Fix parsing RestrictDestination constraint

Signed-off-by: Wiktor Kwapisiewicz <[email protected]>

Author: wiktor-k

examples/key_storage.rs

@@ -11,7 +11,7 @@ use sha1::Sha1;
 #[cfg(windows)]
 use ssh_agent_lib::agent::NamedPipeListener as Listener;
 use ssh_agent_lib::agent::{Agent, Session};
-use ssh_agent_lib::proto::extension::SessionBind;
+use ssh_agent_lib::proto::extension::{RestrictDestination, SessionBind};
 use ssh_agent_lib::proto::message::{self, Credential, Message, SignRequest};
 use ssh_agent_lib::proto::{signature, AddIdentityConstrained, KeyConstraint};
 use ssh_key::{
@@ -144,9 +144,10 @@ impl KeyStorage {
                 for constraint in constraints {
                     if let KeyConstraint::Extension(name, mut details) = constraint {
                         if name == "[email protected]" {
-                            if let Ok(destination_constraint) = details.parse::<SessionBind>() {
-                                eprintln!("Destination constraint: {destination_constraint:?}");
-                            }
+                            let destination_constraint = details
+                                .parse::<RestrictDestination>()
+                                .expect("to parse destination constraint");
+                            eprintln!("Destination constraint: {destination_constraint:?}");
                         }
                     }
                 }

src/proto/extension.rs

@@ -205,6 +205,16 @@ mod tests {
             [0, 0, 0, 0], // reserved, not in the spec, authfd.c:495
         );
 
+        let destination_constraint = RestrictDestination::decode(&mut buffer)?;
+        eprintln!("Destination constraint: {destination_constraint:?}");
+
+        let mut buffer: &[u8] = &[
+            0, 0, 0, 102, 0, 0, 0, 12, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 78, 0, 0, 0, 0,
+            0, 0, 0, 10, 103, 105, 116, 104, 117, 98, 46, 99, 111, 109, 0, 0, 0, 0, 0, 0, 0, 51, 0,
+            0, 0, 11, 115, 115, 104, 45, 101, 100, 50, 53, 53, 49, 57, 0, 0, 0, 32, 227, 42, 170,
+            121, 21, 206, 185, 180, 73, 209, 186, 80, 234, 42, 40, 187, 26, 110, 1, 249, 11, 218,
+            36, 90, 45, 29, 135, 105, 125, 24, 162, 101, 0, 0, 0, 0, 0,
+        ];
         let destination_constraint = RestrictDestination::decode(&mut buffer)?;
         eprintln!("Destination constraint: {destination_constraint:?}");
         Ok(())

tests/known_hosts

@@ -0,0 +1 @@
+github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl

tests/sign-and-verify.sh

@@ -40,7 +40,13 @@ echo | ssh-keygen -f ca_user_key
 ssh-keygen -t rsa -f id_rsa -N ""
 echo | ssh-keygen -s ca_user_key -I darren -n darren -V +1h -z 1 id_rsa.pub
 # Add the key with the cert
-ssh-add -t 2 id_rsa
-
+if [ $(ssh-add -h 2>&1 | grep -ic hostkey_file) -eq 1 ]; then
+  # has support for RestrictDestination constraint (ubuntu)
+  ssh-add -t 2 -H tests/known_hosts -h github.com id_rsa
+else
+  # does not support RestrictDestination constraint (macos)
+  ssh-add -t 2 id_rsa
+fi
+  
 # clean up the only leftover
 rm -rf id_rsa id_rsa.pub id_rsa-cert.pub ca_user_key ca_user_key.pub