tomaswolf commented on code in PR #222: URL: https://github.com/apache/mina-sshd/pull/222#discussion_r869384180
########## sshd-core/src/main/java/org/apache/sshd/certificate/OpenSshCertificateBuilder.java: ########## @@ -104,7 +110,21 @@ public OpenSshCertificateBuilder principals(Collection<String> principals) { } public OpenSshCertificateBuilder criticalOptions(List<OpenSshCertificate.CertificateOption> criticalOptions) { - this.criticalOptions = criticalOptions; + if (criticalOptions != null && !criticalOptions.isEmpty()) { + // check if any duplicates + Set<String> names = new HashSet<String>(); + Set<String> duplicates = criticalOptions.stream().filter(option -> !names.add(option.getName())) + .map(option -> option.getName()) + .collect(Collectors.toSet()); + if (!duplicates.isEmpty()) { + throw new IllegalArgumentException("Duplicate critical option: " + String.join(",", duplicates)); + } + // lexically order by "name" + List<OpenSshCertificate.CertificateOption> sortedCriticalOptions = criticalOptions.stream() + .sorted(Comparator.comparing(OpenSshCertificate.CertificateOption::getName)) + .collect(Collectors.toList()); + this.criticalOptions = sortedCriticalOptions; + } Review Comment: Thanks for adding this; I also noticed that. The same duplicate detection and sorting is also needed for the extensions. ########## sshd-core/src/test/java/org/apache/sshd/certificates/GenerateOpenSSHClientCertificateTest.java: ########## @@ -154,7 +150,12 @@ public void signCertificate() throws Exception { .publicKey(clientPublicKey) .id("user01") .principals(Collections.singletonList("user01")) + .criticalOptions(Arrays.asList( + new OpenSshCertificate.CertificateOption("force-command", "/path/to/script.sh"), + new OpenSshCertificate.CertificateOption("source-address", "127.0.0.1/32"), + new OpenSshCertificate.CertificateOption("verify-required"))) Review Comment: Please also add critical options in the `GenerateOpenSshClientCertificateOracleTest`. That one tests against pre-existing certificates generated using OpenSSH. ########## sshd-core/src/test/java/org/apache/sshd/certificates/GenerateOpenSSHClientCertificateTest.java: ########## @@ -154,7 +150,12 @@ public void signCertificate() throws Exception { .publicKey(clientPublicKey) .id("user01") .principals(Collections.singletonList("user01")) + .criticalOptions(Arrays.asList( + new OpenSshCertificate.CertificateOption("force-command", "/path/to/script.sh"), + new OpenSshCertificate.CertificateOption("source-address", "127.0.0.1/32"), + new OpenSshCertificate.CertificateOption("verify-required"))) .extensions(Arrays.asList( + new OpenSshCertificate.CertificateOption("no-touch-required"), Review Comment: A bit off-topic, but I wonder: should non-sk keys even accept this option? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org For additional commands, e-mail: dev-h...@mina.apache.org