[
https://issues.apache.org/jira/browse/SSHD-1166?focusedWorklogId=603645&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-603645
]
ASF GitHub Bot logged work on SSHD-1166:
----------------------------------------
Author: ASF GitHub Bot
Created on: 28/May/21 18:09
Start Date: 28/May/21 18:09
Worklog Time Spent: 10m
Work Description: tomaswolf commented on a change in pull request #198:
URL: https://github.com/apache/mina-sshd/pull/198#discussion_r641727530
##########
File path:
sshd-common/src/main/java/org/apache/sshd/common/config/keys/OpenSshCertificate.java
##########
@@ -52,26 +57,34 @@
Collection<String> getPrincipals();
/**
- * Retrieves the time in number of seconds since the {@link
java.time.Instant#EPOCH} at which this certificate
- * becomes or became valid.
- *
- * @return the number of seconds since the Instant.EPOCH <em>as an
unsigned 64bit value</em>
- * @see {{@link #isValidNow(OpenSshCertificate)}
+ * When null, implies forever
*/
- long getValidAfter();
+ Instant getValidAfter();
+
+ default long getValidAfterEpochSeconds() {
+ if (getValidAfter() == null) {
+ return VALID_AFTER_FOREVER_EPOCH;
+ }
+ return getValidAfter().getEpochSecond();
Review comment:
I think it boils down to "do we need full round-tripping?"
I lack experience in this area. I like interfaces with Instant better, too,
but I'm worried about not being able to represent the full range of possible
values. Couldn't this become a problem for verifying a certificate signature?
At least internally I think we'll have to keep the raw 64bit value for this
case. Also, if we ever want to read a received certificate, pass it around as
OpenSshCertificate object, and then write it out again. We mustn't change the
bits of the validAfter/validBefore fields, that would invalidate the signature.
For creating OpenSshCertificateSignRequests, Instant is OK (with validation
for null or >= epoch).
##########
File path:
sshd-core/src/main/java/org/apache/sshd/certificate/OpenSshCertificateSignRequest.java
##########
@@ -0,0 +1,136 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.sshd.certificate;
+
+import java.security.PublicKey;
+import java.time.Instant;
+import java.util.Collection;
+import java.util.List;
+
+import org.apache.sshd.common.config.keys.OpenSshCertificate;
+
+/**
+ * Holds all the data necessary to create a signed OpenSSH Certificate
+ */
Review comment:
How about a builder (with fluent setters) for this instead of a signer
and a sign request?
```
OpenSshCertificate cert =
new OpenSshCertificateBuilder()
.setType(OpenSshCertificate.Type.USER)
.setPublicKey(keyToSign)
.setValidAfter(Instant.now())
.setValidBefore(null) // forever; don't expire
.set....
.sign(caKey);
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 603645)
Time Spent: 3h 10m (was: 3h)
> Support generating OpenSSH client certificates
> ----------------------------------------------
>
> Key: SSHD-1166
> URL: https://issues.apache.org/jira/browse/SSHD-1166
> Project: MINA SSHD
> Issue Type: New Feature
> Reporter: Alex Sherwin
> Priority: Major
> Time Spent: 3h 10m
> Remaining Estimate: 0h
>
> Support generating OpenSSH client certificates
> The OpenSSH certificate spec is defined here:
> https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD
> MINA already supports using OpenSSH client certs for publickey auth via
> SSHD-1161
> This ticket is to support creating/generating OpenSSH client certificates
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
