Support SK-ECDSA leaf certificates

2021-03-01 19:02:23 -05:00 · 2021-03-01 19:02:23 -05:00 · 3848df5516
--- a/lib/ssh_data/certificate.rb
+++ b/lib/ssh_data/certificate.rb
@ -12,16 +12,17 @@ module SSHData
    TYPE_HOST = 2

    # Certificate algorithm identifiers
-    ALGO_RSA      = "ssh-rsa-cert-v01@openssh.com"
-    ALGO_DSA      = "ssh-dss-cert-v01@openssh.com"
-    ALGO_ECDSA256 = "ecdsa-sha2-nistp256-cert-v01@openssh.com"
-    ALGO_ECDSA384 = "ecdsa-sha2-nistp384-cert-v01@openssh.com"
-    ALGO_ECDSA521 = "ecdsa-sha2-nistp521-cert-v01@openssh.com"
-    ALGO_ED25519  = "ssh-ed25519-cert-v01@openssh.com"
+    ALGO_RSA         = "ssh-rsa-cert-v01@openssh.com"
+    ALGO_DSA         = "ssh-dss-cert-v01@openssh.com"
+    ALGO_ECDSA256    = "ecdsa-sha2-nistp256-cert-v01@openssh.com"
+    ALGO_ECDSA384    = "ecdsa-sha2-nistp384-cert-v01@openssh.com"
+    ALGO_ECDSA521    = "ecdsa-sha2-nistp521-cert-v01@openssh.com"
+    ALGO_ED25519     = "ssh-ed25519-cert-v01@openssh.com"
+    ALGO_SK_ECDSA256 = "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"

    ALGOS = [
      ALGO_RSA, ALGO_DSA, ALGO_ECDSA256, ALGO_ECDSA384, ALGO_ECDSA521,
-      ALGO_ED25519
+      ALGO_ED25519, ALGO_SK_ECDSA256
    ]

    CRITICAL_OPTION_FORCE_COMMAND  = "force-command"
--- a/lib/ssh_data/encoding.rb
+++ b/lib/ssh_data/encoding.rb
@ -81,12 +81,13 @@ module SSHData
    ]

    PUBLIC_KEY_ALGO_BY_CERT_ALGO = {
-      Certificate::ALGO_RSA      => PublicKey::ALGO_RSA,
-      Certificate::ALGO_DSA      => PublicKey::ALGO_DSA,
-      Certificate::ALGO_ECDSA256 => PublicKey::ALGO_ECDSA256,
-      Certificate::ALGO_ECDSA384 => PublicKey::ALGO_ECDSA384,
-      Certificate::ALGO_ECDSA521 => PublicKey::ALGO_ECDSA521,
-      Certificate::ALGO_ED25519  => PublicKey::ALGO_ED25519,
+      Certificate::ALGO_RSA         => PublicKey::ALGO_RSA,
+      Certificate::ALGO_DSA         => PublicKey::ALGO_DSA,
+      Certificate::ALGO_ECDSA256    => PublicKey::ALGO_ECDSA256,
+      Certificate::ALGO_ECDSA384    => PublicKey::ALGO_ECDSA384,
+      Certificate::ALGO_ECDSA521    => PublicKey::ALGO_ECDSA521,
+      Certificate::ALGO_ED25519     => PublicKey::ALGO_ED25519,
+      Certificate::ALGO_SK_ECDSA256 => PublicKey::ALGO_SK_ECDSA256
    }

    CERT_ALGO_BY_PUBLIC_KEY_ALGO = {
@ -96,6 +97,7 @@ module SSHData
      PublicKey::ALGO_ECDSA384 => Certificate::ALGO_ECDSA384,
      PublicKey::ALGO_ECDSA521 => Certificate::ALGO_ECDSA521,
      PublicKey::ALGO_ED25519  => Certificate::ALGO_ED25519,
+      PublicKey::ALGO_SK_ECDSA256 => Certificate::ALGO_SK_ECDSA256
    }

    KEY_FIELDS_BY_PUBLIC_KEY_ALGO = {
--- a/spec/certificate_spec.rb
+++ b/spec/certificate_spec.rb
@ -265,6 +265,14 @@ describe SSHData::Certificate do
    SSHData::PublicKey::ED25519         # ca key type
  ]

+  test_cases << [
+    :skecdsa_leaf_for_rsa_ca,               # name
+    "skecdsa_leaf_for_rsa_ca-cert.pub",     # fixture
+    SSHData::Certificate::ALGO_SK_ECDSA256, # algo
+    SSHData::PublicKey::SKECDSA,            # public key type
+    SSHData::PublicKey::RSA                 # ca key type
+  ]
+
  test_cases.each do |name, fixture_name, algo, public_key_class, ca_key_class|
    describe(name) do
      let(:openssh) { fixture(fixture_name).strip }