Fix parse error when using key fingerprints

The last release broke using private key fingerprints. This change fixes that up so that we properly delineate fingerprints and kms urls and handle them each appropriately.
cloudtools · Feb 11, 2019 · 80ee634 · 80ee634
1 parent 7952e33
commit 80ee634
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 8 deletions.
diff --git a/Makefile b/Makefile
@@ -1,4 +1,4 @@
-TAG?=1.6.2
+TAG?=1.7.1
 VERSION := $(shell echo `git describe --tags --long --match=*.*.* --dirty` | sed s/version-//g)
 
 PKG=github.com/cloudtools/ssh-cert-authority

diff --git a/sign_certd.go b/sign_certd.go
@@ -655,7 +655,7 @@ func (h *certRequestHandler) maybeSignWithCa(requestID string, numSignersRequire
 			return true, nil
 		}
 		log.Printf("Received %d signatures for %s, signing now.\n", len(h.state[requestID].signatures), requestID)
-		signer, err := ssh_ca_util.GetSignerForFingerprint(signingKeyFingerprint, h.sshAgentConn)
+		signer, err := ssh_ca_util.GetSignerForFingerprintOrUrl(signingKeyFingerprint, h.sshAgentConn)
 		if err != nil {
 			log.Printf("Couldn't find signing key for request %s, unable to sign request: %s\n", requestID, err)
 			return false, fmt.Errorf("Couldn't find signing key, unable to sign. Sorry.")

diff --git a/util/ssh.go b/util/ssh.go
@@ -7,24 +7,30 @@ import (
 	"golang.org/x/crypto/ssh/agent"
 	"io"
 	"net/url"
+	"regexp"
 )
 
-func GetSignerForFingerprint(fingerprint string, conn io.ReadWriter) (ssh.Signer, error) {
+var md5Fingerprint = regexp.MustCompile("([0-9a-fA-F]{2}:){15}[0-9a-fA-F]{2}")
+
+func GetSignerForFingerprintOrUrl(fingerprint string, conn io.ReadWriter) (ssh.Signer, error) {
+	isFingerprint := md5Fingerprint.MatchString(fingerprint)
+	if isFingerprint {
+		return GetSignerForFingerprint(fingerprint, conn)
+	}
 	keyUrl, err := url.Parse(fingerprint)
 	if err != nil {
 		return nil, fmt.Errorf("Ignoring invalid private key url: '%s'. Error parsing: %s", fingerprint, err)
 	}
-	if keyUrl.Scheme == "gcpkms" {
-		return getSignerForGcpKms(keyUrl.Path)
-	} else {
-		return getSignerForSshAgent(fingerprint, conn)
+	if keyUrl.Scheme != "gcpkms" {
+		return nil, fmt.Errorf("gcpkms:// is the only supported url scheme")
 	}
+	return getSignerForGcpKms(keyUrl.Path)
 }
 func getSignerForGcpKms(keyUrl string) (ssh.Signer, error) {
 	return signer.NewSshGcpKmsSigner(keyUrl)
 }
 
-func getSignerForSshAgent(fingerprint string, conn io.ReadWriter) (ssh.Signer, error) {
+func GetSignerForFingerprint(fingerprint string, conn io.ReadWriter) (ssh.Signer, error) {
 	sshAgent := agent.NewClient(conn)
 	signers, err := sshAgent.Signers()
 	if err != nil {