upstream: sshsig: lightweight signature and verification ability

for OpenSSH

This adds a simple manual signature scheme to OpenSSH.
Signatures can be made and verified using ssh-keygen -Y sign|verify

Signatures embed the key used to make them. At verification time, this
is matched via principal name against an authorized_keys-like list
of allowed signers.

Mostly by Sebastian Kinne w/ some tweaks by me

ok markus@

OpenBSD-Commit-ID: 2ab568e7114c933346616392579d72be65a4b8fb

6 files changed, 1407 insertions, 7 deletions

diff --git a/Makefile.in b/Makefile.in
index c923c6ce..8d949509 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -184,7 +184,7 @@ ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
 ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
 	$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
-ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
+ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o sshsig.o
 	$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
 ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o compat.o
diff --git a/PROTOCOL.sshsig b/PROTOCOL.sshsig
new file mode 100644
index 00000000..806c35da
--- /dev/null
+++ b/PROTOCOL.sshsig
@@ -0,0 +1,99 @@
+This document describes a lightweight SSH Signature format
+that is compatible with SSH keys and wire formats.
+
+At present, only detached and armored signatures are supported.
+
+1. Armored format
+
+The Armored SSH signatures consist of a header, a base64
+encoded blob, and a footer.
+
+The header is the string “-----BEGIN SSH SIGNATURE-----”
+followed by a newline. The footer is the string
+“-----END SSH SIGNATURE-----” immediately after a newline.
+
+The header MUST be present at the start of every signature.
+Files containing the signature MUST start with the header.
+Likewise, the footer MUST be present at the end of every
+signature.
+
+The base64 encoded blob SHOULD be broken up by newlines
+every 76 characters.
+
+Example:
+
+-----BEGIN SSH SIGNATURE-----
+U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgJKxoLBJBivUPNTUJUSslQTt2hD
+jozKvHarKeN8uYFqgAAAADZm9vAAAAAAAAAFMAAAALc3NoLWVkMjU1MTkAAABAKNC4IEbt
+Tq0Fb56xhtuE1/lK9H9RZJfON4o6hE9R4ZGFX98gy0+fFJ/1d2/RxnZky0Y7GojwrZkrHT
+FgCqVWAQ==
+-----END SSH SIGNATURE-----
+
+2. Blob format
+
+#define MAGIC_PREAMBLE "SSHSIG"
+#define SIG_VERSION    0x01
+
+        byte[6]   MAGIC_PREAMBLE
+        uint32    SIG_VERSION
+        string    publickey
+        string    namespace
+        string    reserved
+        string    hash_algorithm
+        string    signature
+
+The publickey field MUST contain the serialisation of the
+public key used to make the signature using the usual SSH
+encoding rules, i.e RFC4253, RFC5656,
+draft-ietf-curdle-ssh-ed25519-ed448, etc.
+
+Verifiers MUST reject signatures with versions greater than those
+they support.
+
+The purpose of the namespace value is to specify a unambiguous
+interpretation domain for the signature, e.g. file signing.
+This prevents cross-protocol attacks caused by signatures
+intended for one intended domain being accepted in another.
+The namespace value MUST NOT be the empty string.
+
+The reserved value is present to encode future information
+(e.g. tags) into the signature. Implementations should ignore
+the reserved field if it is not empty.
+
+Data to be signed is first hashed with the specified hash_algorithm.
+This is done to limit the amount of data presented to the signature
+operation, which may be of concern if the signing key is held in limited
+or slow hardware or on a remote ssh-agent. The supported hash algorithms
+are "sha256" and "sha512".
+
+The signature itself is made using the SSH signature algorithm and
+encoding rules for the chosen key type. For RSA signatures, the
+signature algorithm must be "rsa-sha2-512" or "rsa-sha2-256" (i.e.
+not the legacy RSA-SHA1 "ssh-rsa").
+
+This blob is encoded as a string using the RFC4243 encoding
+rules and base64 encoded to form the middle part of the
+armored signature.
+
+
+3. Signed Data, of which the signature goes into the blob above
+
+#define MAGIC_PREAMBLE "SSHSIG"
+
+        byte[6]   MAGIC_PREAMBLE
+        string    namespace
+        string    reserved
+        string    hash_algorithm
+        string    H(message)
+
+The preamble is the six-byte sequence "SSHSIG". It is included to
+ensure that manual signatures can never be confused with any message
+signed during SSH user or host authentication.
+
+The reserved value is present to encode future information
+(e.g. tags) into the signature. Implementations should ignore
+the reserved field if it is not empty.
+
+The data is concatenated and passed to the SSH signing
+function.
