From a049e1f7e786cf77201954cdcc421ed08956d7d9 Mon Sep 17 00:00:00 2001
From: Mariano Cano <mariano@smallstep.com>
Date: Wed, 27 Nov 2019 14:48:14 -0800
Subject: [PATCH] Check at the cert type instead of at the body.

---
 api/ssh.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/api/ssh.go b/api/ssh.go
index 6382a27d..b559c27a 100644
--- a/api/ssh.go
+++ b/api/ssh.go
@@ -56,7 +56,7 @@ func (s *SSHSignRequest) Validate() error {
 		// Validate identity signature if provided
 		if s.IdentityCSR.CertificateRequest != nil {
 			if err := s.IdentityCSR.CertificateRequest.CheckSignature(); err != nil {
-				return errors.Wrap(err, "invalid csr")
+				return errors.Wrap(err, "invalid identityCSR")
 			}
 		}
 		return nil
@@ -308,7 +308,7 @@ func (h *caHandler) SSHSign(w http.ResponseWriter, r *http.Request) {
 	if cr := body.IdentityCSR.CertificateRequest; cr != nil {
 		var opts provisioner.Options
 		// Use same duration as ssh certificate for user certificates
-		if body.CertType == provisioner.SSHUserCert {
+		if cert.CertType == ssh.UserCert {
 			opts = provisioner.Options{
 				NotBefore: provisioner.NewTimeDuration(time.Unix(int64(cert.ValidAfter), 0)),
 				NotAfter:  provisioner.NewTimeDuration(time.Unix(int64(cert.ValidBefore), 0)),