keyParser: Properly parse ssh certificates

getPublicSSH() will simply pass through the original key blob.
getPublicPEM() will return raw public key data of the certificate's
  public key, without incorporating the additional metadata.

Author: TimWolla

lib/keyParser.js

@@ -1223,7 +1223,7 @@ function parseDER(data, baseType, comment, fullType) {
       if (n === false)
         return new Error('Malformed OpenSSH public key');
       pubPEM = genOpenSSLRSAPub(n, e);
-      pubSSH = genOpenSSHRSAPub(n, e);
+      pubSSH = data;
       algo = 'sha1';
       break;
     case 'ssh-dss':
@@ -1240,15 +1240,15 @@ function parseDER(data, baseType, comment, fullType) {
       if (y === false)
         return new Error('Malformed OpenSSH public key');
       pubPEM = genOpenSSLDSAPub(p, q, g, y);
-      pubSSH = genOpenSSHDSAPub(p, q, g, y);
+      pubSSH = data;
       algo = 'sha1';
       break;
     case 'ssh-ed25519':
       var edpub = utils.readString(data, data._pos);
       if (edpub === false || edpub.length !== 32)
         return new Error('Malformed OpenSSH public key');
       pubPEM = genOpenSSLEdPub(edpub);
-      pubSSH = genOpenSSHEdPub(edpub);
+      pubSSH = data;
       algo = null;
       break;
     case 'ecdsa-sha2-nistp256':
@@ -1271,7 +1271,7 @@ function parseDER(data, baseType, comment, fullType) {
       if (ecpub === false)
         return new Error('Malformed OpenSSH public key');
       pubPEM = genOpenSSLECDSAPub(oid, ecpub);
-      pubSSH = genOpenSSHECDSAPub(oid, ecpub);
+      pubSSH = data;
       break;
     default:
       return new Error('Unsupported OpenSSH public key type: ' + baseType);
@@ -1316,6 +1316,12 @@ OpenSSH_Public.prototype = BaseKey;
     var type = utils.readString(data, data._pos, 'ascii');
     if (type === false || type.indexOf(baseType) !== 0)
       return new Error('Malformed OpenSSH public key');
+    if (/-cert-v0[01]@openssh.com/.test(type)) {
+      var nonce = utils.readString(data, data._pos);
+      if (nonce === false) {
+        return new Error('Malformed OpenSSH certificate');
+      }
+    }
 
     return parseDER(data, baseType, comment, fullType);
   };

test/fixtures/openssh_cert_rsa-cert.pub

@@ -0,0 +1 @@
+ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgz5fIcgoIkQsJZQDfctoMKo7Iq/3X0DMXdPjncT7qzAAAAAADAQABAAABAQC23GMXX23QWyEy0GLUvR4fIXhyxqyfFfoJG/bBIi4br8CTkvAqkt6dMuOHOPKRlDwrMjcM0fIuSm87LDrZ1at1z0xtuVjHBoBXfp1FyGfKc2qFtqVnIX6pq2PFoVf8dcL/xR/OP9VMqx6O+PMv/jEXkENw6hEy0PtXuwYDg9VLI04QDtrx6v44BUbUvu8Qq9f8G5zcFBxMr8BdaPP6sdyWGVk05MRa7j+uC5zS3KS8dGV0PIOEeUmcVuhJsRRSVgBzzUq2mA1doui3GWA7vMQOyn4x89fMi3gXfjM8XMZA7Kc/35Nc0GxqtTYQT8G/axp2WdA7vyI1uz+4lk29ITW/AAAAAAAAAAAAAAABAAAAFHNzaDItc3RyZWFtcy1maXh0dXJlAAAAAAAAAABdNHdgAAAAAF00hcAAAAAdAAAADWZvcmNlLWNvbW1hbmQAAAAIAAAABGxzIC8AAAAdAAAAFXBlcm1pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAAAAABFwAAAAdzc2gtcnNhAAAAAwEAAQAAAQEAqQ9PJtVu1y4XS8SvQnmV5va1RtiaSrcPdAcT7PE93lQMLpvsx2qDHSRy8KfqD2rZO9IjU8H6fEqKJEcuLkt+sECk3UlHLFgxhD7MYYW0KFpxfzoE8h5W/8qppXkqIu8uzwn3/+DcgTx2Ce6XN8B/yXBT1kFpnmpiRnyXS8CVKX0HMVYpdlsfUexy3BtXIphSUJsyYGs/1SUuybO0mYPguoYORtp0Od0/vScFgz/h6rzQtJgMsDns+XG4EoRmt1JMzdbBVEC/f154RCBqV2w1CGYlZ09nqOExZTEwGKktAImYn3LElqEcjzWf0PSBJ7awNVF/bGwMO+kQRJCfeKGlFwAAAQ8AAAAHc3NoLXJzYQAAAQCDThDHnBzeoEIlMYr7vzhl8hC7AxiXlsuLathqkYzn7H0AU5eGspfvJysV38vnXt/21TzFBorQ66be8cc/YHLfAaJqdpZEJWsxxqSRkVmAkpzaVN8k9OcVx9BqBS2VFwuanDoAw5JM2NEeZ6byQGd0cgWJcdGZ1K/EXzhYXCFcMPe1ye2Y2mdViDH+mellwuSw+H6Uq+UQbpbHf9fyJjReJ4Pu8C7PRMlD0JaZCFTKi58QlQcneOaQuVrtvZ4wDmvgLtWl+Zsqt9lUTpXZjwazXYDr8zyJ0cU+HMMVZ4E5StOKzTGg91jcOuChhZvkVOeJ2B4+KAsL2X9pu51iJj9h ssh certificate

