Client checks pubkey in challenge before signing

rustica-agent/src/rustica/error.rs

@@ -11,6 +11,7 @@ pub struct ServerError {
 pub enum RefreshError {
     TransportError,
     SigningError,
+    ServerChallengeNotForClientKey,
     UnsupportedMode,
     InvalidUri,
     ConfigurationError(String),
@@ -25,6 +26,7 @@ impl fmt::Display for RefreshError {
         match *self {
             RefreshError::ConfigurationError(ref err) => write!(f, "Configuration is invalid: {}", err),
             RefreshError::TransportError => write!(f, "Transport Error. Generally a TLS issue"),
+            RefreshError::ServerChallengeNotForClientKey => write!(f, "Server challenge is for a key unknown to the client"),
             RefreshError::SigningError => write!(f, "Signing or verification failed"),
             RefreshError::UnsupportedMode => write!(f, "Attempted to use a curve or cipher not supported by rustica-agent"),
             RefreshError::InvalidUri => write!(f, "Provided address of remote service was invalid"),

rustica-agent/src/rustica/mod.rs

@@ -100,6 +100,14 @@ pub async fn complete_rustica_challenge(
         SSHCertificate::from_string(&response.challenge).map_err(|_| RefreshError::SigningError)?;
     challenge_certificate.signature_key = challenge_certificate.key.clone();
 
+    // We assert that the pubkey in the challenge belongs to the client
+    // This prevents a malicious Rustica server from tricking the client into signing a
+    // malicious SSH certificate for some unknown key.
+    if challenge_certificate.key.fingerprint().hash != ssh_pubkey.fingerprint().hash {
+        error!("The public key in the challenge doesn't match the client's public key");
+        return Err(RefreshError::ServerChallengeNotForClientKey);
+    }
+
     let resigned_certificate = match signatory {
         Signatory::Yubikey(signer) => {
             let signature = signer