Add RSA key support (ssh-rsa, rsa-sha2-256, rsa-sha2-512)

[daiimus]

Motivation

RSA keys are still widely used in SSH deployments, especially on older servers and enterprise environments. The current SwiftNIO-SSH implementation only supports Ed25519 and ECDSA keys, which limits compatibility.

RFC 8332 deprecates the original ssh-rsa signature scheme (which uses SHA-1) in favor of rsa-sha2-256 and rsa-sha2-512, but many servers still require fallback to ssh-rsa for compatibility.

Modifications

• Add NIOSSHPrivateKey(rsaKey:) initializer using _CryptoExtras
• Add RSASignatureAlgorithm enum with sha512/sha256/sha1 cases and fallback chain
• Implement rsa-sha2-512, rsa-sha2-256, and ssh-rsa signature algorithms per RFC 8332
• Add RSA public key wire format read/write support (exponent + modulus)
• Add RSA signature wire format with proper algorithm prefixes
• Support RSA user authentication with algorithm negotiation
• Add BackingKey.rsa case to NIOSSHPrivateKey and NIOSSHPublicKey
• Add .rsaSHA512, .rsaSHA256, .rsaSHA1 cases to NIOSSHSignature
• Update SSHMessages to parse rsaSignatureAlgorithm field

Tests

• Add RSAKeyTests.swift with 21 tests covering signing, verification, round-trip, cross-algorithm failures, key sizes (2048/3072/4096), and wire format
• Update HostKeyTests to use ssh-dss for 'unrecognised' tests (RSA now supported)
• Update UserAuthenticationStateMachineTests pattern matching for new signature field

Result

SwiftNIO-SSH now supports RSA keys for both host key verification and user authentication. The implementation follows RFC 8332 by preferring rsa-sha2-512, falling back to rsa-sha2-256, and finally ssh-rsa for maximum compatibility.

[Copilot]

Pull request overview

This PR adds RSA key support to SwiftNIO-SSH, implementing three RSA signature algorithms (ssh-rsa, rsa-sha2-256, rsa-sha2-512) per RFC 8332. The implementation enables both host key verification and user authentication using RSA keys with different hash algorithms, prioritizing modern SHA-512 and SHA-256 variants while maintaining SHA-1 fallback for legacy compatibility.

Key changes:

• Adds RSASignatureAlgorithm enum to represent the three RSA signature algorithm variants
• Updates SSHMessages.PublicKeyAuthType to include rsaSignatureAlgorithm field for algorithm negotiation
• Adds comprehensive RSA key tests covering signing, verification, and wire format round-tripping
• Raises minimum swift-crypto version from 1.0.0 to 3.0.0 to support _CryptoExtras RSA functionality

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
Package.swift	Bumps swift-crypto minimum version to 3.0.0 and adds _CryptoExtras dependency for RSA support
Sources/NIOSSH/RSASignatureAlgorithm.swift	Defines RSA signature algorithm enum (sha512, sha256, sha1) with fallback chain and wire protocol names
Sources/NIOSSH/SSHMessages.swift	Updates PublicKeyAuthType to include rsaSignatureAlgorithm field; modifies write logic to use algorithm-specific names
Tests/NIOSSHTests/RSAKeyTests.swift	Adds 21 comprehensive tests for RSA signing, verification, algorithm selection, and wire format
Tests/NIOSSHTests/HostKeyTests.swift	Updates unrecognized key/signature tests from ssh-rsa to ssh-dss since RSA is now supported
Tests/NIOSSHTests/UserAuthenticationStateMachineTests.swift	Updates pattern matching to handle new rsaSignatureAlgorithm field in PublicKeyAuthType

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This change raises the minimum swift-crypto version from 1.0.0 to 3.0.0, which is a breaking change for consumers who may be using swift-crypto 1.x or 2.x. While this is necessary for _CryptoExtras RSA support, this breaking change should be clearly documented in the package release notes, changelog, or migration guide. Consider whether this warrants a major version bump for SwiftNIO-SSH.

