From e756ed16be454e5b19be101ed2f28cacaae3e50d Mon Sep 17 00:00:00 2001 From: Camilo Viecco Date: Sat, 6 Mar 2021 10:11:55 -0800 Subject: [PATCH 1/3] initial integration --- lib/certgen/certgen.go | 22 +++++++++++++++++++++- lib/certgen/certgen_test.go | 25 +++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 1 deletion(-) diff --git a/lib/certgen/certgen.go b/lib/certgen/certgen.go index e7dd802d..6c5adca5 100644 --- a/lib/certgen/certgen.go +++ b/lib/certgen/certgen.go @@ -41,7 +41,7 @@ func goCertToFileString(c ssh.Certificate, username string) (string, error) { certBytes := c.Marshal() encoded := base64.StdEncoding.EncodeToString(certBytes) fileComment := "/tmp/" + username + "-cert.pub" - return "ssh-rsa-cert-v01@openssh.com " + encoded + " " + fileComment, nil + return c.Type() + " " + encoded + " " + fileComment, nil } // gen_user_cert a username and key, returns a short lived cert for that user @@ -129,6 +129,23 @@ func GetSignerFromPEMBytes(privateKey []byte) (crypto.Signer, error) { return nil, err } switch v := parsedIface.(type) { + case *rsa.PrivateKey: + return v, nil + case *ecdsa.PrivateKey: + return v, nil + case ed25519.PrivateKey: + return v, nil + default: + return nil, fmt.Errorf("Type not recognized %T!\n", v) + } + case "OPENSSH PRIVATE KEY": + parsedIface, err := ssh.ParseRawPrivateKey(privateKey) + if err != nil { + return nil, err + } + switch v := parsedIface.(type) { + case *ed25519.PrivateKey: + return v, nil case *rsa.PrivateKey: return v, nil case *ecdsa.PrivateKey: @@ -136,6 +153,7 @@ func GetSignerFromPEMBytes(privateKey []byte) (crypto.Signer, error) { default: return nil, fmt.Errorf("Type not recognized %T!\n", v) } + default: err := errors.New("Cannot process that key") return nil, err 
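Review bot: The new `OPENSSH PRIVATE KEY` branch of GetSignerFromPEMBytes returns an Ed25519 key as `*ed25519.PrivateKey`, while the `PRIVATE KEY` (PKCS#8) branch just above returns the value type `ed25519.PrivateKey`, so the same algorithm comes back as two different dynamic types depending only on the PEM wrapper. Any caller that type-switches on the returned crypto.Signer (the `publicKey` helper touched later in this patch matches only the value form) will treat one of the two as unsupported, and the failure surfaces far from its cause. Normalize at the source, `case *ed25519.PrivateKey: return *v, nil`, so every caller sees one type. The two identical `default` branches also format their error as `"Type not recognized %T!\n"`; Go error strings are lowercase and unterminated, e.g. `fmt.Errorf("unsupported private key type %T", v)`. GetSignerFromPEMBytes opens before this hunk and its outer `default` continues past it.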
@@ -150,6 +168,8 @@ func publicKey(priv interface{}) interface{} { // TODO: eventaully we need to suport ecdsa for CA // case *ecdsa.PrivateKey: // return &k.PublicKey + case ed25519.PrivateKey: + return k.Public().(ed25519.PublicKey) default: return nil } diff --git a/lib/certgen/certgen_test.go b/lib/certgen/certgen_test.go index eb0f9f0f..862fa2be 100644 --- a/lib/certgen/certgen_test.go +++ b/lib/certgen/certgen_test.go @@ -199,6 +199,20 @@ RBm1g0vfLOjV1tPs5/0QMy7ANExMLGtzIJidWWWzIzw2rx4WC7xcIkJ+iWFIIFNy S9RSPfwJS7+Zr8LP4H6APpstQWZEXOo= -----END EC PRIVATE KEY-----` +//openssl genpkey -algorithm ED25519 -out key.pem +const pkcs8Ed25519PrivateKey = `-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VwBCIEIHoHbl2RwHwmyWtXVLroUZEI+d/SqL3RKmECM5P7o7D5 +-----END PRIVATE KEY-----` + +// ssh-keygen -t ed25519 +const keygenEd25519PrivateKey = `-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW +QyNTUxOQAAACDICn5DsRIjR4GyKVUPucWJ7A3+7TKoNfK/ImglUc6shQAAAKDzYr6j82K+ +owAAAAtzc2gtZWQyNTUxOQAAACDICn5DsRIjR4GyKVUPucWJ7A3+7TKoNfK/ImglUc6shQ +AAAECdSciYZnODYp2QC0s838bYh8d2XEOuvBOqcOEA6MUjL8gKfkOxEiNHgbIpVQ+5xYns +Df7tMqg18r8iaCVRzqyFAAAAHWN2aWVjY29AY3ZpZWNjby0tTWFjQm9va1BybzE1 +-----END OPENSSH PRIVATE KEY-----` + const testDuration = time.Duration(120 * time.Second) // SSSD tests do require some setup... in this case we do some checks to ensure @@ -244,6 +258,7 @@ func TestGenSSHCertFileStringGenerateSuccess(t *testing.T) { if len(cert.ValidPrincipals) != 1 || cert.ValidPrincipals[0] != username { t.Fatal("invalid cert content, bad username") } + // now test with an Ed25519 } 
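Review bot: The added `case ed25519.PrivateKey` in publicKey matches only the value type, so a signer loaded from an OpenSSH-format Ed25519 key, which this same patch's GetSignerFromPEMBytes returns as `*ed25519.PrivateKey`, falls through to `default` and publicKey returns nil; whatever later marshals or wraps that nil will fail with no hint that the key type was the problem. Either add the pointer form here, `case *ed25519.PrivateKey: return k.Public().(ed25519.PublicKey)`, or have the parser dereference to the value type so there is a single representation. I would also give the helper a doc comment, `// publicKey returns the public half of a supported private key, or nil for unsupported types.`, since callers must check for nil. The function's signature and its RSA case are outside this hunk.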
@@ -531,6 +546,16 @@ func TestGetSignerFromPEMBytesSuccess(t *testing.T) { if err != nil { t.Fatal(err) } + // Ed25519 from openssl + _, err = GetSignerFromPEMBytes([]byte(pkcs8Ed25519PrivateKey)) + if err != nil { + t.Fatal(err) + } + // keygenEd25519PrivateKey + _, err = GetSignerFromPEMBytes([]byte(keygenEd25519PrivateKey)) + if err != nil { + t.Fatal(err) + } } func TestGetPubKeyFromPem(t *testing.T) { From d596d7621352f99a9611f7d4286cdf1218cd0dda Mon Sep 17 00:00:00 2001 From: Camilo Viecco Date: Sat, 6 Mar 2021 15:09:34 -0800 Subject: [PATCH 2/3] adding tests for cert generation for ssh-ed25519 --- lib/certgen/certgen.go | 2 +- lib/certgen/certgen_test.go | 20 +++++++++++++++++++- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/lib/certgen/certgen.go b/lib/certgen/certgen.go index 6c5adca5..be797e1e 100644 --- a/lib/certgen/certgen.go +++ b/lib/certgen/certgen.go @@ -40,7 +40,7 @@ func GetUserPubKeyFromSSSD(username string) (string, error) { func goCertToFileString(c ssh.Certificate, username string) (string, error) { certBytes := c.Marshal() encoded := base64.StdEncoding.EncodeToString(certBytes) - fileComment := "/tmp/" + username + "-cert.pub" + fileComment := "/tmp/" + username + "-" + c.SignatureKey.Type() + "-cert.pub" return c.Type() + " " + encoded + " " + fileComment, nil } diff --git a/lib/certgen/certgen_test.go b/lib/certgen/certgen_test.go index 862fa2be..9a25c09c 100644 --- a/lib/certgen/certgen_test.go +++ b/lib/certgen/certgen_test.go @@ -8,6 +8,7 @@ import ( "encoding/pem" "os" "os/user" + "strings" "testing" "time" 
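Review bot: The two Ed25519 assertions added to TestGetSignerFromPEMBytesSuccess only check that no error is returned, so a signer that parses but is unusable or inconsistent with its own public key would still pass; in particular the pointer-vs-value Ed25519 split that this series introduces in the parser is invisible here. Keep the returned signer and exercise it: sign a fixed message and verify with `ed25519.Verify(signer.Public().(ed25519.PublicKey), msg, sig)`, for both the PKCS#8 and OpenSSH fixtures. Both fixture keys are static, so the round-trip is deterministic; the `crypto` and `crypto/rand` imports are presumably not yet in this test file — confirm against the import block. The test function's earlier RSA/EC checks are before this hunk.
```go
// … unchanged: RSA and EC assertions above …
for name, pemKey := range map[string]string{"pkcs8": pkcs8Ed25519PrivateKey, "openssh": keygenEd25519PrivateKey} {
	signer, err := GetSignerFromPEMBytes([]byte(pemKey))
	if err != nil {
		t.Fatalf("%s: %v", name, err)
	}
	msg := []byte("certgen ed25519 round-trip")
	sig, err := signer.Sign(rand.Reader, msg, crypto.Hash(0))
	if err != nil {
		t.Fatalf("%s: sign: %v", name, err)
	}
	pub, ok := signer.Public().(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, msg, sig) {
		t.Fatalf("%s: signature does not verify with the signer's own public key", name)
	}
}
```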
@@ -255,11 +256,28 @@ func TestGenSSHCertFileStringGenerateSuccess(t *testing.T) { t.Fatal(err) } t.Logf("got '%s'", certString) + if !strings.HasPrefix(certString, "ssh-rsa-cert-v01@openssh.com ") { + t.Logf("wrong prefix on stringification rsa-cert") + } if len(cert.ValidPrincipals) != 1 || cert.ValidPrincipals[0] != username { t.Fatal("invalid cert content, bad username") } // now test with an Ed25519 - + goodEd25519Signer, err := ssh.ParsePrivateKey([]byte(pkcs8Ed25519PrivateKey)) + if err != nil { + t.Fatal(err) + } + certString, cert, err = GenSSHCertFileString(username, ed25519PublicSSH, goodEd25519Signer, hostIdentity, testDuration) + if err != nil { + t.Fatal(err) + } + t.Logf("got '%s'", certString) + if !strings.HasPrefix(certString, "ssh-ed25519-cert-v01@openssh.com ") { + t.Logf("wrong prefix on stringification for ed25519") + } + if len(cert.ValidPrincipals) != 1 || cert.ValidPrincipals[0] != username { + t.Fatal("invalid cert content, bad username") + } } func TestGenSSHCertFileStringGenerateFailBadPublicKey(t *testing.T) { From 7d2c0aed90fb92a6fde8888afd303257923380ce Mon Sep 17 00:00:00 2001 From: Camilo Viecco Date: Sun, 7 Mar 2021 09:18:48 -0800 Subject: [PATCH 3/3] fixing added space --- lib/certgen/certgen.go | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/lib/certgen/certgen.go b/lib/certgen/certgen.go index be797e1e..2834fc13 100644 --- a/lib/certgen/certgen.go +++ b/lib/certgen/certgen.go @@ -144,16 +144,15 @@ func GetSignerFromPEMBytes(privateKey []byte) (crypto.Signer, error) { return nil, err } switch v := parsedIface.(type) { - case *ed25519.PrivateKey: - return v, nil case *rsa.PrivateKey: return v, nil case *ecdsa.PrivateKey: return v, nil + case *ed25519.PrivateKey: + return v, nil default: return nil, fmt.Errorf("Type not recognized %T!\n", v) } - default: err := errors.New("Cannot process that key") return nil, err
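Review bot: The two certificate-type prefix checks added to TestGenSSHCertFileStringGenerateSuccess call `t.Logf`, so a wrong `ssh-rsa-cert-v01@openssh.com` / `ssh-ed25519-cert-v01@openssh.com` prefix is logged but never fails the test, and the regression the `c.Type()` change in this series is meant to guard against would pass silently. Use a failing call for both, e.g. `t.Errorf("wrong prefix on stringification for ed25519: got %q", certString)`. The Ed25519 branch also depends on `ed25519PublicSSH`, which is not defined anywhere in this patch; presumably it already exists in the test file — confirm, otherwise the test does not compile. The test function opens before this hunk.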