+
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index b4bc336f..93c76ef8 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-keygen.1,v 1.162 2019/07/19 03:38:01 djm Exp $
+.\"	$OpenBSD: ssh-keygen.1,v 1.163 2019/09/03 08:34:19 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 19 2019 $
+.Dd $Mdocdate: September 3 2019 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -141,6 +141,18 @@
 .Fl Q
 .Fl f Ar krl_file
 .Ar
+.Nm ssh-keygen
+.Fl Y Cm sign
+.Fl f Ar key_file
+.Fl n Ar namespace
+.Ar
+.Nm ssh-keygen
+.Fl Y Cm verify
+.Fl I Ar signer_identity
+.Fl f Ar allowed_keys_file
+.Fl n Ar namespace
+.Fl s Ar signature_file
+.Op Fl r Ar revocation_file
 .Ek
 .Sh DESCRIPTION
 .Nm
@@ -649,6 +661,62 @@ Specify desired generator when testing candidate moduli for DH-GEX.
 .It Fl y
 This option will read a private
 OpenSSH format file and print an OpenSSH public key to stdout.
+.It Fl Y Ar sign
+Cryptographically sign a file or some data using a SSH key.
+When signing,
+.Nm
+accepts zero or more files to sign on the command-line - if no files
+are specified then
+.Nm
+will sign data presented on standard input.
+Signatures are written to the path of the input file with
+.Dq .sig
+appended, or to standard output if the message to be signed was read from
+standard input.
+.Pp
+The key used for signing is specified using the
+.Fl f
+option and may refer to either a private key, or a public key with the private
+half available via
+.Xr ssh-agent 1 .
+An additional signature namespace, used to prevent signature confusion across
+different domains of use (e.g. file signing vs email signing) must be provided
+via the
+.Fl n
+flag.
+Namespaces are arbitrary strings, and may include:
+.Dq file
+for file signing,
+.Dq email
+for email signing.
+For custom uses, it is recommended to use names following a
+NAMESPACE@YOUR.DOMAIN pattern to generate unambiguous namespaces.
+.It Fl Y Ar verify
+Request to verify a signature generated using
+.Nm
+.Fl Y sign
+as described above.
+When verifying a signature,
+.Nm
+accepts a message on standard input and a signature namespace using
+.Fl n .
+A file containing the corresponding signature must also be supplied using the
+.Fl s
+flag, along with the identity of the signer using
+.Fl I
+and a list of allowed signers via the
+.Fl f
+flag.
+The format of the allowed signers file is documented in the
+.Sx ALLOWED SIGNERS
+section below.
+A file containing revoked keys can be passed using the
+.Fl r
+flag. The revocation file may be a KRL or a one-per-line list
+of public keys.
+Successful verification by an authorized signer is signalled by
+.Nm
+returning a zero exit status.
 .It Fl z Ar serial_number
 Specifies a serial number to be embedded in the certificate to distinguish
 this certificate from others from the same CA.
@@ -885,6 +953,57 @@ then
 .Nm
 will exit with a non-zero exit status.
 A zero exit status will only be returned if no key was revoked.
+.Sh ALLOWED SIGNERS
+When verifying signatures,
+.Nm
+uses a simple list of identities and keys to determine whether a signature
+comes from an authorized source.
+This "allowed signers" file uses a format patterned after the
+AUTHORIZED_KEYS FILE FORMAT described in
+.Xr sshd(8) .
+Each line of the file contains the following space-separated fields:
+principals, options, keytype, base64-encoded key.
+Empty lines and lines starting with a
+.Ql #
+are ignored as comments.
+.Pp
+The principals field is a pattern-list (See PATTERNS in
+.Xr ssh_config 5 )
+consisting of one or more comma-separated USER@DOMAIN identity patterns
+that are accepted for signing.
+When verifying, the identity presented via the
+.Fl I option
+must match a principals pattern in order for the corresponding key to be
+considered acceptable for verification.
+.Pp
+The options (if present) consist of comma-separated option specifications.
+No spaces are permitted, except within double quotes.
+The following option specifications are supported (note that option keywords
+are case-insensitive):
+.Bl -tag -width Ds
+.It Cm cert-authority
+Indicates that this key is accepted as a certificate authority (CA) and
+that certificates signed by this CA may be accepted for verification.
+.It Cm namespaces="namespace-list"
+Specifies a pattern-list of namespaces that are accepted for this key.
+If this option is present, the the signature namespace embedded in the
+signature object and presented on the verification command-line must
+match the specified list before the key will be considered acceptable.
+.El
+.Pp
+When verifying signatures made by certificates, the expected principal
+name must match both the principals pattern in the allowed signers file and
+the principals embedded in the certificate itself.
+.Pp
+An example allowed signers file:
+.Bd -literal -offset 3n
+# Comments allowed at start of line
+user1@example.com,user2@example.com ssh-rsa AAAAX1...
+# A certificate authority, trusted for all principals in a domain.
+*@example.com cert-authority ssh-ed25519 AAAB4...
+# A key that is accepted only for file signing.
