agent: ensure we unwrap ssh.Certificate to get ssh.PublicKey

Signed-off-by: Morten Linderud <morten@linderud.pw>
Foxboron · Dec 29, 2024 · 0e44550 · 0e44550
1 parent 13c0e9e
commit 0e44550
Showing 1 changed file with 16 additions and 9 deletions.
diff --git a/agent/agent.go b/agent/agent.go
@@ -159,23 +159,30 @@ func (a *Agent) SignWithFlags(key ssh.PublicKey, data []byte, flags agent.Signat
 		return nil, err
 	}
 
+	var wantKey []byte
+	wantKey = key.Marshal()
 	alg := key.Type()
+
+	// Unwrap the ssh.Certificate PublicKey
+	if strings.Contains(alg, "cert") {
+		parsedCert, err := ssh.ParsePublicKey(wantKey)
+		if err != nil {
+			return nil, err
+		}
+		cert, ok := parsedCert.(*ssh.Certificate)
+		if ok {
+			wantKey = cert.Key.Marshal()
+			alg = cert.Key.Type()
+		}
+	}
+
 	switch {
 	case alg == ssh.KeyAlgoRSA && flags&agent.SignatureFlagRsaSha256 != 0:
 		alg = ssh.KeyAlgoRSASHA256
 	case alg == ssh.KeyAlgoRSA && flags&agent.SignatureFlagRsaSha512 != 0:
 		alg = ssh.KeyAlgoRSASHA512
 	}
 
-	// Check that the key is not wrapped
-	var wantKey []byte
-	if cert, ok := key.(*ssh.Certificate); ok {
-		wantKey = cert.Key.Marshal()
-		alg = cert.Key.Type()
-	} else {
-		wantKey = key.Marshal()
-	}
-
 	for _, s := range signers {
 		if !bytes.Equal(s.PublicKey().Marshal(), wantKey) {
 			continue