Skip to content

Commit

Permalink
ssh: support rsa-sha2-256/512 for client certificates
Browse files Browse the repository at this point in the history
The server-sig-algs logic was not working for certificate algorithms.
Follow-up on CL 392394.

Tested with OpenSSH 8.8 configured with

    PubkeyAcceptedKeyTypes [email protected]

Updates golang/go#39885
For golang/go#49952

Change-Id: Ic230dd6f98e96b7938acbd0128ab37d33b70abe5
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/392974
Trust: Filippo Valsorda <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
  • Loading branch information
FiloSottile committed Mar 15, 2022
1 parent 56f1c49 commit a85b873
Show file tree
Hide file tree
Showing 2 changed files with 25 additions and 6 deletions.
21 changes: 15 additions & 6 deletions ssh/certs.go
Original file line number Diff line number Diff line change
Expand Up @@ -483,6 +483,17 @@ func underlyingAlgo(algo string) string {
return algo
}

// certificateAlgo returns the certificate algorithms that uses the provided
// underlying signature algorithm.
func certificateAlgo(algo string) (certAlgo string, ok bool) {
for certName, algoName := range certKeyAlgoNames {
if algoName == algo {
return certName, true
}
}
return "", false
}

func (cert *Certificate) bytesForSigning() []byte {
c2 := *cert
c2.Signature = nil
Expand Down Expand Up @@ -526,13 +537,11 @@ func (c *Certificate) Marshal() []byte {

// Type returns the certificate algorithm name. It is part of the PublicKey interface.
func (c *Certificate) Type() string {
keyType := c.Key.Type()
for certName, keyName := range certKeyAlgoNames {
if keyName == keyType {
return certName
}
certName, ok := certificateAlgo(c.Key.Type())
if !ok {
panic("unknown certificate type for key type " + c.Key.Type())
}
panic("unknown certificate type for key type " + keyType)
return certName
}

// Verify verifies a signature against the certificate's public
Expand Down
10 changes: 10 additions & 0 deletions ssh/client_auth.go
Original file line number Diff line number Diff line change
Expand Up @@ -234,7 +234,17 @@ func pickSignatureAlgorithm(signer Signer, extensions map[string][]byte) (as Alg
return as, keyFormat
}

// The server-sig-algs extension only carries underlying signature
// algorithm, but we are trying to select a protocol-level public key
// algorithm, which might be a certificate type. Extend the list of server
// supported algorithms to include the corresponding certificate algorithms.
serverAlgos := strings.Split(string(extPayload), ",")
for _, algo := range serverAlgos {
if certAlgo, ok := certificateAlgo(algo); ok {
serverAlgos = append(serverAlgos, certAlgo)
}
}

keyAlgos := algorithmsForKeyFormat(keyFormat)
algo, err := findCommon("public key signature algorithm", keyAlgos, serverAlgos)
if err != nil {
Expand Down

0 comments on commit a85b873

Please sign in to comment.