Handle pubkey blob in sign call being SSH cert

obelisk · Nov 28, 2023 · 49f3acf · 49f3acf
1 parent 2b41dc9
commit 49f3acf
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/rustica-agent/src/lib.rs b/rustica-agent/src/lib.rs
@@ -333,8 +333,15 @@ impl SshAgentHandler for Handler {
 
             return Ok(Response::SignResponse { signature });
         } else if let Signatory::Direct(privkey) = &self.signatory {
+            // Extract the pubkey fingerprint from either the SSH pubkey or the SSH cert
+            let fingerprint = match (Certificate::from_bytes(&pubkey), PublicKey::from_bytes(&pubkey)) {
+                (Ok(cert), _) => cert.key.fingerprint(),
+                (_, Ok(pubkey)) => pubkey.fingerprint(),
+                _ => return Err(AgentError::from("Invalid key blob")),
+            };
+
             // Don't sign requests if the requested key does not match the signatory
-            if privkey.pubkey.encode() != pubkey {
+            if privkey.pubkey.fingerprint() != fingerprint {
                 return Err(AgentError::from("No such key"));
             }