ca: Add sign_user_cert function

The `sshca::ca::sign_cert` function has been renamed to `sign_host_cert`, reflecting that it creates SSH host certificates. A new `sign_user_cert` function is now available to sign SSH user certificates.
2023-11-21 21:26:16 -06:00 · 2023-11-21 21:26:16 -06:00 · cd7a7272ef
parent 94ae6f727e
commit cd7a7272ef
2 changed files with 31 additions and 4 deletions
--- a/src/ca.rs
+++ b/src/ca.rs
@ -137,12 +137,38 @@ pub fn parse_public_key(data: &[u8]) -> Result<PublicKey, LoadKeyError> {
 /// This function creates a signed certificate for an SSH host public
 /// key.  The certificate will be valid for the specified hostname and
 /// any alias names provided.
-pub fn sign_cert(
+pub fn sign_host_cert(
    hostname: &str,
    pubkey: &PublicKey,
    duration: Duration,
    privkey: &PrivateKey,
    alias: &[&str],
+) -> Result<Certificate, CertError> {
+    sign_cert(hostname, pubkey, duration, privkey, alias, CertType::Host)
+}
+
+/// Create a signed SSH certificate for a user public key
+///
+/// This function creates a signed certificate for an SSH user public
+/// key.  The certificate will be valid for the specified username and
+/// any alias names provided.
+pub fn sign_user_cert(
+    username: &str,
+    pubkey: &PublicKey,
+    duration: Duration,
+    privkey: &PrivateKey,
+    alias: &[&str],
+) -> Result<Certificate, CertError> {
+    sign_cert(username, pubkey, duration, privkey, alias, CertType::User)
+}
+
+fn sign_cert(
+    principal: &str,
+    pubkey: &PublicKey,
+    duration: Duration,
+    privkey: &PrivateKey,
+    alias: &[&str],
+    cert_type: CertType,
 ) -> Result<Certificate, CertError> {
    let now = SystemTime::now();
    let not_before = now.duration_since(UNIX_EPOCH)?.as_secs();
@ -151,8 +177,8 @@ pub fn sign_cert(
    let mut builder = Builder::new_with_random_nonce(
        &mut OsRng, pubkey, not_before, not_after,
    )?;
-    builder.cert_type(CertType::Host)?;
-    builder.valid_principal(hostname)?;
+    builder.cert_type(cert_type)?;
+    builder.valid_principal(principal)?;
    for a in alias {
        builder.valid_principal(*a)?;
    }
--- a/src/server/host.rs
+++ b/src/server/host.rs
@ -211,7 +211,8 @@ pub(super) async fn sign_host_cert(
        pubkey.algorithm().as_str(),
        hostname
    );
-    let cert = ca::sign_cert(&hostname, &pubkey, duration, &privkey, &[])?;
+    let cert =
+        ca::sign_host_cert(&hostname, &pubkey, duration, &privkey, &[])?;
    info!(
        "Signed {} key for {}",
        pubkey.algorithm().as_str(),