Suggested change

	.package(url: "https://github.com/apple/swift-nio.git", from: "2.81.0"),
	.package(url: "https://github.com/apple/swift-nio.git", from: "2.81.0"),
	// NOTE: The minimum swift-crypto version was raised to 3.x to enable _CryptoExtras
	// (e.g. RSA) support. This is a breaking change for users pinned to swift-crypto
	// 1.x or 2.x and must be called out in release notes / migration guides and
	// considered when deciding whether to perform a major version bump of swift-nio-ssh.

[daiimus]

Added comment about swift-crypto 3.x being a breaking change.

// NOTE: Minimum swift-crypto raised to 3.x for _CryptoExtras (RSA) support.
// This is a breaking change for users on swift-crypto 1.x or 2.x.
.package(url: "https://github.com/apple/swift-crypto.git", "3.0.0"..<"4.0.0"),

[Copilot]

The RSASignatureAlgorithm.sha1 case introduces support for the legacy ssh-rsa signature scheme, which elsewhere in this module is implemented using Insecure.SHA1.hash for RSA signatures. SHA-1 is considered cryptographically broken for signature schemes, so allowing ssh-rsa to be used for user authentication (and any other RSA signatures) can enable attackers with sufficient resources to forge signatures and impersonate clients or hosts. To avoid this, remove or hard-disable the .sha1 option (or gate it behind an explicit, strongly-worded opt-in) and prefer rsa-sha2-256/rsa-sha2-512 everywhere signatures are generated or verified.

[daiimus]

This is debatable but worth discussion.

[Lukasa]

Thanks for filing this! I've made an initial code review pass. @Joannis please also take a look at this and see if there's any suggestions for how to harmonise this with some of your work.

[Lukasa]

These changes seem unrelated.

[daiimus]

Reverted to minimal positional style.

if case .some(.publicKey(.known(let expectedKey, _, _))) = expectedMessage.map({ $0.method }),
    case .some(.publicKey(.known(let actualKey, let actualSignature, _))) = request.value.map({ $0.method }),

[Lukasa]

Is this change actually necessary?

[daiimus]

The _RSA.Signing types are already Sendable, so Swift synthesizes conformance. Removed.

[Lukasa]

This code looks incorrect. The digest used here is controlled by the digest parameter. We unilaterally assert that it's SHA512 here, but it isn't. It seems this code is only used for computing the digest hash when using the key as the server host key, so I think this is currently untested code: please add tests for it. Those tests should start to fail when using any ECDH algorithm except for P521, because all the others do not use SHA512.

In this case, it's probably sufficient to use runtime checks on the digest type here to see if it's known. But again, please do add the tests first and confirm they fail, for all 4 key exchange algorithms using RSA host keys.

[daiimus]

Good callout. Tests have been added. Fixed using runtime check on DigestBytes.byteCount to detect signature correctly.

case .rsa(let key):
    let signature = try key.signature(for: digest, padding: .insecurePKCS1v1_5)
    
    switch DigestBytes.byteCount {
    case SHA256.byteCount:
        return NIOSSHSignature(backingSignature: .rsaSHA256(signature))
    case SHA384.byteCount:
        // SHA-384 has no SSH algorithm; use strongest available (rsa-sha2-512)
        return NIOSSHSignature(backingSignature: .rsaSHA512(signature))
    case SHA512.byteCount:
        return NIOSSHSignature(backingSignature: .rsaSHA512(signature))
    default:
        return NIOSSHSignature(backingSignature: .rsaSHA512(signature))
    }

[Lukasa]

Extracting to a Data shouldn't be necessary: add a NIOFoundationCompat dependency, which should bring along a conformance to DataProtocol to ByteBufferView. That should allow us to pass payload.bytes.readableBytesView directly to the individual hash functions.

[daiimus]

Added import NIOFoundationCompat and now pass bytesView directly.

[Lukasa]

Let's move this defaulting to a computed property so that it exists in only one place. Of, even better, make the property non-nil and when left unset, set it to SHA512.

