bugzilla-daemon at mindrot.org
2023-Jun-05 16:36 UTC
[Bug 3577] New: CASignatureAlgorithms supports -cert alogrithms
https://bugzilla.mindrot.org/show_bug.cgi?id=3577
Bug ID: 3577
Summary: CASignatureAlgorithms supports -cert alogrithms
Product: Portable OpenSSH
Version: 9.3p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: xspielinbox+mindrot at protonmail.com
Hello,
The CASignatureAlgorithms directive in ssh and sshd supports the
following algorithms:
ssh-ed25519
ssh-ed25519-cert-v01 at openssh.com
sk-ssh-ed25519 at openssh.com
sk-ssh-ed25519-cert-v01 at openssh.com
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256 at openssh.com
webauthn-sk-ecdsa-sha2-nistp256 at openssh.com
ssh-rsa-cert-v01 at openssh.com
rsa-sha2-256-cert-v01 at openssh.com
rsa-sha2-512-cert-v01 at openssh.com
ssh-dss-cert-v01 at openssh.com
ecdsa-sha2-nistp256-cert-v01 at openssh.com
ecdsa-sha2-nistp384-cert-v01 at openssh.com
ecdsa-sha2-nistp521-cert-v01 at openssh.com
sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com
Why are the *-cert-v01 at openssh.com algorithms allowed here? This seems
wrong to me, as per the documentation intermediate certificates aren't
supported, and I don't see how this would work then.
They also aren't enabled by default.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Jun-17 15:50 UTC
[Bug 3577] CASignatureAlgorithms supports -cert algorithms when used alongside with other options
https://bugzilla.mindrot.org/show_bug.cgi?id=3577
xspielinbox+mindrot at protonmail.com changed:
What    | Removed                                         | Added
--------+-------------------------------------------------+--------------------------------------------------------------------------------------
Summary | CASignatureAlgorithms supports -cert alogrithms | CASignatureAlgorithms supports -cert algorithms when used alongside with other options
--- Comment #1 from xspielinbox+mindrot at protonmail.com ---
To clarify:
When only configuring one of the -cert algorithms with
CASignatureAlgorithms, one gets an error, that the configuration is
invalid, but when adding them alongside some other algorithm, they are
supported.
However, when signing a user certificate with a CA, ssh-keygen -L will
always list the non -cert (the "normal" variant so to speak) as the
algorithm being "using" in the Signing CA. So e.g. for an ed25519 CA:
Signing CA: ED25519 SHA256:bfV6O1tWNL+L/rLib4dDFPn5eydAAhyyHUb5hz7yVjA
(using ssh-ed25519)
I would not know how to get something that would then have:
Signing CA: ED25519 SHA256:bfV6O1tWNL+L/rLib4dDFPn5eydAAhyyHUb5hz7yVjA
(using ssh-ed25519-cert)
As this algorithm in my understanding is the one
bugzilla-daemon at mindrot.org
2023-Jun-17 15:52 UTC
[Bug 3577] CASignatureAlgorithms supports -cert algorithms when used alongside with other options
https://bugzilla.mindrot.org/show_bug.cgi?id=3577
--- Comment #2 from xspielinbox+mindrot at protonmail.com ---
that can be controlled via CASignatureAlgorithms, it does not make sense
to me why these options are valid if a key using this algorithm cannot be
obtained.
Moreover: having an option that is only valid alongside another option
without any explanation is very confusing.
bugzilla-daemon at mindrot.org
2023-Jun-19 23:55 UTC
[Bug 3577] CASignatureAlgorithms supports -cert algorithms when used alongside with other options
https://bugzilla.mindrot.org/show_bug.cgi?id=3577
Damien Miller <djm at mindrot.org> changed:
What                   | Removed | Added
-----------------------+---------+-------------------------------------------
CC                     |         | djm at mindrot.org, dtucker at dtucker.net
Attachment #3700 Flags |         | ok?(dtucker at dtucker.net)
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Created attachment 3700
--> https://bugzilla.mindrot.org/attachment.cgi?id=3700&action=edit
disallow certificate algorithms in CASignatureAlgorithms
Certificate algorithms won't work when specified in
CASignatureAlgorithms, but the option would incorrectly accept them
without error. This fixes that.
bugzilla-daemon at mindrot.org
2023-Jun-20 00:46 UTC
[Bug 3577] CASignatureAlgorithms supports -cert algorithms when used alongside with other options
https://bugzilla.mindrot.org/show_bug.cgi?id=3577
Darren Tucker <dtucker at dtucker.net> changed:
What                   | Removed                    | Added
-----------------------+----------------------------+------
Attachment #3700 Flags | ok?(dtucker at dtucker.net) | ok+
bugzilla-daemon at mindrot.org
2023-Jun-20 21:46 UTC
[Bug 3577] CASignatureAlgorithms supports -cert algorithms when used alongside with other options
https://bugzilla.mindrot.org/show_bug.cgi?id=3577
--- Comment #4 from xspielinbox+mindrot at protonmail.com ---
Thank you for the clarification and the patch!
The patch indeed fixes the configuration-file behavior. It doesn't fix
`ssh -Q CASignatureAlgorithms` still producing the wrong output, however.
Also: You introduced a new variable ca_only that is true for
CASignatureAlgorithms and false for all others. Shouldn't it then perhaps
be named something more like no_ca, as CASignatureAlgorithms does not
accept only ca algorithms, but rather the exact opposite, or what did I
miss?
bugzilla-daemon at mindrot.org
2023-Jun-21 02:25 UTC
[Bug 3577] CASignatureAlgorithms supports -cert algorithms when used alongside with other options
https://bugzilla.mindrot.org/show_bug.cgi?id=3577
Damien Miller <djm at mindrot.org> changed:
What                   | Removed | Added
-----------------------+---------+----------------------------
Attachment #3701 Flags |         | ok?(dtucker at dtucker.net)
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Created attachment 3701
--> https://bugzilla.mindrot.org/attachment.cgi?id=3701&action=edit
show only valid CA signing algorithms for -Q CASignatureAlgorithms
> The patch indeed fixes the configuration-file behavior. It doesn't fix
> `ssh -Q CASignatureAlgorithms` still producing the wrong output, however.
Yeah, it was using the list of all signature algorithms.
> Also: You introduced a new variable ca_only that is true for
> CASignatureAlgorithms and false for all others. Shouldn't it then perhaps
> be named something more like no_ca, as CASignatureAlgorithms does not
> accept only ca algorithms, but rather the exact opposite, or what did I
> miss?
ca_only = algorithms that are valid for CAs to sign certificates.
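As an added illustration of the rule in comments #3 and #5 (this is not OpenSSH's own code nor the content of attachments 3700/3701): a validator for a CASignatureAlgorithms value that rejects certificate algorithm names even when they sit alongside valid ones, the mixed-list case the report describes, and a lister that produces what `ssh -Q CASignatureAlgorithms` should print, i.e. only non-certificate algorithms. The algorithm table is a constructed subset and the function names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Constructed subset of signature-algorithm names, flagged by whether the
 * name is a certificate algorithm (never valid for a CA to sign with). */
static const struct { const char *name; bool cert; } algs[] = {
    { "ssh-ed25519", false },
    { "ssh-ed25519-cert-v01@openssh.com", true },
    { "rsa-sha2-256", false },
    { "rsa-sha2-256-cert-v01@openssh.com", true },
    { "ecdsa-sha2-nistp256", false },
    { "ecdsa-sha2-nistp256-cert-v01@openssh.com", true },
};
#define NALGS (sizeof(algs) / sizeof(algs[0]))
/* Index of an algorithm name of the given length, or -1 if unknown. */
static int find_alg(const char *name, size_t len) {
    for (size_t i = 0; i < NALGS; i++)
        if (strlen(algs[i].name) == len && memcmp(algs[i].name, name, len) == 0)
            return (int)i;
    return -1;
}
/* Validate a comma-separated algorithm list. With ca_only set (the
 * CASignatureAlgorithms case) any certificate entry fails the whole list,
 * even when valid entries accompany it; with ca_only clear (other
 * options) only unknown names fail. Returns 0 on success, -1 otherwise. */
int validate_sig_algs(const char *list, bool ca_only) {
    if (list == NULL || *list == '\0') return -1;
    for (const char *p = list; *p != '\0'; ) {
        const char *q = strchr(p, ',');
        size_t len = q ? (size_t)(q - p) : strlen(p);
        int i = find_alg(p, len);
        if (i < 0 || (ca_only && algs[i].cert)) return -1;
        p = q ? q + 1 : p + len;
    }
    return 0;
}
/* Fill buf with the "-Q CASignatureAlgorithms" listing: non-certificate
 * names only, one per line. Returns how many names were written. */
int list_ca_sig_algs(char *buf, size_t bufsz) {
    int n = 0; size_t used = 0; buf[0] = '\0';
    for (size_t i = 0; i < NALGS; i++) {
        if (algs[i].cert) continue;  /* the pre-fix -Q output included these */
        int w = snprintf(buf + used, bufsz - used, "%s\n", algs[i].name);
        if (w < 0 || (size_t)w >= bufsz - used) break;
        used += (size_t)w; n++;
    }
    return n;
}
```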
bugzilla-daemon at mindrot.org
2023-Jun-21 03:20 UTC
[Bug 3577] CASignatureAlgorithms supports -cert algorithms when used alongside with other options
https://bugzilla.mindrot.org/show_bug.cgi?id=3577
Darren Tucker <dtucker at dtucker.net> changed:
What                   | Removed                    | Added
-----------------------+----------------------------+------
Attachment #3701 Flags | ok?(dtucker at dtucker.net) | ok+
bugzilla-daemon at mindrot.org
2023-Jun-21 05:15 UTC
[Bug 3577] CASignatureAlgorithms supports -cert algorithms when used alongside with other options
https://bugzilla.mindrot.org/show_bug.cgi?id=3577
Damien Miller <djm at mindrot.org> changed:
What       | Removed | Added
-----------+---------+---------
Status     | NEW     | RESOLVED
Blocks     |         | 3162
Resolution | ---     | FIXED
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
thanks for the report - these have both been committed and will be in
OpenSSH 8.4, due in a few months.
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3162
[Bug 3162] Tracking bug for 8.4 release