2023-04-13
OpenSSH's (signed) certificates are not TLS X.509 certificates
Recently I wrote about learning about the extra hazards of mutual TLS in web server programs, where the extra hazard is that your Apache or other web server program must now parse TLS X.509 certificates and understand ASN.1 encoding and so on, which is a lot of code that it probably doesn't currently run. When writing that entry, it occurred to me to wonder if (Open)SSH had the same problem, since OpenSSH supports user authentication through signed certificates (instead of personal keypairs). It turns out that the answer is no.
(I found out the answer more or less without looking for it, because Matthew Garrett mentioned this in We need better support for SSH host certificates, written in the wake of GitHub exposing their RSA private key.)
The specifics are covered in PROTOCOL.certkeys, and the important quote is:
[...] The certificates used are not traditional X.509 certificates, with numerous options and complex encoding rules, but something rather more minimal: a key, some identity information and usage options that have been signed with some other trusted key.
The certificate format reuses the encoding scheme from the SSH protocol, as covered in RFC 4251 section 5. This isn't just clever code reuse; since all of these encodings are used in the protocol itself, handling all of them is already security-critical in an SSH server, and having to parse them in the context of certificates should add minimal new attack surface.
(The actual certificates themselves are just a set of fields in a fixed order; each field uses an already defined encoding from RFC 4251.)
One simplification over X.509 certificates is that OpenSSH doesn't support certificate chains. Your SSH certificate is signed directly by some key, and the OpenSSH server either trusts that key or it doesn't. This simplifies the life of the OpenSSH server at relatively low cost for SSH client certificates, since you probably already want to be able to distribute new SSH Certificate Authority keys to all of your servers.
(Where it hurts more is for SSH host certificates, where a change in your CA key will require all your clients to update their copy of it.)
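As an added illustration of the two points above (the fixed field order built from RFC 4251 types, and the chain-free trust decision), here is a small Python encoder and bounds-checked decoder for an ed25519 OpenSSH certificate; it is not code from the original entry or from OpenSSH. The certificate, key and signature bytes are constructed placeholders, and the signature itself is not verified.

```python
import struct
# RFC 4251 section 5 encoders; every field of an OpenSSH certificate is one of these types.
def enc_string(b: bytes) -> bytes: return struct.pack(">I", len(b)) + b
def enc_uint32(n: int) -> bytes: return struct.pack(">I", n)
def enc_uint64(n: int) -> bytes: return struct.pack(">Q", n)

class Reader:
    # Bounds-checked decoder for the same RFC 4251 types.
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated field")   # length prefix runs past the end of the blob
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk
    def uint32(self) -> int: return struct.unpack(">I", self.take(4))[0]
    def uint64(self) -> int: return struct.unpack(">Q", self.take(8))[0]
    def string(self) -> bytes: return self.take(self.uint32())

# Field order of an ssh-ed25519-cert-v01@openssh.com certificate, per PROTOCOL.certkeys.
FIELDS = [("type", "string"), ("nonce", "string"), ("pk", "string"), ("serial", "uint64"),
          ("cert_type", "uint32"), ("key_id", "string"), ("principals", "string"),
          ("valid_after", "uint64"), ("valid_before", "uint64"), ("critical_options", "string"),
          ("extensions", "string"), ("reserved", "string"), ("signature_key", "string"),
          ("signature", "string")]

def parse_cert(blob: bytes) -> dict:
    r = Reader(blob)
    cert = {name: getattr(r, kind)() for name, kind in FIELDS}
    if r.pos != len(blob):
        raise ValueError("trailing bytes after certificate")
    p, cert["principals"] = Reader(cert["principals"]), []   # packed list of RFC 4251 strings
    while p.pos < len(p.data):
        cert["principals"].append(p.string())
    return cert

def signed_by_trusted_ca(cert: dict, trusted_ca_keys: set) -> bool:
    # No chain to walk: the embedded signature key is a trusted CA key or it is not.
    return cert["signature_key"] in trusted_ca_keys

def build_sample_cert() -> bytes:
    # Constructed sample: keys and signature are placeholder bytes, not real key material.
    ca_key = enc_string(b"ssh-ed25519") + enc_string(b"\x22" * 32)
    principals = enc_string(b"alice") + enc_string(b"admin")
    return (enc_string(b"ssh-ed25519-cert-v01@openssh.com") + enc_string(b"\x00" * 32)
            + enc_string(b"\x11" * 32) + enc_uint64(42) + enc_uint32(1)   # cert_type 1 = user
            + enc_string(b"alice@example") + enc_string(principals)
            + enc_uint64(0) + enc_uint64(2**64 - 1)                       # validity window
            + enc_string(b"") * 3                                         # options/extensions/reserved
            + enc_string(ca_key) + enc_string(b"placeholder-signature"))
```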