Index: ssh/certs.go |
=================================================================== |
--- a/ssh/certs.go |
+++ b/ssh/certs.go |
@@ -60,6 +60,17 @@ |
KeyAlgoECDSA521: CertAlgoECDSA521v01, |
} |
+// certToPrivAlgo returns the underlying algorithm for a certificate algorithm. |
+// Panics if a non-certificate algorithm is passed. |
+func certToPrivAlgo(algo string) string { |
+ for privAlgo, pubAlgo := range certAlgoNames { |
+ if pubAlgo == algo { |
+ return privAlgo |
+ } |
+ } |
+ panic("unknown cert algorithm") |
+} |
+ |
func (c *OpenSSHCertV01) PublicKeyAlgo() string { |
algo, ok := certAlgoNames[c.Key.PublicKeyAlgo()] |
if !ok { |
@@ -83,12 +94,14 @@ |
return |
} |
- cert.Key, in, ok = ParsePublicKey(in) |
+ privAlgo := certToPrivAlgo(algo) |
+ cert.Key, in, ok = parsePubKey(in, privAlgo) |
if !ok { |
return |
} |
- if cert.Key.PrivateKeyAlgo() != algo { |
+ // We test PublicKeyAlgo to make sure we don't use some weird sub-cert. |
+ if cert.Key.PublicKeyAlgo() != privAlgo { |
ok = false |
return |
} |
@@ -139,7 +152,7 @@ |
if !ok { |
return |
} |
- if cert.SignatureKey, _, ok = parsePubKey(sigKey); !ok { |
+ if cert.SignatureKey, _, ok = ParsePublicKey(sigKey); !ok { |
return |
} |
@@ -152,8 +165,7 @@ |
} |
func (cert *OpenSSHCertV01) Marshal() []byte { |
- pubKey := MarshalPublicKey(cert.Key) |
- |
+ pubKey := cert.Key.Marshal() |
sigKey := MarshalPublicKey(cert.SignatureKey) |
length := stringLength(len(cert.Nonce)) |