Remove sshFingerprintValidator and rename fingerprintValidator

authority/provisioner/gcp.go

@@ -493,8 +493,8 @@ func (p *GCP) genHostOptions(_ context.Context, claims *gcpPayload) (SignSSHOpti
 	return SignSSHOptions{CertType: SSHHostCert}, keyID, principals, sshutil.HostCert, sshutil.DefaultIIDTemplate
 }
 
-func FormatServiceAccountUsername(serviceAccountId string) string {
-	return fmt.Sprintf("sa_%v", serviceAccountId)
+func FormatServiceAccountUsername(serviceAccountID string) string {
+	return fmt.Sprintf("sa_%v", serviceAccountID)
 }
 
 func (p *GCP) genUserOptions(_ context.Context, claims *gcpPayload) (SignSSHOptions, string, []string, sshutil.CertType, string) {

authority/provisioner/jwk.go

@@ -201,7 +201,7 @@ func (p *JWK) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 		newProvisionerExtensionOption(TypeJWK, p.Name, p.Key.KeyID).WithControllerOptions(p.ctl),
 		profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
 		// validators
-		fingerprintValidator(fingerprint),
+		csrFingerprintValidator(fingerprint),
 		commonNameSliceValidator(append([]string{claims.Subject}, claims.SANs...)),
 		defaultPublicKeyValidator{},
 		newDefaultSANsValidator(ctx, claims.SANs),
@@ -241,11 +241,6 @@ func (p *JWK) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e
 		sshCertOptionsValidator(SignSSHOptions{KeyID: claims.Subject}),
 	}
 
-	// Check the fingerprint of the certificate request if given.
-	if claims.Confirmation != nil && claims.Confirmation.Kid != "" {
-		signOptions = append(signOptions, sshFingerprintValidator(claims.Confirmation.Kid))
-	}
-
 	// Default template attributes.
 	certType := sshutil.UserCert
 	keyID := claims.Subject

authority/provisioner/jwk_test.go

@@ -336,7 +336,7 @@ func TestJWK_AuthorizeSign(t *testing.T) {
 						case *x509NamePolicyValidator:
 							assert.Equals(t, nil, v.policyEngine)
 						case *WebhookController:
-						case fingerprintValidator:
+						case csrFingerprintValidator:
 							assert.Equals(t, tt.fingerprint, string(v))
 						default:
 							assert.FatalError(t, fmt.Errorf("unexpected sign option of type %T", v))
@@ -491,10 +491,10 @@ func TestJWK_AuthorizeSSHSign(t *testing.T) {
 		{"host-principals", p1, args{t2, SignSSHOptions{Principals: []string{"smallstep.com"}}, pub}, expectedHostOptions, http.StatusOK, false, false},
 		{"host-options", p1, args{t2, SignSSHOptions{CertType: "host", Principals: []string{"smallstep.com"}}, pub}, expectedHostOptions, http.StatusOK, false, false},
 		{"host-cnf", p1, args{t3, SignSSHOptions{CertType: "host", Principals: []string{"smallstep.com"}}, pub}, expectedHostOptions, http.StatusOK, false, false},
+		{"ignore-bad-cnf", p1, args{t4, SignSSHOptions{CertType: "host", Principals: []string{"smallstep.com"}}, pub}, expectedHostOptions, http.StatusOK, false, false},
 		{"fail-sshCA-disabled", p2, args{"foo", SignSSHOptions{}, pub}, expectedUserOptions, http.StatusUnauthorized, true, false},
 		{"fail-signature", p1, args{failSig, SignSSHOptions{}, pub}, nil, http.StatusUnauthorized, true, false},
 		{"fail-rsa1024", p1, args{t1, SignSSHOptions{}, rsa1024.Public()}, expectedUserOptions, http.StatusOK, false, true},
-		{"fail-cnf", p1, args{t4, SignSSHOptions{CertType: "host", Principals: []string{"smallstep.com"}}, pub}, expectedHostOptions, http.StatusUnauthorized, false, true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

authority/provisioner/sign_options.go

@@ -507,11 +507,11 @@ func (o *provisionerExtensionOption) Modify(cert *x509.Certificate, _ SignOption
 	return nil
 }
 
-// fingerprintValidator is a CertificateRequestValidator that checks the
+// csrFingerprintValidator is a CertificateRequestValidator that checks the
 // fingerprint of the certificate request with the provided one.
-type fingerprintValidator string
+type csrFingerprintValidator string
 
