Zeljko Vukovic created SSHD-1266:
------------------------------------

Summary: OpenSSH certificate is not properly encoded when critical options are included
Key: SSHD-1266
URL: https://issues.apache.org/jira/browse/SSHD-1266
Project: MINA SSHD
Issue Type: Bug
Affects Versions: 2.8.0
Reporter: Zeljko Vukovic
If critical options are included, the OpenSSH certificate can't be read with OpenSSH. In order to reproduce the issue we can use the existing test [https://github.com/apache/mina-sshd/blob/master/sshd-core/src/test/java/org/apache/sshd/certificates/GenerateOpenSSHClientCertificateTest.java#L152] but just add critical options:

{code:java}
// clientPublicKey, caKeypair and signatureAlgorithm are the values already set up in the linked test
final OpenSshCertificate signedCert = OpenSshCertificateBuilder.userCertificate()
        .serial(0L)
        .publicKey(clientPublicKey)
        .id("user01")
        .principals(Collections.singletonList("user01"))
        .criticalOptions(Arrays.asList(
                new OpenSshCertificate.CertificateOption("force-command", "wget url"),
                new OpenSshCertificate.CertificateOption("source-address", "127.0.0.1/32")))
        .extensions(Arrays.asList(
                new OpenSshCertificate.CertificateOption("permit-X11-forwarding"),
                new OpenSshCertificate.CertificateOption("permit-agent-forwarding"),
                new OpenSshCertificate.CertificateOption("permit-port-forwarding"),
                new OpenSshCertificate.CertificateOption("permit-pty"),
                new OpenSshCertificate.CertificateOption("permit-user-rc")))
        .sign(caKeypair, signatureAlgorithm);
{code}

Once we check such a certificate we get the following error:

{code}
> ssh-keygen -L -f /path/to/cert.pub
        Type: ecdsa-sha2-nistp256-cert-...@openssh.com user certificate
        Public key: ECDSA-CERT SHA256:0ITcONLKI/H/FNpXZVZMaEYB0STXD4BQNBkSSuDpk5U
        Signing CA: ECDSA SHA256:KPz5LunqQBL9hWJx5eDk11T16anJCn40d/g480PfuKw (using ecdsa-sha2-nistp384)
        Key ID: "user01"
        Serial: 0
        Valid: forever
        Principals:
                user01
        Critical Options:
show_options: buffer error: string is too large
{code}

and similar for the other cert types (RSA, EC, Ed25519).

I was tracing this issue and it looks like it is related to this code [https://github.com/apache/mina-sshd/blob/master/sshd-common/src/main/java/org/apache/sshd/common/util/buffer/Buffer.java#L840], but I was not able to figure out what exactly.

[~alex.sher...@gmail.com] / [~twolf] if you have any hints, I am more than open to support and create a PR.
This defect is related to the following tickets:
https://issues.apache.org/jira/browse/SSHD-1166
https://issues.apache.org/jira/browse/SSHD-1161
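Added example, not part of the ticket or of the MINA SSHD code base: a small Python model of how OpenSSH's PROTOCOL.certkeys lays out the critical-options field, to show how a "string is too large" error can arise when an option value is written without its inner wrapper. In that format the whole options block is one SSH string; inside it each option is {{string name}} followed by {{string data}}, and for options that carry a value (force-command, source-address) {{data}} itself holds a nested {{string value}}, while flag-style extensions such as permit-pty have empty {{data}}. The parser below reads the block the way a certificate inspector would. Whether this particular mistake is the cause in Buffer.java is an assumption for illustration only, not something the ticket establishes; the sample option values are the ones from the ticket's snippet.

```python
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string' (RFC 4251 section 5): uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(buf: bytes, off: int):
    """Decode one SSH string starting at offset `off`; return (payload, new offset).

    A length field that exceeds the bytes still available is reported the same way a
    certificate inspector reports it ("string is too large"); this is an approximation
    of OpenSSH's sshbuf error handling, not a copy of it.
    """
    if off + 4 > len(buf):
        raise ValueError("buffer error: incomplete length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if n > len(buf) - off:
        raise ValueError("buffer error: string is too large")
    return buf[off:off + n], off + n


def encode_options(options, nested=True):
    """Encode a list of (name, value-or-None) pairs as a certificate options block.

    nested=True  -> correct layout: data = string(value) for valued options, empty for flags.
    nested=False -> the value is written directly as `data` (the mis-encoding this example
                    illustrates); flags are unaffected because their data is empty either way.
    """
    body = b""
    for name, value in options:
        data = b"" if value is None else value.encode()
        if nested and value is not None:
            data = ssh_string(data)          # PROTOCOL.certkeys: data contains a string
        body += ssh_string(name.encode()) + ssh_string(data)
    return ssh_string(body)                  # the options block is itself one string


def parse_options(blob: bytes):
    """Parse an options block back into (name, value-or-None) pairs, rejecting bad layouts."""
    block, off = read_ssh_string(blob, 0)
    if off != len(blob):
        raise ValueError("buffer error: trailing bytes after options block")
    result, pos = [], 0
    while pos < len(block):
        name, pos = read_ssh_string(block, pos)
        data, pos = read_ssh_string(block, pos)
        if not data:                         # flag option, e.g. permit-pty
            result.append((name.decode(), None))
            continue
        value, inner = read_ssh_string(data, 0)   # valued option: data holds a nested string
        if inner != len(data):
            raise ValueError("buffer error: trailing bytes in option data")
        result.append((name.decode(), value.decode()))
    return result


def describe_options(blob: bytes):
    """Return the parsed options, or the error text an inspector would print for the field."""
    try:
        return parse_options(blob)
    except ValueError as exc:
        return f"show_options: {exc}"


# Sample values taken from the ticket's test snippet (constructed input for this example).
SAMPLE_CRITICAL_OPTIONS = [("force-command", "wget url"), ("source-address", "127.0.0.1/32")]
SAMPLE_EXTENSIONS = [("permit-pty", None), ("permit-user-rc", None)]

if __name__ == "__main__":
    print("correct encoding :", describe_options(encode_options(SAMPLE_CRITICAL_OPTIONS)))
    print("missing wrapper  :", describe_options(encode_options(SAMPLE_CRITICAL_OPTIONS, nested=False)))
    print("extensions       :", describe_options(encode_options(SAMPLE_EXTENSIONS)))
```

With the inner wrapper missing, the parser reads the first four bytes of "wget url" (0x77676574) as a length, which is far larger than the remaining buffer, so the field fails with exactly the "string is too large" class of error seen in the ticket, while extension-only certificates keep working because flag options carry no value. That asymmetry (critical options break, extensions parse) is a useful check when reviewing a certificate encoder.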