[PATCH v2 0/3] sshsig: find-principal fix & match-principals

Fabian Stelzer fs at gigacodes.de
Wed Nov 3 19:51:09 AEDT 2021

This patch series adds a few tests to the find-principals & verify
operations of ssh-keygen and fixes a bug in find-principals.
find-principals was checking key validity times for CA signed certs
but not for normal keys or a validity specified on the CA key.
The verify operation correctly does both. As find-principals just returns
the first match, this could return principals with an expired/not-yet-valid key.
This patch changes this behaviour and could therefore be considered a
breaking change.
At the moment the docs are not quite clear about this. find-principals
is specified to return a list of principals. It wasn't clear to me that
this meant only those found on a single line. I assumed I would get all
that match the signature's public key. If my understanding is correct
that find-principals should always just return one match (sometimes
having multiple principals) then I can update the manpage as well.

It also adds a new -Y match-principals that can be used to determine if
a principal is present in the allowed signers file (considering wildcard
matches). I am implementing "Trust on first use" for git commit signing
via ssh keys and needed a safe way to check that I will not add a principal
already present (and thereby possibly overriding their key if it expires
for example). Generally I only would like to add principals not already
matching any existing entry.

Changes since v1:
 - instead of fixing just the find-principals check consolidate find &
   verify functions into one so we always use the same logic for both
 - drops the already merged tests & optional verify_time parsing patches

Fabian Stelzer (3):
  sshsig: move cert_filter_principals() for reuse
  sshsig: fix find-principals key lifespan validation
  ssh-keygen: add match-principals call

 regress/sshsig.sh | 129 ++++++++++++++++++++++++
 ssh-keygen.1      |  14 +++
 ssh-keygen.c      |  35 +++++++
 sshsig.c          | 246 ++++++++++++++++++++++++----------------------
 sshsig.h          |   4 +
 5 files changed, 310 insertions(+), 118 deletions(-)

base-commit: 0328a081f38c09d2d4d650e94461a47fb5eef536
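
Added example, not code from this patch series or from OpenSSH: a simplified Python model of the two lookups the message describes, a key lookup with and without the `valid-after`/`valid-before` check, and a wildcard check to run before adding a principal on first use. The file contents, key blobs and function names are constructed for illustration; only `*` and `?` wildcards are modelled, and ignoring validity in the wildcard check is an assumption.

```python
import re
from datetime import datetime
# Constructed allowed_signers content; key blobs are placeholders, not real keys.
ALLOWED_SIGNERS = """\
alice@example.com valid-before="20200101" ssh-ed25519 AAAAKEY1
bob@example.com,*@dev.example ssh-ed25519 AAAAKEY2
carol@example.com valid-after="20300101" ssh-ed25519 AAAAKEY3
"""

def parse_ts(value):
    # YYYYMMDD or YYYYMMDDHHMM[SS]; a trailing "Z" is ignored in this sketch.
    value = value.strip('"').rstrip("Z")
    fmt = {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}[len(value)]
    return datetime.strptime(value, fmt)

def parse(text):
    entries = []
    for line in text.splitlines():
        fields = line.split()  # assumes no spaces inside option values
        if not fields or fields[0].startswith("#"):
            continue
        has_opts = not fields[1].startswith(("ssh-", "ecdsa-", "sk-"))
        opts = dict(re.findall(r'([\w-]+)(?:=("[^"]*"|[^,]*))?', fields[1])) if has_opts else {}
        keytype, blob = fields[2:4] if has_opts else fields[1:3]
        entries.append({"principals": fields[0].split(","), "opts": opts, "key": (keytype, blob)})
    return entries

def valid_at(entry, when):
    after, before = entry["opts"].get("valid-after"), entry["opts"].get("valid-before")
    return not (after and when < parse_ts(after)) and not (before and when > parse_ts(before))

def find_principals(entries, key, when, check_validity=True):
    # check_validity=False models the lookup the message reports as buggy for plain keys.
    for e in entries:
        if e["key"] == key and (not check_validity or valid_at(e, when)):
            return e["principals"]
    return None

def match_principals(entries, principal):
    # Trust-on-first-use guard: which existing patterns already cover this principal?
    # Assumption: validity is ignored here, so an expired entry still blocks a re-add.
    def to_regex(p):  # only "*" and "?" are modelled, not negated ("!") patterns
        return re.escape(p).replace(r"\*", ".*").replace(r"\?", ".")
    return [p for e in entries for p in e["principals"] if re.fullmatch(to_regex(p), principal)]

if __name__ == "__main__":
    signers, now = parse(ALLOWED_SIGNERS), datetime(2021, 11, 3)
    print([find_principals(signers, ("ssh-ed25519", "AAAAKEY1"), now, c) for c in (False, True)])
    print(match_principals(signers, "eve@dev.example"))
```

With the validity check disabled, the expired `AAAAKEY1` entry still yields `alice@example.com`; with it enabled the lookup returns nothing, which is the behaviour change the cover letter flags as potentially breaking.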