+user2@example.com namespaces="file" ssh-ed25519 AAA41...
+.Ed
 .Sh FILES
 .Bl -tag -width Ds -compact
 .It Pa ~/.ssh/id_dsa
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 3c32513b..76bc41b2 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.343 2019/09/03 08:27:52 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.344 2019/09/03 08:34:19 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -59,6 +59,7 @@
 #include "digest.h"
 #include "utf8.h"
 #include "authfd.h"
+#include "sshsig.h"
 
 #ifdef WITH_OPENSSL
 # define DEFAULT_KEY_TYPE_NAME "rsa"
@@ -2422,6 +2423,279 @@ do_check_krl(struct passwd *pw, int argc, char **argv)
 	exit(ret);
 }
 
+static struct sshkey *
+load_sign_key(const char *keypath, const struct sshkey *pubkey)
+{
+	size_t i, slen, plen = strlen(keypath);
+	char *privpath = xstrdup(keypath);
+	const char *suffixes[] = { "-cert.pub", ".pub", NULL };
+	struct sshkey *ret = NULL, *privkey = NULL;
+	int r;
+
+	/*
+	 * If passed a public key filename, then try to locate the correponding
+	 * private key. This lets us specify certificates on the command-line
+	 * and have ssh-keygen find the appropriate private key.
+	 */
+	for (i = 0; suffixes[i]; i++) {
+		slen = strlen(suffixes[i]);
+		if (plen <= slen ||
+		    strcmp(privpath + plen - slen, suffixes[i]) != 0)
+			continue;
+		privpath[plen - slen] = '\0';
+		debug("%s: %s looks like a public key, using private key "
+		    "path %s instead", __func__, keypath, privpath);
+	}
+	if ((privkey = load_identity(privpath, NULL)) == NULL) {
+		error("Couldn't load identity %s", keypath);
+		goto done;
+	}
+	if (!sshkey_equal_public(pubkey, privkey)) {
+		error("Public key %s doesn't match private %s",
+		    keypath, privpath);
+		goto done;
+	}
+	if (sshkey_is_cert(pubkey) && !sshkey_is_cert(privkey)) {
+		/*
+		 * Graft the certificate onto the private key to make
+		 * it capable of signing.
+		 */
+		if ((r = sshkey_to_certified(privkey)) != 0) {
+			error("%s: sshkey_to_certified: %s", __func__,
+			    ssh_err(r));
+			goto done;
+		}
+		if ((r = sshkey_cert_copy(pubkey, privkey)) != 0) {
+			error("%s: sshkey_cert_copy: %s", __func__, ssh_err(r));
+			goto done;
+		}
+	}
+	/* success */
+	ret = privkey;
+	privkey = NULL;
+ done:
+	sshkey_free(privkey);
+	free(privpath);
+	return ret;
+}
+
+static int
+sign_one(struct sshkey *signkey, const char *filename, int fd,
+    const char *sig_namespace, sshsig_signer *signer, void *signer_ctx)
+{
+	struct sshbuf *sigbuf = NULL, *abuf = NULL;
+	int r = SSH_ERR_INTERNAL_ERROR, wfd = -1, oerrno;
+	char *wfile = NULL;
+	char *asig = NULL;
+
+	if (!quiet) {
+		if (fd == STDIN_FILENO)
+			fprintf(stderr, "Signing data on standard input\n");
+		else
+			fprintf(stderr, "Signing file %s\n", filename);
+	}
+	if ((r = sshsig_sign_fd(signkey, NULL, fd, sig_namespace,
+	    &sigbuf, signer, signer_ctx)) != 0) {
+		error("Signing %s failed: %s", filename, ssh_err(r));
+		goto out;
+	}
+	if ((r = sshsig_armor(sigbuf, &abuf)) != 0) {
+		error("%s: sshsig_armor: %s", __func__, ssh_err(r));
+		goto out;
+	}
+	if ((asig = sshbuf_dup_string(abuf)) == NULL) {
+		error("%s: buffer error", __func__);
+		r = SSH_ERR_ALLOC_FAIL;
+		goto out;
+	}
+
+	if (fd == STDIN_FILENO) {
+		fputs(asig, stdout);
+		fflush(stdout);
+	} else {
+		xasprintf(&wfile, "%s.sig", filename);
+		if (confirm_overwrite(wfile)) {
+			if ((wfd = open(wfile, O_WRONLY|O_CREAT|O_TRUNC,
+			    0666)) == -1) {
