From 2bb7482c7fc5e649e9f82e4a9c30dcaa101df4e1 Mon Sep 17 00:00:00 2001
From: Wiktor Kwapisiewicz
Date: Thu, 4 Apr 2024 13:10:41 +0200
Subject: [PATCH] Add support for SSH certs
Signed-off-by: Wiktor Kwapisiewicz
---
 src/agent.rs | 4 +++-
 src/proto/message.rs | 7 +++++++
 tests/messages/req-add-identity-with-cert.bin | Bin 0 -> 1836 bytes
 tests/sign-and-verify.sh | 19 +++++++++++++-----
 4 files changed, 24 insertions(+), 6 deletions(-)
 create mode 100644 tests/messages/req-add-identity-with-cert.bin
diff --git a/src/agent.rs b/src/agent.rs
index 21a7b59..0e8e501 100644
--- a/src/agent.rs
+++ b/src/agent.rs
@@ -41,7 +41,9 @@ impl Decoder for MessageCodec {
 }
 //use std::io::Write;
- //let mut file = std::fs::File::create(uuid::Uuid::new_v4().to_string())?;
+ //let name = uuid::Uuid::new_v4().to_string();
+ //eprintln!("Capturing request into {name}");
+ //let mut file = std::fs::File::create(&name)?;
 //file.write_all(bytes)?;
 //drop(file);
diff --git a/src/proto/message.rs b/src/proto/message.rs
index f91db33..3cd783e 100644
--- a/src/proto/message.rs
+++ b/src/proto/message.rs
@@ -100,9 +100,12 @@ impl Decode for AddIdentity {
 type Error = Error;
 fn decode(reader: &mut impl Reader) -> Result {
+ eprintln!("before add identity decode");
 let privkey = KeypairData::decode(reader)?;
+ eprintln!("after add identity decode: {privkey:?}");
 let comment = String::decode(reader)?;
+ eprintln!("after comment {comment:?}");
 Ok(Self { privkey, comment })
 }
 }
@@ -129,10 +132,14 @@ impl Decode for AddIdentityConstrained {
 type Error = Error;
 fn decode(reader: &mut impl Reader) -> Result {
+ eprintln!("XX");
+ let identity = AddIdentity::decode(reader)?;
+ eprintln!("found identity: {identity:?}");
 let mut constraints = vec![];
 while !reader.is_finished() {
+ eprintln!("constraint");
 constraints.push(KeyConstraint::decode(reader)?);
 }
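Review bot: The commented-out capture block in MessageCodec::decode still describes dumping the raw request `bytes` into a file in the working directory, and for AddIdentity requests those bytes carry the private key being added, so even as dead code it is a hazard to keep around; this hunk only reshuffles it. Commented-out debug paths tend to get re-enabled in a hurry, so either delete the block or move it behind a dedicated debug `cfg`/feature with a comment stating that the captured file contains key material and must not be committed. The enclosing `decode` body starts and ends outside the hunk.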
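Review bot: `eprintln!("after add identity decode: {privkey:?}");` in AddIdentity::decode writes the freshly decoded KeypairData to stderr through its Debug impl; unless that impl redacts the secret scalar, this puts private key material into whatever collects the process's stderr (CI logs, journald), and it does so unconditionally in library code. The same applies to `eprintln!("found identity: {identity:?}");` in the AddIdentityConstrained::decode hunk below, which formats the same key by way of AddIdentity. These read as leftover tracing from debugging the new certificate fixture; remove the added `eprintln!` lines before merge, and if a trace is genuinely wanted, emit only the key algorithm or the comment, never the formatted key.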
diff --git a/tests/messages/req-add-identity-with-cert.bin b/tests/messages/req-add-identity-with-cert.bin new file mode 100644 index 0000000000000000000000000000000000000000..782c338f44cd039e7c325711c67ff1412aa43584 GIT binary patch literal 1836 zcmah}c{JPk7XN8#iG2xaH7bf$ctNz5swf$yQ(K8Xu{TJFHI0a|RP17_D%E+drDJ&% zCBq~3rFcr!9!AGY8EcjHB^@(G$%`KEyg&NKyXSn)J@@nZ-h0md-h1w8003YS5rIfb z1Rm)}piq%CeUwEwnGhx*b^XFa0RRO5|8D^JB!Jegg%|c%;Yc@IAcwt~64h#XeseC3 zdtso0H#;Cf4UiBZ1OP&bz#gB6H}~cVzrxyw!q4g}6lRaeGS?XCV?K$XzE_L$)tbuF zVO(|j7 ztA1+Jux)4xb92c;raxf2c)1P|jjlae-b$WboE{kXrNVW(J4WiIsuYrDD@Pg2V^?0< zK@Od59sUT%hy-nj2W9CTxEgn^8|xKakhL-C)@=Gm`c9V}Brt}NW= zY;~eaFk_fps6CpQI}Ul-F8(;#q>7sy1qE~OqCd&CZzn`mdRCml?B*V9m6DvT^5m7= z?KO}aq?)@UTf9s{3@0=WaYxtZi+jk1UH`rfPR8tG^_fnceNy(&hTV)T#Z3#}e>JdV zYZGr{N|%!aY(H&XaVQj$7*2`8Q~XI`0bgYRfF6tZ074k`TUqH? zCWi}F?VDur|EkpJ<8so+Ok@Osf~5Ezvq$ct01`)=OYk=^G(=q%gzy<}STjGGIo>=@ zDh6*lHnnJJnXAFCNIY3QAnM*R%MiT5ew$`7DFVN>C#Rjc-qPe$rhc2I@V%7F^C{-` z()GbnCj9nBuyj1 zX3;``HxfPGN13jIu2?;30h=f>mJ6`?m*>F>uX6isUx%8j|F|mo_`qhCjFxR?iQ{vO zE!^k@!*vaR<;m!z#t}kBwI{r}uoKqn#2)((7mLjYOdkg5*LAeToCl@IKhHLkaS0l{ z)GF*a1nU<~7oB(S*X)paz;Fx}Q~M%%sjI>^;`SuXLX}aj$Pi`7;_&hZl$Ew-zE3&cjLA? zPDn9}c0)W`G%WY|sh}c7ZGv;}SdkkWpOLg^%|;) zfBQEpTI_9p&&VnI_ePFCLsw3*t2n7K!N7;Qu+I@8AGeIcxfjR}mGgw7>RC!$q#v`% zF7A4Y?XtTUg^zP*weT-mP&4(uAg1+r{%CF~7ya(UR@Hp^SSxa$y z!s}_eNRbdFZ0gk0L?zBeTEB6Qqu$#CnVoxa7G;Z;lD%V$o%`Cvex7jgOITAcLxH0l z$Mc$qECTHmdzTqEiqh&QS?MLEP>t%5glJ3ffPD8ukt&YuzBo4E-zoqjsJ+YYve|k) zQ<)yMHocltm&)r*+x97kBsA8>yp=jMCa-=J`jZ0*>Cz5GE!mmouY-I2XI`eZZ-O}n zhS+&w?z!R3jKUvy3%c;ch~0|PrwYH3Fu8{aWU-zXnp)(LBrpEqlL^A8&pAHuuB-akC-=v1Eg4=Yd_#sB~S literal 0 HcmV?d00001 diff --git a/tests/sign-and-verify.sh b/tests/sign-and-verify.sh index ceb28cf..c9376c3 100755 --- a/tests/sign-and-verify.sh +++ b/tests/sign-and-verify.sh 
@@ -2,9 +2,8 @@ set -euxo pipefail
-rm -rf ssh-agent.sock Cargo.toml.sig id_rsa id_rsa.pub agent.pub
-
-cargo run --example key_storage &
+rm -rf ssh-agent.socks Cargo.toml.sig id_rsa id_rsa.pub agent.pub ca_user_key ca_user_key.pub id_rsa-cert.pub
+#cargo run --example key_storage &
 while [ ! -e ssh-agent.sock ]; do echo "Waiting for ssh-agent.sock"
@@ -18,7 +17,7 @@ ssh-add -L | tee agent.pub
 ssh-keygen -Y sign -f agent.pub -n file < Cargo.toml > Cargo.toml.sig
 ssh-keygen -Y check-novalidate -n file -f agent.pub -s Cargo.toml.sig < Cargo.toml
-rm -rf Cargo.toml.sig id_rsa.pub agent.pub
+rm -rf Cargo.toml.sig agent.pub
 # Test other commands:
 export SSH_ASKPASS=`pwd`/tests/pwd-test.sh
@@ -33,5 +32,15 @@ echo | ssh-add -X # AddIdConstrained
 ssh-add -t 2 id_rsa
+rm -rf id_rsa id_rsa.pub
+
+# Create and sign SSH user certificate
+# see: https://cottonlinux.com/ssh-certificates/
+echo | ssh-keygen -f ca_user_key
+ssh-keygen -t rsa -f id_rsa -N ""
+echo | ssh-keygen -s ca_user_key -I darren -n darren -V +1h -z 1 id_rsa.pub
+# Add the key with the cert
+ssh-add -t 2 id_rsa
+
 # clean up the only leftover
-rm -rf id_rsa
+rm -rf id_rsa id_rsa.pub id_rsa-cert.pub ca_user_key ca_user_key.pub
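Review bot: `rm -rf ssh-agent.socks ...` on the new first line misspells the socket name, so a stale `ssh-agent.sock` left by a previous run is no longer removed and the `while [ ! -e ssh-agent.sock ]` wait that follows returns immediately against a socket nobody is serving. In the same hunk `#cargo run --example key_storage &` stops the script from launching the agent under test, so it now only passes when an agent was started by hand; this looks like debugging state that was committed by accident. Restore both lines as `rm -rf ssh-agent.sock Cargo.toml.sig id_rsa id_rsa.pub agent.pub ca_user_key ca_user_key.pub id_rsa-cert.pub` and `cargo run --example key_storage &`.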
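Review bot: The new certificate block ends with `ssh-add -t 2 id_rsa` but nothing asserts that the agent actually accepted the accompanying `id_rsa-cert.pub`, so a decoder that silently drops the certificate still passes; follow the add with a check such as `ssh-add -L | grep -q -- '-cert-v01@openssh.com'`. `echo | ssh-keygen -f ca_user_key` relies on an empty line piped to the passphrase prompt, while the very next line already uses `-N ""`; `ssh-keygen -f ca_user_key -N ""` is the explicit non-interactive form and keeps the two key generations consistent. A one-line comment above the signing step noting that `-I darren -n darren -z 1` are arbitrary fixture values would save the next reader a lookup.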