[jira] [Commented] (SSHD-1266) OpenSSH certificate is not properly encoded when critical options are included

[Thomas Wolf (Jira)]

    [ 
https://issues.apache.org/jira/browse/SSHD-1266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17534508#comment-17534508
 ] 

Thomas Wolf commented on SSHD-1266:
-----------------------------------

[~alex.sher...@gmail.com]: the {{ClientOpenSSHCertificatesTest.java}} still 
exists and is run. But I think it only tests that with certificates created by 
OpenSSH we can connect to an OpenSSH server. (i.e., that our protocol handling 
of these certificates is correct.)

Generating certificates came later, and it has a test that verifies that 
certificates generated by Java match certificates generated by OpenSSH. But 
that test forgot to add critical options.

> OpenSSH certificate is not properly encoded when critical options are included
> ------------------------------------------------------------------------------
>
>                 Key: SSHD-1266
>                 URL: https://issues.apache.org/jira/browse/SSHD-1266
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 2.8.0
>            Reporter: Zeljko Vukovic
>            Priority: Minor
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> If critical options are included when OpenSSH certificate is created same 
> can't be read with OpenSSH.
>  
> In oder to reproduce issue we can use existing test 
> [https://github.com/apache/mina-sshd/blob/master/sshd-core/src/test/java/org/apache/sshd/certificates/GenerateOpenSSHClientCertificateTest.java#L152]
>  and just add critical options (as in the example bellow)
> {code:java}
> final OpenSshCertificate signedCert = 
> OpenSshCertificateBuilder.userCertificate()
>                .serial(0L)                
>                .publicKey(clientPublicKey)                
>                .id("user01")                
>                .principals(Collections.singletonList("user01"))               
>  
>                .criticalOptions(Arrays.asList(
>                         new 
> OpenSshCertificate.CertificateOption("force-command", "wget url"),
>                         new 
> OpenSshCertificate.CertificateOption("source-address", "127.0.0.1/32")))      
>     
>                .extensions(Arrays.asList(
>                         new 
> OpenSshCertificate.CertificateOption("permit-X11-forwarding"),
>                         new 
> OpenSshCertificate.CertificateOption("permit-agent-forwarding"),
>                         new 
> OpenSshCertificate.CertificateOption("permit-port-forwarding"),
>                         new 
> OpenSshCertificate.CertificateOption("permit-pty"),
>                         new 
> OpenSshCertificate.CertificateOption("permit-user-rc")))
>                 .sign(caKeypair, signatureAlgorithm); {code}
>  
> Once we check such certificate we get following error 
> {code:java}
> > ssh-keygen -L -f  /path/to/cert.pub 
> Type: ecdsa-sha2-nistp256-cert-...@openssh.com user certificate
>         Public key: ECDSA-CERT 
> SHA256:0ITcONLKI/H/FNpXZVZMaEYB0STXD4BQNBkSSuDpk5U
>         Signing CA: ECDSA SHA256:KPz5LunqQBL9hWJx5eDk11T16anJCn40d/g480PfuKw 
> (using ecdsa-sha2-nistp384)
>         Key ID: "user01"
>         Serial: 0
>         Valid: forever
>         Principals: 
>                 user01
>         Critical Options: 
> show_options: buffer error: string is too large {code}
> and similar for the other cert types(RSA, EC, Ed25519).
> I was tracing this issue and it looks like related to this code 
> [https://github.com/apache/mina-sshd/blob/master/sshd-common/src/main/java/org/apache/sshd/common/util/buffer/Buffer.java#L840]
>  but I was not able to figure out what exactly.  
>  
> Interesting is that parsing certificate is working as expected 
> [https://github.com/apache/mina-sshd/blob/master/sshd-common/src/main/java/org/apache/sshd/common/util/buffer/Buffer.java#L370]
> from code but also even if I create certificate directly with ssh-keygen
> {code:java}
> ssh-keygen -t rsa -b 4096 -f user_ca -C user_ca
> ssh-keygen -f user-key -b 4096 -t rsa
> ssh-keygen -s user_ca -I certN -n user -O source-address="127.0.0.1/32" -O 
> force-command="wget url" -V +10d user-key.pub {code}
>  
> [~alex.sher...@gmail.com] / [~twolf]  please if any hints what to check(it 
> looks to me that there is something wrong with encoding certificate option 
> data 
> [https://github.com/apache/mina-sshd/blob/master/sshd-common/src/main/java/org/apache/sshd/common/util/buffer/Buffer.java#L838-L845]
>  , like these tuples should be written somehow differently) I am more than 
> open to support and create PR.
> This is working as expected for extensions as these are all empty(do not have 
> data) but once we include critical options which have data than there is 
> mentioned failure 
> ([https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys#L221-L268]
>  ).
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org