| author | Nicola Murino <nicola.murino@gmail.com> | 2025-06-04 12:39:12 +0200 |
|---|---|---|
| committer | Gopher Robot <gobot@golang.org> | 2025-06-30 09:02:50 -0700 |
| commit | c6fce028266aa1271946a7dfde94cd71cf077d5e (patch) | |
| tree | a528bed47b954a837edfb2687e1c592342b1015f /ssh/keys.go | |
| parent | 0ae49b8145643036e0e6c266cf4edc0f543ea9e0 (diff) | |
ssh: refuse to parse certificates that use a certificate as signing key
According to draft-miller-ssh-cert-01, Section 2.1.1, certificates with
certificate keys as signature keys are invalid
Change-Id: I474524ea444deb78f2fa7c2682e47c0fd057f0b8
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/678716
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: David Chase <drchase@google.com>
Auto-Submit: Nicola Murino <nicola.murino@gmail.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Diffstat (limited to 'ssh/keys.go')
| -rw-r--r-- | ssh/keys.go | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/ssh/keys.go b/ssh/keys.go index 566e09d..a28c0de 100644 --- a/ssh/keys.go +++ b/ssh/keys.go @@ -273,7 +273,7 @@ func ParseAuthorizedKey(in []byte) (out PublicKey, comment string, options []str return nil, "", nil, nil, errors.New("ssh: no key found") } -// ParsePublicKey parses an SSH public key formatted for use in +// ParsePublicKey parses an SSH public key or certificate formatted for use in // the SSH wire protocol according to RFC 4253, section 6.6. func ParsePublicKey(in []byte) (out PublicKey, err error) { algo, in, ok := parseString(in) |
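
Review bot: In the ParsePublicKey doc comment, the new wording says the function parses "an SSH public key or certificate" but does not mention that a certificate whose signature key is itself a certificate is refused, which is the behaviour the commit message describes. Only the comment change is visible in this view (the diffstat is limited to ssh/keys.go), so a godoc reader has no way to learn that a well-formed certificate can now fail to parse. Consider adding a sentence to the comment along the lines of "Certificates that use a certificate as signature key are rejected (draft-miller-ssh-cert-01, Section 2.1.1)", and confirm that a test exercises that error path, since none appears in this diff.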
