[GitHub] [mina-sshd] tomaswolf commented on a diff in pull request #222: SSHD-1266 - fix for issue with critical option data encoding and smal…

GitBox Wed, 11 May 2022 07:40:46 -0700


tomaswolf commented on code in PR #222:
URL: https://github.com/apache/mina-sshd/pull/222#discussion_r870397695



##########
sshd-core/src/main/java/org/apache/sshd/certificate/OpenSshCertificateBuilder.java:
##########
@@ -104,7 +110,21 @@ public OpenSshCertificateBuilder 
principals(Collection<String> principals) {
     }
 
     public OpenSshCertificateBuilder 
criticalOptions(List<OpenSshCertificate.CertificateOption> criticalOptions) {
-        this.criticalOptions = criticalOptions;
+        if (criticalOptions != null && !criticalOptions.isEmpty()) {
+            // check if any duplicates
+            Set<String> names = new HashSet<String>();
+            Set<String> duplicates = criticalOptions.stream().filter(option -> 
!names.add(option.getName()))
+                    .map(option -> option.getName())
+                    .collect(Collectors.toSet());
+            if (!duplicates.isEmpty()) {
+                throw new IllegalArgumentException("Duplicate critical option: 
" + String.join(",", duplicates));
+            }
+            // lexically order by "name"
+            List<OpenSshCertificate.CertificateOption> sortedCriticalOptions = 
criticalOptions.stream()
+                    
.sorted(Comparator.comparing(OpenSshCertificate.CertificateOption::getName))
+                    .collect(Collectors.toList());
+            this.criticalOptions = sortedCriticalOptions;
+        }

Review Comment:
   I based my comment of the [OpenSSH 
documentation](https://github.com/openssh/openssh-portable/blob/0086a286ea6bbd11ca9b664ac3bb12b27443d6eb/PROTOCOL.certkeys#L274):
   
   > The encoding and ordering of extensions in this field is identical to that 
of the critical options, as is the requirement that each name appear only once.
   
   I had not checked what the OpenSSH code actually does. It appears that 
[auth-options.c](https://github.com/openssh/openssh-portable/blob/0086a286ea6bbd11ca9b664ac3bb12b27443d6eb/auth-options.c#L72)
 does not enforce _any_ ordering or key uniqueness requirements. 
[ssh-keygen.c](https://github.com/openssh/openssh-portable/blob/0086a286ea6bbd11ca9b664ac3bb12b27443d6eb/ssh-keygen.c#L1601)
 appears to only sort, but not check for duplicates, 
[except](https://github.com/openssh/openssh-portable/blob/0086a286ea6bbd11ca9b664ac3bb12b27443d6eb/ssh-keygen.c#L1964)
 for `force-command` and `source-address`.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org

[GitHub] [mina-sshd] tomaswolf commented on a diff in pull request #222: SSHD-1266 - fix for issue with critical option data encoding and smal…

Reply via email to