From 15dc17c58d27d07840fb18038bcaf30c111168c9 Mon Sep 17 00:00:00 2001
From: Thanh Nguyen <thanh@timweri.me>
Date: Thu, 9 Nov 2023 14:57:16 -0500
Subject: [PATCH] Client checks pubkey in challenge before signing

---
 rustica-agent/src/rustica/error.rs | 2 ++
 rustica-agent/src/rustica/mod.rs   | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/rustica-agent/src/rustica/error.rs b/rustica-agent/src/rustica/error.rs
index 5fad0ae..445f8c7 100644
--- a/rustica-agent/src/rustica/error.rs
+++ b/rustica-agent/src/rustica/error.rs
@@ -11,6 +11,7 @@ pub struct ServerError {
 pub enum RefreshError {
     TransportError,
     SigningError,
+    ServerChallengeNotForClientKey,
     UnsupportedMode,
     InvalidUri,
     ConfigurationError(String),
@@ -25,6 +26,7 @@ impl fmt::Display for RefreshError {
         match *self {
             RefreshError::ConfigurationError(ref err) => write!(f, "Configuration is invalid: {}", err),
             RefreshError::TransportError => write!(f, "Transport Error. Generally a TLS issue"),
+            RefreshError::ServerChallengeNotForClientKey => write!(f, "Server challenge is for a key unknown to the client"),
             RefreshError::SigningError => write!(f, "Signing or verification failed"),
             RefreshError::UnsupportedMode => write!(f, "Attempted to use a curve or cipher not supported by rustica-agent"),
             RefreshError::InvalidUri => write!(f, "Provided address of remote service was invalid"),
diff --git a/rustica-agent/src/rustica/mod.rs b/rustica-agent/src/rustica/mod.rs
index 47163e3..7c6378f 100644
--- a/rustica-agent/src/rustica/mod.rs
+++ b/rustica-agent/src/rustica/mod.rs
@@ -100,6 +100,14 @@ pub async fn complete_rustica_challenge(
         SSHCertificate::from_string(&response.challenge).map_err(|_| RefreshError::SigningError)?;
     challenge_certificate.signature_key = challenge_certificate.key.clone();
 
+    // We assert that the pubkey in the challenge belongs to the client
+    // This prevents a malicious Rustica server from tricking the client into signing a
+    // malicious SSH certificate for some unknown key.
+    if challenge_certificate.key.fingerprint().hash != ssh_pubkey.fingerprint().hash {
+        error!("The public key in the challenge doesn't match the client's public key");
+        return Err(RefreshError::ServerChallengeNotForClientKey);
+    }
+
     let resigned_certificate = match signatory {
         Signatory::Yubikey(signer) => {
             let signature = signer