42 lines
1.2 KiB
Diff
42 lines
1.2 KiB
Diff
|
diff --git a/builtin/logical/ssh/path_sign.go b/builtin/logical/ssh/path_sign.go
|
||
|
|
index a64edfa2d..f3c83f765 100644
|
||
|
|
--- a/builtin/logical/ssh/path_sign.go
|
||
|
|
+++ b/builtin/logical/ssh/path_sign.go
|
||
|
|
@@ -9,6 +9,7 @@ import (
|
||
|
|
"crypto/sha256"
|
||
|
|
"errors"
|
||
|
|
"fmt"
|
||
|
|
+ "io"
|
||
|
|
"strconv"
|
||
|
|
"strings"
|
||
|
|
"time"
|
||
|
|
@@ -484,10 +485,27 @@ func (b *creationBundle) sign() (retCert *ssh.Certificate, retErr error) {
|
||
|
|
},
|
||
|
|
}
|
||
|
|
|
||
|
|
- err = certificate.SignCert(rand.Reader, b.Signer)
|
||
|
|
+ sshAlgorithmSigner, _ := b.Signer.(ssh.AlgorithmSigner)
|
||
|
|
+
|
||
|
|
+ // prepare certificate for signing
|
||
|
|
+ certificate.Nonce = make([]byte, 32)
|
||
|
|
+ if _, err := io.ReadFull(rand.Reader, certificate.Nonce); err != nil {
|
||
|
|
+ return nil, fmt.Errorf("failed to generate signed SSH key")
|
||
|
|
+ }
|
||
|
|
+ certificate.SignatureKey = sshAlgorithmSigner.PublicKey()
|
||
|
|
+
|
||
|
|
+ // get bytes to sign
|
||
|
|
+ c2 := *certificate
|
||
|
|
+ c2.Signature = nil
|
||
|
|
+ out := c2.Marshal()
|
||
|
|
+ certificateBytes := out[:len(out)-4]
|
||
|
|
+
|
||
|
|
+ // sign with rsa-sha2-256
|
||
|
|
+ sig, err := sshAlgorithmSigner.SignWithAlgorithm(rand.Reader, certificateBytes, ssh.SigAlgoRSASHA2256)
|
||
|
|
if err != nil {
|
||
|
|
return nil, fmt.Errorf("failed to generate signed SSH key")
|
||
|
|
}
|
||
|
|
+ certificate.Signature = sig
|
||
|
|
|
||
|
|
return certificate, nil
|
||
|
|
}
|