Host SSH key primitives shared by agent enrollment, CP enroll/renew, and
mint_token. Kept pure-rust (no ssh-key dep) so the boundary-contract crate
stays lean - the canonical bridge from “OpenSSH host key bytes on disk” to
“rcgen-usable keypair” and bootstrap-token fingerprints.
Enums

Functions
- ed25519_pkcs8_der_from_seed - Wrap a 32-byte ed25519 seed in PKCS#8 v1 DER (RFC 8410, OID 1.3.101.112). The 16-byte prefix is the fixed PKCS#8 envelope for an ed25519 seed: SEQUENCE(46) { INTEGER(0); SEQUENCE { OID 1.3.101.112 }; OCTET STRING(34) { OCTET STRING(32) <seed> } }.
- ed25519_pkcs8_pem_from_seed - PEM-armoured form of ed25519_pkcs8_der_from_seed, for callers that need to hand a string to rcgen::KeyPair::from_pem.
- ed25519_pubkey_raw_from_openssh - Parse a 32-byte ed25519 raw public key from an OpenSSH-format pubkey line ("ssh-ed25519 <base64> [comment]"). Errors when the line isn't ed25519, the base64 doesn't decode, or the inner SSH wire format (RFC 4253 §6.6: string "ssh-ed25519" || string <32-byte pubkey>) is malformed.
- ed25519_pubkey_raw_from_spki_der - Extract the 32-byte raw ed25519 pubkey from a SubjectPublicKeyInfo DER blob (RFC 8410; what rcgen::PublicKeyData::der_bytes() returns). Validates the fixed 12-byte SPKI prefix so callers reject non-ed25519 CSRs cleanly instead of silently slicing.
- fingerprint_openssh_pubkey - base64(SHA-256(raw_pubkey)), the same shape as the bootstrap-token's expected_pubkey_fingerprint field. Accepts an OpenSSH pubkey line directly so callers don't double-parse.
- read_ssh_string 🔒
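An added example (not the boundary-contract crate's own code) of the two fixed DER envelopes and the RFC 4253 §6.6 string parse described above, in pure Rust with no external crates. It assumes the OpenSSH line has already been base64-decoded (the module's ed25519_pubkey_raw_from_openssh does that step itself); ed25519_pubkey_raw_from_ssh_wire is a name chosen here, and errors are plain Strings.

```rust
// Added example, not the crate's code. Assumes the caller has already
// base64-decoded the OpenSSH line; the prefixes are the fixed RFC 8410 encodings.
// PKCS#8 v1: SEQUENCE(46){INTEGER 0; SEQUENCE{OID 1.3.101.112}; OCTET STRING(34){OCTET STRING(32) seed}}
const PKCS8_PREFIX: [u8; 16] = [0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06,
                                0x03, 0x2b, 0x65, 0x70, 0x04, 0x22, 0x04, 0x20];
// SPKI: SEQUENCE(42){SEQUENCE{OID 1.3.101.112}; BIT STRING(33){0 unused bits, 32-byte key}}
const SPKI_PREFIX: [u8; 12] = [0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
                               0x70, 0x03, 0x21, 0x00];

pub fn ed25519_pkcs8_der_from_seed(seed: &[u8; 32]) -> Vec<u8> {
    let mut out = Vec::with_capacity(48);
    out.extend_from_slice(&PKCS8_PREFIX);
    out.extend_from_slice(seed);
    out
}

/// Strict check: anything but a 44-byte ed25519 SPKI is an error, never a slice.
pub fn ed25519_pubkey_raw_from_spki_der(der: &[u8]) -> Result<[u8; 32], String> {
    if der.len() != 44 || &der[..12] != &SPKI_PREFIX[..] {
        return Err("not an ed25519 SubjectPublicKeyInfo".into());
    }
    let mut key = [0u8; 32];
    key.copy_from_slice(&der[12..]);
    Ok(key)
}

/// RFC 4253 §6.6 `string`: uint32 big-endian length followed by that many bytes.
fn read_ssh_string<'a>(buf: &'a [u8], pos: &mut usize) -> Result<&'a [u8], String> {
    let hdr = buf.get(*pos..*pos + 4).ok_or("truncated length field")?;
    let len = u32::from_be_bytes([hdr[0], hdr[1], hdr[2], hdr[3]]) as usize;
    let start = *pos + 4;
    let end = start.checked_add(len).ok_or("length overflow")?;
    let s = buf.get(start..end).ok_or("truncated string body")?;
    *pos = end;
    Ok(s)
}

/// Decoded blob must be exactly: string "ssh-ed25519" || string <32 bytes>.
pub fn ed25519_pubkey_raw_from_ssh_wire(blob: &[u8]) -> Result<[u8; 32], String> {
    let mut pos = 0;
    if read_ssh_string(blob, &mut pos)? != b"ssh-ed25519" {
        return Err("key type is not ssh-ed25519".into());
    }
    let raw = read_ssh_string(blob, &mut pos)?;
    if raw.len() != 32 || pos != blob.len() {
        return Err("malformed ed25519 key blob (bad length or trailing bytes)".into());
    }
    let mut key = [0u8; 32];
    key.copy_from_slice(raw);
    Ok(key)
}
```

Both parsers compare total lengths, so an ssh-rsa blob, a truncated buffer, or trailing bytes after the key are rejected rather than silently sliced.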