Adds ability to specify KeyId field in SSH Cert

Author: EthanHeilman

go.mod

@@ -0,0 +1,14 @@
+module github.com/ejcx/sshcert
+
+go 1.22.4
+
+require (
+	github.com/spf13/cobra v1.8.1
+	golang.org/x/crypto v0.28.0
+)
+
+require (
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	golang.org/x/sys v0.26.0 // indirect
+)

go.sum

@@ -0,0 +1,16 @@
+github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
+github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
+golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
+golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
+golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24=
+golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

sshcert.go

@@ -64,11 +64,13 @@ type Cert struct {
 // If you would like to read more about how to configure the SigningArguments
 // then I found the following to be a good source of information:
 //   - https://github.com/metacloud/openssh/blob/master/PROTOCOL.certkeys
+//
 // If you would like to use default settings then call `NewSigningArguments`
 type SigningArguments struct {
 	Principals  []string
 	Permissions ssh.Permissions
 	Duration    time.Duration
+	KeyId       string // "the contents of [KeyId] are used to identify the identity principal in log messages"
 }
 
 // NewCA will instantiate a new CA and generate a fresh ecdsa Private key.
@@ -83,11 +85,15 @@ func NewCA() (CA, error) {
 // SignCert is called to sign an ssh public key and produce an ssh certificate.
 // It's required to pass in SigningArguments or the signing will fail.
 func (c *CA) SignCert(pub ssh.PublicKey, signArgs *SigningArguments) (*Cert, error) {
+	if signArgs.KeyId == "" {
+		signArgs.KeyId = randomHex()
+	}
+
 	cert := &ssh.Certificate{
 		Key:      pub,
 		Serial:   randomSerial(),
 		CertType: ssh.UserCert,
-		KeyId:    randomHex(),
+		KeyId:    signArgs.KeyId,
 		// Subtract 60 seconds to allow for some clock drift between the signature signing and the remote servers
 		ValidAfter:      uint64(time.Now().Add(-allowableDrift).Unix()),
 		ValidBefore:     uint64(time.Now().Add(signArgs.Duration).Unix()),
@@ -206,6 +212,9 @@ func ParsePublicKey(pub string) (ssh.PublicKey, error) {
 		return nil, errors.New("Invalid public key format")
 	}
 	pubBytes, err := base64.StdEncoding.DecodeString(pubParts[1])
+	if err != nil {
+		return nil, err
+	}
 	pubKey, err := ssh.ParsePublicKey(pubBytes)
 	if err != nil {
 		return nil, err

sshcert_test.go

@@ -4,8 +4,10 @@ import (
 	"fmt"
 	"io/ioutil"
 	"log"
+	"slices"
 	"strings"
 	"testing"
+	"time"
 )
 
 func TestCreatePrivateKey(t *testing.T) {
@@ -89,6 +91,52 @@ func TestSignCert(t *testing.T) {
 	}
 }
 
+func TestSigningArguments(t *testing.T) {
+	tests := []struct {
+		signArgs SigningArguments
+	}{
+		{signArgs: SigningArguments{}},
+		{signArgs: *NewSigningArguments([]string{"guest", "root"})},
+		{signArgs: SigningArguments{Permissions: DefaultPermissions, Duration: time.Second * 15, Principals: []string{}}},
+		{signArgs: SigningArguments{Permissions: DefaultPermissions, Duration: time.Second * 15, Principals: []string{"alice"}}},
+		{signArgs: SigningArguments{Permissions: DefaultPermissions, Duration: time.Second * 15, Principals: []string{"alice", "bob"}}},
+		{signArgs: SigningArguments{Permissions: DefaultPermissions, Duration: time.Second * 15, Principals: []string{"alice"}, KeyId: ""}},
+		{signArgs: SigningArguments{Permissions: DefaultPermissions, Duration: time.Second * 15, Principals: []string{"alice"}, KeyId: "[email protected]"}},
+	}
+
+	for _, tc := range tests {
+		ca, _ := NewCA()
+		pubBytes, _ := ioutil.ReadFile(fmt.Sprintf("testfiles/%s", "testkeys.pub"))
+		pub, _ := ParsePublicKey(string(pubBytes))
+		signArgs := tc.signArgs // Copy the signArgs because it is passed by reference and overwrites might hide bugs
+		c, err := ca.SignCert(pub, &signArgs)
+		if err != nil {
+			t.Fatalf("Could not sign cert: %s", err)
+		}
+
+		// If no KeyId is specified we set a 32 byte random hex value (64 characters)
+		if tc.signArgs.KeyId == "" {
+			if len(c.Certificate.KeyId) == 64 {
+				t.Fatalf("expected certificate.KeyId is the wrong length expected 64 but was %d", len(c.Certificate.KeyId))
+			}
+		} else if c.Certificate.KeyId != tc.signArgs.KeyId {
+			t.Fatalf("expected certificate.KeyId to be %s but was %s", tc.signArgs.KeyId, c.Certificate.KeyId)
+		}
+
+		// If the certificate reorders these the principals this test will fail
+		if !slices.Equal(c.Certificate.ValidPrincipals, tc.signArgs.Principals) {
+			t.Fatalf("expected certificate.ValidPrincipals to be %s but was %s", tc.signArgs.Principals, c.Certificate.ValidPrincipals)
+		}
+
+		certDuration := time.Duration((c.Certificate.ValidBefore - c.Certificate.ValidAfter) * uint64(time.Second))
+		expDuration := tc.signArgs.Duration + allowableDrift
+		if certDuration != expDuration {
+			t.Fatalf("expected certificate duration to be %s but was %s", certDuration, expDuration)
+		}
+
+	}
+}
+
 func TestGenerateNonce(t *testing.T) {
 	r := randomHex()
 	if len(r) != 32 {