test/fixtures/openssh_cert_rsa-cert.pub.result

@@ -0,0 +1,7 @@
+{
+  "type": "ssh-rsa-cert-v01@openssh.com",
+  "comment": "ssh certificate",
+  "public": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAttxjF19t0FshMtBi1L0e\nHyF4csasnxX6CRv2wSIuG6/Ak5LwKpLenTLjhzjykZQ8KzI3DNHyLkpvOyw62dWr\ndc9MbblYxwaAV36dRchnynNqhbalZyF+qatjxaFX/HXC/8Ufzj/VTKsejvjzL/4x\nF5BDcOoRMtD7V7sGA4PVSyNOEA7a8er+OAVG1L7vEKvX/Buc3BQcTK/AXWjz+rHc\nlhlZNOTEWu4/rguc0tykvHRldDyDhHlJnFboSbEUUlYAc81KtpgNXaLotxlgO7zE\nDsp+MfPXzIt4F34zPFzGQOynP9+TXNBsarU2EE/Bv2sadlnQO78iNbs/uJZNvSE1\nvwIDAQAB\n-----END PUBLIC KEY-----",
+  "publicSSH": "AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgz5fIcgoIkQsJZQDfctoMKo7Iq/3X0DMXdPjncT7qzAAAAAADAQABAAABAQC23GMXX23QWyEy0GLUvR4fIXhyxqyfFfoJG/bBIi4br8CTkvAqkt6dMuOHOPKRlDwrMjcM0fIuSm87LDrZ1at1z0xtuVjHBoBXfp1FyGfKc2qFtqVnIX6pq2PFoVf8dcL/xR/OP9VMqx6O+PMv/jEXkENw6hEy0PtXuwYDg9VLI04QDtrx6v44BUbUvu8Qq9f8G5zcFBxMr8BdaPP6sdyWGVk05MRa7j+uC5zS3KS8dGV0PIOEeUmcVuhJsRRSVgBzzUq2mA1doui3GWA7vMQOyn4x89fMi3gXfjM8XMZA7Kc/35Nc0GxqtTYQT8G/axp2WdA7vyI1uz+4lk29ITW/AAAAAAAAAAAAAAABAAAAFHNzaDItc3RyZWFtcy1maXh0dXJlAAAAAAAAAABdNHdgAAAAAF00hcAAAAAdAAAADWZvcmNlLWNvbW1hbmQAAAAIAAAABGxzIC8AAAAdAAAAFXBlcm1pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAAAAABFwAAAAdzc2gtcnNhAAAAAwEAAQAAAQEAqQ9PJtVu1y4XS8SvQnmV5va1RtiaSrcPdAcT7PE93lQMLpvsx2qDHSRy8KfqD2rZO9IjU8H6fEqKJEcuLkt+sECk3UlHLFgxhD7MYYW0KFpxfzoE8h5W/8qppXkqIu8uzwn3/+DcgTx2Ce6XN8B/yXBT1kFpnmpiRnyXS8CVKX0HMVYpdlsfUexy3BtXIphSUJsyYGs/1SUuybO0mYPguoYORtp0Od0/vScFgz/h6rzQtJgMsDns+XG4EoRmt1JMzdbBVEC/f154RCBqV2w1CGYlZ09nqOExZTEwGKktAImYn3LElqEcjzWf0PSBJ7awNVF/bGwMO+kQRJCfeKGlFwAAAQ8AAAAHc3NoLXJzYQAAAQCDThDHnBzeoEIlMYr7vzhl8hC7AxiXlsuLathqkYzn7H0AU5eGspfvJysV38vnXt/21TzFBorQ66be8cc/YHLfAaJqdpZEJWsxxqSRkVmAkpzaVN8k9OcVx9BqBS2VFwuanDoAw5JM2NEeZ6byQGd0cgWJcdGZ1K/EXzhYXCFcMPe1ye2Y2mdViDH+mellwuSw+H6Uq+UQbpbHf9fyJjReJ4Pu8C7PRMlD0JaZCFTKi58QlQcneOaQuVrtvZ4wDmvgLtWl+Zsqt9lUTpXZjwazXYDr8zyJ0cU+HMMVZ4E5StOKzTGg91jcOuChhZvkVOeJ2B4+KAsL2X9pu51iJj9h",
+  "private": null
+}