Add support for OpenSSH certificates, resolve #31 #901
Conversation
norrisjeremy
left a comment
norrisjeremy
left a comment
There was a problem hiding this comment.
- Can you run
mvn formatter:formatto ensure that everything is formatted correctly? - Does this support SSH certs for host keys? If not, we need to add support for that too, as I'm opposed to only adding support SSH certs for user pubkey auth, w/o also adding support for SSH certs as host keys as well at the same time.
src/main/java/com/jcraft/jsch/OpenSshCertificateAwareIdentityFile.java
Outdated
Show resolved
Hide resolved
src/main/java/com/jcraft/jsch/OpenSshCertificateAwareIdentityFile.java
Outdated
Show resolved
Hide resolved
|
@norrisjeremy is there more feedback to this, as it would be nice to get to the finish line, thanks |
|
Hi @norrisjeremy, thanks for following up. I marked the comments as resolved on GitHub because I had already addressed them locally and didn’t want to lose track of your suggestions. I’m currently adding support for host keys as well (it’s nearly finished) and I’ll push everything together in the next update. Please let me know if you have any additional suggestions in the meantime. |
Hi @luigidemasi, Great, thanks! We are excited to have someone step up and contribute this work! Thanks, |
I added the support for Host Certificate, let me know wdyt. |
|
Great to see progress on this one. If we are getting close to the finish line it would be good to do the last review and update the reported findings so fingers crossed we can get this merged and released. Thank you. |
I probably won't have time to start reviewing this again until next week. |
Thanks for the update, no problem. Just glad we are on path to the goal line. |
|
Sorry to bother - but would be good to get this reviewed |
HI @davsclaus, Yes, I haven't forgotten, I will try to review it when I have some time available. Thanks, |
norrisjeremy
left a comment
norrisjeremy
left a comment
There was a problem hiding this comment.
Just a few initial comments, I still have a lot left to review.
src/main/java/com/jcraft/jsch/OpenSshCertificateHostKeyVerifier.java
Outdated
Show resolved
Hide resolved
luigidemasi
force-pushed
the
openssh_certificate_support
branch
from
e3194d7 to
7db8379
Compare
There was a problem hiding this comment.
Do we need to change anything here to properly support host certs?
| if (type.equals("rsa-sha2-256") || type.equals("rsa-sha2-512") | ||
| || type.equals("ssh-rsa-sha224@ssh.com") || type.equals("ssh-rsa-sha256@ssh.com") | ||
| || type.equals("ssh-rsa-sha384@ssh.com") || type.equals("ssh-rsa-sha512@ssh.com")) { | ||
| type = "ssh-rsa"; | ||
| } |
There was a problem hiding this comment.
For example, do we need to add any adjustments here to map rsa-sha2-512-cert-v01@openssh.com & rsa-sha2-256-cert-v01@openssh.com to ssh-rsa-cert-v01@openssh.com?
src/main/java/com/jcraft/jsch/OpenSshCertificateHostKeyVerifier.java
Outdated
Show resolved
Hide resolved
src/main/java/com/jcraft/jsch/OpenSshCertificateHostKeyVerifier.java
Outdated
Show resolved
Hide resolved
| + certificateId); | ||
| } | ||
|
|
||
| checkSignature(certificate, caPublicKeyAlgorithm); |
There was a problem hiding this comment.
We need to add support for the CASignatureAlgorithms option and then allow enforcement of it at some point:
CASignatureAlgorithms
Specifies which algorithms are allowed for signing of certificates by certificate authorities (CAs). The default is:
ssh-ed25519,ecdsa-sha2-nistp256,
ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ssh-ed25519@openssh.com,
sk-ecdsa-sha2-nistp256@openssh.com,
rsa-sha2-512,rsa-sha2-256
If the specified list begins with a ‘+’ character, then the specified algorithms will be appended to the default set instead of replacing them. If the specified list begins with a ‘-’ character, then the specified algorithms (including wildcards) will be removed from the default set instead of
replacing them.
ssh(1) will not accept host certificates signed using algorithms other than those specified.
src/main/java/com/jcraft/jsch/OpenSshCertificateHostKeyVerifier.java
Outdated
Show resolved
Hide resolved
src/main/java/com/jcraft/jsch/OpenSshCertificateAwareIdentityFile.java
Outdated
Show resolved
Hide resolved
src/main/java/com/jcraft/jsch/OpenSshCertificateHostKeyVerifier.java
Outdated
Show resolved
Hide resolved
src/main/java/com/jcraft/jsch/OpenSshCertificateAwareIdentityFile.java
Outdated
Show resolved
Hide resolved
norrisjeremy
left a comment
norrisjeremy
left a comment
There was a problem hiding this comment.
It makes me a bit nervous how much of the new parsing code for handling certs is converting everything to String objects, since much of the existing code for parsing regular public keys simply does it by operating on byte[] objects.
