git@vger.kernel.org mailing list mirror (one of many)
* Using principal wildcards in gpg.ssh.allowedSignersFile
@ 2021-12-17  6:20 Matthias Maier
  2021-12-17  9:42 ` Fabian Stelzer
  0 siblings, 1 reply; 5+ messages in thread
From: Matthias Maier @ 2021-12-17  6:20 UTC (permalink / raw)
  To: git

Dear all,

I am experimenting with git version 2.34.1 (and OpenSSH 8.8_p1) a bit
trying to set up a repository with SSH signatures for commits instead of
pgp. I have also tested the current "git next" branch.

The straight-forward setup (by having an "allowed_signers" file
naming individual e-mails and pubkeys) works as anticipated.

However, when trying to combine this with an SSH certificate authority
(which would be the use case I have in mind) I am not able to use an
e-mail wildcard in the "allowed_signers" file but have to specify full
e-mails instead. This, unfortunately, defeats a bit the purpose of
having an SSH certificate authority in the first place...

The corresponding low-level openssh facilities all seem to work
(including an e-mail wildcard in the ALLOWED SIGNERS file and
$ ssh-keygen -Y find-principals extracting the right e-mail).

I have attached full details on how to reproduce below.

Can someone shed some light on this one?

Best,
Matthias



Steps to reproduce:

====================
Set up a minimal CA:
====================

  $ mkdir /tmp/signing-test
  $ cd /tmp/signing-test


A)  Set up two test pubkeys:

  $ ssh-keygen -t ed25519 -C "ca key" -f id_ca
  [...]
  $ ssh-keygen -t ed25519 -C "user key" -f id_user
  [...]


B)  Sign user key creating an SSH certificate:

  $ ssh-keygen -s id_ca -I "user key" -n "tamiko@43-1.org" id_user.pub
  Signed user key id_user-cert.pub: id "user key" serial 0 for tamiko@43-1.org valid forever

  $ ssh-keygen -L -f id_user-cert.pub
  id_user-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:noSSfVeVlrYi6vGgK+jRPvyBnIV4ccVA0iW4IXYdXDQ
        Signing CA: ED25519 SHA256:gix8Iux4j9Uf5fyTPdXbO/7EaLbpnhBczW3jw+2DHnw (using ssh-ed25519)
        Key ID: "user key"
        Principals:
                tamiko@43-1.org
  [...]


C)  Create allowed signers file:

  $ (printf '*@43-1.org cert-authority,namespaces="file,git" '; cat id_ca.pub) > allowed_signers

  ! Important: I used a wild card "*@43-1.org" for the principal!


D) Test setup:

  $ echo this is some random text > test.txt
  $ ssh-keygen -Y sign -f id_user-cert.pub -n file test.txt
  Signing file test.txt
  Write signature to test.txt.sig
  
  $ ssh-keygen -Y find-principals -f allowed_signers -n file -s test.txt.sig
  tamiko@43-1.org

  $ ssh-keygen -Y verify -f allowed_signers -I "tamiko@43-1.org" -n file -s test.txt.sig < test.txt
  Good "file" signature for tamiko@43-1.org with ED25519-CERT key SHA256:noSSfVeVlrYi6vGgK+jRPvyBnIV4ccVA0iW4IXYdXDQ
  

=======================
Set up a git repository
=======================

E) Set up an empty repository somewhere
  
  $ cd /tmp
  $ git init signing-test-repo
  $ cd signing-test-repo
  
  and modify .git/config to look like this:

        [core]
                repositoryformatversion = 0
                filemode = true
                bare = false
                logallrefupdates = true
        [commit]
                gpgsign = true
        [user]
                signingkey = /tmp/signing-test/id_user-cert.pub
        [gpg]
                format = ssh
        [gpg "ssh"]
                allowedSignersFile = /tmp/signing-test/allowed_signers


F) make a commit

  $ git commit -a --allow-empty -m "my shiny new ssh key signed commit"

  $ git log --show-signature
  Good "git" signature with ED25519-CERT key SHA256:noSSfVeVlrYi6vGgK+jRPvyBnIV4ccVA0iW4IXYdXDQ
  /tmp/signing-test/allowed_signers:1: no valid principals found
  No principal matched.
  Author: Matthias Maier <tamiko@43-1.org>
  Date:   Mon Dec 13 23:51:03 2021 -0600


G) modify allowed_signers entry to read "tamiko@43-1.org" instead of the wildcard "*@43-1.org":

  $ git log --show-signature
  Good "git" signature for tamiko@43-1.org with ED25519-CERT key SHA256:noSSfVeVlrYi6vGgK+jRPvyBnIV4ccVA0iW4IXYdXDQ
  Author: Matthias Maier <tamiko@43-1.org>
  Date:   Mon Dec 13 23:51:03 2021 -0600


* Re: Using principal wildcards in gpg.ssh.allowedSignersFile
  2021-12-17  6:20 Using principal wildcards in gpg.ssh.allowedSignersFile Matthias Maier
@ 2021-12-17  9:42 ` Fabian Stelzer
  2021-12-17 16:41   ` Matthias Maier
  2022-02-03 12:41   ` Fabian Stelzer
  0 siblings, 2 replies; 5+ messages in thread
From: Fabian Stelzer @ 2021-12-17  9:42 UTC (permalink / raw)
  To: Matthias Maier; +Cc: git

On 17.12.2021 00:20, Matthias Maier wrote:
>Dear all,
>
>I am experimenting with git version 2.34.1 (and OpenSSH 8.8_p1) a bit
>trying to set up a repository with SSH signatures for commits instead of
>pgp. I have also tested the current "git next" branch.
>
>The straight-forward setup (by having an "allowed_signers" file
>naming individual e-mails and pubkeys) works as anticipated.
>
>However, when trying to combine this with an SSH certificate authority
>(which would be the use case I have in mind) I am not able to use an
>e-mail wildcard in the "allowed_signers" file but have to specify full
>e-mails instead. This, unfortunately, defeats a bit the purpose of
>having an SSH certificate authority in the first place...
>

Thanks for your report. I tested the described behaviour and I think this is 
a bug in openssh. find-principals will never match on a CA cert with 
wildcard principals whereas wildcards for non-CA keys work just fine. I've 
emailed the openssh maintainer about it and will prepare a patch.

>Steps to reproduce:
>
>====================
>Set up a minimal CA:
>====================
>
>  $ mkdir /tmp/signing-test
>  $ cd /tmp/signing-test
>
>
>A)  Set up two test pubkeys:
>
>  $ ssh-keygen -t ed25519 -C "ca key" -f id_ca
>  [...]
>  $ ssh-keygen -t ed25519 -C "user key" -f id_user
>  [...]
>
>
>B)  Sign user key creating an SSH certificate:
>  [...]
>
>C)  Create allowed signers file:
>
>  $ (printf '*@43-1.org cert-authority,namespaces="file,git" '; cat id_ca.pub) > allowed_signers
>
>  ! Important: I used a wild card "*@43-1.org" for the principal!
>
>
>D) Test setup:
>
>  $ echo this is some random text > test.txt
>  $ ssh-keygen -Y sign -f id_user-cert.pub -n file test.txt
>  Signing file test.txt
>  Write signature to test.txt.sig
>
>  $ ssh-keygen -Y find-principals -f allowed_signers -n file -s test.txt.sig
>  tamiko@43-1.org

Are you sure the allowed_signers file was exactly what you generated before 
for this command? If I follow your steps this will not produce a principal 
for me with either openssh-8.8.1 or master. Can you run this with `-vvv` 
which will show a bit more ssh internal output?
In the openssh code for find-principals wildcard principals are filtered for 
CA certs. I'm not sure why and have asked them about it.

By the way, find-principals will not consider the namespace parameter.
This has another bug in the current master producing a segfault for which 
I've already sent a patch. But this should be unrelated to your issue.

>
>  $ ssh-keygen -Y verify -f allowed_signers -I "tamiko@43-1.org" -n file -s test.txt.sig < test.txt
>  Good "file" signature for tamiko@43-1.org with ED25519-CERT key SHA256:noSSfVeVlrYi6vGgK+jRPvyBnIV4ccVA0iW4IXYdXDQ
>
>
>=======================
>Set up a git repository
>=======================
>
>E) Set up an empty repository somewhere
>
>  $ cd /tmp
>  $ git init signing-test-repo
>  $ cd signing-test-repo
>
>  and modify .git/config to look like this:
>
>        [core]
>                repositoryformatversion = 0
>                filemode = true
>                bare = false
>                logallrefupdates = true
>        [commit]
>                gpgsign = true
>        [user]
>                signingkey = /tmp/signing-test/id_user-cert.pub
>        [gpg]
>                format = ssh
>        [gpg "ssh"]
>                allowedSignersFile = /tmp/signing-test/allowed_signers
>
>
>F) make a commit
>
>  $ git commit -a --allow-empty -m "my shiny new ssh key signed commit"
>
>  $ git log --show-signature
>  Good "git" signature with ED25519-CERT key SHA256:noSSfVeVlrYi6vGgK+jRPvyBnIV4ccVA0iW4IXYdXDQ
>  /tmp/signing-test/allowed_signers:1: no valid principals found
>  No principal matched.
>  Author: Matthias Maier <tamiko@43-1.org>
>  Date:   Mon Dec 13 23:51:03 2021 -0600

Just FYI: if you add GIT_TRACE=1 to the git commands you can see the 
executed ssh-keygen commands, which can help to see what's going on.

>
>
>G) modify allowed_signers entry to read "tamiko@43-1.org" instead of the wildcard "*@43-1.org":
>
>  $ git log --show-signature
>  Good "git" signature for tamiko@43-1.org with ED25519-CERT key SHA256:noSSfVeVlrYi6vGgK+jRPvyBnIV4ccVA0iW4IXYdXDQ
>  Author: Matthias Maier <tamiko@43-1.org>
>  Date:   Mon Dec 13 23:51:03 2021 -0600


* Re: Using principal wildcards in gpg.ssh.allowedSignersFile
  2021-12-17  9:42 ` Fabian Stelzer
@ 2021-12-17 16:41   ` Matthias Maier
  2022-02-03 12:41   ` Fabian Stelzer
  1 sibling, 0 replies; 5+ messages in thread
From: Matthias Maier @ 2021-12-17 16:41 UTC (permalink / raw)
  To: git; +Cc: Fabian Stelzer

Hi Fabian,

Thanks for doing the bug report to openssh!


On Fri, Dec 17, 2021, at 03:42 CST, Fabian Stelzer <fs@gigacodes.de> wrote:

> [...]

>>  $ ssh-keygen -Y find-principals -f allowed_signers -n file -s test.txt.sig
>>  tamiko@43-1.org
>
> Are you sure the allowed_signers file was exactly what you generated
> before for this command? If I follow your steps this will not produce
> a principal for me with either openssh-8.8.1 or master. Can you run
> this with `-vvv` which will show a bit more ssh internal output?
> In the openssh code for find-principals wildcard principals are
> filtered for CA certs. I'm not sure why and have asked them about it.
>
> By the way, find-principals will not consider the namespace parameter.
> This has another bug in the current master producing a segfault for
> which I've already sent a patch. But this should be unrelated to your
> issue.

You're absolutely right - I did confuse myself. The find-principals call
does not work:

    % ssh-keygen -vvv -Y find-principals -f allowed_signers -n file -s test.txt.sig
    debug3: allowed_signers:1: options cert-authority,namespaces="file,git"
    debug1: allowed_signers:1: principal "*@43-1.org" not authorized: contains wildcards
    allowed_signers:1: no valid principals found
    debug1: allowed_signers:1: cert_filter_principals: invalid certificate
    No principal matched.

I agree. It is interesting that they explicitly filter wildcards for the
find-principals call. Let's see what openssh upstream has to say.


> [...]
>
> Just FYI: if you add GIT_TRACE=1 to the git commands you can see the
> executed ssh-keygen commands, which can help to see what's going on.

Ah, that's neat!


Best,
Matthias
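
A check an administrator could run before relying on a CA wildcard entry, as an added example that is not part of the thread: it lists allowed_signers entries that combine cert-authority with a wildcard principal, the combination that find-principals rejected in the debug output above. The function names, the sample file and its placeholder key blobs are constructed for illustration; the parser assumes no whitespace inside the options field.

```shell
#!/bin/sh
# Added example (not from the thread): flag allowed_signers entries that pair
# the cert-authority option with a wildcard principal pattern.

# audit_allowed_signers FILE
# Prints "LINENO:PRINCIPALS" per affected entry; returns 1 if any was found.
audit_allowed_signers() {
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        {
            principals = $1
            # The options field is optional: field 2 holds options only
            # when it is not already a key type.
            opts = ""
            if ($2 !~ /^(ssh-|ecdsa-|sk-)/) opts = $2
            n = split(opts, o, ",")
            is_ca = 0
            for (i = 1; i <= n; i++)
                if (tolower(o[i]) == "cert-authority") is_ca = 1
            if (is_ca && principals ~ /[*?]/) {
                printf "%d:%s\n", NR, principals
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample file; the key blobs are placeholders, not real keys.
sample_allowed_signers() {
    cat <<'EOF'
# CA entry with a wildcard principal (the form used in the thread)
*@43-1.org cert-authority,namespaces="file,git" ssh-ed25519 AAAAC3PLACEHOLDERCA
# CA entry with an exact principal
tamiko@43-1.org cert-authority,namespaces="file,git" ssh-ed25519 AAAAC3PLACEHOLDERCA
# plain key with a wildcard principal and no options field
*@43-1.org ssh-ed25519 AAAAC3PLACEHOLDERUSER
EOF
}

tmp=$(mktemp)
sample_allowed_signers > "$tmp"
affected=$(audit_allowed_signers "$tmp") || echo "affected entries: $affected"
rm -f "$tmp"
```

Only the first sample entry is reported: the exact-principal CA entry matches step G of the report, and the wildcard entry without cert-authority is the non-CA case described in the thread as working.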



* Re: Using principal wildcards in gpg.ssh.allowedSignersFile
  2021-12-17  9:42 ` Fabian Stelzer
  2021-12-17 16:41   ` Matthias Maier
@ 2022-02-03 12:41   ` Fabian Stelzer
  2022-02-03 18:43     ` Junio C Hamano
  1 sibling, 1 reply; 5+ messages in thread
From: Fabian Stelzer @ 2022-02-03 12:41 UTC (permalink / raw)
  To: Matthias Maier; +Cc: git

On 17.12.2021 10:42, Fabian Stelzer wrote:
>On 17.12.2021 00:20, Matthias Maier wrote:
>>Dear all,
>>
>>I am experimenting with git version 2.34.1 (and OpenSSH 8.8_p1) a bit
>>trying to set up a repository with SSH signatures for commits instead of
>>pgp. I have also tested the current "git next" branch.
>>
>>The straight-forward setup (by having an "allowed_signers" file
>>naming individual e-mails and pubkeys) works as anticipated.
>>
>>However, when trying to combine this with an SSH certificate authority
>>(which would be the use case I have in mind) I am not able to use an
>>e-mail wildcard in the "allowed_signers" file but have to specify full
>>e-mails instead. This, unfortunately, defeats a bit the purpose of
>>having an SSH certificate authority in the first place...
>>
>
>Thanks for your report. I tested the described behaviour and I think 
>this is a bug in openssh. find-principals will never match on a CA 
>cert with wildcard principals whereas wildcards for non-CA keys work 
>just fine. I've emailed the openssh maintainer about it and will 
>prepare a patch.

Just for reference to the git list:
This issue was fixed with 
https://github.com/openssh/openssh-portable/commit/15b7199a1fd37eff4c695e09d573f3db9f4274b7
which should be in the next openssh release.

>>Steps to reproduce:
>>
>>====================
>>Set up a minimal CA:
>>====================
>>
>> $ mkdir /tmp/signing-test
>> $ cd /tmp/signing-test
>>
>>
>>A)  Set up two test pubkeys:
>>
>> $ ssh-keygen -t ed25519 -C "ca key" -f id_ca
>> [...]
>> $ ssh-keygen -t ed25519 -C "user key" -f id_user
>> [...]
>>
>>
>>B)  Sign user key creating an SSH certificate:
>> [...]
>>
>>C)  Create allowed signers file:
>>
>> $ (printf '*@43-1.org cert-authority,namespaces="file,git" '; cat id_ca.pub) > allowed_signers
>>
>> ! Important: I used a wild card "*@43-1.org" for the principal!
>>
>>
>>D) Test setup:
>>
>> $ echo this is some random text > test.txt
>> $ ssh-keygen -Y sign -f id_user-cert.pub -n file test.txt
>> Signing file test.txt
>> Write signature to test.txt.sig
>>
>> $ ssh-keygen -Y find-principals -f allowed_signers -n file -s test.txt.sig
>> tamiko@43-1.org
>
>Are you sure the allowed_signers file was exactly what you generated 
>before for this command? If I follow your steps this will not produce 
>a principal for me with either openssh-8.8.1 or master. Can you run 
>this with `-vvv` which will show a bit more ssh internal output?
>In the openssh code for find-principals wildcard principals are 
>filtered for CA certs. I'm not sure why and have asked them about it.
>
>By the way, find-principals will not consider the namespace parameter.
>This has another bug in the current master producing a segfault for 
>which I've already sent a patch. But this should be unrelated to your 
>issue.
>
>>
>> $ ssh-keygen -Y verify -f allowed_signers -I "tamiko@43-1.org" -n file -s test.txt.sig < test.txt
>> Good "file" signature for tamiko@43-1.org with ED25519-CERT key SHA256:noSSfVeVlrYi6vGgK+jRPvyBnIV4ccVA0iW4IXYdXDQ
>>
>>
>>=======================
>>Set up a git repository
>>=======================
>>
>>E) Set up an empty repository somewhere
>>
>> $ cd /tmp
>> $ git init signing-test-repo
>> $ cd signing-test-repo
>>
>> and modify .git/config to look like this:
>>
>>       [core]
>>               repositoryformatversion = 0
>>               filemode = true
>>               bare = false
>>               logallrefupdates = true
>>       [commit]
>>               gpgsign = true
>>       [user]
>>               signingkey = /tmp/signing-test/id_user-cert.pub
>>       [gpg]
>>               format = ssh
>>       [gpg "ssh"]
>>               allowedSignersFile = /tmp/signing-test/allowed_signers
>>
>>
>>F) make a commit
>>
>> $ git commit -a --allow-empty -m "my shiny new ssh key signed commit"
>>
>> $ git log --show-signature
>> Good "git" signature with ED25519-CERT key SHA256:noSSfVeVlrYi6vGgK+jRPvyBnIV4ccVA0iW4IXYdXDQ
>> /tmp/signing-test/allowed_signers:1: no valid principals found
>> No principal matched.
>> Author: Matthias Maier <tamiko@43-1.org>
>> Date:   Mon Dec 13 23:51:03 2021 -0600
>
>Just FYI: if you add GIT_TRACE=1 to the git commands you can see the 
>executed ssh-keygen commands, which can help to see what's going on.
>
>>
>>
>>G) modify allowed_signers entry to read "tamiko@43-1.org" instead of the wildcard "*@43-1.org":
>>
>> $ git log --show-signature
>> Good "git" signature for tamiko@43-1.org with ED25519-CERT key SHA256:noSSfVeVlrYi6vGgK+jRPvyBnIV4ccVA0iW4IXYdXDQ
>> Author: Matthias Maier <tamiko@43-1.org>
>> Date:   Mon Dec 13 23:51:03 2021 -0600


* Re: Using principal wildcards in gpg.ssh.allowedSignersFile
  2022-02-03 12:41   ` Fabian Stelzer
@ 2022-02-03 18:43     ` Junio C Hamano
  0 siblings, 0 replies; 5+ messages in thread
From: Junio C Hamano @ 2022-02-03 18:43 UTC (permalink / raw)
  To: Fabian Stelzer; +Cc: Matthias Maier, git

Fabian Stelzer <fs@gigacodes.de> writes:

>> Thanks for your report. I tested the described behaviour and I think
>> this is a bug in openssh. find-principals will never match on a CA 
>> cert with wildcard principals whereas wildcards for non-CA keys work
>> just fine. I've emailed the openssh maintainer about it and will 
>> prepare a patch.
>
> Just for reference to the git list:
> This issue was fixed with
> https://github.com/openssh/openssh-portable/commit/15b7199a1fd37eff4c695e09d573f3db9f4274b7
> which should be in the next openssh release.

Thanks for a heads-up.
