Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package google-guest-oslogin for openSUSE:Factory checked in at 2023-09-01 14:19:23 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/google-guest-oslogin (Old) and /work/SRC/openSUSE:Factory/.google-guest-oslogin.new.1766 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "google-guest-oslogin" Fri Sep 1 14:19:23 2023 rev:20 rq:1108277 version:20230823.00 Changes: --------
--- /work/SRC/openSUSE:Factory/google-guest-oslogin/google-guest-oslogin.changes 2023-08-16 14:17:46.659263726 +0200
+++ /work/SRC/openSUSE:Factory/.google-guest-oslogin.new.1766/google-guest-oslogin.changes 2023-09-01 14:19:50.997600658 +0200
@@ -1,0 +2,12 @@
+Thu Aug 31 11:46:10 UTC 2023 - John Paul Adrian Glaubitz <adrian.glaub...@suse.com>
+
+- Update to version 20230823.00
+ * selinux: Add sshd_key_t type enforcement to trusted user ca (#113)
+- from version 20230822.00
+ * sshca: Add tests with fingerprint and multiple extensions (#111)
+- from version 20230821.01
+ * sshca: Support method token and handle multi line (#109)
+- from version 20230821.00
+ * Update owners (#110)
+
+-------------------------------------------------------------------
Old: ---- google-guest-oslogin-20230808.00.tar.gz New: ---- google-guest-oslogin-20230823.00.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ google-guest-oslogin.spec ++++++
--- /var/tmp/diff_new_pack.e0mZAi/_old 2023-09-01 14:19:52.149641775 +0200
+++ /var/tmp/diff_new_pack.e0mZAi/_new 2023-09-01 14:19:52.153641918 +0200
@@ -19,7 +19,7 @@
 %{!?_pam_moduledir: %define _pam_moduledir %{_pamdir}}
 Name: google-guest-oslogin
-Version: 20230808.00
+Version: 20230823.00
 Release: 0
 Summary: Google Cloud Guest OS Login
 License: Apache-2.0
++++++ google-guest-oslogin-20230808.00.tar.gz -> google-guest-oslogin-20230823.00.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/guest-oslogin-20230808.00/OWNERS new/guest-oslogin-20230823.00/OWNERS
--- old/guest-oslogin-20230808.00/OWNERS 2023-08-08 20:00:56.000000000 +0200
+++ new/guest-oslogin-20230823.00/OWNERS 2023-08-23 02:54:45.000000000 +0200
@@ -2,10 +2,12 @@ # See the OWNERS docs at https://go.k8s.io/owners approvers: - - anandadalton + - a-crate - bkatyl - chaitanyakulkarni28 - dorileo + - drewhli + - elicriffield - jjerger - karnvadaliya - koln67 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/guest-oslogin-20230808.00/selinux/oslogin.fc new/guest-oslogin-20230823.00/selinux/oslogin.fc --- old/guest-oslogin-20230808.00/selinux/oslogin.fc 2023-08-08 20:00:56.000000000 +0200 +++ new/guest-oslogin-20230823.00/selinux/oslogin.fc 2023-08-23 02:54:45.000000000 +0200 @@ -1,2 +1,3 @@ /var/google-sudoers.d(/.*)? system_u:object_r:google_t:s0 /var/google-users.d(/.*)? system_u:object_r:google_t:s0 +/etc/ssh/oslogin_trustedca.pub -p system_u:object_r:sshd_key_t:s0 Binary files old/guest-oslogin-20230808.00/selinux/oslogin.pp and new/guest-oslogin-20230823.00/selinux/oslogin.pp differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/guest-oslogin-20230808.00/selinux/oslogin.te new/guest-oslogin-20230823.00/selinux/oslogin.te --- old/guest-oslogin-20230808.00/selinux/oslogin.te 2023-08-08 20:00:56.000000000 +0200 +++ new/guest-oslogin-20230823.00/selinux/oslogin.te 2023-08-23 02:54:45.000000000 +0200 @@ -7,9 +7,11 @@ attribute non_security_file_type; type http_port_t; type sshd_t; + type sshd_key_t; class tcp_socket name_connect; class file { create getattr setattr write open unlink }; class dir { search write remove_name add_name }; + class fifo_file { getattr open read }; } #============= types ============== 
@@ -22,3 +24,4 @@ allow sshd_t google_t:file { create getattr setattr write open unlink }; allow sshd_t google_t:dir { search write remove_name add_name }; allow sshd_t http_port_t:tcp_socket name_connect; +allow sshd_t sshd_key_t:fifo_file { getattr open read }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/guest-oslogin-20230808.00/src/pam/oslogin_sshca.cc new/guest-oslogin-20230823.00/src/pam/oslogin_sshca.cc --- old/guest-oslogin-20230808.00/src/pam/oslogin_sshca.cc 2023-08-08 20:00:56.000000000 +0200 +++ new/guest-oslogin-20230823.00/src/pam/oslogin_sshca.cc 2023-08-23 02:54:45.000000000 +0200 
@@ -24,25 +24,25 @@ int (*skip_custom_fields)(char **buff, size_t *blen); } sshca_type; -static int sshca_dsa_skip_fields(char **buff, size_t *blen); -static int sshca_ecdsa_skip_fields(char **buff, size_t *blen); -static int sshca_ed25519_skip_fields(char **buff, size_t *blen); -static int sshca_rsa_skip_fields(char **buff, size_t *blen); +static int _sshca_dsa_skip_fields(char **buff, size_t *blen); +static int _sshca_ecdsa_skip_fields(char **buff, size_t *blen); +static int _sshca_ed25519_skip_fields(char **buff, size_t *blen); +static int _sshca_rsa_skip_fields(char **buff, size_t *blen); static sshca_type sshca_impl[] = { - {"ecdsa-sha2-nistp256-cert-...@openssh.com", sshca_ecdsa_skip_fields}, - {"ecdsa-sha2-nistp384-cert-...@openssh.com", sshca_ecdsa_skip_fields}, - {"ecdsa-sha2-nistp521-cert-...@openssh.com", sshca_ecdsa_skip_fields}, - {"rsa-sha2-256-cert-...@openssh.com", sshca_rsa_skip_fields}, - {"rsa-sha2-512-cert-...@openssh.com", sshca_rsa_skip_fields}, - {"ssh-dss-cert-...@openssh.com", sshca_dsa_skip_fields}, - {"ssh-ed25519-cert-...@openssh.com", sshca_ed25519_skip_fields}, - {"ssh-rsa-cert-...@openssh.com", sshca_rsa_skip_fields}, + {"ecdsa-sha2-nistp256-cert-...@openssh.com", _sshca_ecdsa_skip_fields}, + {"ecdsa-sha2-nistp384-cert-...@openssh.com", _sshca_ecdsa_skip_fields}, + {"ecdsa-sha2-nistp521-cert-...@openssh.com", _sshca_ecdsa_skip_fields}, + {"rsa-sha2-256-cert-...@openssh.com", _sshca_rsa_skip_fields}, + {"rsa-sha2-512-cert-...@openssh.com", _sshca_rsa_skip_fields}, + {"ssh-dss-cert-...@openssh.com", _sshca_dsa_skip_fields}, + {"ssh-ed25519-cert-...@openssh.com", _sshca_ed25519_skip_fields}, + {"ssh-rsa-cert-...@openssh.com", _sshca_rsa_skip_fields}, { }, }; static int -sshca_get_string(char **buff, size_t *blen, char **ptr, size_t *len_ptr) { +_sshca_get_string(char **buff, size_t *blen, char **ptr, size_t *len_ptr) { u_int32_t len; if (*blen < 4) { 
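Review bot: The new names `_sshca_get_string`, `_sshca_dsa_skip_fields`, `_sshca_ecdsa_skip_fields`, `_sshca_ed25519_skip_fields` and `_sshca_rsa_skip_fields` introduced here, and the rest of the `_sshca_` family in the following hunks of oslogin_sshca.cc, start with an underscore at file scope, which C (7.1.3) and C++ ([lex.name], global namespace — these sit inside the file's `extern "C"` block) reserve for the implementation. The helpers were already `static`, so the old names did not leak; if a visual marker for internal functions is wanted, a non-reserved prefix does the same job, e.g. `static int sshca_priv_get_string(char **buff, size_t *blen, char **ptr, size_t *len_ptr);`. The renamed declarations and the `sshca_impl` table would change together; no behaviour is affected.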
@@ -74,7 +74,7 @@ } static sshca_type* -sshca_get_implementation(const char *type) { +_sshca_get_implementation(const char *type) { sshca_type *iter; for (iter = sshca_impl; iter->type != NULL; iter++) { @@ -87,14 +87,14 @@ } static int -sshca_rsa_skip_fields(char **buff, size_t *blen) { +_sshca_rsa_skip_fields(char **buff, size_t *blen) { // Skip e. - if (sshca_get_string(buff, blen, NULL, NULL) < 0) { + if (_sshca_get_string(buff, blen, NULL, NULL) < 0) { return -1; } // Skip n. - if (sshca_get_string(buff, blen, NULL, NULL) < 0) { + if (_sshca_get_string(buff, blen, NULL, NULL) < 0) { return -1; } @@ -102,24 +102,24 @@ } static int -sshca_dsa_skip_fields(char **buff, size_t *blen) { +_sshca_dsa_skip_fields(char **buff, size_t *blen) { // Skip p. - if (sshca_get_string(buff, blen, NULL, NULL) < 0) { + if (_sshca_get_string(buff, blen, NULL, NULL) < 0) { return -1; } // Skip q. - if (sshca_get_string(buff, blen, NULL, NULL) < 0) { + if (_sshca_get_string(buff, blen, NULL, NULL) < 0) { return -1; } // Skip g. - if (sshca_get_string(buff, blen, NULL, NULL) < 0) { + if (_sshca_get_string(buff, blen, NULL, NULL) < 0) { return -1; } // Skip y. - if (sshca_get_string(buff, blen, NULL, NULL) < 0) { + if (_sshca_get_string(buff, blen, NULL, NULL) < 0) { return -1; } @@ -127,20 +127,20 @@ } static int -sshca_ed25519_skip_fields(char **buff, size_t *blen) { +_sshca_ed25519_skip_fields(char **buff, size_t *blen) { // Skip pk. - return sshca_get_string(buff, blen, NULL, NULL); + return _sshca_get_string(buff, blen, NULL, NULL); } static int -sshca_ecdsa_skip_fields(char **buff, size_t *blen) { +_sshca_ecdsa_skip_fields(char **buff, size_t *blen) { // Skip curve. - if (sshca_get_string(buff, blen, NULL, NULL) < 0) { + if (_sshca_get_string(buff, blen, NULL, NULL) < 0) { return -1; } // Skip public key. - if (sshca_get_string(buff, blen, NULL, NULL) < 0) { + if (_sshca_get_string(buff, blen, NULL, NULL) < 0) { return -1; } 
@@ -148,7 +148,7 @@ } static int -sshca_get_extension(pam_handle_t *pamh, const char *key, size_t k_len, char **exts) { +_sshca_get_extension(pam_handle_t *pamh, const char *key, size_t k_len, char **exts) { sshca_type* impl = NULL; size_t n_len, t_len, tmp_exts_len, ret = -1; char *tmp_exts, *tmp_head, *type, *key_b64, *head; @@ -171,19 +171,19 @@ goto out; } - if (sshca_get_string(&key_b64, &n_len, &type, &t_len) < 0) { + if (_sshca_get_string(&key_b64, &n_len, &type, &t_len) < 0) { PAM_SYSLOG(pamh, LOG_ERR, "Could not get cert's type string."); goto out; } - impl = sshca_get_implementation(type); + impl = _sshca_get_implementation(type); if (impl == NULL) { PAM_SYSLOG(pamh, LOG_ERR, "Invalid cert type: %s.", type); goto out; } // Skip nonce for all types of certificates. - if (sshca_get_string(&key_b64, &n_len, NULL, NULL) < 0) { + if (_sshca_get_string(&key_b64, &n_len, NULL, NULL) < 0) { PAM_SYSLOG(pamh, LOG_ERR, "Failed to skip cert's \"nonce\" field."); goto out; } @@ -201,13 +201,13 @@ SKIP_UINT32(key_b64, n_len); // Skip key id. - if (sshca_get_string(&key_b64, &n_len, NULL, NULL) < 0) { + if (_sshca_get_string(&key_b64, &n_len, NULL, NULL) < 0) { PAM_SYSLOG(pamh, LOG_ERR, "Failed to skip cert's \"key id\" field."); goto out; } // Skip valid principals. - if (sshca_get_string(&key_b64, &n_len, NULL, NULL) < 0) { + if (_sshca_get_string(&key_b64, &n_len, NULL, NULL) < 0) { PAM_SYSLOG(pamh, LOG_ERR, "Failed to skip cert's \"valid principals\" " "field."); goto out; 
@@ -220,21 +220,21 @@ SKIP_UINT64(key_b64, n_len); // Skip critical options. - if (sshca_get_string(&key_b64, &n_len, NULL, NULL) < 0) { + if (_sshca_get_string(&key_b64, &n_len, NULL, NULL) < 0) { PAM_SYSLOG(pamh, LOG_ERR, "Failed to skip cert's \"critical options\" " "field."); goto out; } // Get extensions buffer. - if (sshca_get_string(&key_b64, &n_len, &tmp_exts, &tmp_exts_len) < 0) { + if (_sshca_get_string(&key_b64, &n_len, &tmp_exts, &tmp_exts_len) < 0) { PAM_SYSLOG(pamh, LOG_ERR, "Failed to get cert's \"extensions\" field."); goto out; } // The field extensions is a self described/sized buffer. tmp_head = tmp_exts; - if (sshca_get_string(&tmp_exts, &tmp_exts_len, exts, &ret) < 0) { + if (_sshca_get_string(&tmp_exts, &tmp_exts_len, exts, &ret) < 0) { PAM_SYSLOG(pamh, LOG_ERR, "Failed to read google's extension."); goto out; } @@ -248,28 +248,31 @@ } static size_t -sshca_split_key(const char *blob, char **out) { - int i, len, k_start; +_sshca_split_key(const char *blob, char **out) { + int i, len, algo_start, k_start; char *key = NULL; - len = 0; - k_start = 0; + len, k_start, algo_start = 0; for (i = 0; blob[i] != '\0'; i++) { if (blob[i] == ' ' && key == NULL) { - k_start = i + 1; - key = (char *)blob + i + 1; + if (!algo_start) { + algo_start = i; + } else { + k_start = i + 1; + key = (char *)blob + i + 1; + } } else if (blob[i] == ' ' && key != NULL) { len = i; } } *out = strndup(key, len - k_start); - return len; + return strlen(*out); } static size_t -sshca_extract_fingerprint(const char *extension, char **out) { +_sshca_extract_fingerprint(const char *extension, char **out) { int i = 0; if (extension == NULL || strstr(extension, "fingerpr...@google.com=") == NULL) { 
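Review bot: `len, k_start, algo_start = 0;` in `_sshca_split_key` is a comma expression that assigns only `algo_start`; `len` and `k_start` are left uninitialized and then read in `strndup(key, len - k_start)`, which is undefined behaviour and, for a blob with no field after the key (so `len` is never assigned in the loop), produces an arbitrary length where the old code produced 0. The same function has two further gaps the rewrite exposes: `key` stays NULL when the blob has fewer than two spaces and is passed straight to `strndup`, and `strlen(*out)` dereferences a NULL return from `strndup`. Restore the initialization as `len = k_start = algo_start = 0;` and guard both NULL cases before computing the length, as below; the loop itself is unchanged. `_sshca_extract_fingerprint` starts at the end of this hunk and its body continues outside it.
```cpp
static size_t
_sshca_split_key(const char *blob, char **out) {
  int i, len, algo_start, k_start;
  char *key = NULL;

  len = k_start = algo_start = 0;

  // … unchanged: scan for the method token, the key and the trailing field …

  if (key == NULL) {
    *out = NULL;
    return 0;
  }
  // A negative length used to reach strndup as a huge size_t; be explicit instead.
  *out = strndup(key, len > k_start ? (size_t)(len - k_start) : strlen(key));
  if (*out == NULL) {
    return 0;
  }
  return strlen(*out);
}
```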
@@ -285,27 +288,27 @@ return i; } -int -sshca_get_byoid_fingerprint(pam_handle_t *pamh, const char *blob, char **fingerprint) { +static int +_sshca_get_byoid_fingerprint(pam_handle_t *pamh, const char *blob, char **fingerprint) { size_t f_len, k_len, exts_len = -1; char *key, *exts = NULL; - k_len = sshca_split_key(blob, &key); + k_len = _sshca_split_key(blob, &key); if (k_len <= 0) { PAM_SYSLOG(pamh, LOG_ERR, "Could not split ssh ca cert."); goto out; } - exts_len = sshca_get_extension(pamh, key, k_len, &exts); + exts_len = _sshca_get_extension(pamh, key, k_len, &exts); if (exts_len < 0) { - PAM_SYSLOG(pamh, LOG_ERR, "Could not parse/extract extension" + PAM_SYSLOG(pamh, LOG_ERR, "Could not parse/extract extension " "from ssh ca cert."); goto out; } - f_len = sshca_extract_fingerprint(exts, fingerprint); + f_len = _sshca_extract_fingerprint(exts, fingerprint); if (f_len == 0) { - PAM_SYSLOG(pamh, LOG_ERR, "Could not parse/extract fingerprint" + PAM_SYSLOG(pamh, LOG_ERR, "Could not parse/extract fingerprint " "from ssh ca cert's extension."); goto out; } 
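Review bot: `exts_len` is declared `size_t` (initialized to `-1`) but tested with `if (exts_len < 0)`, which can never be true for an unsigned type, so the `-1` that `_sshca_get_extension` (an `int` function) returns on failure is not detected at this check; the failure is only caught later because `exts` stays NULL and `_sshca_extract_fingerprint` rejects NULL. Declaring it `int exts_len = -1;` makes the check meaningful and matches the callee's return type; the test Makefile already builds with `-Wextra`, where `-Wtype-limits` would flag the current comparison. This line is kept as context by the rename rather than introduced by it, but the function is now `static` with a single caller, so it is cheap to fix alongside.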
@@ -316,6 +319,33 @@ return f_len; } + +int +sshca_get_byoid_fingerprint(pam_handle_t *pamh, const char *blob, char **fingerprint) { + char *line, *saveptr = NULL; + size_t f_len = 0; + + if (blob == NULL || strlen(blob) == 0) { + PAM_SYSLOG(pamh, LOG_ERR, "Could not parse/extract fingerprint " + "from ssh ca cert's extension: \"blob\" is empty."); + } + + if (fingerprint == NULL) { + PAM_SYSLOG(pamh, LOG_ERR, "Could not parse/extract fingerprint " + "from ssh ca cert's extension: \"fingerprint\" is NULL."); + } + + line = strtok_r((char *)blob, "\n", &saveptr); + while (line != NULL) { + f_len = _sshca_get_byoid_fingerprint(pamh, line, fingerprint); + if (f_len > 0) { + return f_len; + } + line = strtok_r(NULL, "\n", &saveptr); + } + + return f_len; +} #ifdef __cplusplus } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/guest-oslogin-20230808.00/test/Makefile new/guest-oslogin-20230823.00/test/Makefile --- old/guest-oslogin-20230808.00/test/Makefile 2023-08-08 20:00:56.000000000 +0200 +++ new/guest-oslogin-20230823.00/test/Makefile 2023-08-23 02:54:45.000000000 +0200 
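Review bot: The two guards at the top of the new `sshca_get_byoid_fingerprint` only log and then fall through, so a NULL `blob` still reaches `strtok_r((char *)blob, "\n", &saveptr)` and a NULL `fingerprint` is still handed to `_sshca_get_byoid_fingerprint`; each needs a `return 0;`. Independently, the `(char *)blob` cast lets `strtok_r` write NUL bytes into a buffer the signature promises not to modify: the caller's blob is corrupted after the call, and a caller that passes a string literal — which is what the test table in oslogin_sshca_test.cc does through `const char *key` — would fault on the first multi-line input. Tokenizing a `strdup` copy keeps the contract and costs one allocation per call; this assumes `*fingerprint` does not alias the line it was parsed from, which the strndup/decoding path in the helpers suggests but which should be confirmed.
```cpp
int
sshca_get_byoid_fingerprint(pam_handle_t *pamh, const char *blob, char **fingerprint) {
  char *copy, *line, *saveptr = NULL;
  size_t f_len = 0;

  if (blob == NULL || strlen(blob) == 0) {
    PAM_SYSLOG(pamh, LOG_ERR, "Could not parse/extract fingerprint "
               "from ssh ca cert's extension: \"blob\" is empty.");
    return 0;
  }

  if (fingerprint == NULL) {
    PAM_SYSLOG(pamh, LOG_ERR, "Could not parse/extract fingerprint "
               "from ssh ca cert's extension: \"fingerprint\" is NULL.");
    return 0;
  }

  // strtok_r modifies its input; work on a private copy so the caller's
  // (const) buffer is never written to.
  copy = strdup(blob);
  if (copy == NULL) {
    return 0;
  }

  for (line = strtok_r(copy, "\n", &saveptr); line != NULL;
       line = strtok_r(NULL, "\n", &saveptr)) {
    f_len = _sshca_get_byoid_fingerprint(pamh, line, fingerprint);
    if (f_len > 0) {
      break;
    }
  }

  free(copy);
  return f_len;
}
```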
@@ -7,7 +7,7 @@ TEST_RUNNER = ./test_runner --gtest_output=xml NEW_TEST_RUNNER = ./new_test_runner --gtest_output=xml SSHCA_TEST_RUNNER = ./sshca_runner --gtest_output=xml --gtest_filter="SSHCATests.*" -CPPFLAGS += -I$(TOPDIR)/src/include -I/usr/include/json-c -I$(GTEST_DIR) -isystem $(GTEST_DIR)/include +CPPFLAGS += -I$(TOPDIR)/src/include -I$(TOPDIR)/third_party/include -I/usr/include/json-c -I$(GTEST_DIR) -isystem $(GTEST_DIR)/include CXXFLAGS += -g -Wall -Wextra -std=c++11 LDLIBS = -lcurl -ljson-c -lpthread diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/guest-oslogin-20230808.00/test/oslogin_sshca_test.cc new/guest-oslogin-20230823.00/test/oslogin_sshca_test.cc --- old/guest-oslogin-20230808.00/test/oslogin_sshca_test.cc 2023-08-08 20:00:56.000000000 +0200 +++ new/guest-oslogin-20230823.00/test/oslogin_sshca_test.cc 2023-08-23 02:54:45.000000000 +0200 @@ -23,7 +23,7 @@ namespace oslogin_utils { -#define VALID_ECDSA_SINGLE_EXT "ecdsa-sha2-nistp256-cert-...@openssh.com " \ +#define VALID_ECDSA_SINGLE_EXT "publickey ecdsa-sha2-nistp256-cert-...@openssh.com " \ "AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAg1yMhf" \ "NVBe4etWEQNDmtxhsAD+YAb7fl/Bn0Z+GGEE9EAAAAIbmlzdHAyNTYAAABBBJ+nM2cR4B" \ "FHbmokUIScpTaSkx/F1QS2KfIx6z4wcpUmjzKtbP0KFw12mMUiNHzlNBD0B2RnX54uN+k" \ 
@@ -48,7 +48,23 @@ "bcetrgglFiujUFlIdxkHMmsIxHM88wEnJAlETd7zl9WR/FgQYn3y2dZz9VKoheJdg== " \ "pantheon.sitar.mig" \ -#define INVALID_ECDSA_NO_FP "ecdsa-sha2-nistp256-cert-...@openssh.com A" \ +#define VALID_ECDSA_MULTI_EXT "publickey ecdsa-sha2-nistp256-cert-v01@o" \ + "penssh.com AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb" \ + "20AAAAgcBZK0OB/KoC8ir+mo+aDJm3e88cmk1/UZ+NMhiWyXMQAAAAIbmlzdHAyNTYAA" \ + "ABBBCK4bF9EA181g2ZHWmuggqjsK53SwQKVzyDNZHDIMcCN117t6dSJYvSAgnlg01PGx" \ + "9HyTz7ffcPf3yUfN21WgRsAAAAAAAAAAAAAAAEAAAAWZmluZ2VycHJpbnRAZ29vZ2xlL" \ + "mNvbQAAABoAAAAWZmluZ2VycHJpbnRAZ29vZ2xlLmNvbQAAAABk5O4EAAAAAGbE0HQAA" \ + "AAAAAAAxQAAADtmaW5nZXJwcmludEBnb29nbGUuY29tPWI4NmRiNGNhLTA5ZmQtNDI5Z" \ + "S1iMTIxLWExMjc5OTYxNDAzMgAAAAAAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAA" \ + "AAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd" \ + "2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAA" \ + "AAAAAAAAGgAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAAhuaXN0cDI1NgAAAEEErH/DI" \ + "zvUUx1Isb5xtFpgt2TgPsB9QfbM7EAGKJ8yZaljZr2blH+XsQjIognAv3FCE3t3zTshl" \ + "8atWl5fzzXa4QAAAGUAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAEoAAAAhAPTeGWrdg" \ + "chbWRO1o6ignVyuwq6tTjz/rSfzkjDZw6BsAAAAIQCSDGI9KQuAxhaVDhD9y1XHm2s+I" \ + "+IddaiA/0hzb4MDtA== fingerpr...@google.com" \ + +#define INVALID_ECDSA_NO_FP "publickey ecdsa-sha2-nistp256-cert-...@openssh.com A" \ "AAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgxlbtL" \ "/mjYXEgsXjl7GZgpvIFncxbfmjPYVewm1sdXo4AAAAIbmlzdHAyNTYAAABBBMYdGLr6M" \ "102qgBeJ3CanDi0WV1vGif2jMMv1ldtN0+wbDztYdtUu8iop/tN46wFVbfmSzyx/R2YL" \ 
@@ -60,12 +76,12 @@ "pM3dlil8jDXlpL4U1JSmP3MeHX0OKcpHgAAACAYiWa3KrreEzN+VrnuhwStH70bvH9Qm" \ "6Va6a0IcMrMkA== fingerpr...@google.com" \ -#define INVALID_ECDSA_NON_CERT "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTI" \ +#define INVALID_ECDSA_NON_CERT "publickey ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTI" \ "tbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMYdGLr6M102qgBeJ3CanDi0WV1vGif2jMM" \ "v1ldtN0+wbDztYdtUu8iop/tN46wFVbfmSzyx/R2YLbvQ+z2k/sY= " \ "fingerpr...@google.com" \ -#define VALID_RSA_SINGLE_EXT "ssh-rsa-cert-...@openssh.com AAAAHHNzaC1yc" \ +#define VALID_RSA_SINGLE_EXT "publickey ssh-rsa-cert-...@openssh.com AAAAHHNzaC1yc" \ "2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgijvX6FIu7BjRIACC+C0b8cxrAORm8flzJU" \ "3Y2q7ci/4AAAADAQABAAABAQCU/mydd9mSwlSDv4T3OiL5IHrvSuXpWFvCEDmVyLxBHz1" \ "FCwjnk3G5xSt9nGtUyL0KpGt0dyvLU07JGB33cbVnVe1z3373FNKxF8LdwDTEZG6xijXu" \ 
@@ -98,7 +114,43 @@ "IBVqgGgEztsSYO0brQWsCoiOxToxWiqDbYc2ifgcIUB+kSzvmbkvbgoNuT111PKpMkIii" \ "GqmJpNjwsqExxW5E= fingerpr...@google.com" \ -#define INVALID_RSA_NO_FP "ssh-rsa-cert-...@openssh.com AAAAHHNzaC1yc2Et" \ +#define VALID_RSA_MULTI_EXT "publickey ssh-rsa-cert-...@openssh.com AAAA" \ + "HHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgpv8XuCPuX0/2hATuCuFa1kVXR" \ + "CNzX7gU6T4Q/EVZiMkAAAADAQABAAABAQDPh7YORgzS7V3F5oxVlwTABglvV6cUx32GO7" \ + "I84CxVRnWdW9D4eQoRD+lN8YKcbWN826/G9A9AIyADl6nMpxocgymCCyz4ujapTf/ntaH" \ + "pc7QTNuKDQ3x9ptHVjPSbXx+HVBC0gFgCxRlymAjN8P9Rex+wkJRMPCOIwykO9H5BkDfc" \ + "iZMcPc+BAVvM/A+oREjHVO7yyOEiMXByoiXOg9yd4KM70ypmAOLan4unQRy10Bye6U2fL" \ + "mqkPzfLIQpdExBmU+MEEBum+Kqk3pdppwli/EnueHSkljtJLBBID5bD3xEzNcdi107OoW" \ + "fXBgiTAyewrW7GCYw1V27LpUwg21/lAAAAAAAAAAAAAAABAAAAFmZpbmdlcnByaW50QGd" \ + "vb2dsZS5jb20AAAAaAAAAFmZpbmdlcnByaW50QGdvb2dsZS5jb20AAAAAZOTh1AAAAABm" \ + "xMQ6AAAAAAAAAMUAAAA7ZmluZ2VycHJpbnRAZ29vZ2xlLmNvbT1iODZkYjRjYS0wOWZkL" \ + "TQyOWUtYjEyMS1hMTI3OTk2MTQwMzIAAAAAAAAAFXBlcm1pdC1YMTEtZm9yd2FyZGluZw" \ + "AAAAAAAAAXcGVybWl0LWFnZW50LWZvcndhcmRpbmcAAAAAAAAAFnBlcm1pdC1wb3J0LWZ" \ + "vcndhcmRpbmcAAAAAAAAACnBlcm1pdC1wdHkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAA" \ + "AAAAAAAAAAIXAAAAB3NzaC1yc2EAAAADAQABAAACAQDY+memx1OUatqYIbrKErOTXM1/h" \ + "rqeDmT423gK5ecqmzJt86ZS1Z1WhuqOD4CW9YISZP2VpScV61Cj4OF5MuEi8V7UaaJf6N" \ + "himixleP88rCxCbXWc9MwX7xBnX8spvOPcrof9zs8fKnDJuhRMMf614gfD3C0cPpahtxx" \ + "4n7KytJ14jSKaECUjcpZ+f30WHrZvLY4sJMmMBJhcuMWC6Y1lckMT0t9M0pjRs2ZUOOyc" \ + "R5wTxybr7rFxzQhHiSpfXeVwErz8b+5IxvvlqUCawTmVmntcP9atobNZCIRt28K6Fyw7A" \ + "AjoD0jP3nLoEQuk2As4erfmuabBZK4HwxoaWVSbsV8T7RYq/JiDdvP6x+BbEhgmrnBRUA" \ + "dPTRy2fEFxgIKbKhg8tm5M9GO8k/VeVykeOmcL88Da2swXuCcp1wAQjrrn81jyunsVlLG" \ + "Kzeco3qrSn/6nwtcNOu2I8JNwk1GKvV7KTYEL/xNQSQ2Pk6r1HlPlyq/eo3HuFE/NxO9u" \ + "iXLV3bapMSt3KsvCkTpLW1eJLg9bytd2aVpZW7s4uuR1mTZfgDPM75zXubkgqA2RVQ7Tl" \ + "76MzBW9LL1f/B7lMxdJYQF1WqqSJNVcRLS5L0zpuS9Z48piYv8v2ioJGCFae+CnwmNYw+" \ + 
"wPAd0MXp1X6808ceRvmqADSbU4zxH00BUIdwAAAhQAAAAMcnNhLXNoYTItNTEyAAACAF6" \ + "7EZPDjyBO6+Zv88KnNyTFkQ5+wbS2DzD9myW/cSGxEvKX/Ccznzi8ROesNzjv4vOJja3Z" \ + "2UIm4LjmzVXrTJsu0XFQ8NnN8Bk1GedqxLgYUfEgTkVh2Wj778Cw278NTQFRqwdkYrK3q" \ + "DksHGrp8xoXNb7kf8Kws1R4GS8ue0mW5QFgQRd2WLRckYh5S9cnDMbw4wGrZFFu75RJUA" \ + "lozlB7sDCcMJRtJ5VmU8PgzyZpsRm2GnNCLqbnH/QbH3wPnHgbtaZqGU5vU2uRkwML+P8" \ + "mn8fbePqOw4sC5sGvxOZ3Zr6S22WygRaoq7iM6w4Yhjg57Ga0RRsT8KbAmFyZlnghroS8" \ + "9R84iVJPDxjSskrpY1oM5pjonvmD/3GeGd6oXl/x9A+df5YBiVxn6KiXgbS90yYXJFpeh" \ + "xE+whj5PeNlL/6qaqf0MesCHT+6Uwo/Hp7DAbRCzEt8KBWr1nt6bLwEzitT4nokTljo70" \ + "ctSlNsmXAOalqatlffQnGF1J5n3HDbPH6zKon82MMAnlha+SGfDQqc1uhMdfbfL7DMhFm" \ + "xLPX5BvoRzQT96EGgWjhlmI7j2e8fghkjsCwaH7HrfSBuXYvw1DPRBaOktIEDPk9tF70B" \ + "WIdoJJX2phxK1km8+78sdCbtVVaTzlGNDflqM++kqmNHhZFtoWRYeHKYHRFo " \ + "fingerpr...@google.com" \ + +#define INVALID_RSA_NO_FP "publickey ssh-rsa-cert-...@openssh.com AAAAHHNzaC1yc2Et" \ "Y2VydC12MDFAb3BlbnNzaC5jb20AAAAgwCArEN+qa2BR5+4DNaSCwGP3avz3wFcJzuaZk" \ "UrXsv0AAAADAQABAAABAQCic3UBNOW41D6BH8e8acBKAw3PdWcvqEIP8v5Otk56nXNrZH" \ "8tTrposPHZOjAoMCyv9F3siuv+ZfX8k0/x2l9Efayhdcr8AWIr+riqYBNHUby7iefdXCR" \ @@ -130,7 +182,7 @@ "6tN/eIqzpsfLbRPoK4B7xmoEqtPn1KidKZnvegGasSfrquoyM/E4enhV3kXfJQ== " \ "fingerpr...@google.com" \ -#define INVALID_RSA_NON_CERT "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCU/m" \ +#define INVALID_RSA_NON_CERT "publickey ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCU/m" \ "ydd9mSwlSDv4T3OiL5IHrvSuXpWFvCEDmVyLxBHz1FCwjnk3G5xSt9nGtUyL0KpGt0dyv" \ "LU07JGB33cbVnVe1z3373FNKxF8LdwDTEZG6xijXuOi4xfk47arlpk9Pw14qcnVu9on4R" \ "m4cSmm5PkyIwTfJsKvOl8oOgZ0HZG7pzYEt+9wUoeGzUE0rsAreNFVB7ZBqHp2ZtdIe5d" \ 
@@ -138,7 +190,7 @@ "NZPchE/T19LSP/fQbPCGmqc+mC6YodSEbLkO6JmOaW+knTEc9D6xdozx6Oa4vR " \ "fingerpr...@google.com" \ -#define VALID_DSA_SINGLE_EXT "ssh-dss-cert-...@openssh.com AAAAHHNzaC1kc" \ +#define VALID_DSA_SINGLE_EXT "publickey ssh-dss-cert-...@openssh.com AAAAHHNzaC1kc" \ "3MtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgH400e9SzsvaN8OkKvH26sXEJtU/BVc2IBG" \ "fdZDHk508AAACBAO9UdOmq7Z0qy86mwsDf07TmXQe7X0TLKbyFSsd2b+jTCzpXy9rBhgg" \ "oJlzYzxSQgtR4JaSTauZMiQQViN3cKvHuGfAXIOIMtMHVupNy6WSkcixGrvw6Y0Yr90+e" \ 
@@ -163,7 +215,35 @@ "AAAAdzc2gtZHNzAAAAKH5faM5YTlMn+h2cf99PJ8rjvqQUJoh5yi3a4pkGcr5MJs53Wfi" \ "DPaA= fingerpr...@google.com" \ -#define INVALID_DSA_NO_FP "ssh-dss-cert-...@openssh.com AAAAHHNzaC1kc3Mt" \ +#define VALID_DSA_MULTI_EXT "publickey ssh-dss-cert-...@openssh.com AAAA" \ + "HHNzaC1kc3MtY2VydC12MDFAb3BlbnNzaC5jb20AAAAg4F67aKUUtM8mWvtHxr2AjRcDB" \ + "jkmICwZRUOx4JaDVYEAAACBAKbdH1vmX/ZCVY1v41hXxEroqQpfOGR+G/0gtuscO5rU+c" \ + "9T4qq5lm3E+SwFfCCqC4x6+zDomsJvptMJU0r1oxMuXDo0PRtr4qMMKw0FwZ29D+9zITb" \ + "FvaRUc4+FQ5JvxCUBEKQxzetsTyIsirM4vWW6oKMGACAvgs3qu+CrPKtnAAAAFQDWlrhr" \ + "iKONlBabChlcap+cmeMzvQAAAIEAnlrkClDOBZ0Cx+cQF201G3Bq9eThHYo+sxydojtIW" \ + "SYAJFYLvQjF0r/34Wxj5sBgxcGhe8yp3Y+ZggB3vGZ6UjzCy6F6zkfgyl+KzYfV42uRrW" \ + "+7dn7VChySMM2OcgTnN69QMTkym8Pv00qF+a0XD1mH9uK0l1q0eZtndj59rfUAAACARtR" \ + "gCOBB7JoU1Br38bo6VNww26oRV4BkVEQN9l3M+6sxG0IL8brBuCh1JLyQVLMcXNj+K2pQ" \ + "PH8JDKdOrbP/xarcRY+fhRN5IvP5n/fNOJp3oXsvjiOeH1z4u1Ra7e0DAoJEOofKbr/sg" \ + "QfCNsB4gP4u62ck27w2pRXNdxJKyrkAAAAAAAAAAAAAAAEAAAAWZmluZ2VycHJpbnRAZ2" \ + "9vZ2xlLmNvbQAAABoAAAAWZmluZ2VycHJpbnRAZ29vZ2xlLmNvbQAAAABk5Nv4AAAAAGb" \ + "Evl8AAAAAAAAAxQAAADtmaW5nZXJwcmludEBnb29nbGUuY29tPWI4NmRiNGNhLTA5ZmQt" \ + "NDI5ZS1iMTIxLWExMjc5OTYxNDAzMgAAAAAAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nA" \ + "AAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm" \ + "9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAA" \ + "AAAAAAAAAAbEAAAAHc3NoLWRzcwAAAIEAuoOoF4etzwXHXkc4b1Wx15adJkLBzbRARAuc" \ + "A360XxdxzO+Gt5A/OLV7eE8jxVaz0sC9CE1ikpAp/u0ZL+tVZyA0X2KMAJetgFxVZueyI" \ + "wHY1IKOzJibJ4OP8re3MiYYoxdAd2fK4n9x/IvjIIXy8GfEsiBQXNEBDcMKTCGgJC0AAA" \ + "AVAPhsO/SR/pV7M52uwsfIbnTshxC/AAAAgCEG5HUjilYhxoWKAXhdsnEHKGzv9zDTkBQ" \ + "9c5zrG/ZegmJiFrpmwL2ON38Co+BcH88kxDjdyVOkIncldxVd0OpdAGLClhEVeY3g4nWl" \ + "DYPPxkH4GJapMltkYMwa6HaWCRRgNE/aEwcAyMj3lwtCRXtX33tMM+9hjDHUbRNkpv60A" \ + "AAAgB/6hg9VhH/eJLQm3URYl+dXSiBONDkbLzKHUvSaAqmItoDDsW6N/pd5XqrSzLxa1R" \ + 
"DihDoRNZbZ7uWCjRKfwoPZTKL42OV4WRa//gPDzx55zECZokYg0d5/AbZ3pmf9XYo2Lka" \ + "eA3PlT8Oz/DABW3BKipLrvXhZYAn8PumuUNsdAAAANwAAAAdzc2gtZHNzAAAAKBleCvo9" \ + "QgobHREVlFH0/E84XhTVRfOok7RE4ht2EOiZLG2cfThvWUQ= " \ + "fingerpr...@google.com" \ + +#define INVALID_DSA_NO_FP "publickey ssh-dss-cert-...@openssh.com AAAAHHNzaC1kc3Mt" \ "Y2VydC12MDFAb3BlbnNzaC5jb20AAAAgGrlYnOqQxs/zzfWRcrM7DHrFy653/x7rtOghw" \ "R/f3HIAAACBALzWA8yWLownZsO4Tuc4DF6EplCJ1SBSEqMYAEhzrnxjHkoOpJ3Ncs+Zn5" \ "jdcnCamkm6KQ4keXkV0xwLthRgLxhUguc9xANV5k2Vft+axWr+cp+KNiGzDjblTUnWzQD" \ @@ -187,7 +267,7 @@ "+YzrU7BOR7qnGs1qJqWhgFKXETMeHxPzpi4ny9tSNlI6c0g= " \ "fingerpr...@google.com" \ -#define INVALID_DSA_NON_CERT "ssh-dss AAAAB3NzaC1kc3MAAACBAO9UdOmq7Z0qy8" \ +#define INVALID_DSA_NON_CERT "publickey ssh-dss AAAAB3NzaC1kc3MAAACBAO9UdOmq7Z0qy8" \ "6mwsDf07TmXQe7X0TLKbyFSsd2b+jTCzpXy9rBhggoJlzYzxSQgtR4JaSTauZMiQQViN3" \ "cKvHuGfAXIOIMtMHVupNy6WSkcixGrvw6Y0Yr90+e8PXcFw6jwQbFZX4v9zlUuIl067rC" \ "rxp1jnhBjxvBZEmpR/ezAAAAFQCO10V2wYXJ7cSo4eEgHB1BnOxbzwAAAIEAzbdt5bgzV" \ @@ -198,7 +278,7 @@ "kN0PeT2KtyGWqLcnbFRSQGNQOs+vv3TIUofZosXKTA2EtmjpKcIbfu3lF+J50g= " \ "fingerpr...@google.com" \ -#define VALID_ED25519_SINGLE_EXT "ssh-ed25519-cert-...@openssh.com AAAAI" \ +#define VALID_ED25519_SINGLE_EXT "publickey ssh-ed25519-cert-...@openssh.com AAAAI" \ "HNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIDaErnQWEw/jxPD0JUJsEk" \ "CtENcE11Zl53QHbxbAgx22AAAAIHs6r2AekiTHmmoJMKxAKtKW4qcGq5Ku1+SJ1NLdZh0" \ "1AAAAAAAAAAAAAAABAAAAFmZpbmdlcnByaW50QGdvb2dsZS5jb20AAAAaAAAAFmZpbmdl" \ 
@@ -209,7 +289,20 @@ "Yv0T0U/GZoCiLfVm3pcXV3RA8aze+y/pbjv+MOxjmAb4KbRH31/S34UALsyGwQM= fing" \ "erpr...@google.com" \ -#define INVALID_ED25519_NO_FP "ssh-ed25519-cert-...@openssh.com AAAAIHNz" \ +#define VALID_ED25519_MULTI_EXT "publickey ssh-ed25519-cert-v01@openssh." \ + "com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIEBlk2f75yvu5" \ + "8QqsykJfRrKxblQi2RmcW2bzj9mhi2YAAAAINYsHqqaS4JdLuAevLnHc7lBu0qv2/Lfx+" \ + "VLRTIIA5wxAAAAAAAAAAAAAAABAAAAFmZpbmdlcnByaW50QGdvb2dsZS5jb20AAAAaAAA" \ + "AFmZpbmdlcnByaW50QGdvb2dsZS5jb20AAAAAZOTuuAAAAABmxND2AAAAAAAAAMUAAAA7" \ + "ZmluZ2VycHJpbnRAZ29vZ2xlLmNvbT1iODZkYjRjYS0wOWZkLTQyOWUtYjEyMS1hMTI3O" \ + "Tk2MTQwMzIAAAAAAAAAFXBlcm1pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAXcGVybWl0LW" \ + "FnZW50LWZvcndhcmRpbmcAAAAAAAAAFnBlcm1pdC1wb3J0LWZvcndhcmRpbmcAAAAAAAA" \ + "ACnBlcm1pdC1wdHkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAAAAAAAAAAAAAzAAAAC3Nz" \ + "aC1lZDI1NTE5AAAAIJD/WK1OEhbe0bG/3ibbjawl0FNHf3nho9hF9D5QcXOPAAAAUwAAA" \ + "Atzc2gtZWQyNTUxOQAAAEANxz8Lv5Ojc0U1SIU5eGoGk8N+LAHS5/OfB3AvLT94raJ8qc" \ + "lB7KvEgKOycsF5xLJOL9+/oe29SeNTq+ubIkIN fingerpr...@google.com" \ + +#define INVALID_ED25519_NO_FP "publickey ssh-ed25519-cert-...@openssh.com AAAAIHNz" \ "aC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIDDgIXa9QLFY7RpSNnWDm3Saq" \ "YZ5HGcpzHq9hdv64nqXAAAAIKfDRdZjpCb2YVsmhs286hQTH7JFctizNC0W7UQKfruSAA" \ "AAAAAAAAAAAAABAAAAFmZpbmdlcnByaW50QGdvb2dsZS5jb20AAAAaAAAAFmZpbmdlcnB" \ @@ -218,7 +311,7 @@ "AALc3NoLWVkMjU1MTkAAABAt2CPRZos3Lna+44LwI6ON8rRktxAqz1S4nUf+IwrG83Wbv" \ "nEvvZ2plHLTAU7GP2ZMedVKoXB9KXB2vNBVjt9Cg== fingerpr...@google.com" \ -#define INVALID_ED25519_NON_CERT "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH" \ +#define INVALID_ED25519_NON_CERT "publickey ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH" \ "s6r2AekiTHmmoJMKxAKtKW4qcGq5Ku1+SJ1NLdZh01 fingerpr...@google.com" \ TEST(SSHCATests, TestValidSingleExtCert) { 
@@ -226,9 +319,13 @@ const char *key; } *iter, tests[] = { {VALID_RSA_SINGLE_EXT}, + {VALID_RSA_MULTI_EXT}, {VALID_DSA_SINGLE_EXT}, + {VALID_DSA_MULTI_EXT}, {VALID_ECDSA_SINGLE_EXT}, + {VALID_ECDSA_MULTI_EXT}, {VALID_ED25519_SINGLE_EXT}, + {VALID_ED25519_MULTI_EXT}, { NULL }, };