From 76c4e55b15b6cf872c7d9763787fdcaf0a96df71 Mon Sep 17 00:00:00 2001
From: Blacknon <blacknon@orebibou.com>
Date: Sat, 11 May 2019 00:23:39 +0900
Subject: [PATCH] add Cert Auth

---
 conf/conf.go               |  6 +--
 ssh/connect.go             |  4 +-
 ssh/connect_craete_auth.go | 83 ++++++++++++++++++++++++++++++++------
 3 files changed, 77 insertions(+), 16 deletions(-)

diff --git a/conf/conf.go b/conf/conf.go
index 3dc9f5b0..bc1c3a32 100644
--- a/conf/conf.go
+++ b/conf/conf.go
@@ -58,8 +58,8 @@ type ServerConfig struct {
 	KeyPass         string   `toml:"keypass"`
 	Keys            []string `toml:"keys"` // "keypath::passphase"
 	Cert            string   `toml:"cert"`
-	CertKey         string   `toml:"certkey"` // "keypath::passphase"
-	Certs           []string `toml:"certs"`   // "certpath::keypath::passphase"
+	CertKey         string   `toml:"certkey"`
+	CertKeyPass     string   `toml:"certkeypass"`
 	AgentAuth       bool     `toml:"agentauth"`
 	SSHAgentUse     bool     `toml:"ssh_agent"`
 	SSHAgentKeyPath []string `toml:"ssh_agent_key"` // "keypath::passphase"
@@ -201,7 +201,7 @@ func checkFormatServerConf(c Config) (isFormat bool) {
 
 func checkFormatServerConfAuth(c ServerConfig) (isFormat bool) {
 	isFormat = false
-	if c.Pass != "" || c.Key != "" {
+	if c.Pass != "" || c.Key != "" || c.Cert != "" {
 		isFormat = true
 	}
 
diff --git a/ssh/connect.go b/ssh/connect.go
index b2c5bd5f..822855bf 100644
--- a/ssh/connect.go
+++ b/ssh/connect.go
@@ -159,7 +159,9 @@ func (c *Connect) createClientConfig(server string) (clientConfig *ssh.ClientCon
 
 	auth, err := c.createSshAuth(server)
 	if err != nil {
-		return clientConfig, err
+		if len(auth) == 0 {
+			return clientConfig, err
+		}
 	}
 
 	// create ssh ClientConfig
diff --git a/ssh/connect_craete_auth.go b/ssh/connect_craete_auth.go
index a96f6a61..078c4f76 100644
--- a/ssh/connect_craete_auth.go
+++ b/ssh/connect_craete_auth.go
@@ -1,6 +1,7 @@
 package ssh
 
 import (
+	"fmt"
 	"io/ioutil"
 	"net"
 	"os"
@@ -24,9 +25,10 @@ func (c *Connect) createSshAuth(server string) (auth []ssh.AuthMethod, err error
 	if conf.Key != "" {
 		authMethod, err := createSshAuthPublicKey(conf.Key, conf.KeyPass)
 		if err != nil {
-			return auth, err
+			fmt.Fprintf(os.Stderr, "%s's create public key ssh.AuthMethod err: %s\n", server, err)
+		} else {
+			auth = append(auth, authMethod)
 		}
-		auth = append(auth, authMethod)
 	}
 
 	// public key (multiple)
@@ -35,9 +37,19 @@ func (c *Connect) createSshAuth(server string) (auth []ssh.AuthMethod, err error
 			keyPathArray := strings.SplitN(key, "::", 2)
 			authMethod, err := createSshAuthPublicKey(keyPathArray[0], keyPathArray[1])
 			if err != nil {
-				return auth, err
+				fmt.Fprintf(os.Stderr, "%s's create public keys ssh.AuthMethod err: %s\n", server, err)
+			} else {
+				auth = append(auth, authMethod)
 			}
+		}
+	}
 
+	// cert
+	if conf.Cert != "" {
+		authMethod, err := createSshAuthCertificate(conf.Cert, conf.CertKey, conf.CertKey)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "%s's create certificate ssh.AuthMethod err: %s\n", server, err)
+		} else {
 			auth = append(auth, authMethod)
 		}
 	}
@@ -61,16 +73,19 @@ func (c *Connect) createSshAuth(server string) (auth []ssh.AuthMethod, err error
 		if err != nil {
 			signers, err = c.sshAgent.Signers()
 			if err != nil {
-				return auth, err
+				fmt.Fprintf(os.Stderr, "%s's create sshAgent ssh.AuthMethod err: %s\n", server, err)
+
+			} else {
+				auth = append(auth, ssh.PublicKeys(signers...))
 			}
 		} else {
 			signers, err = c.sshExtendedAgent.Signers()
-
 			if err != nil {
-				return auth, err
+				fmt.Fprintf(os.Stderr, "%s's create sshAgent ssh.AuthMethod err: %s\n", server, err)
+			} else {
+				auth = append(auth, ssh.PublicKeys(signers...))
 			}
 		}
-		auth = append(auth, ssh.PublicKeys(signers...))
 	}
 
 	if conf.PKCS11Use {
@@ -78,11 +93,11 @@ func (c *Connect) createSshAuth(server string) (auth []ssh.AuthMethod, err error
 		var signers []ssh.Signer
 		signers, err := c.getSshSignerFromPkcs11(server)
 		if err != nil {
-			return auth, err
-		}
-
-		for _, signer := range signers {
-			auth = append(auth, ssh.PublicKeys(signer))
+			fmt.Fprintf(os.Stderr, "%s's create pkcs11 ssh.AuthMethod err: %s\n", server, err)
+		} else {
+			for _, signer := range signers {
+				auth = append(auth, ssh.PublicKeys(signer))
+			}
 		}
 	}
 
@@ -130,4 +145,48 @@ func createSshAuthCertificate(cert, key, pass string) (auth ssh.AuthMethod, err
 	if err != nil {
 		return auth, err
 	}
+
+	// Create PrivateKey Signer
+	var keySigner ssh.Signer
+	if pass != "" {
+		keySigner, err = ssh.ParsePrivateKeyWithPassphrase(keyData, []byte(pass))
+	} else {
+		keySigner, err = ssh.ParsePrivateKey(keyData)
+	}
+
+	// check err
+	if err != nil {
+		return auth, err
+	}
+
+	// Read Cert file
+	certData, err := ioutil.ReadFile(cert)
+	if err != nil {
+		return auth, err
+	}
+
+	// Create PublicKey from Cert
+	pubkey, _, _, _, err := ssh.ParseAuthorizedKey(certData)
+	if err != nil {
+		return auth, err
+	}
+
+	// Create Certificate Struct
+	certificate, ok := pubkey.(*ssh.Certificate)
+	if !ok {
+		err = fmt.Errorf("%s\n", "Error: Not create certificate struct data")
+		return auth, err
+	}
+
+	// Create Certificate Signer
+	signer, err := ssh.NewCertSigner(certificate, keySigner)
+	if err != nil {
+		return auth, err
+	}
+
+	// Create AuthMethod
+	auth = ssh.PublicKeys(signer)
+
+	return
+
 }