From e5f626a06dac2283df4a51389bc66ff466dfce72 Mon Sep 17 00:00:00 2001
From: Wiktor Kwapisiewicz
Date: Mon, 15 Apr 2024 09:17:32 +0200
Subject: [PATCH] Fix parsing `RestrictDestination` constraint

Signed-off-by: Wiktor Kwapisiewicz
---
 examples/key_storage.rs | 9 +++++----
 src/proto/extension.rs | 10 ++++++++++
 tests/known_hosts | 1 +
 tests/sign-and-verify.sh | 2 +-
 4 files changed, 17 insertions(+), 5 deletions(-)
 create mode 100644 tests/known_hosts
diff --git a/examples/key_storage.rs b/examples/key_storage.rs
index 037251c..6499180 100644
--- a/examples/key_storage.rs
+++ b/examples/key_storage.rs
@@ -11,7 +11,7 @@ use sha1::Sha1;
 #[cfg(windows)]
 use ssh_agent_lib::agent::NamedPipeListener as Listener;
 use ssh_agent_lib::agent::{Agent, Session};
-use ssh_agent_lib::proto::extension::SessionBind;
+use ssh_agent_lib::proto::extension::{RestrictDestination, SessionBind};
 use ssh_agent_lib::proto::message::{self, Credential, Message, SignRequest};
 use ssh_agent_lib::proto::{signature, AddIdentityConstrained, KeyConstraint};
 use ssh_key::{
@@ -144,9 +144,10 @@ impl KeyStorage {
 for constraint in constraints {
 if let KeyConstraint::Extension(name, mut details) = constraint {
 if name == "restrict-destination-v00@openssh.com" {
- if let Ok(destination_constraint) = details.parse::() {
- eprintln!("Destination constraint: {destination_constraint:?}");
- }
+ let destination_constraint = details
+ .parse::()
+ .expect("to parse destination constraint");
+ eprintln!("Destination constraint: {destination_constraint:?}");
 }
 }
 }
diff --git a/src/proto/extension.rs b/src/proto/extension.rs
index 567b9b3..4c939df 100644
--- a/src/proto/extension.rs
+++ b/src/proto/extension.rs
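Review bot: In the second hunk of examples/key_storage.rs, the new `.expect("to parse destination constraint")` turns a malformed `restrict-destination-v00@openssh.com` payload from a client into a panic in the agent, where the old `if let Ok` silently dropped it; neither is what an agent should do with a constraint it cannot understand. A constraint that fails to parse cannot be enforced, so the add-identity request should be refused: if the enclosing method returns a `Result` (its signature is outside the hunk), propagate the failure with `?` or `map_err` instead of `expect`. If the panic is deliberate so that the integration test fails loudly, say so in a comment such as `// example only: panic so tests/sign-and-verify.sh catches decode regressions`. The parsed constraint is also only printed here, not stored with the key or enforced, which deserves a one-line comment for readers who copy the example.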
@@ -205,6 +205,16 @@ mod tests { [0, 0, 0, 0], // reserved, not in the spec, authfd.c:495 ); + let destination_constraint = RestrictDestination::decode(&mut buffer)?; + eprintln!("Destination constraint: {destination_constraint:?}"); + + let mut buffer: &[u8] = &[ + 0, 0, 0, 102, 0, 0, 0, 12, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 78, 0, 0, 0, 0, + 0, 0, 0, 10, 103, 105, 116, 104, 117, 98, 46, 99, 111, 109, 0, 0, 0, 0, 0, 0, 0, 51, 0, + 0, 0, 11, 115, 115, 104, 45, 101, 100, 50, 53, 53, 49, 57, 0, 0, 0, 32, 227, 42, 170, + 121, 21, 206, 185, 180, 73, 209, 186, 80, 234, 42, 40, 187, 26, 110, 1, 249, 11, 218, + 36, 90, 45, 29, 135, 105, 125, 24, 162, 101, 0, 0, 0, 0, 0, + ]; let destination_constraint = RestrictDestination::decode(&mut buffer)?; eprintln!("Destination constraint: {destination_constraint:?}"); Ok(()) diff --git a/tests/known_hosts b/tests/known_hosts new file mode 100644 index 0000000..90150c2 --- /dev/null +++ b/tests/known_hosts @@ -0,0 +1 @@ +github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl diff --git a/tests/sign-and-verify.sh b/tests/sign-and-verify.sh index 5534ad2..479f9ce 100755 --- a/tests/sign-and-verify.sh +++ b/tests/sign-and-verify.sh @@ -40,7 +40,7 @@ echo | ssh-keygen -f ca_user_key ssh-keygen -t rsa -f id_rsa -N "" echo | ssh-keygen -s ca_user_key -I darren -n darren -V +1h -z 1 id_rsa.pub # Add the key with the cert -ssh-add -t 2 id_rsa +ssh-add -t 2 -H tests/known_hosts -h github.com id_rsa # clean up the only leftover rm -rf id_rsa id_rsa.pub id_rsa-cert.pub ca_user_key ca_user_key.pub
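Review bot: The new case in the `mod tests` hunk of src/proto/extension.rs only proves that `RestrictDestination::decode` returns `Ok`; nothing checks what was decoded, so a decoder that misreads the hop fields or stops early would still pass. The byte literal spells the hostname `github.com` and an `ssh-ed25519` key blob, so the test can assert those values on the decoded struct instead of printing it with `eprintln!`. Assuming `decode` advances the `&[u8]` reader, adding `assert!(buffer.is_empty());` after each decode would also catch unconsumed trailing bytes. A short comment above the literal naming where the bytes came from (presumably the `ssh-add -H tests/known_hosts -h github.com` call added to tests/sign-and-verify.sh) would make the fixture reproducible. The test function starts outside the hunk.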
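Review bot: In tests/sign-and-verify.sh, `-H tests/known_hosts` is resolved against the caller's working directory, so the added `ssh-add` line works only when the script is started from the repository root; `-H "$(dirname "$0")/known_hosts"` removes that dependency. The `-h`/`-H` destination-constraint options exist only in OpenSSH 8.9 and later, so on an older client this line fails for a reason unrelated to the agent; a version note in a comment above it would save debugging time. Whether a failing `ssh-add` aborts the script depends on shell options set outside this hunk.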