From a6deea7d8d0a9e50e2a44e62d9a25ead29902c33 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Wed, 18 Dec 2019 14:43:38 -0800
Subject: [PATCH] Renew identity certificate in /ssh/rekey and /ssh/renew

---
 api/sshRekey.go | 14 +++++++++++---
 api/sshRenew.go | 26 ++++++++++++++++++++++++--
 2 files changed, 35 insertions(+), 5 deletions(-)

diff --git a/api/sshRekey.go b/api/sshRekey.go
index 6b7ef5d7..aa70cf4f 100644
--- a/api/sshRekey.go
+++ b/api/sshRekey.go
@@ -30,7 +30,8 @@ func (s *SSHRekeyRequest) Validate() error {
 
 // SSHRekeyResponse is the response object that returns the SSH certificate.
 type SSHRekeyResponse struct {
- Certificate SSHCertificate `json:"crt"`
+ Certificate SSHCertificate `json:"crt"`
+ IdentityCertificate []Certificate `json:"identityCrt,omitempty"`
 }
 
 // SSHRekey is an HTTP handler that reads an RekeySSHRequest with a one-time-token
@@ -72,7 +73,14 @@ func (h *caHandler) SSHRekey(w http.ResponseWriter, r *http.Request) {
 return
 }
 
- JSONStatus(w, &SSHSignResponse{
- Certificate: SSHCertificate{newCert},
+ identity, err := h.renewIdentityCertificate(r)
+ if err != nil {
+ WriteError(w, errs.Forbidden(err))
+ return
+ }
+
+ JSONStatus(w, &SSHRekeyResponse{
+ Certificate: SSHCertificate{newCert},
+ IdentityCertificate: identity,
 }, http.StatusCreated)
 }
diff --git a/api/sshRenew.go b/api/sshRenew.go
index 5a847796..5165bf33 100644
--- a/api/sshRenew.go
+++ b/api/sshRenew.go
@@ -26,7 +26,8 @@ func (s *SSHRenewRequest) Validate() error {
 
 // SSHRenewResponse is the response object that returns the SSH certificate.
 type SSHRenewResponse struct {
- Certificate SSHCertificate `json:"crt"`
+ Certificate SSHCertificate `json:"crt"`
+ IdentityCertificate []Certificate `json:"identityCrt,omitempty"`
 }
 
 // SSHRenew is an HTTP handler that reads an RenewSSHRequest with a one-time-token
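Review bot: The new `IdentityCertificate` field on `SSHRekeyResponse` has no doc comment, and the struct comment above it still says the response returns only the SSH certificate; the same applies to `SSHRenewResponse` in the sshRenew.go hunk below. Suggest `// IdentityCertificate is the renewed client TLS certificate chain; it is omitted when the request carried no client certificate.` above the field, and widen the struct comment to mention the optional identity chain.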
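Review bot: A failure from `h.renewIdentityCertificate(r)` now aborts the whole rekey with a 403, even though the one-time token was already accepted and `newCert` was apparently already signed before this hunk; the same pattern is in the SSHRenew hunk. A client that presents an mTLS certificate this CA cannot renew (expired, issued elsewhere, or one the authority refuses) therefore loses the SSH rekey it would otherwise have been granted, and `errs.Forbidden(err)` turns every underlying `Renew` error, internal ones included, into a Forbidden response. Consider either treating the identity renewal as best-effort (log the error and return the SSH certificate alone, which the `omitempty` tag already allows) or mapping the error by type rather than blanket Forbidden. The start of SSHRekey, including the signing of `newCert`, lies outside the hunk.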
@@ -62,7 +63,28 @@ func (h *caHandler) SSHRenew(w http.ResponseWriter, r *http.Request) {
 return
 }
 
+ identity, err := h.renewIdentityCertificate(r)
+ if err != nil {
+ WriteError(w, errs.Forbidden(err))
+ return
+ }
+
 JSONStatus(w, &SSHSignResponse{
- Certificate: SSHCertificate{newCert},
+ Certificate: SSHCertificate{newCert},
+ IdentityCertificate: identity,
 }, http.StatusCreated)
 }
+
+// renewIdentityCertificate request the client TLS certificate if present.
+func (h *caHandler) renewIdentityCertificate(r *http.Request) ([]Certificate, error) {
+ if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
+ return nil, nil
+ }
+
+ certChain, err := h.Authority.Renew(r.TLS.PeerCertificates[0])
+ if err != nil {
+ return nil, err
+ }
+
+ return certChainToPEM(certChain), nil
+}
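Review bot: `SSHRenew` still constructs `&SSHSignResponse{` with the new `IdentityCertificate` field, while the earlier hunk adds that field to `SSHRenewResponse` and the rekey handler in this same commit was switched to its own response type; unless `SSHSignResponse` already carries an `identityCrt` field this will not compile, and either way the line should read `JSONStatus(w, &SSHRenewResponse{`. In `renewIdentityCertificate`, `r.TLS.PeerCertificates[0]` is whatever leaf the client chose to send; whether the TLS layer verified it depends on the server's `tls.Config.ClientAuth` mode, which is not visible here, so correctness rests on `h.Authority.Renew` rejecting certificates it did not issue or that are expired or revoked — if that is not guaranteed, also guard on `len(r.TLS.VerifiedChains) == 0`. The doc comment misdescribes the helper; suggest `// renewIdentityCertificate renews the client TLS certificate, if the request presented one, and returns the new chain; it returns nil, nil when no client certificate was sent.`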