Revert ssh CA config to unified user/host key, but keep the support f…

…or split
elonen · Aug 17, 2024 · 0db3be9 · 0db3be9
1 parent b395939
commit 0db3be9
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 45 deletions.
diff --git a/hsm-conf.yml b/hsm-conf.yml
@@ -21,10 +21,9 @@ general:
         nac: 3
         gpg: 4
         codesign: 5
-        ssh_user: 6
-        ssh_host: 7
-        password_derivation: 8
-        encryption: 9
+        ssh: 6
+        password_derivation: 7
+        encryption: 8
 
     x509_defaults:
         ca: true
@@ -129,7 +128,7 @@ admin:
 user_keys:
     - label: user_john.doe
       id: 0xE001
-      domains: ['tls', 'nac', 'gpg', 'codesign', 'ssh_user', 'ssh_host', 'password_derivation', 'encryption']
+      domains: ['tls', 'nac', 'gpg', 'codesign', 'ssh', 'password_derivation', 'encryption']
       capabilities:
         - sign-ssh-certificate          # For SSH certificate creation
         - sign-hmac                     # For password derivation
@@ -579,59 +578,31 @@ codesign:
 # OpenSSH certificates are in proprietary format, so these are not signed by the X.509 root CAs.
 ssh:
     default_user_ca: 0x0720
-    default_host_ca: 0x0721
+    default_host_ca: 0x0720   # You could separate these, but given the HSM, having to change one but not the other is unlikely
     root_ca_keys:
         -
-            label: ssh-rsa-user-ca-root-key
+            label: ssh-rsa-ca-root-key
             id: 0x0710
-            domains: ['ssh_user']
+            domains: ['ssh']
             algorithm: rsa4096
             capabilities:
                 - sign-ssh-certificate
                 - sign-pss
                 - sign-pkcs
                 - exportable-under-wrap
         -
-            label: ssh-ed25519-user-ca-root-key
+            label: ssh-ed25519-ca-root-key
             id: 0x0720
-            domains: ['ssh_user']
+            domains: ['ssh']
             algorithm: ed25519
             capabilities:
                 - sign-ssh-certificate
                 - sign-eddsa
                 - exportable-under-wrap
         -
-            label: ssh-ecp384-user-ca-root-key
+            label: ssh-ecp384-ca-root-key
             id: 0x0730
-            domains: ['ssh_user']
-            algorithm: ecp384
-            capabilities:
-                - sign-ssh-certificate
-                - sign-ecdsa
-                - exportable-under-wrap
-        -
-            label: ssh-rsa-host-ca-root-key
-            id: 0x0711
-            domains: ['ssh_host']
-            algorithm: rsa4096
-            capabilities:
-                - sign-ssh-certificate
-                - sign-pss
-                - sign-pkcs
-                - exportable-under-wrap
-        -
-            label: ssh-ed25519-host-ca-root-key
-            id: 0x0721
-            domains: ['ssh_host']
-            algorithm: ed25519
-            capabilities:
-                - sign-ssh-certificate
-                - sign-eddsa
-                - exportable-under-wrap
-        -
-            label: ssh-ecp384-host-ca-root-key
-            id: 0x0731
-            domains: ['ssh_host']
+            domains: ['ssh']
             algorithm: ecp384
             capabilities:
                 - sign-ssh-certificate

diff --git a/hsm_secrets/config.py b/hsm_secrets/config.py
@@ -128,16 +128,15 @@ def algorithm_from_name(algo: Union['AsymmetricAlgorithm', 'SymmetricAlgorithm',
 HSMKeyID = Annotated[int, Field(strict=True, gt=0, lt=0xFFFF)]
 HSMKeyLabel = Annotated[str, Field(max_length=40)]
 HSMDomainNum = Annotated[int, Field(strict=True, gt=0, lt=17)]
-HSMDomainName = Literal["all", "x509", "tls", "nac", "gpg", "codesign", "ssh_user", "ssh_host", "password_derivation", "encryption"]
+HSMDomainName = Literal["all", "x509", "tls", "nac", "gpg", "codesign", "ssh", "password_derivation", "encryption"]
 
 class HSMDomains(NoExtraBaseModel):
     x509: HSMDomainNum
     tls: HSMDomainNum
     nac: HSMDomainNum
     gpg: HSMDomainNum
     codesign: HSMDomainNum
-    ssh_user: HSMDomainNum
-    ssh_host: HSMDomainNum
+    ssh: HSMDomainNum
     password_derivation: HSMDomainNum
     encryption: HSMDomainNum
 

diff --git a/run-tests.sh b/run-tests.sh
@@ -104,14 +104,14 @@ EOF
 
     local count=$(run_cmd -q hsm compare | grep -c '\[x\]')
     assert_success
-    [ "$count" -eq 39 ] || { echo "Expected 39 objects, but found $count"; return 1; }
+    [ "$count" -eq 36 ] || { echo "Expected 36 objects, but found $count"; return 1; }
 
     # Remove default admin key
     run_cmd hsm default-admin-disable
     assert_success
     local count=$(run_cmd -q hsm compare | grep -c '\[x\]')
     assert_success
-    [ "$count" -eq 38 ] || { echo "Expected 38 objects, but found $count"; return 1; }
+    [ "$count" -eq 35 ] || { echo "Expected 35 objects, but found $count"; return 1; }
 }
 
 test_tls_certificates() {