[daiimus]

Made non-optional with default to SHA512 in init.

[Lukasa]

Let's avoid making this a String-backed enum, they behave a bit weirdly. We can put the algorithm names into the var algorithmName instead.

Similarly, do we need CaseIterable? Is there any reason this shouldn't be Hashable?

[daiimus]

String removed and placed in var algorithmName. CaseIterable removed and Hashable added.

public enum RSASignatureAlgorithm: Hashable, Sendable {
    case sha512
    case sha256
    case sha1
    
    public var algorithmName: String {
        switch self {
        case .sha512: return "rsa-sha2-512"
        case .sha256: return "rsa-sha2-256"
        case .sha1: return "ssh-rsa"
        }
    }
}

[Lukasa]

I can't find any evidence that this is used, please remove it.

[daiimus]

Removed.

[Lukasa]

Let's remove the default value here too.

[daiimus]

Removed.

[Lukasa]

Please make this an initializer on the RSASignatureAlgorithm type.

[daiimus]

Added init?(algorithmName:).

public init?<Bytes: Collection>(algorithmName bytes: Bytes) where Bytes.Element == UInt8 {
    if bytes.elementsEqual("rsa-sha2-512".utf8) {
        self = .sha512
    } else if bytes.elementsEqual("rsa-sha2-256".utf8) {
        self = .sha256
    } else if bytes.elementsEqual("ssh-rsa".utf8) {
        self = .sha1
    } else {
        return nil
    }
}

[Joannis]

API break here as well

[daiimus]

Added default value in initializer so existing callers don't break.

public init(privateKey: NIOSSHPrivateKey, rsaSignatureAlgorithm: RSASignatureAlgorithm = .sha512) {
    self.privateKey = privateKey
    self.publicKey = privateKey.publicKey
    self.rsaSignatureAlgorithm = rsaSignatureAlgorithm
}

[Joannis]

@Lukasa I'm in favour of changes like these; but I'm curious what happened to your objection to adding RSA support directly in NIOSSH?

[Lukasa]

CryptoExtras got promoted up from being API-unstable. 😄

[Copilot]

Pull request overview

Copilot reviewed 14 out of 14 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The rsaSignatureAlgorithm parameter is now required for all public key auth types, even non-RSA keys. While this works functionally (non-RSA keys ignore the parameter), it creates a confusing API where users must specify an RSA-specific parameter for Ed25519 and ECDSA keys.

Consider one of these alternatives:

1. Make the parameter optional with a default value (e.g., rsaSignatureAlgorithm: RSASignatureAlgorithm = .sha512)
2. Create separate cases for RSA vs non-RSA keys (e.g., .knownRSA(key:signature:algorithm:) and .known(key:signature:))
3. Store the algorithm within the signature itself rather than in the message structure

This would make the API clearer and prevent confusion about when this parameter is actually used.

[Copilot]

The RSAKeyTests test suite is missing critical integration tests for round-tripping SSH messages with RSA keys, particularly UserAuthRequest messages with different RSA signature algorithms (rsa-sha2-256, rsa-sha2-512). These tests would have caught the bug where knownAlgorithms doesn't include the modern RSA algorithm names, causing auth requests with rsa-sha2-256 or rsa-sha2-512 to be rejected as unknown. Consider adding tests similar to testUserAuthRequestWithKeysAndSignature in SSHMessagesTests.swift but using RSA keys with all three algorithm variants.

[Copilot]

This enum explicitly exposes the legacy ssh-rsa algorithm via the .sha1 case, which relies on the weak SHA-1 hash and is considered cryptographically broken for authentication purposes. Weak algorithm SHA-1 is used (through the ssh-rsa mapping), consider restricting RSA signatures to the rsa-sha2-256/rsa-sha2-512 variants and only allowing ssh-rsa behind a very explicit, opt-in compatibility switch (or removing it entirely). Leaving RSASignatureAlgorithm.sha1 available for normal user authentication increases the risk that deployments will inadvertently negotiate RSA+SHA1 and degrade the security of SSH authentication.