From 0db3be9c9b32c11c0dda24ee060251103fafe0fe Mon Sep 17 00:00:00 2001 From: Jarno Elonen Date: Sat, 17 Aug 2024 21:38:23 +0300 Subject: [PATCH] Revert ssh CA config to unified user/host key, but keep the support for split --- hsm-conf.yml | 51 ++++++++++--------------------------------- hsm_secrets/config.py | 5 ++--- run-tests.sh | 4 ++-- 3 files changed, 15 insertions(+), 45 deletions(-) diff --git a/hsm-conf.yml b/hsm-conf.yml index f04c697..f769116 100644 --- a/hsm-conf.yml +++ b/hsm-conf.yml @@ -21,10 +21,9 @@ general: nac: 3 gpg: 4 codesign: 5 - ssh_user: 6 - ssh_host: 7 - password_derivation: 8 - encryption: 9 + ssh: 6 + password_derivation: 7 + encryption: 8 x509_defaults: ca: true @@ -129,7 +128,7 @@ admin: user_keys: - label: user_john.doe id: 0xE001 - domains: ['tls', 'nac', 'gpg', 'codesign', 'ssh_user', 'ssh_host', 'password_derivation', 'encryption'] + domains: ['tls', 'nac', 'gpg', 'codesign', 'ssh', 'password_derivation', 'encryption'] capabilities: - sign-ssh-certificate # For SSH certificate creation - sign-hmac # For password derivation @@ -579,12 +578,12 @@ codesign: # OpenSSH certificates are in proprietary format, so these are not signed by the X.509 root CAs. ssh: default_user_ca: 0x0720 - default_host_ca: 0x0721 + default_host_ca: 0x0720 # You could separate these, but given the HSM, having to change one but not the other is unlikely root_ca_keys: - - label: ssh-rsa-user-ca-root-key + label: ssh-rsa-ca-root-key id: 0x0710 - domains: ['ssh_user'] + domains: ['ssh'] algorithm: rsa4096 capabilities: - sign-ssh-certificate 
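Review bot: Renumbering `password_derivation` from 8 to 7 and `encryption` from 9 to 8 in the `domains` table is not a pure rename for any device that was provisioned from the previous revision: domain numbers are part of the objects and auth-key masks stored on the HSM, so on such a device the objects created in domains 7, 8 and 9 would no longer line up with the labels this config now gives those numbers, and presumably `hsm compare` would report drift rather than repair it. Keeping the old numbers and leaving 7 unused would make the change safe to apply in place. If the renumbering is intended, a comment beside the table such as `# Domains 7-9 were renumbered when ssh_user/ssh_host were merged; devices provisioned before that must be re-provisioned` would record the migration requirement.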
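Review bot: Pointing `default_host_ca` at the same key as `default_user_ca` (0x0720) collapses a privilege boundary, not merely a rotation convenience as the new comment suggests: the certificate type field stops a host cert from being accepted as a user cert, but it says nothing about issuance, so any auth key granted the `ssh` domain plus `sign-ssh-certificate` — for example one meant only for automated host-cert issuance — can now also mint user certificates, and a compromise of 0x0720 affects both trust anchors at once. The separate `ssh_user`/`ssh_host` domains were what allowed an auth key to be confined to one side; with a single `ssh` domain that confinement is no longer expressible even for operators who keep two keys. If the unified key is the deliberate default, the comment should state what is given up, e.g. `# Same key signs user and host certs: any auth key with the 'ssh' domain can issue both; split keys AND domains if host-cert issuance is delegated to automation`.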
@@ -592,46 +591,18 @@ ssh: - sign-pkcs - exportable-under-wrap - - label: ssh-ed25519-user-ca-root-key + label: ssh-ed25519-ca-root-key id: 0x0720 - domains: ['ssh_user'] + domains: ['ssh'] algorithm: ed25519 capabilities: - sign-ssh-certificate - sign-eddsa - exportable-under-wrap - - label: ssh-ecp384-user-ca-root-key + label: ssh-ecp384-ca-root-key id: 0x0730 - domains: ['ssh_user'] - algorithm: ecp384 - capabilities: - - sign-ssh-certificate - - sign-ecdsa - - exportable-under-wrap - - - label: ssh-rsa-host-ca-root-key - id: 0x0711 - domains: ['ssh_host'] - algorithm: rsa4096 - capabilities: - - sign-ssh-certificate - - sign-pss - - sign-pkcs - - exportable-under-wrap - - - label: ssh-ed25519-host-ca-root-key - id: 0x0721 - domains: ['ssh_host'] - algorithm: ed25519 - capabilities: - - sign-ssh-certificate - - sign-eddsa - - exportable-under-wrap - - - label: ssh-ecp384-host-ca-root-key - id: 0x0731 - domains: ['ssh_host'] + domains: ['ssh'] algorithm: ecp384 capabilities: - sign-ssh-certificate diff --git a/hsm_secrets/config.py b/hsm_secrets/config.py index d7479ed..55effa6 100644 --- a/hsm_secrets/config.py +++ b/hsm_secrets/config.py @@ -128,7 +128,7 @@ def algorithm_from_name(algo: Union['AsymmetricAlgorithm', 'SymmetricAlgorithm', HSMKeyID = Annotated[int, Field(strict=True, gt=0, lt=0xFFFF)] HSMKeyLabel = Annotated[str, Field(max_length=40)] HSMDomainNum = Annotated[int, Field(strict=True, gt=0, lt=17)] -HSMDomainName = Literal["all", "x509", "tls", "nac", "gpg", "codesign", "ssh_user", "ssh_host", "password_derivation", "encryption"] +HSMDomainName = Literal["all", "x509", "tls", "nac", "gpg", "codesign", "ssh", "password_derivation", "encryption"] class HSMDomains(NoExtraBaseModel): x509: HSMDomainNum @@ -136,8 +136,7 @@ class HSMDomains(NoExtraBaseModel): nac: HSMDomainNum gpg: HSMDomainNum codesign: HSMDomainNum - ssh_user: HSMDomainNum - ssh_host: HSMDomainNum + ssh: HSMDomainNum password_derivation: HSMDomainNum encryption: HSMDomainNum 
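Review bot: Nothing visible in `HSMDomains` rejects two names mapping to the same domain number, and a commit that renumbers the table is exactly the kind of edit that produces such a collision (a leftover `password_derivation: 8` next to the new `encryption: 8` would silently merge two domains, and with them everything reachable by an auth key granted either). Unless a validator further down the class already covers this, an after-validator asserting the numbers are distinct would fail config loading instead of provisioning a merged domain; it needs `model_validator` from pydantic, which I cannot see imported in this hunk, and assumes pydantic v2 as `Field(strict=True)` suggests. The `class HSMDomains` header is outside the hunk.
```python
    encryption: HSMDomainNum

    @model_validator(mode="after")
    def _domain_numbers_unique(self) -> "HSMDomains":
        """Reject configs where two domain names share one HSM domain number."""
        nums = [getattr(self, name) for name in type(self).model_fields]
        if len(nums) != len(set(nums)):
            raise ValueError("HSM domain numbers must be unique across domain names")
        return self
```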
diff --git a/run-tests.sh b/run-tests.sh
index eed9266..8b2f06a 100755
--- a/run-tests.sh
+++ b/run-tests.sh
@@ -104,14 +104,14 @@ EOF
 local count=$(run_cmd -q hsm compare | grep -c '\[x\]')
 assert_success
- [ "$count" -eq 39 ] || { echo "Expected 39 objects, but found $count"; return 1; }
+ [ "$count" -eq 36 ] || { echo "Expected 36 objects, but found $count"; return 1; }
 # Remove default admin key
 run_cmd hsm default-admin-disable
 assert_success
 local count=$(run_cmd -q hsm compare | grep -c '\[x\]')
 assert_success
- [ "$count" -eq 38 ] || { echo "Expected 38 objects, but found $count"; return 1; }
+ [ "$count" -eq 35 ] || { echo "Expected 35 objects, but found $count"; return 1; }
 }
 test_tls_certificates() {
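Review bot: The expected counts 36 and 35 are bare magic numbers that encode how many objects hsm-conf.yml currently declares, so the next key added to the config breaks this test with no hint of why, and a count alone cannot tell "the three host-CA keys are gone" apart from any other three objects going missing. A comment above the first check, such as `# 36 = objects declared in hsm-conf.yml (39 before the user/host SSH CA merge); 35 once the default admin key is removed`, would at least record the derivation — I am inferring the meaning of the count from the diffstat, so adjust the wording if it counts something else. Asserting on the labels that `hsm compare` prints, or deriving the number from the YAML, would make the check robust to unrelated additions. The enclosing test function starts outside the hunk.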