+				oerrno = errno;
+				error("Cannot open %s: %s",
+				    wfile, strerror(errno));
+				errno = oerrno;
+				r = SSH_ERR_SYSTEM_ERROR;
+				goto out;
+			}
+			if (atomicio(vwrite, wfd, asig,
+			    strlen(asig)) != strlen(asig)) {
+				oerrno = errno;
+				error("Cannot write to %s: %s",
+				    wfile, strerror(errno));
+				errno = oerrno;
+				r = SSH_ERR_SYSTEM_ERROR;
+				goto out;
+			}
+			if (!quiet) {
+				fprintf(stderr, "Write signature to %s\n",
+				    wfile);
+			}
+		}
+	}
+	/* success */
+	r = 0;
+ out:
+	free(wfile);
+	free(asig);
+	sshbuf_free(abuf);
+	sshbuf_free(sigbuf);
+	if (wfd != -1)
+		close(wfd);
+	return r;
+}
+
+static int
+sign(const char *keypath, const char *sig_namespace, int argc, char **argv)
+{
+	int i, fd = -1, r, ret = -1;
+	int agent_fd = -1;
+	struct sshkey *pubkey = NULL, *privkey = NULL, *signkey = NULL;
+	sshsig_signer *signer = NULL;
+
+	/* Check file arguments. */
+	for (i = 0; i < argc; i++) {
+		if (strcmp(argv[i], "-") != 0)
+			continue;
+		if (i > 0 || argc > 1)
+			fatal("Cannot sign mix of paths and standard input");
+	}
+
+	if ((r = sshkey_load_public(keypath, &pubkey, NULL)) != 0) {
+		error("Couldn't load public key %s: %s", keypath, ssh_err(r));
+		goto done;
+	}
+
+	if ((r = ssh_get_authentication_socket(&agent_fd)) != 0)
+		debug("Couldn't get agent socket: %s", ssh_err(r));
+	else {
+		if ((r = ssh_agent_has_key(agent_fd, pubkey)) == 0)
+			signer = agent_signer;
+		else
+			debug("Couldn't find key in agent: %s", ssh_err(r));
+	}
+
+	if (signer == NULL) {
+		/* Not using agent - try to load private key */
+		if ((privkey = load_sign_key(keypath, pubkey)) == NULL)
+			goto done;
+		signkey = privkey;
+	} else {
+		/* Will use key in agent */
+		signkey = pubkey;
+	}
+
+	if (argc == 0) {
+		if ((r = sign_one(signkey, "(stdin)", STDIN_FILENO,
+		    sig_namespace, signer, &agent_fd)) != 0)
+			goto done;
+	} else {
+		for (i = 0; i < argc; i++) {
+			if (strcmp(argv[i], "-") == 0)
+				fd = STDIN_FILENO;
+			else if ((fd = open(argv[i], O_RDONLY)) == -1) {
+				error("Cannot open %s for signing: %s",
+				    argv[i], strerror(errno));
+				goto done;
+			}
+			if ((r = sign_one(signkey, argv[i], fd, sig_namespace,
+			    signer, &agent_fd)) != 0)
+				goto done;
+			if (fd != STDIN_FILENO)
+				close(fd);
+			fd = -1;
+		}
+	}
+
+	ret = 0;
+done:
+	if (fd != -1 && fd != STDIN_FILENO)
+		close(fd);
+	sshkey_free(pubkey);
+	sshkey_free(privkey);
+	return ret;
+}
+
+static int
+verify(const char *signature, const char *sig_namespace, const char *principal,
+    const char *allowed_keys, const char *revoked_keys)
+{
+	int r, ret = -1, sigfd = -1;
+	struct sshbuf *sigbuf = NULL, *abuf = NULL;
+	struct sshkey *sign_key = NULL;
+	char *fp = NULL;
+
+	if ((abuf = sshbuf_new()) == NULL)
+		fatal("%s: sshbuf_new() failed", __func__);
+
+	if ((sigfd = open(signature, O_RDONLY)) < 0) {
+		error("Couldn't open signature file %s", signature);
+		goto done;
+	}
+
+	if ((r = sshkey_load_file(sigfd, abuf)) != 0) {
+		error("Couldn't read signature file: %s", ssh_err(r));
+		goto done;
+	}
+	if ((r = sshsig_dearmor(abuf, &sigbuf)) != 0) {
+		error("%s: sshsig_armor: %s", __func__, ssh_err(r));
+		return r;
+	}
+	if ((r = sshsig_verify_fd(sigbuf, STDIN_FILENO, sig_namespace,
+	    &sign_key)) != 0)
+		goto done; /* sshsig_verify() prints error */
+
+	if ((fp = sshkey_fingerprint(sign_key, fingerprint_hash,
+	    SSH_FP_DEFAULT)) == NULL)