-func (s fingerprintValidator) Valid(cr *x509.CertificateRequest) error {
+func (s csrFingerprintValidator) Valid(cr *x509.CertificateRequest) error {
 	if s != "" {
 		expected, err := base64.RawURLEncoding.DecodeString(string(s))
 		if err != nil {

authority/provisioner/sign_ssh_options.go

@@ -2,9 +2,6 @@ package provisioner
 
 import (
 	"crypto/rsa"
-	"crypto/sha256"
-	"crypto/subtle"
-	"encoding/base64"
 	"encoding/binary"
 	"encoding/json"
 	"fmt"
@@ -429,24 +426,6 @@ func (v *sshNamePolicyValidator) Valid(cert *ssh.Certificate, _ SignSSHOptions)
 	}
 }
 
-// sshFingerprintValidator is a SSHPublicKeyValidator that checks the
-// fingerprint of the public key with the provided one.
-type sshFingerprintValidator string
-
-func (s sshFingerprintValidator) Valid(key ssh.PublicKey) error {
-	if s != "" {
-		expected, err := base64.RawURLEncoding.DecodeString(string(s))
-		if err != nil {
-			return errs.ForbiddenErr(err, "error decoding fingerprint")
-		}
-		sum := sha256.Sum256(key.Marshal())
-		if subtle.ConstantTimeCompare(expected, sum[:]) != 1 {
-			return errs.Forbidden("ssh public key fingerprint does not match %q", s)
-		}
-	}
-	return nil
-}
-
 // sshCertTypeUInt32
 func sshCertTypeUInt32(ct string) uint32 {
 	switch ct {

authority/provisioner/ssh_test.go

@@ -51,7 +51,6 @@ func signSSHCertificate(key crypto.PublicKey, opts SignSSHOptions, signOpts []Si
 	var mods []SSHCertModifier
 	var certOptions []sshutil.Option
 	var validators []SSHCertValidator
-	var keyValidators []SSHPublicKeyValidator
 
 	for _, op := range signOpts {
 		switch o := op.(type) {
@@ -72,19 +71,11 @@ func signSSHCertificate(key crypto.PublicKey, opts SignSSHOptions, signOpts []Si
 			}
 		// call webhooks
 		case *WebhookController:
-		case sshFingerprintValidator:
-			keyValidators = append(keyValidators, o)
 		default:
 			return nil, fmt.Errorf("signSSH: invalid extra option type %T", o)
 		}
 	}
 
-	for _, v := range keyValidators {
-		if err := v.Valid(pub); err != nil {
-			return nil, err
-		}
-	}
-
 	// Simulated certificate request with request options.
 	cr := sshutil.CertificateRequest{
 		Type:       opts.CertType,

authority/provisioner/x5c.go

@@ -250,7 +250,7 @@ func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 			x5cLeaf.NotBefore, x5cLeaf.NotAfter,
 		},
 		// validators
-		fingerprintValidator(fingerprint),
+		csrFingerprintValidator(fingerprint),
 		commonNameValidator(claims.Subject),
 		newDefaultSANsValidator(ctx, claims.SANs),
 		defaultPublicKeyValidator{},
@@ -293,11 +293,6 @@ func (p *X5C) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e
 		sshCertOptionsValidator(SignSSHOptions{KeyID: claims.Subject}),
 	}
 
-	// Check the fingerprint of the certificate request if given.
-	if claims.Confirmation != nil && claims.Confirmation.Kid != "" {
-		signOptions = append(signOptions, sshFingerprintValidator(claims.Confirmation.Kid))
-	}
-
 	// Default template attributes.
 	certType := sshutil.UserCert
 	keyID := claims.Subject

authority/provisioner/x5c_test.go

@@ -527,7 +527,7 @@ func TestX5C_AuthorizeSign(t *testing.T) {
 								assert.Len(t, 0, v.webhooks)
 								assert.Equals(t, linkedca.Webhook_X509, v.certType)
 								assert.Len(t, 2, v.options)
-							case fingerprintValidator:
+							case csrFingerprintValidator:
 								assert.Equals(t, tc.fingerprint, string(v))
 							default:
 								assert.FatalError(t, fmt.Errorf("unexpected sign option of type %T", v))
@@ -824,7 +824,7 @@ func TestX5C_AuthorizeSSHSign(t *testing.T) {
 				claims:      claims,
 				token:       tok,
 				fingerprint: "fingerprint",
-				count:       11,
+				count:       10,
 			}
 		},
 	}
@@ -874,8 +874,6 @@ func TestX5C_AuthorizeSSHSign(t *testing.T) {
 								assert.Len(t, 0, v.webhooks)
 								assert.Equals(t, linkedca.Webhook_SSH, v.certType)
 								assert.Len(t, 2, v.options)
-							case sshFingerprintValidator:
-								assert.Equals(t, tc.fingerprint, string(v))
 							default:
 								assert.FatalError(t, fmt.Errorf("unexpected sign option of type %T", v))
 							}