keyParser: Properly parse ssh certificates

getPublicSSH() will simply pass through the original key blob. getPublicPEM() will return raw public key data of the certificate's public key, without incorporating the additional metadata.
mscdex · Jul 21, 2019 · 447a0c6 · 447a0c6
1 parent a7abff5
commit 447a0c6
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 4 deletions.
diff --git a/lib/keyParser.js b/lib/keyParser.js
@@ -1223,7 +1223,7 @@ function parseDER(data, baseType, comment, fullType) {
       if (n === false)
         return new Error('Malformed OpenSSH public key');
       pubPEM = genOpenSSLRSAPub(n, e);
-      pubSSH = genOpenSSHRSAPub(n, e);
+      pubSSH = data;
       algo = 'sha1';
       break;
     case 'ssh-dss':
@@ -1240,15 +1240,15 @@ function parseDER(data, baseType, comment, fullType) {
       if (y === false)
         return new Error('Malformed OpenSSH public key');
       pubPEM = genOpenSSLDSAPub(p, q, g, y);
-      pubSSH = genOpenSSHDSAPub(p, q, g, y);
+      pubSSH = data;
       algo = 'sha1';
       break;
     case 'ssh-ed25519':
       var edpub = utils.readString(data, data._pos);
       if (edpub === false || edpub.length !== 32)
         return new Error('Malformed OpenSSH public key');
       pubPEM = genOpenSSLEdPub(edpub);
-      pubSSH = genOpenSSHEdPub(edpub);
+      pubSSH = data;
       algo = null;
       break;
     case 'ecdsa-sha2-nistp256':
@@ -1271,7 +1271,7 @@ function parseDER(data, baseType, comment, fullType) {
       if (ecpub === false)
         return new Error('Malformed OpenSSH public key');
       pubPEM = genOpenSSLECDSAPub(oid, ecpub);
-      pubSSH = genOpenSSHECDSAPub(oid, ecpub);
+      pubSSH = data;
       break;
     default:
       return new Error('Unsupported OpenSSH public key type: ' + baseType);
@@ -1316,6 +1316,12 @@ OpenSSH_Public.prototype = BaseKey;
     var type = utils.readString(data, data._pos, 'ascii');
     if (type === false || type.indexOf(baseType) !== 0)
       return new Error('Malformed OpenSSH public key');
+    if (/-cert-v0[01]@openssh.com/.test(type)) {
+      var nonce = utils.readString(data, data._pos);
+      if (nonce === false) {
+        return new Error('Malformed OpenSSH certificate');
+      }
+    }
 
     return parseDER(data, baseType, comment, fullType);
   };

diff --git a/test/fixtures/openssh_cert_rsa-cert.pub b/test/fixtures/openssh_cert_rsa-cert.pub
@@ -0,0 +1 @@
