Merge branch 'master' into authutil/standardize_argon2_dependency

.github/workflows/codecov.yml

@@ -31,6 +31,9 @@ jobs:
       - uses: actions/setup-go@v5
         with:
           go-version: 'stable'
+      - uses: awalsh128/cache-apt-pkgs-action@latest
+        with:
+          packages: gcc pkg-config libudev-dev libudev
       - name: Gather dependencies
         run: go mod download
       - name: Run coverage

.github/workflows/test.yml

@@ -1,30 +1,46 @@
 on: [push, pull_request]
 name: Test
 jobs:
-  test:
+  testlinux:
     strategy:
       matrix:
-        go-version: [1.22.x]
-        os: [ubuntu-latest, macos-latest]
+        go-version: [1.23.x]
+        os: [ubuntu-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+    - uses: actions/setup-go@v3
+      with:
+        go-version: ${{ matrix.go-version }}
+    - uses: awalsh128/cache-apt-pkgs-action@latest
+      with:
+        packages: gcc rpm alien rsync pkg-config libudev-dev libudev    
+    - uses: actions/checkout@v3
+    - run: make test
+  testmacos:
+    strategy:
+      matrix:
+        go-version: [1.23.x]
+        os: [macos-latest]
     runs-on: ${{ matrix.os }}
     steps:
     - uses: actions/setup-go@v3
       with:
         go-version: ${{ matrix.go-version }}
     - uses: actions/checkout@v3
     - run: make test
+
   buildlinuxpackage:
     strategy:
       matrix:
-        go-version: [1.22.x]
+        go-version: [1.23.x]
     runs-on: ubuntu-latest
     steps:
     - uses: actions/setup-go@v3
       with:
         go-version: ${{ matrix.go-version }}
     - uses: awalsh128/cache-apt-pkgs-action@latest
       with:
-        packages: gcc rpm alien rsync pkg-config libudev-dev
+        packages: gcc rpm alien rsync pkg-config libudev-dev libudev
     - uses: actions/checkout@v3
     - run: make rpm
 

Makefile

@@ -10,7 +10,7 @@ endif
 BINARY=keymaster
 
 # These are the values we want to pass for Version and BuildTime
-VERSION?=1.15.4
+VERSION?=1.15.5
 DEFAULT_HOST?=
 VERSION_FLAVOUR?=
 EXTRA_LDFLAGS?=

cmd/keymaster/main.go

@@ -299,19 +299,19 @@ func insertSSHCertIntoAgentORWriteToFilesystem(certText []byte,
 		return nil
 	}
 	logger.Debugf(1, "Non fatal, failed to insert into agent without expiration")
-	encodedSigner, err := x509.MarshalPKCS8PrivateKey(signer)
+	encodedSigner, err := ssh.MarshalPrivateKey(signer, "")
 	if err != nil {
 		return err
 	}
 	err = ioutil.WriteFile(
 		privateKeyPath,
-		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: encodedSigner}),
+		pem.EncodeToMemory(encodedSigner),
 		0600)
 	if err != nil {
 		return err
 	}
 	// now we need to write the certificate
-	sshCertPath := privateKeyPath + ".pub"
+	sshCertPath := privateKeyPath + "-cert.pub"
 	return ioutil.WriteFile(sshCertPath, certText, 0644)
 }
 

cmd/keymaster/main_test.go

@@ -6,12 +6,12 @@ import (
 	"crypto/rand"
 	"crypto/tls"
 	"crypto/x509"
-	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"net/http"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"runtime"
 	"testing"
@@ -20,6 +20,7 @@ import (
 	"golang.org/x/crypto/ssh"
 
 	"github.com/Cloud-Foundations/golib/pkg/log/testlogger"
+	"github.com/Cloud-Foundations/keymaster/lib/certgen"
 	"github.com/Cloud-Foundations/keymaster/lib/client/config"
 	"github.com/Cloud-Foundations/keymaster/lib/client/twofa/u2f"
 	"github.com/Cloud-Foundations/keymaster/lib/client/util"
@@ -202,41 +203,29 @@ func TestMost(t *testing.T) {
 
