd8LEExzHd30cqisCMd8VMYu5/4p
+HnPFlNu+UIQer1UAAAAAAQID
+-----END OPENSSH PRIVATE KEY-----

spec/fixtures/signatures/rsa-2048.key.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwICaSQsu4ee8psg/ksGZDITeUGI16O3iykS3yBHCobWkHW87F12yTNStb8VOC9MKX49anMM5mwcAGcJynlsozi7TBXhQXePdUp5w43hi/FHSxOJ8uKyupSb62tJ/trvdf/klZedWgJErJn35uCJyrr3uOAYt962ChbSeW6joWu+x8aKQT9ticDCU/aYCEsaHi+8r5Zo+u0SZgZgVot8z9+OX9oFt/kNtgD8uh2S7RFhdwMGpUoUXnLMBqgoaODPXmds8ZKLALPvCj11pWn5TNnHSVzPA+trHJpuybo3OSmbJVdpFoEuLDaPiqoOaLRWoyb1RitgrJtiECSsNaoncr 

spec/fixtures/skecdsa_ca

@@ -0,0 +1,10 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAfwAAACJzay1lY2
+RzYS1zaGEyLW5pc3RwMjU2QG9wZW5zc2guY29tAAAACG5pc3RwMjU2AAAAQQSq1e4+3xiV
++8J31I26lSu/RFyqx5RvMWSI0S22tIJm4PUooO4OW5T+Di3/jZgko9uwFzr/zDZTy6uWyD
+Qhk9G8AAAABHNzaDoAAADoeklfLnpJXy4AAAAic2stZWNkc2Etc2hhMi1uaXN0cDI1NkBv
+cGVuc3NoLmNvbQAAAAhuaXN0cDI1NgAAAEEEqtXuPt8YlfvCd9SNupUrv0RcqseUbzFkiN
+EttrSCZuD1KKDuDluU/g4t/42YJKPbsBc6/8w2U8urlsg0IZPRvAAAAARzc2g6AQAAAECE
+3HUalOjXfOTrfIRFnJIzVmj1Oq1o5vaGZdevL12Ue8oy01QAMvDLhu7tenBtwzXb65N6aH
+n21rJShWK/Nc6EAAAAAAAAABN2Y3Nqb25lc0BLZXZpbnMtTUJQAQ==
+-----END OPENSSH PRIVATE KEY-----

spec/fixtures/skecdsa_ca.pub

@@ -0,0 +1 @@
+sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBKrV7j7fGJX7wnfUjbqVK79EXKrHlG8xZIjRLba0gmbg9Sig7g5blP4OLf+NmCSj27AXOv/MNlPLq5bINCGT0bwAAAAEc3NoOg== vcsjones@Kevins-MBP

spec/fixtures/sked25519_ca

@@ -0,0 +1,10 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAASgAAABpzay1zc2
+gtZWQyNTUxOUBvcGVuc3NoLmNvbQAAACAdGSyAfB35x92DVqxGxRKs27JpPioJZxuX5O09
+YJG23AAAAARzc2g6AAAA+DJHBAkyRwQJAAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY2
+9tAAAAIB0ZLIB8HfnH3YNWrEbFEqzbsmk+KglnG5fk7T1gkbbcAAAABHNzaDoBAAAAgDKR
+R3sjWdfZ4HVt6ZDoCzSuoF24bmrztloIUdysTpc/LQWjeH/fS5ob6glvnSNVF+ilFd2nct
+hvUvDSemVXYBVc54je/gsTzTCRpnQ/557G3ABOXCYvH/C3w0D8Ogkh2e7JTrpYIJjkurlG
+Ctg2SteEN1Mms/5fQXmK0nwW3rB1AAAAAAAAABN2Y3Nqb25lc0BLZXZpbnMtTUJQAQIDBA
+UG
+-----END OPENSSH PRIVATE KEY-----

spec/fixtures/sked25519_ca.pub

@@ -0,0 +1 @@
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB0ZLIB8HfnH3YNWrEbFEqzbsmk+KglnG5fk7T1gkbbcAAAABHNzaDo= vcsjones@Kevins-MBP

spec/public_key/skecdsa_spec.rb

@@ -109,10 +109,6 @@ describe SSHData::PublicKey::SKECDSA do
         expect(round_tripped).to eq(openssl_sig)
       end
 
-      it "can not verify signatures" do
-        expect { subject.verify(msg, sig) }.to raise_error(SSHData::UnsupportedError)
-      end
-
       it "blows up parsing malformed keys" do
         malformed = [algo, Base64.strict_encode64([
           SSHData::Encoding.encode_string(algo),

spec/public_key/sked25519_spec.rb

@@ -57,10 +57,6 @@ describe SSHData::PublicKey::SKED25519 do
     expect(subject.ed25519_key.to_bytes).to eq(verify_key.to_bytes)
   end
 
