[GitHub] [mina-sshd] tomaswolf commented on a diff in pull request #222: SSHD-1266 - fix for issue with critical option data encoding and smal…

Tue, 10 May 2022 10:11:36 -0700 


tomaswolf commented on code in PR #222:
URL: https://github.com/apache/mina-sshd/pull/222#discussion_r869384180


##########
sshd-core/src/main/java/org/apache/sshd/certificate/OpenSshCertificateBuilder.java:
##########
@@ -104,7 +110,21 @@ public OpenSshCertificateBuilder 
principals(Collection<String> principals) {
     }
 
     public OpenSshCertificateBuilder 
criticalOptions(List<OpenSshCertificate.CertificateOption> criticalOptions) {
-        this.criticalOptions = criticalOptions;
+        if (criticalOptions != null && !criticalOptions.isEmpty()) {
+            // check if any duplicates
+            Set<String> names = new HashSet<String>();
+            Set<String> duplicates = criticalOptions.stream().filter(option -> 
!names.add(option.getName()))
+                    .map(option -> option.getName())
+                    .collect(Collectors.toSet());
+            if (!duplicates.isEmpty()) {
+                throw new IllegalArgumentException("Duplicate critical option: 
" + String.join(",", duplicates));
+            }
+            // lexically order by "name"
+            List<OpenSshCertificate.CertificateOption> sortedCriticalOptions = 
criticalOptions.stream()
+                    
.sorted(Comparator.comparing(OpenSshCertificate.CertificateOption::getName))
+                    .collect(Collectors.toList());
+            this.criticalOptions = sortedCriticalOptions;
+        }

Review Comment:
   Thanks for adding this; I also noticed that. The same duplicate detection 
and sorting is also needed for the extensions.



##########
sshd-core/src/test/java/org/apache/sshd/certificates/GenerateOpenSSHClientCertificateTest.java:
##########
@@ -154,7 +150,12 @@ public void signCertificate() throws Exception {
                 .publicKey(clientPublicKey)
                 .id("user01")
                 .principals(Collections.singletonList("user01"))
+                .criticalOptions(Arrays.asList(
+                        new 
OpenSshCertificate.CertificateOption("force-command", "/path/to/script.sh"),
+                        new 
OpenSshCertificate.CertificateOption("source-address", "127.0.0.1/32"),
+                        new 
OpenSshCertificate.CertificateOption("verify-required")))

Review Comment:
   Please also add critical options in the 
`GenerateOpenSshClientCertificateOracleTest`. That one tests against 
pre-existing certificates generated using OpenSSH.



##########
sshd-core/src/test/java/org/apache/sshd/certificates/GenerateOpenSSHClientCertificateTest.java:
##########
@@ -154,7 +150,12 @@ public void signCertificate() throws Exception {
                 .publicKey(clientPublicKey)
                 .id("user01")
                 .principals(Collections.singletonList("user01"))
+                .criticalOptions(Arrays.asList(
+                        new 
OpenSshCertificate.CertificateOption("force-command", "/path/to/script.sh"),
+                        new 
OpenSshCertificate.CertificateOption("source-address", "127.0.0.1/32"),
+                        new 
OpenSshCertificate.CertificateOption("verify-required")))
                 .extensions(Arrays.asList(
+                        new 
OpenSshCertificate.CertificateOption("no-touch-required"),

Review Comment:
   A bit off-topic, but I wonder: should non-sk keys even accept this option?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to