 }
 
-func goCertToFileString(c ssh.Certificate, username string) (string, error) {
-	certBytes := c.Marshal()
-	encoded := base64.StdEncoding.EncodeToString(certBytes)
-	fileComment := "/tmp/" + username + "-" + c.SignatureKey.Type() + "-cert.pub"
-	return c.Type() + " " + encoded + " " + fileComment, nil
-}
-
 func TestInsertSSHCertIntoAgentORWriteToFilesystem(t *testing.T) {
 	//step 1: generate
 	publicKey, privateKey, err := ed25519.GenerateKey(rand.Reader)
 	if err != nil {
 		t.Fatal(err)
 	}
+
 	sshPublic, err := ssh.NewPublicKey(publicKey)
 	if err != nil {
 		t.Fatal(err)
 	}
-	cert := ssh.Certificate{
-		Key:             sshPublic,
-		ValidPrincipals: []string{"username"},
-		ValidAfter:      uint64(time.Now().Unix()) - 10,
-		ValidBefore:     uint64(time.Now().Unix()) + 10,
-	}
+	sshPublicBytes := ssh.MarshalAuthorizedKey(sshPublic)
+
 	sshSigner, err := ssh.NewSignerFromKey(privateKey)
 	if err != nil {
 		t.Fatal(err)
 	}
-	err = cert.SignCert(rand.Reader, sshSigner)
-	if err != nil {
-		t.Fatal(err)
-	}
-	certString, err := goCertToFileString(cert, "username")
-	if err != nil {
-		t.Fatal(err)
-	}
+	seconds := 10
+	certDuration := time.Duration(seconds) * time.Second
+	extensions := make(map[string]string)
+
+	certString, _, err := certgen.GenSSHCertFileString("username", string(sshPublicBytes), sshSigner, "km.example.com", certDuration, extensions)
+
 	// This test needs a running agent... and remote windows
 	// builders do NOT have this... thus we need to abort this test
 	// until we have a way to NOT timeout on missing agent in
@@ -273,9 +262,23 @@ func TestInsertSSHCertIntoAgentORWriteToFilesystem(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	os.Remove(privateKeyPath)
-	// TODO: on linux/macos create agent + unix socket and pass that
+	defer os.Remove(privateKeyPath)
 
+	//t.Logf("certString='%s'", certString)
+
+	// TODO: on linux/macos create agent + unix socket and pass that
+	if oldSSHSock != "" && runtime.GOOS == "darwin" {
+		//reset the socket
+		err = os.Setenv("SSH_AUTH_SOCK", oldSSHSock)
+		if err != nil {
+			t.Fatal(err)
+		}
+		cmd := exec.Command("ssh-add", "-t", "30", privateKeyPath)
+		err := cmd.Run()
+		if err != nil {
+			t.Fatalf("Command finished with error: %v", err)
+		}
+	}
 }
 