-  it "can not verify signatures" do
-    expect { subject.verify(msg, sig) }.to raise_error(SSHData::UnsupportedError)
-  end
-
   it "can be rencoded" do
     expect(openssh_key.rfc4253).to eq(fixture("sked25519_leaf_for_rsa_ca.pub", binary: true))
   end

spec/signature_spec.rb

@@ -0,0 +1,81 @@
+require_relative "./spec_helper"
+
+describe SSHData::Signature do
+  describe "end to end" do
+    it "can verify an Ed25519-SK git signature" do
+      message= "tree ed9f16d32a89e48289d9d4becc4ff47cbd11f58c\nparent 7c6364502eceecc87b276d8b49d8eb0ae96fd9e3\nauthor Kevin Jones <octocat@github.com> 1638815753 -0500\ncommitter Kevin Jones <octocat@github.com> 1638815828 -0500\n\ntest\n"
+      signature = <<~SIG
+      -----BEGIN SSH SIGNATURE-----
+      U1NIU0lHAAAAAQAAAEoAAAAac2stc3NoLWVkMjU1MTlAb3BlbnNzaC5jb20AAAAgnXUo8l
+      URoToCMzr+Rxeia/9yy+Rn+VwTTOqXdIgf7TUAAAAEc3NoOgAAAANnaXQAAAAAAAAABnNo
+      YTUxMgAAAGcAAAAac2stc3NoLWVkMjU1MTlAb3BlbnNzaC5jb20AAABAud+P+aC7yCEcgy
+      smyAyN5iokI0T+dKuhl7Ml7XB/wPBlefSamMXoHE7k3BbAXBNXJQH0TtHo/aX0gZxLy44D
+      DgUAAAAG
+      -----END SSH SIGNATURE-----
+      SIG
+
+      subject = described_class.parse_pem(signature)
+      expect(subject.verify(message)).to be(true)
+    end
+
+    it "can verify an RSA git signature" do
+      message = "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\nparent 339ca5fd2a41e29236ea793772308bb054b9d81b\nauthor Kevin Jones <vcsjones@github.com> 1637774236 -0500\ncommitter Kevin Jones <vcsjones@github.com> 1637774236 -0500\n\nWHAT\n"
+      signature = <<~SIG
+        -----BEGIN SSH SIGNATURE-----
+        U1NIU0lHAAAAAQAAAZcAAAAHc3NoLXJzYQAAAAMBAAEAAAGBANEwkDjsYE02vY+bTFXAL9
+        xaGDFRwpAYutfhl7eL1Qn6dziGnokqMz1FnwPbRkPUOtdwXbojK0W45DS8rODLhvwyEJjj
+        sY2L9pKX/6hKDgb1RjtNAv57OHnfW3qyZWM/Nyd5js9K+43JN1ECoWCTVqtAaJcyfNXY8Y
+        FeR6x5ARkBZf+tgPA2+xIdmDf0jxyZ+hr6LRnE6/N9WsrCURnwx3u8XE8kusudBXDD4XKp
+        F/AqptHwi6OML+9kRQmyXXYs1dvPaJi4TGAGlPPD7mQaWT9fsKXJZa3jl6ckzq6D7SDDPh
+        CF2e/ZpzIJuusMQrx2snhKgKYh+G4WS/FpLcan+HG+/bv91lzNBXufJSLs5oo0B13L6ZaK
+        CJMkzG4zo/evDiomkXv9Fg8f2bIw2Ayh56Cd4Dcc2MYfziG3yLiVQrDu2eCTuILYzYdcFw
+        hzxkS8V6Ep+9U4ct0Zt+hTpyloSnQ7AEX/FKHAT7xdQxVoYaY7cVRyOWMROQ6ArxiNbPnk
+        JQAAAANnaXQAAAAAAAAABnNoYTUxMgAAAZQAAAAMcnNhLXNoYTItNTEyAAABgKE+f+H3D1
+        +kgPGi1TulPivysng0PIUthoVHSpJ5OKd2VrbdiH5B/XK1DmhpxCFVy6WAKD/x7a6Qpjd2
+        VSVsKdtJeBLfniTWB/LJQD/5miEVBG10F9V5EaEl4uRiQrTTGEAznBg3k0yIUVBdWWjoJh
+        5dLw+NQNWf9yw+/hNbtcCjkMeeZLvLwZNhsFxhRiIi5cy5m6O/eSSekaXe4sj0HxmuSIwh
+        8bFRlU+JQwmJ5P1tsnyhwaSSs5qnJ0MXiDeLD5MOt9PGDJhnNarMqYkA61slhhq1XkQu1E
+        FXdurNLkKaTpViSlFXqjFGXgoyB8yWB9DuqoZm69xGtCh1TmKkyE3M2R6hqXTqc90Szkxr
+        POr3R0OsJrYu1VOc//AKz7AHp1DGHOTNZkpfYVzm76wrkPS9LMVieZkelcr75/az+w6kev
+        qi1HNSYwD+pWej8+oCw6jri/ulGHDYyARR4ZSIR2AgBP5QZ0B0aLNr5F9ufbJvkGEpUvQH
+        rfqicASU/vCBEQ==
+        -----END SSH SIGNATURE-----
+      SIG
+
+      subject = described_class.parse_pem(signature)
+      expect(subject.verify(message)).to be(true)
+    end
+  end
+
+  describe "#verify" do
+
+    Dir["spec/fixtures/signatures/message.*.sig"].each do |path|
+      name = File.basename(path)
+
+      describe name do
+        let(:signature) { File.read(path) }
+        let(:data) { File.read("spec/fixtures/signatures/message") }
+
+        it "verifies with data" do
+          subject = described_class.parse_pem(signature)
+          expect(subject.verify(data)).to be(true)
+        end
+
+        it "does not verify with tampered data" do
+          bad_data = data + "bad"
+          subject = described_class.parse_pem(signature)
+          expect(subject.verify(bad_data)).to be(false)
+        end
+
+        it "parses correctly" do
+          subject = described_class.parse_pem(signature)
+          expect(subject.sigversion).to eq(1)
+          expect(subject.namespace).to eq("file")
+          expect(subject.reserved).to be_empty
+          expect(subject.hashalgorithm).to eq("sha512")
+        end
+      end
+    end
+
+  end
+end