From f17bfdf57dee05cabfdec08b0d9c6d3ce7d22a96 Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Mon, 8 May 2023 13:45:53 +0200 Subject: [PATCH] Reformat the SSH certificate logging output for read- and parsability --- api/api.go | 23 +++++++++++++++++------ api/api_test.go | 6 +++--- 2 files changed, 20 insertions(+), 9 deletions(-) diff --git a/api/api.go b/api/api.go index 7a80dc44..36c835cc 100644 --- a/api/api.go +++ b/api/api.go @@ -508,21 +508,32 @@ func LogCertificate(w http.ResponseWriter, cert *x509.Certificate) { func LogSSHCertificate(w http.ResponseWriter, cert *ssh.Certificate) { if rl, ok := w.(logging.ResponseLogger); ok { mak := bytes.TrimSpace(ssh.MarshalAuthorizedKey(cert)) - certType := "user" - if cert.CertType == ssh.HostCert { - certType = "host" + var certificate string + parts := strings.Split(string(mak), " ") + if len(parts) > 1 { + certificate = parts[1] } + var userOrHost string + if cert.CertType == ssh.HostCert { + userOrHost = "host" + } else { + userOrHost = "user" + } + certificateType := fmt.Sprintf("%s %s certificate", parts[0], userOrHost) // e.g. ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate m := map[string]interface{}{ "serial": cert.Serial, "principals": cert.ValidPrincipals, "valid-from": time.Unix(int64(cert.ValidAfter), 0).Format(time.RFC3339), "valid-to": time.Unix(int64(cert.ValidBefore), 0).Format(time.RFC3339), - "certificate": string(mak), - "certificate-type": certType, + "certificate": certificate, + "certificate-type": certificateType, } fingerprint, err := sshutil.FormatFingerprint(mak, sshutil.DefaultFingerprint) if err == nil { - m["public-key"] = fingerprint + fpParts := strings.Split(fingerprint, " ") + if len(fpParts) > 3 { + m["public-key"] = fmt.Sprintf("%s %s", fpParts[1], fpParts[len(fpParts)-1]) + } } rl.WithFields(m) } diff --git a/api/api_test.go b/api/api_test.go index d1451623..1c90d91b 100644 --- a/api/api_test.go +++ b/api/api_test.go @@ -1680,9 +1680,9 @@ func TestLogSSHCertificate(t *testing.T) { fields := rl.Fields() sassert.Equal(t, uint64(14376510277651266987), fields["serial"]) sassert.Equal(t, []string{"herman"}, fields["principals"]) - sassert.Equal(t, "user", fields["certificate-type"]) + sassert.Equal(t, "ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate", fields["certificate-type"]) sassert.Equal(t, time.Unix(1674129191, 0).Format(time.RFC3339), fields["valid-from"]) sassert.Equal(t, time.Unix(1674186851, 0).Format(time.RFC3339), fields["valid-to"]) - sassert.Equal(t, "ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgLnkvSk4odlo3b1R+RDw+LmorL3RkN354IilCIVFVen4AAAAIbmlzdHAyNTYAAABBBHjKHss8WM2ffMYlavisoLXR0I6UEIU+cidV1ogEH1U6+/SYaFPrlzQo0tGLM5CNkMbhInbyasQsrHzn8F1Rt7nHg5/tcSf9qwAAAAEAAAAGaGVybWFuAAAACgAAAAZoZXJtYW4AAAAAY8kvJwAAAABjyhBjAAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAAGgAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAAhuaXN0cDI1NgAAAEEE/ayqpPrZZF5uA1UlDt4FreTf15agztQIzpxnWq/XoxAHzagRSkFGkdgFpjgsfiRpP8URHH3BZScqc0ZDCTxhoQAAAGQAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAEkAAAAhAJuP1wCVwoyrKrEtHGfFXrVbRHySDjvXtS1tVTdHyqymAAAAIBa/CSSzfZb4D2NLP+eEmOOMJwSjYOiNM8fiOoAaqglI", fields["certificate"]) - sassert.Equal(t, "256 SHA256:RvkDPGwl/G9d7LUFm1kmWhvOD9I/moPq4yxcb0STwr0 no comment (ECDSA-CERT)", fields["public-key"]) + sassert.Equal(t, "AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgLnkvSk4odlo3b1R+RDw+LmorL3RkN354IilCIVFVen4AAAAIbmlzdHAyNTYAAABBBHjKHss8WM2ffMYlavisoLXR0I6UEIU+cidV1ogEH1U6+/SYaFPrlzQo0tGLM5CNkMbhInbyasQsrHzn8F1Rt7nHg5/tcSf9qwAAAAEAAAAGaGVybWFuAAAACgAAAAZoZXJtYW4AAAAAY8kvJwAAAABjyhBjAAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAAGgAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAAhuaXN0cDI1NgAAAEEE/ayqpPrZZF5uA1UlDt4FreTf15agztQIzpxnWq/XoxAHzagRSkFGkdgFpjgsfiRpP8URHH3BZScqc0ZDCTxhoQAAAGQAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAEkAAAAhAJuP1wCVwoyrKrEtHGfFXrVbRHySDjvXtS1tVTdHyqymAAAAIBa/CSSzfZb4D2NLP+eEmOOMJwSjYOiNM8fiOoAaqglI", fields["certificate"]) + sassert.Equal(t, "SHA256:RvkDPGwl/G9d7LUFm1kmWhvOD9I/moPq4yxcb0STwr0 (ECDSA-CERT)", fields["public-key"]) }