I worry this could potentially result in large changes of overall memory usage & garbage collection pressure by JSch.
src/main/java/com/jcraft/jsch/OpenSshCertificateHostKeyVerifier.java
Outdated
Show resolved
Hide resolved
|
Hi @luigidemasi, Why have you marked many of the comments I have made as resolved even though no changes have been pushed? Thanks, |
src/main/java/com/jcraft/jsch/OpenSshCertificateAwareIdentityFile.java
Outdated
Show resolved
Hide resolved
src/main/java/com/jcraft/jsch/OpenSshCertificateAwareIdentityFile.java
Outdated
Show resolved
Hide resolved
Hi @norrisjeremy, same as #901 (comment) |
|
Are there integration tests covering cases in which CA key type doesn't match the user/host key type? I.e., I believe it is valid for an Assuming my understanding is correct, we should construct various combinations of certs in which the cert algorithm doesn't match the CA key algorithm for integration tests. |
You are 100% correct that SSH allows the CA key type to be different from the certificate key type it signs (i.e., cross-signing is permissible). I have coverage for this specific scenario. In both I believe this covers the various combinations you mentioned. |
Excellent, thanks! |
luigidemasi
force-pushed
the
openssh_certificate_support
branch
from
8bc73ed to
350e3ed
Compare
… Host Certificate
… code review for Host Certificate support
luigidemasi
force-pushed
the
openssh_certificate_support
branch
from
350e3ed to
abef369
Compare
… code review for Host Certificate support - part2
luigidemasi
force-pushed
the
openssh_certificate_support
branch
from
abef369 to
7934f5d
Compare
|
| // any principal of the specified type." | ||
| // Empty principals in a host certificate mean the certificate is valid for any host. | ||
| Collection<String> principals = certificate.getPrincipals(); | ||
| if (principals != null && !principals.isEmpty()) { |
There was a problem hiding this comment.
I'm a bit confused: is this allowing host certs with empty or missing principals?
Doesn't that contradict draft-miller-ssh-cert-05 section 3.1 & draft-miller-ssh-cert-05 section 3.3?
Or am I misunderstanding?
3.1. Accepting certificates
...
* MUST verify that at least one of the listed certificate principals
is accepted
...
3.3. Use in host authentication
...
Certificate host keys list hostnames and/or IP addresses for the host
in their "principals" section. Clients MUST match the hostname or
address thay are using for the host against the principals in this
list and refuse to authorise the certificate if it is absent.
...
There was a problem hiding this comment.
It's here: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/Attic/PROTOCOL.certkeys?annotate=HEAD
but I agree with you that probably it's better to do the opposite, no principals means validation fails.
There was a problem hiding this comment.
Interesting.
Can you validate how OpenSSH behaves?
Does it's ssh client reject a host that presents a host cert with empty/missing principals (aligning with draft-miller-ssh-cert-05)?
Or does it accept it (aligning with the original PROTOCOL.certkeys)?
There was a problem hiding this comment.
I think OpenSSH rejects host certs with empty principals if I'm reading through their code correct:
https://github.com/openssh/openssh-portable/blob/0ffb76c6590800958777cd0f7b1aaae19c74fa3f/sshkey.c#L2419.
There was a problem hiding this comment.
I think OpenSSH rejects host certs with empty principals if I'm reading through their code correct: https://github.com/openssh/openssh-portable/blob/0ffb76c6590800958777cd0f7b1aaae19c74fa3f/sshkey.c#L2419.
nope, require_principal is 0 in sshkey_cert_check_host method:
sshkey_cert_check_host(host_key, hostname, 0, options.ca_sign_algorithms, &fail_reason)while is 1 when validating a user certificate:
if (sshkey_cert_check_authority_now(key, 0, 1, 0,
use_authorized_principals ? NULL : pw->pw_name, &reason) != 0)
goto fail_reason;To summarize:
- Empty principal lists are formally valid for both user and host certificates
- An empty principal list creates a "wildcard certificate" - valid for any principal
- There's no RFC requirement that says user certificates must have principals
any certificate with empty principal list is formally valid, but are wildcard certificates and can be used by anyone.
OpenSSH makes a security-minded choice that goes beyond the specification, but this is OpenSSH policy, not protocol specification.
There was a problem hiding this comment.
Hi @norrisjeremy,
I’m just circling back following your note from earlier this month. I completely understand that things can get busy, so no worries at all if you haven't had the chance to dig back into this yet.
However, since I’m keen to unblock this PR, would it help to offload this review to another maintainer? Is there someone else you trust to take a look?
Luigi.
There was a problem hiding this comment.
Hi @luigidemasi,
Apologies, it's been a busy time lately, I'm hoping to find time to circle back to this soon.
Thanks,
Jeremy
There was a problem hiding this comment.
thanks, we are close to the finish line for this PR. Maybe any extra work can be in a new tricket/PR to avoid this being stalled for very long time.
There was a problem hiding this comment.
Hi @davsclaus,
I know you and other folks are extremely anxious to see this land, but I would ask that you remain patient.
I've been busy lately with some other work, but I'm hoping to find time soon to dedicate to reviewing this more.
Thanks,
Jeremy
There was a problem hiding this comment.
Sorry to bother you, but we are coming to a close to 2025 and this PR has been open for 3+ months now.
Are you considering to meet us half-way or something? I know its ungrateful work to maintain open source, but it also adds bad vibes when PRs are dragged along for a long time.
To my understanding this is new feature that is designed to not affect any existing functionality (forgive me if I got that wrong). And if so could this new feature then be documented that "there is a spec clarification in progress .. so use this with that in mind, that it can be changed when the clarification is provided".
Regards
Claus Ibsen
3 participants
No description provided.