+		fatal("%s: sshkey_fingerprint failed", __func__);
+	debug("Valid (unverified) signature from key %s", fp);
+	free(fp);
+	fp = NULL;
+
+	if (revoked_keys != NULL) {
+	    if ((r = sshkey_check_revoked(sign_key, revoked_keys)) != 0) {
+		    debug3("sshkey_check_revoked failed: %s", ssh_err(r));
+		    goto done;
+	    }
+	}
+
+	if ((r = sshsig_check_allowed_keys(allowed_keys, sign_key,
+	    principal, sig_namespace)) != 0) {
+		debug3("sshsig_check_allowed_keys failed: %s", ssh_err(r));
+		goto done;
+	}
+	/* success */
+	ret = 0;
+done:
+	if (!quiet) {
+		if (ret == 0) {
+			if ((fp = sshkey_fingerprint(sign_key, fingerprint_hash,
+			    SSH_FP_DEFAULT)) == NULL) {
+				fatal("%s: sshkey_fingerprint failed",
+				    __func__);
+			}
+			printf("Good \"%s\" signature for %s with %s key %s\n",
+			    sig_namespace, principal,
+			    sshkey_type(sign_key), fp);
+		} else {
+			printf("Could not verify signature.\n");
+		}
+	}
+	if (sigfd != -1)
+		close(sigfd);
+	sshbuf_free(sigbuf);
+	sshbuf_free(abuf);
+	sshkey_free(sign_key);
+	free(fp);
+	return ret;
+}
+
 static void
 usage(void)
 {
@@ -2457,7 +2731,10 @@ usage(void)
 	    "       ssh-keygen -A\n"
 	    "       ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n"
 	    "                  file ...\n"
-	    "       ssh-keygen -Q -f krl_file file ...\n");
+	    "       ssh-keygen -Q -f le file ...\n"
+	    "       ssh-keygen -Y sign -f sign_key -n namespace\n"
+	    "       ssh-keygen -Y verify -I signer_identity -s signature_file\n"
+	    "                  -n namespace -f allowed_keys [-r revoked_keys]\n");
 	exit(1);
 }
 
@@ -2484,6 +2761,7 @@ main(int argc, char **argv)
 	FILE *f;
 	const char *errstr;
 	int log_level = SYSLOG_LEVEL_INFO;
+	char *sign_op = NULL;
 #ifdef WITH_OPENSSL
 	/* Moduli generation/screening */
 	char out_file[PATH_MAX], *checkpoint = NULL;
@@ -2514,9 +2792,9 @@ main(int argc, char **argv)
 	if (gethostname(hostname, sizeof(hostname)) == -1)
 		fatal("gethostname: %s", strerror(errno));
 
-	/* Remaining characters: Ydw */
+	/* Remaining characters: dw */
 	while ((opt = getopt(argc, argv, "ABHLQUXceghiklopquvxy"
-	    "C:D:E:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:"
+	    "C:D:E:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Y:Z:"
 	    "a:b:f:g:j:m:n:r:s:t:z:")) != -1) {
 		switch (opt) {
 		case 'A':
@@ -2672,6 +2950,9 @@ main(int argc, char **argv)
 		case 'V':
 			parse_cert_times(optarg);
 			break;
+		case 'Y':
+			sign_op = optarg;
+			break;
 		case 'z':
 			errno = 0;
 			if (*optarg == '+') {
@@ -2739,6 +3020,42 @@ main(int argc, char **argv)
 	argv += optind;
 	argc -= optind;
 
+	if (sign_op != NULL) {
+		if (cert_principals == NULL) {
+			error("Too few arguments for sign/verify: "
+			    "missing namespace");
+			exit(1);
+		}
+		if (strncmp(sign_op, "sign", 4) == 0) {
+			if (!have_identity) {
+				error("Too few arguments for sign: "
+				    "missing key");
+				exit(1);
+			}
+			return sign(identity_file, cert_principals, argc, argv);
+		} else if (strncmp(sign_op, "verify", 6) == 0) {
+			if (ca_key_path == NULL) {
+				error("Too few arguments for verify: "
+				    "missing signature file");
+				exit(1);
+			}
+			if (!have_identity) {
+				error("Too few arguments for sign: "
+				    "missing allowed keys file");
+				exit(1);
+			}
+			if (cert_key_id == NULL) {
+				error("Too few arguments for verify: "
+				    "missing principal ID");
+				exit(1);
