Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add a basic step ssh verify command #832

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Add a basic step ssh verify command
  • Loading branch information
hslatman committed Jan 19, 2023
commit faa1fec60bd5cb7fef7e486cd3a19dd73eb43095
1 change: 1 addition & 0 deletions command/ssh/ssh.go
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,7 @@ $ ssh internal.example.com
rekeyCommand(),
renewCommand(),
revokeCommand(),
verifyCommand(),
},
}

Expand Down
104 changes: 104 additions & 0 deletions command/ssh/verify.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,104 @@
package ssh

import (
"bytes"
"encoding/base64"
"fmt"

"github.com/pkg/errors"
"github.com/urfave/cli"
"golang.org/x/crypto/ssh"
"golang.org/x/exp/maps"

"go.step.sm/cli-utils/command"

"github.com/smallstep/cli/utils"
)

func verifyCommand() cli.Command {
return cli.Command{
Name: "verify",
Action: command.ActionFunc(verifyAction),
Usage: "verify an ssh certificate",
UsageText: `**step ssh verify** <crt-file> <ca-file>`,
Description: `**step ssh verify** command ...
format.

`,
}
}

func verifyAction(ctx *cli.Context) error {

// TODO: validation of args; allow caFile to be interpreted as directory
var (
certFile = ctx.Args().Get(0)
caFile = ctx.Args().Get(1)
)

certBytes, err := utils.ReadFile(certFile)
if err != nil {
return err
}

pub, _, _, _, err := ssh.ParseAuthorizedKey(certBytes)
if err != nil {
// Attempt to parse the key without the type.
certBytes = bytes.TrimSpace(certBytes)
keyBytes := make([]byte, base64.StdEncoding.DecodedLen(len(certBytes)))
n, err := base64.StdEncoding.Decode(keyBytes, certBytes)
if err != nil {
return errors.Wrap(err, "error parsing ssh certificate")
}
if pub, err = ssh.ParsePublicKey(keyBytes[:n]); err != nil {
return errors.Wrap(err, "error parsing ssh certificate")
}
}
cert, ok := pub.(*ssh.Certificate)
if !ok {
return errors.Errorf("error decoding ssh certificate: %T is not an *ssh.Certificate", pub)
}

// TODO: add additional config? This could include a revocation check.
checker := &ssh.CertChecker{
SupportedCriticalOptions: maps.Keys(cert.CriticalOptions), // allow any option in the certificate
}

var principal string
if len(cert.ValidPrincipals) > 0 {
principal = cert.ValidPrincipals[0]
}

// check critical options, principal, validity and signature
if err := checker.CheckCert(principal, cert); err != nil {
return fmt.Errorf("error verifying ssh certificate: %w", err)
}

caBytes, err := utils.ReadFile(caFile)
if err != nil {
return err
}

caPub, _, _, _, err := ssh.ParseAuthorizedKey(caBytes)
if err != nil {
// Attempt to parse the key without the type.
certBytes = bytes.TrimSpace(caBytes)
keyBytes := make([]byte, base64.StdEncoding.DecodedLen(len(certBytes)))
n, err := base64.StdEncoding.Decode(keyBytes, certBytes)
if err != nil {
return errors.Wrap(err, "error parsing ssh CA certificate")
}
if caPub, err = ssh.ParsePublicKey(keyBytes[:n]); err != nil {
return errors.Wrap(err, "error parsing ssh CA certificate")
}
}

// check the certificate was signed by the SSH CA provided
caFP := ssh.FingerprintSHA256(caPub)
certSignerFP := ssh.FingerprintSHA256(cert.SignatureKey)
if certSignerFP != caFP {
return fmt.Errorf("ssh certificate signed by %q does not equal ssh CA %q", certSignerFP, caFP)
}

return nil
}
5 changes: 3 additions & 2 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -121,10 +121,11 @@ require (
github.com/x448/float16 v0.8.4 // indirect
go.etcd.io/bbolt v1.3.6 // indirect
go.opencensus.io v0.24.0 // indirect
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
golang.org/x/exp v0.0.0-20230118134722-a68e582fa157 // indirect
golang.org/x/mod v0.6.0 // indirect
golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 // indirect
golang.org/x/text v0.6.0 // indirect
golang.org/x/tools v0.1.12 // indirect
golang.org/x/tools v0.2.0 // indirect
google.golang.org/api v0.106.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20221227171554-f9683d7f8bef // indirect
Expand Down
6 changes: 6 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -647,6 +647,8 @@ golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4
golang.org/x/crypto v0.5.0 h1:U/0M97KRkSFvyD/3FSmdP5W5swImpNgle/EHFhOsQPE=
golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20230118134722-a68e582fa157 h1:fiNkyhJPUvxbRPbCqY/D9qdjmPzfHcpK3P4bM4gioSY=
golang.org/x/exp v0.0.0-20230118134722-a68e582fa157/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
Expand All @@ -656,6 +658,8 @@ golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKG
golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s=
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
golang.org/x/mod v0.6.0 h1:b9gGHsz9/HhJ3HF5DHQytPpuwocVTChQJK3AvoLRD5I=
golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI=
golang.org/x/net v0.0.0-20170726083632-f5079bd7f6f7/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
Expand Down Expand Up @@ -766,6 +770,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
golang.org/x/tools v0.0.0-20200103221440-774c71fcf114/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/tools v0.1.12 h1:VveCTK38A2rkS8ZqFY25HIDFscX5X9OoEhJd3quQmXU=
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
golang.org/x/tools v0.2.0 h1:G6AHpWxTMGY1KyEYoAQ5WTtIekUUvDNjan3ugu60JvE=
golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA=
golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
Expand Down