temporarily allow invalid ssh cert encoding
reaperhulk committed Jul 10, 2023
1 parent e068c6f commit 8f9632e
Showing 3 changed files with 50 additions and 3 deletions.
10 changes: 10 additions & 0 deletions CHANGELOG.rst
@@ -1,6 +1,16 @@
Changelog
=========

.. _v41-0-2:

41.0.2 - 2023-07-10
~~~~~~~~~~~~~~~~~~~

* Fix SSH certificate encoding for critical options with values to be
compatible with OpenSSH. Previously generated invalid encodings will parse
successfully with a warning, but this invalid encoding support will be
removed in the next release.

.. _v41-0-1:

41.0.1 - 2023-06-01
16 changes: 13 additions & 3 deletions src/cryptography/hazmat/primitives/serialization/ssh.py
Expand Up @@ -1064,9 +1064,19 @@ def _parse_exts_opts(exts_opts: memoryview) -> typing.Dict[bytes, bytes]:
raise ValueError("Fields not lexically sorted")
value, exts_opts = _get_sshstr(exts_opts)
if len(value) > 0:
value, extra = _get_sshstr(value)
if len(extra) > 0:
raise ValueError("Unexpected extra data after value")
try:
value, extra = _get_sshstr(value)
except ValueError:
warnings.warn(
"This certificate has an incorrect encoding for critical "
"options or extensions. This will be an exception in "
"cryptography 42",
utils.DeprecatedIn41,
stacklevel=4,
)
else:
if len(extra) > 0:
raise ValueError("Unexpected extra data after value")
result[bname] = bytes(value)
last_name = bname
return result
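Review bot: The new `except ValueError` branch silently falls back to the outer `value` as the option payload, and nothing in the code explains why keeping the raw bytes is the correct recovery — a reader of `_parse_exts_opts` cannot tell that earlier releases wrote critical-option values without the inner sshstr wrapper. I would put that rationale on the `try`: `# cryptography < 41.0.2 wrote critical-option values without the inner sshstr wrapper (see CHANGELOG); accept the raw payload until 42 makes this an error`. The comment should also state the known ambiguity: the lenient path is taken only when the inner `_get_sshstr` raises, so a legacy-encoded value whose first four bytes happen to form a length that fits the remaining data is parsed as the new encoding and yields a different value with no warning, which matters because `force-command` is what constrains what the key may execute. The `try` also catches any `ValueError` from `_get_sshstr`, so if that helper can raise for reasons other than a short buffer the deprecation warning would mask a genuinely corrupt field; I cannot see `_get_sshstr` here to confirm it only fails on truncation. `_parse_exts_opts` starts before this hunk.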
27 changes: 27 additions & 0 deletions tests/hazmat/primitives/test_ssh.py
Expand Up @@ -1159,6 +1159,33 @@ def test_loads_ssh_cert(self, backend):
b"permit-user-rc": b"",
}

def test_loads_deprecated_invalid_encoding_cert(self, backend):
with pytest.warns(utils.DeprecatedIn41):
cert = load_ssh_public_identity(
b"ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYT"
b"ItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgXE7sJ+xDVVNCO"
b"cEvpZS+SXIbc0nJdny/KqVbnwHslMIAAAAIbmlzdHAyNTYAAABBBI/qcLq8"
b"iiErpAhOWRqdMkpFSCNv7TVUcXCIfAl01JXbe2MvS4V7lFtiyrBjLSV7Iyw"
b"3TrulrWLibjPzZvLwmQcAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAA//"
b"////////8AAABUAAAADWZvcmNlLWNvbW1hbmQAAAAoZWNobyBhYWFhYWFhY"
b"WFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYQAAAA92ZXJpZnktcmVxdWly"
b"ZWQAAAAAAAAAEgAAAApwZXJtaXQtcHR5AAAAAAAAAAAAAABoAAAAE2VjZHN"
b"hLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI/qcLq8iiErpAhOWR"
b"qdMkpFSCNv7TVUcXCIfAl01JXbe2MvS4V7lFtiyrBjLSV7Iyw3TrulrWLib"
b"jPzZvLwmQcAAABlAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAABKAAAAIQCi"
b"eCsIhGKrZdkE1+zY5EBucrLzxFpwnm/onIT/6rapvQAAACEAuVQ1yQjlPKr"
b"kfsGfjeG+2umZrOS5Ycx85BQhYf0RgsA="
)
assert isinstance(cert, SSHCertificate)
cert.verify_cert_signature()
assert list(cert.extensions.items()) == [
(b"permit-pty", b""),
]
assert list(cert.critical_options.items()) == [
(b"force-command", b"echo aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"),
(b"verify-required", b""),
]

@pytest.mark.parametrize(
"filename",
[
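Review bot: `pytest.warns(utils.DeprecatedIn41)` in `test_loads_deprecated_invalid_encoding_cert` does not pin the message, so any other `DeprecatedIn41` warning emitted while loading the identity would satisfy the test even if the legacy-encoding fallback were never reached. Pinning it with `with pytest.warns(utils.DeprecatedIn41, match="incorrect encoding"):` ties the test to the branch it is meant to cover. The test also exercises only the case where the inner sshstr parse fails; it does not cover a legacy value that happens to parse as a wrapped string, which is the ambiguous case the fallback cannot detect, so a comment noting that limitation would help whoever removes the fallback in 42.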