+			}
+			return verify(ca_key_path, cert_principals,
+			    cert_key_id, identity_file, rr_hostname);
+		}
+		usage();
+		/* NOTREACHED */
+	}
+
 	if (ca_key_path != NULL) {
 		if (argc < 1 && !gen_krl) {
 			error("Too few arguments.");
diff --git a/sshsig.c b/sshsig.c
new file mode 100644
index 00000000..0a1e1462
--- /dev/null
+++ b/sshsig.c
@@ -0,0 +1,787 @@
+/*
+ * Copyright (c) 2019 Google LLC
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "authfd.h"
+#include "authfile.h"
+#include "log.h"
+#include "misc.h"
+#include "sshbuf.h"
+#include "sshsig.h"
+#include "ssherr.h"
+#include "sshkey.h"
+#include "match.h"
+#include "digest.h"
+
+#define SIG_VERSION		0x01
+#define MAGIC_PREAMBLE		"SSHSIG"
+#define MAGIC_PREAMBLE_LEN	(sizeof(MAGIC_PREAMBLE) - 1)
+#define BEGIN_SIGNATURE		"-----BEGIN SSH SIGNATURE-----\n"
+#define END_SIGNATURE		"-----END SSH SIGNATURE-----"
+#define RSA_SIGN_ALG		"rsa-sha2-512" /* XXX maybe make configurable */
+#define RSA_SIGN_ALLOWED	"rsa-sha2-512,rsa-sha2-256"
+#define HASHALG_DEFAULT		"sha512" /* XXX maybe make configurable */
+#define HASHALG_ALLOWED		"sha256,sha512"
+
+int
+sshsig_armor(const struct sshbuf *blob, struct sshbuf **out)
+{
+	struct sshbuf *buf = NULL;
+	int r = SSH_ERR_INTERNAL_ERROR;
+
+	*out = NULL;
+
+	if ((buf = sshbuf_new()) == NULL) {
+		error("%s: sshbuf_new failed", __func__);
+		r = SSH_ERR_ALLOC_FAIL;
+		goto out;
+	}
+
+	if ((r = sshbuf_put(buf, BEGIN_SIGNATURE,
+	    sizeof(BEGIN_SIGNATURE)-1)) != 0) {
+		error("%s: sshbuf_putf failed: %s", __func__, ssh_err(r));
+		goto out;
+	}
+
+	if ((r = sshbuf_dtob64(blob, buf, 1)) != 0) {
+		error("%s: Couldn't base64 encode signature blob: %s",
+		    __func__, ssh_err(r));
+		goto out;
+	}
+
+	if ((r = sshbuf_put(buf, END_SIGNATURE,
+	    sizeof(END_SIGNATURE)-1)) != 0 ||
+	    (r = sshbuf_put_u8(buf, '\n')) != 0) {
+		error("%s: sshbuf_put failed: %s", __func__, ssh_err(r));
+		goto out;
+	}
+	/* success */
+	*out = buf;
+	buf = NULL; /* transferred */
+	r = 0;
+ out:
+	sshbuf_free(buf);
+	return r;
+}
+
+int
+sshsig_dearmor(struct sshbuf *sig, struct sshbuf **out)
+{
+	int r;
+	size_t eoffset = 0;
+	struct sshbuf *buf = NULL;
+	struct sshbuf *sbuf = NULL;
+	char *b64 = NULL;
+
+	if ((sbuf = sshbuf_fromb(sig)) == NULL) {
+		error("%s: sshbuf_fromb failed", __func__);
+		return SSH_ERR_ALLOC_FAIL;
+	}
+
+	if ((r = sshbuf_cmp(sbuf, 0,
+	    BEGIN_SIGNATURE, sizeof(BEGIN_SIGNATURE)-1)) != 0) {
+		error("Couldn't parse signature: missing header");
+		goto done;
+	}
+
+	if ((r = sshbuf_consume(sbuf, sizeof(BEGIN_SIGNATURE)-1)) != 0) {
+		error("%s: sshbuf_consume failed: %s", __func__, ssh_err(r));
+		goto done;
+	}
+
+	if ((r = sshbuf_find(sbuf, 0, "\n" END_SIGNATURE,
+	    sizeof("\n" END_SIGNATURE)-1, &eoffset)) != 0) {
+		error("Couldn't parse signature: missing footer");
+		goto done;
+	}
+
+	if ((r = sshbuf_consume_end(sbuf, sshbuf_len(sbuf)-eoffset)) != 0) {
+		error("%s: sshbuf_consume failed: %s", __func__, ssh_err(r));
+		goto done;
+	}
+
+	if ((b64 = sshbuf_dup_string(sbuf)) == NULL) {
+		error("%s: sshbuf_dup_string failed", __func__);
+		r = SSH_ERR_ALLOC_FAIL;
+		goto done;
+	}
+
+	if ((buf = sshbuf_new()) == NULL) {
+		error("%s: sshbuf_new() failed", __func__);
+		r = SSH_ERR_ALLOC_FAIL;
+		goto done;
+	}
+
+	if ((r = sshbuf_b64tod(buf, b64)) != 0) {
+		error("Coundn't decode signature: %s", ssh_err(r));
+		goto done;
+	}
+
+	/* success */
+	*out = buf;
