Fix parse error when using key fingerprints

bobveznat · bobveznat · commit 80ee63490e61 · 2019-02-11T09:48:09.000-06:00
The last release broke using private key fingerprints. This change fixes
that up so that we properly delineate fingerprints and kms urls and
handle them each appropriately.
diff --git a/Makefile b/Makefile
@@ -1,4 +1,4 @@
-TAG?=1.6.2
+TAG?=1.7.1
 VERSION := $(shell echo `git describe --tags --long --match=*.*.* --dirty` | sed s/version-//g)
 
 PKG=github.com/cloudtools/ssh-cert-authority
diff --git a/sign_certd.go b/sign_certd.go
@@ -655,7 +655,7 @@ func (h *certRequestHandler) maybeSignWithCa(requestID string, numSignersRequire
 			return true, nil
 		}
 		log.Printf("Received %d signatures for %s, signing now.\n", len(h.state[requestID].signatures), requestID)
-		signer, err := ssh_ca_util.GetSignerForFingerprint(signingKeyFingerprint, h.sshAgentConn)
+		signer, err := ssh_ca_util.GetSignerForFingerprintOrUrl(signingKeyFingerprint, h.sshAgentConn)
 		if err != nil {
 			log.Printf("Couldn't find signing key for request %s, unable to sign request: %s\n", requestID, err)
 			return false, fmt.Errorf("Couldn't find signing key, unable to sign. Sorry.")
diff --git a/util/ssh.go b/util/ssh.go
@@ -7,24 +7,30 @@ import (
 	"golang.org/x/crypto/ssh/agent"
 	"io"
 	"net/url"
+	"regexp"
 )
 
-func GetSignerForFingerprint(fingerprint string, conn io.ReadWriter) (ssh.Signer, error) {
+var md5Fingerprint = regexp.MustCompile("([0-9a-fA-F]{2}:){15}[0-9a-fA-F]{2}")
+
+func GetSignerForFingerprintOrUrl(fingerprint string, conn io.ReadWriter) (ssh.Signer, error) {
+	isFingerprint := md5Fingerprint.MatchString(fingerprint)
+	if isFingerprint {
+		return GetSignerForFingerprint(fingerprint, conn)
+	}
 	keyUrl, err := url.Parse(fingerprint)
 	if err != nil {
 		return nil, fmt.Errorf("Ignoring invalid private key url: '%s'. Error parsing: %s", fingerprint, err)
 	}
-	if keyUrl.Scheme == "gcpkms" {
-		return getSignerForGcpKms(keyUrl.Path)
-	} else {
-		return getSignerForSshAgent(fingerprint, conn)
+	if keyUrl.Scheme != "gcpkms" {
+		return nil, fmt.Errorf("gcpkms:// is the only supported url scheme")
 	}
+	return getSignerForGcpKms(keyUrl.Path)
 }
 func getSignerForGcpKms(keyUrl string) (ssh.Signer, error) {
 	return signer.NewSshGcpKmsSigner(keyUrl)
 }
 
-func getSignerForSshAgent(fingerprint string, conn io.ReadWriter) (ssh.Signer, error) {
+func GetSignerForFingerprint(fingerprint string, conn io.ReadWriter) (ssh.Signer, error) {
 	sshAgent := agent.NewClient(conn)
 	signers, err := sshAgent.Signers()
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-TAG?=1.6.2`
	`1`	`+TAG?=1.7.1`
`2`	`2`	VERSION := $(shell echo `git describe --tags --long --match=..* --dirty` \| sed s/version-//g)
`3`	`3`
`4`	`4`	`PKG=github.com/cloudtools/ssh-cert-authority`
Original file line number	Diff line number	Diff line change
`@@ -655,7 +655,7 @@ func (h *certRequestHandler) maybeSignWithCa(requestID string, numSignersRequire`
`655`	`655`	`return true, nil`
`656`	`656`	`}`
`657`	`657`	`log.Printf("Received %d signatures for %s, signing now.\n", len(h.state[requestID].signatures), requestID)`
`658`		`- signer, err := ssh_ca_util.GetSignerForFingerprint(signingKeyFingerprint, h.sshAgentConn)`
	`658`	`+ signer, err := ssh_ca_util.GetSignerForFingerprintOrUrl(signingKeyFingerprint, h.sshAgentConn)`
`659`	`659`	`if err != nil {`
`660`	`660`	`log.Printf("Couldn't find signing key for request %s, unable to sign request: %s\n", requestID, err)`
`661`	`661`	`return false, fmt.Errorf("Couldn't find signing key, unable to sign. Sorry.")`