 func TestMainSimple(t *testing.T) {

go.mod

@@ -1,8 +1,8 @@
 module github.com/Cloud-Foundations/keymaster
 
-go 1.21.0
+go 1.22.0
 
-toolchain go1.22.4
+toolchain go1.23.2
 
 replace github.com/bearsh/hid v1.3.0 => github.com/bearsh/hid v1.5.0
 
@@ -12,11 +12,11 @@ require (
 	github.com/Cloud-Foundations/npipe v0.0.0-20191222161149-761e85df1f92
 	github.com/Cloud-Foundations/tricorder v0.0.0-20191102180116-cf6bbf6d0168
 	github.com/aws/aws-sdk-go v1.55.5
-	github.com/aws/aws-sdk-go-v2 v1.30.3
-	github.com/aws/aws-sdk-go-v2/config v1.27.27
-	github.com/aws/aws-sdk-go-v2/service/organizations v1.30.2
-	github.com/aws/aws-sdk-go-v2/service/sts v1.30.3
-	github.com/bearsh/hid v1.5.0
+	github.com/aws/aws-sdk-go-v2 v1.32.2
+	github.com/aws/aws-sdk-go-v2/config v1.28.0
+	github.com/aws/aws-sdk-go-v2/service/organizations v1.34.2
+	github.com/aws/aws-sdk-go-v2/service/sts v1.32.2
+	github.com/bearsh/hid v1.6.0
 	github.com/cloudflare/cfssl v1.6.5
 	github.com/duo-labs/webauthn v0.0.0-20221205164246-ebaf9b74c6ec
 	github.com/flynn/u2f v0.0.0-20180613185708-15554eb68e5d
@@ -25,38 +25,39 @@ require (
 	github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef
 	github.com/lib/pq v1.10.9
 	github.com/marshallbrekka/go-u2fhost v0.0.0-20210111072507-3ccdec8c8105
-	github.com/mattn/go-sqlite3 v1.14.22
+	github.com/mattn/go-sqlite3 v1.14.24
 	github.com/nirasan/go-oauth-pkce-code-verifier v0.0.0-20220510032225-4f9f17eaec4c
 	github.com/pquerna/otp v1.4.0
-	github.com/prometheus/client_golang v1.19.1
+	github.com/prometheus/client_golang v1.20.5
 	github.com/tstranex/u2f v1.0.0
 	github.com/vjeantet/ldapserver v1.0.1
-	golang.org/x/crypto v0.25.0
-	golang.org/x/net v0.27.0
-	golang.org/x/oauth2 v0.21.0
-	golang.org/x/term v0.22.0
+	golang.org/x/crypto v0.28.0
+	golang.org/x/net v0.30.0
+	golang.org/x/oauth2 v0.23.0
+	golang.org/x/term v0.25.0
 	gopkg.in/ldap.v2 v2.5.1
 	gopkg.in/yaml.v2 v2.4.0
-	mvdan.cc/sh/v3 v3.8.0
+	mvdan.cc/sh/v3 v3.10.0
 )
 
 require (
-	dario.cat/mergo v1.0.0 // indirect
+	dario.cat/mergo v1.0.1 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/ProtonMail/go-crypto v1.0.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.32.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4 // indirect
-	github.com/cloudflare/circl v1.3.9 // indirect
-	github.com/cyphar/filepath-securejoin v0.3.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.2 // indirect
+	github.com/cloudflare/circl v1.5.0 // indirect
+	github.com/cyphar/filepath-securejoin v0.3.4 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-git/go-billy/v5 v5.5.0 // indirect
+	github.com/go-git/go-billy/v5 v5.6.0 // indirect
 	github.com/go-git/go-git/v5 v5.12.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
+	github.com/klauspost/compress v1.17.11 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
@@ -67,14 +68,14 @@ require (
 
 require (
 	github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.27 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.22.4 // indirect
-	github.com/aws/smithy-go v1.20.3 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.41 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.17 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.24.2 // indirect
+	github.com/aws/smithy-go v1.22.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/boombuler/barcode v1.0.2 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
@@ -87,12 +88,12 @@ require (
 	github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.55.0 // indirect
+	github.com/prometheus/common v0.60.1 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	golang.org/x/sys v0.22.0 // indirect
-	golang.org/x/time v0.5.0
-	google.golang.org/protobuf v1.34.2 // indirect
+	golang.org/x/sys v0.26.0 // indirect
+	golang.org/x/time v0.7.0
+	google.golang.org/protobuf v1.35.1 // indirect
 	gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
 	gopkg.in/natefinch/npipe.v2 v2.0.0-20160621034901-c1b8fa8bdcce // indirect
 )