+	r = 0;
+	buf = NULL; /* transferred */
+done:
+	sshbuf_free(buf);
+	sshbuf_free(sbuf);
+	free(b64);
+	return r;
+}
+
+static int
+sshsig_wrap_sign(struct sshkey *key, const char *hashalg,
+    const struct sshbuf *h_message, const char *sig_namespace,
+    struct sshbuf **out, sshsig_signer *signer, void *signer_ctx)
+{
+	int r;
+	size_t slen = 0;
+	u_char *sig = NULL;
+	struct sshbuf *blob = NULL;
+	struct sshbuf *tosign = NULL;
+	const char *sign_alg = NULL;
+
+	if ((tosign = sshbuf_new()) == NULL ||
+	    (blob = sshbuf_new()) == NULL) {
+		error("%s: sshbuf_new failed", __func__);
+		r = SSH_ERR_ALLOC_FAIL;
+		goto done;
+	}
+
+	if ((r = sshbuf_put(tosign, MAGIC_PREAMBLE, MAGIC_PREAMBLE_LEN)) != 0 ||
+	    (r = sshbuf_put_cstring(tosign, sig_namespace)) != 0 ||
+	    (r = sshbuf_put_string(tosign, NULL, 0)) != 0 || /* reserved */
+	    (r = sshbuf_put_cstring(tosign, hashalg)) != 0 ||
+	    (r = sshbuf_putb(tosign, h_message)) != 0) {
+		error("Couldn't construct message to sign: %s", ssh_err(r));
+		goto done;
+	}
+
+	/* If using RSA keys then default to a good signature algorithm */
+	if (sshkey_type_plain(key->type) == KEY_RSA)
+		sign_alg = RSA_SIGN_ALG;
+
+	if (signer != NULL) {
+		if ((r = signer(key, &sig, &slen,
+		    sshbuf_ptr(tosign), sshbuf_len(tosign),
+		    sign_alg, 0, signer_ctx)) != 0) {
+			error("Couldn't sign message: %s", ssh_err(r));
+			goto done;
+		}
+	} else {
+		if ((r = sshkey_sign(key, &sig, &slen,
+		    sshbuf_ptr(tosign), sshbuf_len(tosign),
+		    sign_alg, 0)) != 0) {
+			error("Couldn't sign message: %s", ssh_err(r));
+			goto done;
+		}
+	}
+
+	if ((r = sshbuf_put(blob, MAGIC_PREAMBLE, MAGIC_PREAMBLE_LEN)) != 0 ||
+	    (r = sshbuf_put_u32(blob, SIG_VERSION)) != 0 ||
+	    (r = sshkey_puts(key, blob)) != 0 ||
+	    (r = sshbuf_put_cstring(blob, sig_namespace)) != 0 ||
+	    (r = sshbuf_put_string(blob, NULL, 0)) != 0 || /* reserved */
+	    (r = sshbuf_put_cstring(blob, hashalg)) != 0 ||
+	    (r = sshbuf_put_string(blob, sig, slen)) != 0) {
+		error("Couldn't populate blob: %s", ssh_err(r));
+		goto done;
+	}
+
+	*out = blob;
+	blob = NULL;
+	r = 0;
+done:
+	free(sig);
+	sshbuf_free(blob);
+	sshbuf_free(tosign);
+	return r;
+}
+
+/* Check preamble and version. */
+static int
+sshsig_parse_preamble(struct sshbuf *buf)
+{
+	int r = SSH_ERR_INTERNAL_ERROR;
+	uint32_t sversion;
+
+	if ((r = sshbuf_cmp(buf, 0, MAGIC_PREAMBLE, MAGIC_PREAMBLE_LEN)) != 0 ||
+	    (r = sshbuf_consume(buf, (sizeof(MAGIC_PREAMBLE)-1))) != 0 ||
+	    (r = sshbuf_get_u32(buf, &sversion)) != 0) {
+		error("Couldn't verify signature: invalid format");
+		return r;
+	}
+
+	if (sversion < SIG_VERSION) {
+		error("Signature version %lu is larger than supported "
+		    "version %u", (unsigned long)sversion, SIG_VERSION);
+		return SSH_ERR_INVALID_FORMAT;
+	}
+	return 0;
+}
+
+static int
+sshsig_check_hashalg(const char *hashalg)
+{
+	if (match_pattern_list(hashalg, HASHALG_ALLOWED, 0) == 1)
+		return 0;
+	error("%s: unsupported hash algorithm \"%.100s\"", __func__, hashalg);
+	return SSH_ERR_SIGN_ALG_UNSUPPORTED;
+}
+
+static int
+sshsig_peek_hashalg(struct sshbuf *signature, char **hashalgp)
+{
+	struct sshbuf *buf = NULL;
+	char *hashalg = NULL;
+	int r = SSH_ERR_INTERNAL_ERROR;
+
+	if (hashalgp != NULL)
+		*hashalgp = NULL;
+	if ((buf = sshbuf_fromb(signature)) == NULL)
+		return SSH_ERR_ALLOC_FAIL;
+	if ((r = sshsig_parse_preamble(buf)) != 0)
+		goto done;