+[email protected] AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgz5fIcgoIkQsJZQDfctoMKo7Iq/3X0DMXdPjncT7qzAAAAAADAQABAAABAQC23GMXX23QWyEy0GLUvR4fIXhyxqyfFfoJG/bBIi4br8CTkvAqkt6dMuOHOPKRlDwrMjcM0fIuSm87LDrZ1at1z0xtuVjHBoBXfp1FyGfKc2qFtqVnIX6pq2PFoVf8dcL/xR/OP9VMqx6O+PMv/jEXkENw6hEy0PtXuwYDg9VLI04QDtrx6v44BUbUvu8Qq9f8G5zcFBxMr8BdaPP6sdyWGVk05MRa7j+uC5zS3KS8dGV0PIOEeUmcVuhJsRRSVgBzzUq2mA1doui3GWA7vMQOyn4x89fMi3gXfjM8XMZA7Kc/35Nc0GxqtTYQT8G/axp2WdA7vyI1uz+4lk29ITW/AAAAAAAAAAAAAAABAAAAFHNzaDItc3RyZWFtcy1maXh0dXJlAAAAAAAAAABdNHdgAAAAAF00hcAAAAAdAAAADWZvcmNlLWNvbW1hbmQAAAAIAAAABGxzIC8AAAAdAAAAFXBlcm1pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAAAAABFwAAAAdzc2gtcnNhAAAAAwEAAQAAAQEAqQ9PJtVu1y4XS8SvQnmV5va1RtiaSrcPdAcT7PE93lQMLpvsx2qDHSRy8KfqD2rZO9IjU8H6fEqKJEcuLkt+sECk3UlHLFgxhD7MYYW0KFpxfzoE8h5W/8qppXkqIu8uzwn3/+DcgTx2Ce6XN8B/yXBT1kFpnmpiRnyXS8CVKX0HMVYpdlsfUexy3BtXIphSUJsyYGs/1SUuybO0mYPguoYORtp0Od0/vScFgz/h6rzQtJgMsDns+XG4EoRmt1JMzdbBVEC/f154RCBqV2w1CGYlZ09nqOExZTEwGKktAImYn3LElqEcjzWf0PSBJ7awNVF/bGwMO+kQRJCfeKGlFwAAAQ8AAAAHc3NoLXJzYQAAAQCDThDHnBzeoEIlMYr7vzhl8hC7AxiXlsuLathqkYzn7H0AU5eGspfvJysV38vnXt/21TzFBorQ66be8cc/YHLfAaJqdpZEJWsxxqSRkVmAkpzaVN8k9OcVx9BqBS2VFwuanDoAw5JM2NEeZ6byQGd0cgWJcdGZ1K/EXzhYXCFcMPe1ye2Y2mdViDH+mellwuSw+H6Uq+UQbpbHf9fyJjReJ4Pu8C7PRMlD0JaZCFTKi58QlQcneOaQuVrtvZ4wDmvgLtWl+Zsqt9lUTpXZjwazXYDr8zyJ0cU+HMMVZ4E5StOKzTGg91jcOuChhZvkVOeJ2B4+KAsL2X9pu51iJj9h ssh certificate
diff --git a/test/fixtures/openssh_cert_rsa-cert.pub.result b/test/fixtures/openssh_cert_rsa-cert.pub.result
@@ -0,0 +1,7 @@
+{
+  "type": "[email protected]",
+  "comment": "ssh certificate",
+  "public": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAttxjF19t0FshMtBi1L0e\nHyF4csasnxX6CRv2wSIuG6/Ak5LwKpLenTLjhzjykZQ8KzI3DNHyLkpvOyw62dWr\ndc9MbblYxwaAV36dRchnynNqhbalZyF+qatjxaFX/HXC/8Ufzj/VTKsejvjzL/4x\nF5BDcOoRMtD7V7sGA4PVSyNOEA7a8er+OAVG1L7vEKvX/Buc3BQcTK/AXWjz+rHc\nlhlZNOTEWu4/rguc0tykvHRldDyDhHlJnFboSbEUUlYAc81KtpgNXaLotxlgO7zE\nDsp+MfPXzIt4F34zPFzGQOynP9+TXNBsarU2EE/Bv2sadlnQO78iNbs/uJZNvSE1\nvwIDAQAB\n-----END PUBLIC KEY-----",
+  "publicSSH": "AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgz5fIcgoIkQsJZQDfctoMKo7Iq/3X0DMXdPjncT7qzAAAAAADAQABAAABAQC23GMXX23QWyEy0GLUvR4fIXhyxqyfFfoJG/bBIi4br8CTkvAqkt6dMuOHOPKRlDwrMjcM0fIuSm87LDrZ1at1z0xtuVjHBoBXfp1FyGfKc2qFtqVnIX6pq2PFoVf8dcL/xR/OP9VMqx6O+PMv/jEXkENw6hEy0PtXuwYDg9VLI04QDtrx6v44BUbUvu8Qq9f8G5zcFBxMr8BdaPP6sdyWGVk05MRa7j+uC5zS3KS8dGV0PIOEeUmcVuhJsRRSVgBzzUq2mA1doui3GWA7vMQOyn4x89fMi3gXfjM8XMZA7Kc/35Nc0GxqtTYQT8G/axp2WdA7vyI1uz+4lk29ITW/AAAAAAAAAAAAAAABAAAAFHNzaDItc3RyZWFtcy1maXh0dXJlAAAAAAAAAABdNHdgAAAAAF00hcAAAAAdAAAADWZvcmNlLWNvbW1hbmQAAAAIAAAABGxzIC8AAAAdAAAAFXBlcm1pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAAAAABFwAAAAdzc2gtcnNhAAAAAwEAAQAAAQEAqQ9PJtVu1y4XS8SvQnmV5va1RtiaSrcPdAcT7PE93lQMLpvsx2qDHSRy8KfqD2rZO9IjU8H6fEqKJEcuLkt+sECk3UlHLFgxhD7MYYW0KFpxfzoE8h5W/8qppXkqIu8uzwn3/+DcgTx2Ce6XN8B/yXBT1kFpnmpiRnyXS8CVKX0HMVYpdlsfUexy3BtXIphSUJsyYGs/1SUuybO0mYPguoYORtp0Od0/vScFgz/h6rzQtJgMsDns+XG4EoRmt1JMzdbBVEC/f154RCBqV2w1CGYlZ09nqOExZTEwGKktAImYn3LElqEcjzWf0PSBJ7awNVF/bGwMO+kQRJCfeKGlFwAAAQ8AAAAHc3NoLXJzYQAAAQCDThDHnBzeoEIlMYr7vzhl8hC7AxiXlsuLathqkYzn7H0AU5eGspfvJysV38vnXt/21TzFBorQ66be8cc/YHLfAaJqdpZEJWsxxqSRkVmAkpzaVN8k9OcVx9BqBS2VFwuanDoAw5JM2NEeZ6byQGd0cgWJcdGZ1K/EXzhYXCFcMPe1ye2Y2mdViDH+mellwuSw+H6Uq+UQbpbHf9fyJjReJ4Pu8C7PRMlD0JaZCFTKi58QlQcneOaQuVrtvZ4wDmvgLtWl+Zsqt9lUTpXZjwazXYDr8zyJ0cU+HMMVZ4E5StOKzTGg91jcOuChhZvkVOeJ2B4+KAsL2X9pu51iJj9h",
+  "private": null
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		[email protected] AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgz5fIcgoIkQsJZQDfctoMKo7Iq/3X0DMXdPjncT7qzAAAAAADAQABAAABAQC23GMXX23QWyEy0GLUvR4fIXhyxqyfFfoJG/bBIi4br8CTkvAqkt6dMuOHOPKRlDwrMjcM0fIuSm87LDrZ1at1z0xtuVjHBoBXfp1FyGfKc2qFtqVnIX6pq2PFoVf8dcL/xR/OP9VMqx6O+PMv/jEXkENw6hEy0PtXuwYDg9VLI04QDtrx6v44BUbUvu8Qq9f8G5zcFBxMr8BdaPP6sdyWGVk05MRa7j+uC5zS3KS8dGV0PIOEeUmcVuhJsRRSVgBzzUq2mA1doui3GWA7vMQOyn4x89fMi3gXfjM8XMZA7Kc/35Nc0GxqtTYQT8G/axp2WdA7vyI1uz+4lk29ITW/AAAAAAAAAAAAAAABAAAAFHNzaDItc3RyZWFtcy1maXh0dXJlAAAAAAAAAABdNHdgAAAAAF00hcAAAAAdAAAADWZvcmNlLWNvbW1hbmQAAAAIAAAABGxzIC8AAAAdAAAAFXBlcm1pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAAAAABFwAAAAdzc2gtcnNhAAAAAwEAAQAAAQEAqQ9PJtVu1y4XS8SvQnmV5va1RtiaSrcPdAcT7PE93lQMLpvsx2qDHSRy8KfqD2rZO9IjU8H6fEqKJEcuLkt+sECk3UlHLFgxhD7MYYW0KFpxfzoE8h5W/8qppXkqIu8uzwn3/+DcgTx2Ce6XN8B/yXBT1kFpnmpiRnyXS8CVKX0HMVYpdlsfUexy3BtXIphSUJsyYGs/1SUuybO0mYPguoYORtp0Od0/vScFgz/h6rzQtJgMsDns+XG4EoRmt1JMzdbBVEC/f154RCBqV2w1CGYlZ09nqOExZTEwGKktAImYn3LElqEcjzWf0PSBJ7awNVF/bGwMO+kQRJCfeKGlFwAAAQ8AAAAHc3NoLXJzYQAAAQCDThDHnBzeoEIlMYr7vzhl8hC7AxiXlsuLathqkYzn7H0AU5eGspfvJysV38vnXt/21TzFBorQ66be8cc/YHLfAaJqdpZEJWsxxqSRkVmAkpzaVN8k9OcVx9BqBS2VFwuanDoAw5JM2NEeZ6byQGd0cgWJcdGZ1K/EXzhYXCFcMPe1ye2Y2mdViDH+mellwuSw+H6Uq+UQbpbHf9fyJjReJ4Pu8C7PRMlD0JaZCFTKi58QlQcneOaQuVrtvZ4wDmvgLtWl+Zsqt9lUTpXZjwazXYDr8zyJ0cU+HMMVZ4E5StOKzTGg91jcOuChhZvkVOeJ2B4+KAsL2X9pu51iJj9h ssh certificate