add Cert Auth

blacknon · May 10, 2019 · 76c4e55 · 76c4e55
1 parent 06d3ee5
commit 76c4e55
Show file tree

Hide file tree

Showing 3 changed files with 77 additions and 16 deletions.
diff --git a/conf/conf.go b/conf/conf.go
@@ -58,8 +58,8 @@ type ServerConfig struct {
 	KeyPass         string   `toml:"keypass"`
 	Keys            []string `toml:"keys"` // "keypath::passphase"
 	Cert            string   `toml:"cert"`
-	CertKey         string   `toml:"certkey"` // "keypath::passphase"
-	Certs           []string `toml:"certs"`   // "certpath::keypath::passphase"
+	CertKey         string   `toml:"certkey"`
+	CertKeyPass     string   `toml:"certkeypass"`
 	AgentAuth       bool     `toml:"agentauth"`
 	SSHAgentUse     bool     `toml:"ssh_agent"`
 	SSHAgentKeyPath []string `toml:"ssh_agent_key"` // "keypath::passphase"
@@ -201,7 +201,7 @@ func checkFormatServerConf(c Config) (isFormat bool) {
 
 func checkFormatServerConfAuth(c ServerConfig) (isFormat bool) {
 	isFormat = false
-	if c.Pass != "" || c.Key != "" {
+	if c.Pass != "" || c.Key != "" || c.Cert != "" {
 		isFormat = true
 	}
 

diff --git a/ssh/connect.go b/ssh/connect.go
@@ -159,7 +159,9 @@ func (c *Connect) createClientConfig(server string) (clientConfig *ssh.ClientCon
 
 	auth, err := c.createSshAuth(server)
 	if err != nil {
-		return clientConfig, err
+		if len(auth) == 0 {
+			return clientConfig, err
+		}
 	}
 
 	// create ssh ClientConfig

diff --git a/ssh/connect_craete_auth.go b/ssh/connect_craete_auth.go
@@ -1,6 +1,7 @@
 package ssh
 
 import (
+	"fmt"
 	"io/ioutil"
 	"net"
 	"os"
@@ -24,9 +25,10 @@ func (c *Connect) createSshAuth(server string) (auth []ssh.AuthMethod, err error
 	if conf.Key != "" {
 		authMethod, err := createSshAuthPublicKey(conf.Key, conf.KeyPass)
 		if err != nil {
-			return auth, err
+			fmt.Fprintf(os.Stderr, "%s's create public key ssh.AuthMethod err: %s\n", server, err)
+		} else {
+			auth = append(auth, authMethod)
 		}
-		auth = append(auth, authMethod)
 	}
 
 	// public key (multiple)
@@ -35,9 +37,19 @@ func (c *Connect) createSshAuth(server string) (auth []ssh.AuthMethod, err error
 			keyPathArray := strings.SplitN(key, "::", 2)
 			authMethod, err := createSshAuthPublicKey(keyPathArray[0], keyPathArray[1])
 			if err != nil {
-				return auth, err
+				fmt.Fprintf(os.Stderr, "%s's create public keys ssh.AuthMethod err: %s\n", server, err)
+			} else {
+				auth = append(auth, authMethod)
 			}
+		}
+	}
 
+	// cert
+	if conf.Cert != "" {
+		authMethod, err := createSshAuthCertificate(conf.Cert, conf.CertKey, conf.CertKey)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "%s's create certificate ssh.AuthMethod err: %s\n", server, err)
+		} else {
 			auth = append(auth, authMethod)
 		}
 	}
@@ -61,28 +73,31 @@ func (c *Connect) createSshAuth(server string) (auth []ssh.AuthMethod, err error
 		if err != nil {
 			signers, err = c.sshAgent.Signers()
 			if err != nil {
-				return auth, err
+				fmt.Fprintf(os.Stderr, "%s's create sshAgent ssh.AuthMethod err: %s\n", server, err)
+
+			} else {
+				auth = append(auth, ssh.PublicKeys(signers...))
 			}
 		} else {
 			signers, err = c.sshExtendedAgent.Signers()
-
 			if err != nil {
-				return auth, err
+				fmt.Fprintf(os.Stderr, "%s's create sshAgent ssh.AuthMethod err: %s\n", server, err)
+			} else {
+				auth = append(auth, ssh.PublicKeys(signers...))
 			}
 		}
-		auth = append(auth, ssh.PublicKeys(signers...))
 	}
 
 	if conf.PKCS11Use {
 		// @TODO: confのチェック時にPKCS11のProviderのPATHチェックを行う
 		var signers []ssh.Signer
 		signers, err := c.getSshSignerFromPkcs11(server)
 		if err != nil {
-			return auth, err
-		}
-
-		for _, signer := range signers {
-			auth = append(auth, ssh.PublicKeys(signer))
+			fmt.Fprintf(os.Stderr, "%s's create pkcs11 ssh.AuthMethod err: %s\n", server, err)
+		} else {
+			for _, signer := range signers {
+				auth = append(auth, ssh.PublicKeys(signer))
+			}
 		}
 	}
 
@@ -130,4 +145,48 @@ func createSshAuthCertificate(cert, key, pass string) (auth ssh.AuthMethod, err
 	if err != nil {
 		return auth, err
 	}
+
+	// Create PrivateKey Signer
+	var keySigner ssh.Signer
+	if pass != "" {
+		keySigner, err = ssh.ParsePrivateKeyWithPassphrase(keyData, []byte(pass))
+	} else {
+		keySigner, err = ssh.ParsePrivateKey(keyData)
+	}
+
+	// check err
+	if err != nil {
+		return auth, err
+	}
+
+	// Read Cert file
+	certData, err := ioutil.ReadFile(cert)
+	if err != nil {
+		return auth, err
+	}
+
+	// Create PublicKey from Cert
+	pubkey, _, _, _, err := ssh.ParseAuthorizedKey(certData)
+	if err != nil {
+		return auth, err
+	}
+
+	// Create Certificate Struct
+	certificate, ok := pubkey.(*ssh.Certificate)
+	if !ok {
+		err = fmt.Errorf("%s\n", "Error: Not create certificate struct data")
+		return auth, err
+	}
+
+	// Create Certificate Signer
+	signer, err := ssh.NewCertSigner(certificate, keySigner)
+	if err != nil {
+		return auth, err
+	}
+
+	// Create AuthMethod
+	auth = ssh.PublicKeys(signer)
+
+	return
+
 }