+	if ((r = sshbuf_get_string_direct(buf, NULL, NULL)) != 0 ||
+	    (r = sshbuf_get_string_direct(buf, NULL, NULL)) != 0 ||
+	    (r = sshbuf_get_string(buf, NULL, NULL)) != 0 ||
+	    (r = sshbuf_get_cstring(buf, &hashalg, NULL)) != 0 ||
+	    (r = sshbuf_get_string_direct(buf, NULL, NULL)) != 0) {
+		error("Couldn't parse signature blob: %s", ssh_err(r));
+		goto done;
+	}
+	if ((r = sshsig_check_hashalg(hashalg)) != 0)
+		goto done;
+
+	/* success */
+	r = 0;
+	*hashalgp = hashalg;
+	hashalg = NULL;
+ done:
+	free(hashalg);
+	sshbuf_free(buf);
+	return r;
+}
+
+static int
+sshsig_wrap_verify(struct sshbuf *signature, const char *hashalg,
+    const struct sshbuf *h_message, const char *expect_namespace,
+    struct sshkey **sign_keyp)
+{
+	int r = SSH_ERR_INTERNAL_ERROR;
+	struct sshbuf *buf = NULL, *toverify = NULL;
+	struct sshkey *key = NULL;
+	const u_char *sig;
+	char *got_namespace = NULL, *sigtype = NULL, *sig_hashalg = NULL;
+	size_t siglen;
+
+	if (sign_keyp != NULL)
+		*sign_keyp = NULL;
+
+	if ((toverify = sshbuf_new()) == NULL) {
+		error("%s: sshbuf_new failed", __func__);
+		r = SSH_ERR_ALLOC_FAIL;
+		goto done;
+	}
+	if ((r = sshsig_check_hashalg(hashalg)) != 0)
+		goto done;
+
+	if ((r = sshbuf_put(toverify, MAGIC_PREAMBLE,
+	    MAGIC_PREAMBLE_LEN)) != 0 ||
+	    (r = sshbuf_put_cstring(toverify, expect_namespace)) != 0 ||
+	    (r = sshbuf_put_string(toverify, NULL, 0)) != 0 || /* reserved */
+	    (r = sshbuf_put_cstring(toverify, hashalg)) != 0 ||
+	    (r = sshbuf_putb(toverify, h_message)) != 0) {
+		error("Couldn't construct message to verify: %s", ssh_err(r));
+		goto done;
+	}
+
+	if ((r = sshsig_parse_preamble(signature)) != 0)
+		goto done;
+
+	if ((r = sshkey_froms(signature, &key)) != 0 ||
+	    (r = sshbuf_get_cstring(signature, &got_namespace, NULL)) != 0 ||
+	    (r = sshbuf_get_string(signature, NULL, NULL)) != 0 ||
+	    (r = sshbuf_get_cstring(signature, &sig_hashalg, NULL)) != 0 ||
+	    (r = sshbuf_get_string_direct(signature, &sig, &siglen)) != 0) {
+		error("Couldn't parse signature blob: %s", ssh_err(r));
+		goto done;
+	}
+
+	if (sshbuf_len(signature) != 0) {
+		error("Signature contains trailing data");
+		r = SSH_ERR_INVALID_FORMAT;
+		goto done;
+	}
+
+	if (strcmp(expect_namespace, got_namespace) != 0) {
+		error("Couldn't verify signature: namespace does not match");
+		debug("%s: expected namespace \"%s\" received \"%s\"",
+		    __func__, expect_namespace, got_namespace);
+		r = SSH_ERR_SIGNATURE_INVALID;
+		goto done;
+	}
+	if (strcmp(hashalg, sig_hashalg) != 0) {
+		error("Couldn't verify signature: hash algorithm mismatch");
+		debug("%s: expected algorithm \"%s\" received \"%s\"",
+		    __func__, hashalg, sig_hashalg);
+		r = SSH_ERR_SIGNATURE_INVALID;
+		goto done;
+	}
+	/* Ensure that RSA keys use an acceptable signature algorithm */
+	if (sshkey_type_plain(key->type) == KEY_RSA) {
+		if ((r = sshkey_get_sigtype(sig, siglen, &sigtype)) != 0) {
+			error("Couldn't verify signature: unable to get "
+			    "signature type: %s", ssh_err(r));
+			goto done;
+		}
+		if (match_pattern_list(sigtype, RSA_SIGN_ALLOWED, 0) != 1) {
+			error("Couldn't verify signature: unsupported RSA "
+			    "signature algorithm %s", sigtype);
+			r = SSH_ERR_SIGN_ALG_UNSUPPORTED;
+			goto done;
+		}
+	}
+	if ((r = sshkey_verify(key, sig, siglen, sshbuf_ptr(toverify),
+	    sshbuf_len(toverify), NULL, 0)) != 0) {
+		error("Signature verification failed: %s", s