From 4d1138029f128db42eb6fb99bdb940b69ad6d3c9 Mon Sep 17 00:00:00 2001
From: Christian Rebischke <chris.rebischke@archlinux.org>
Date: Sat, 4 Apr 2020 11:53:12 +0000
Subject: [PATCH] Fix #65559 + version bump

---
 PKGBUILD                | 11 +++++++----
 vault-fix-ssh-rsa.patch | 41 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+), 4 deletions(-)
 create mode 100644 vault-fix-ssh-rsa.patch

diff --git a/PKGBUILD b/PKGBUILD
index e851453..b44993e 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -4,7 +4,7 @@
 
 pkgname='vault'
 pkgdesc='A tool for managing secrets'
-pkgver='1.3.3'
+pkgver='1.3.4'
 pkgrel='1'
 url="https://vaultproject.io/"
 license=('MPL')
@@ -14,17 +14,19 @@ makedepends=('go-pie' 'git' 'yarn' 'bower' 'nodejs-lts-dubnium' 'npm' 'zip'
 depends=('glibc')
 install='vault.install'
 backup=('etc/vault.hcl')
-_vault_commit='8e872c4ad94cb1f193a0fb239ae856e1fdf4bdb0'
+_vault_commit='3af4987cd9a61c2e915bcca410884c6e35f93060'
 source=("git+https://github.com/hashicorp/vault#commit=${_vault_commit}"
         'vault.service'
         'vault.sysusers'
         'vault.tmpfiles'
-        'vault.hcl')
+        'vault.hcl'
+        'vault-fix-ssh-rsa.patch')
 sha512sums=('SKIP'
             '6619cf57668e995cddb29fb6c388c18c21b251052a53832415e415bb4fe538361ef77b74536f5b082b9cda6cd71b598fc50d8b7f51092c4d60262052c5725af2'
             '92616ccf83fa5ca9f8b0d022cf8ceb1f3549e12b66bf21d9f77f3eb26bd75ec1dc36c155948ec987c642067b85fbfc30a9217d6c503d952a402aa5ef63e50928'
             '073f0f400cba78521cd2709ce86d88fbb14125117f9f3beca657f625d04eab8e00f7a01b5d9a1cfc03e9038844f5732bdbb1a85dd65a803d3f0b90f8bf87880e'
-            '46106cc76151eef2dd5e4b2caa6a96aae4d6ce1ecbf977dcc8667a3f6c829cbea95133622adafcb15cdfaa066ecc94c73c983e7613ee2f6573694981569729fe')
+            '46106cc76151eef2dd5e4b2caa6a96aae4d6ce1ecbf977dcc8667a3f6c829cbea95133622adafcb15cdfaa066ecc94c73c983e7613ee2f6573694981569729fe'
+            '7aab08cc3e203ae9a0c440c53f1f970e086953b6564b0f3ec35a0ae23a1bcbd9bf3db1107ee1777d5a6cc18915a9e80514b8422a5077c2f059b14efd66bafb26')
 changelog=CHANGELOG.md
 
 prepare () {
@@ -35,6 +37,7 @@ prepare () {
   export PACKAGE_ROOT="${GOPATH}/src/github.com/hashicorp/${pkgname}"
   cd $PACKAGE_ROOT
   git revert -n 61ff0fd8699dfe9efb9b014df8e9aff86a0aa924 #https://github.com/hashicorp/vault/issues/7475
+  patch -Np1 < "${srcdir}/vault-fix-ssh-rsa.patch"
 }
 
 build () {
diff --git a/vault-fix-ssh-rsa.patch b/vault-fix-ssh-rsa.patch
new file mode 100644
index 0000000..bd51104
--- /dev/null
+++ b/vault-fix-ssh-rsa.patch
@@ -0,0 +1,41 @@
+diff --git a/builtin/logical/ssh/path_sign.go b/builtin/logical/ssh/path_sign.go
+index a64edfa2d..f3c83f765 100644
+--- a/builtin/logical/ssh/path_sign.go
++++ b/builtin/logical/ssh/path_sign.go
+@@ -9,6 +9,7 @@ import (
+ 	"crypto/sha256"
+ 	"errors"
+ 	"fmt"
++	"io"
+ 	"strconv"
+ 	"strings"
+ 	"time"
+@@ -484,10 +485,27 @@ func (b *creationBundle) sign() (retCert *ssh.Certificate, retErr error) {
+ 		},
+ 	}
+
+-	err = certificate.SignCert(rand.Reader, b.Signer)
++	sshAlgorithmSigner, _ := b.Signer.(ssh.AlgorithmSigner)
++
++	// prepare certificate for signing
++	certificate.Nonce = make([]byte, 32)
++	if _, err := io.ReadFull(rand.Reader, certificate.Nonce); err != nil {
++		return nil, fmt.Errorf("failed to generate signed SSH key")
++	}
++	certificate.SignatureKey = sshAlgorithmSigner.PublicKey()
++
++	// get bytes to sign
++	c2 := *certificate
++	c2.Signature = nil
++	out := c2.Marshal()
++	certificateBytes := out[:len(out)-4]
++
++	// sign with rsa-sha2-256
++	sig, err := sshAlgorithmSigner.SignWithAlgorithm(rand.Reader, certificateBytes, ssh.SigAlgoRSASHA2256)
+ 	if err != nil {
+ 		return nil, fmt.Errorf("failed to generate signed SSH key")
+ 	}
++	certificate.Signature = sig
+
+ 	return certificate, nil
+ }