openssh_cert - adding signature_algorithm option (#277)

* Initial Commit * Update supported OpenSSH versions for RSA SHA-2 signed certs * Updating 'regenerate' documentation
2026-05-06 05:12:54 +00:00 · 2021-09-15 02:53:53 -04:00
parent 8521c96e8a
commit eea7bfc6bf
5 changed files with 113 additions and 4 deletions
--- a/plugins/module_utils/openssh/backends/common.py
+++ b/plugins/module_utils/openssh/backends/common.py
@@ -160,7 +160,8 @@ class KeygenCommand(object):
        self._run_command = module.run_command

    def generate_certificate(self, certificate_path, identifier, options, pkcs11_provider, principals,
-                             serial_number, signing_key_path, type, time_parameters, use_agent, **kwargs):
+                             serial_number, signature_algorithm, signing_key_path, type,
+                             time_parameters, use_agent, **kwargs):
        args = [self._bin_path, '-s', signing_key_path, '-P', '', '-I', identifier]

        if options:
@@ -178,6 +179,8 @@ class KeygenCommand(object):
            args.extend(['-U'])
        if time_parameters.validity_string:
            args.extend(['-V', time_parameters.validity_string])
+        if signature_algorithm:
+            args.extend(['-t', signature_algorithm])
        args.append(certificate_path)

        return self._run_command(args, **kwargs)
--- a/plugins/module_utils/openssh/certificate.py
+++ b/plugins/module_utils/openssh/certificate.py
@@ -555,6 +555,11 @@ class OpensshCertificate(object):
    def signing_key(self):
        return to_text(self._cert_info.signing_key_fingerprint())

+    @property
+    def signature_type(self):
+        signature_data = OpensshParser.signature_data(self.signature)
+        return to_text(signature_data['signature_type'])
+
    @staticmethod
    def _parse_cert_info(pub_key_type, parser):
        cert_info = get_cert_info_object(pub_key_type)
--- a/plugins/module_utils/openssh/utils.py
+++ b/plugins/module_utils/openssh/utils.py
@@ -201,8 +201,9 @@ class OpensshParser(object):
        signature_blob = parser.string()

        blob_parser = cls(signature_blob)
-        if signature_type == b'ssh-rsa':
+        if signature_type in (b'ssh-rsa', b'rsa-sha2-256', b'rsa-sha2-512'):
            # https://datatracker.ietf.org/doc/html/rfc4253#section-6.6
+            # https://datatracker.ietf.org/doc/html/rfc8332#section-3
            signature_data['s'] = cls._big_int(signature_blob, "big")
        elif signature_type == b'ssh-dss':
            # https://datatracker.ietf.org/doc/html/rfc4253#section-6.6