Allow users to define certificate comment in agent (#1158)

redrac · web-flow · commit 32bdf40111e6 · 2024-05-14T11:20:26.000-07:00
* Allow users to define certificate comment in agent

Added a comment flag which allows users to set the comment for a
certificate when it gets added to an agent. It defaults to current
behavior if not set, which is it uses the subject as the comment.
This allows users who interact with mutliple CAs with the same
identity (email) to have multiple certificates in the agent. It
also allows for use cases when users generate SSH certs with different
extensions to load multiple certificates in their agent.
diff --git a/command/ssh/certificate.go b/command/ssh/certificate.go
@@ -37,12 +37,12 @@ func certificateCommand() cli.Command {
 		UsageText: `**step ssh certificate** <key-id> <key-file>
 [**--host**] [--**host-id**] [**--sign**] [**--principal**=<string>]
 [**--password-file**=<file>] [**--provisioner-password-file**=<file>]
-[**--add-user**] [**--not-before**=<time|duration>]
+[**--add-user**] [**--not-before**=<time|duration>] [**--comment**=<comment>]
 [**--not-after**=<time|duration>] [**--token**=<token>] [**--issuer**=<name>]
 [**--no-password**] [**--insecure**] [**--force**] [**--x5c-cert**=<file>]
 [**--x5c-key**=<file>] [**--k8ssa-token-path**=<file>] [**--no-agent**]
-[**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>]
-[**--kty**=<key-type>] [**--curve**=<curve>] [**--size**=<size>]`,
+[**--kty**=<key-type>] [**--curve**=<curve>] [**--size**=<size>]
+[**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>]`,
 
 		Description: `**step ssh certificate** command generates an SSH key pair and creates a
 certificate using [step certificates](https://github.com/smallstep/certificates).
@@ -184,6 +184,10 @@ $  step ssh certificate --kty OKP --curve Ed25519 mariano@work id_ed25519
 			sshPrivateKeyFlag,
 			sshProvisionerPasswordFlag,
 			sshSignFlag,
+                        flags.KTY,
+			flags.Curve,
+			flags.Size,
+                        flags.Comment,
 			flags.KMSUri,
 			flags.X5cCert,
 			flags.X5cKey,
@@ -199,9 +203,6 @@ $  step ssh certificate --kty OKP --curve Ed25519 mariano@work id_ed25519
 			flags.CaURL,
 			flags.Root,
 			flags.Context,
-			flags.KTY,
-			flags.Curve,
-			flags.Size,
 		},
 	}
 }
@@ -219,6 +220,11 @@ func certificateAction(ctx *cli.Context) error {
 	pubFile := baseName + ".pub"
 	crtFile := baseName + "-cert.pub"
 
+	comment := ctx.String("comment")
+	if comment == "" {
+		comment = subject
+	}
+
 	// Flags
 	token := ctx.String("token")
 	isHost := ctx.Bool("host")
@@ -502,7 +508,7 @@ func certificateAction(ctx *cli.Context) error {
 			ui.Printf(`{{ "%s" | red }} {{ "SSH Agent:" | bold }} %v`+"\n", ui.IconBad, err)
 		} else {
 			defer agent.Close()
-			if err := agent.AddCertificate(subject, resp.Certificate.Certificate, priv); err != nil {
+			if err := agent.AddCertificate(comment, resp.Certificate.Certificate, priv); err != nil {
 				ui.Printf(`{{ "%s" | red }} {{ "SSH Agent:" | bold }} %v`+"\n", ui.IconBad, err)
 			} else {
 				ui.PrintSelected("SSH Agent", "yes")
diff --git a/command/ssh/login.go b/command/ssh/login.go
@@ -28,10 +28,10 @@ func loginCommand() cli.Command {
 		UsageText: `**step ssh login** [<identity>]
 [**--token**=<token>] [**--provisioner**=<name>] [**--provisioner-password-file**=<file>]
 [**--principal**=<string>] [**--not-before**=<time|duration>] [**--not-after**=<time|duration>]
+[**--kty**=<key-type>] [**--curve**=<curve>] [**--size**=<size>] [**--comment**=<comment>]
 [**--set**=<key=value>] [**--set-file**=<file>] [**--force**] [**--insecure**]
 [**--offline**] [**--ca-config**=<file>]
-[**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>]
-[**--kty**=<key-type>] [**--curve**=<curve>] [**--size**=<size>]`,
+[**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>]`,
 		Description: `**step ssh login** generates a new SSH key pair and send a request to [step
 certificates](https://github.com/smallstep/certificates) to sign a user
 certificate. This certificate will be automatically added to the SSH agent.
@@ -68,13 +68,17 @@ Request a new SSH certificate with multiple principals:
 $ step ssh login --principal admin --principal bob bob@smallstep.com
 '''
 
+Request a new SSH certificate and set a custom comment in the agent
+'''
+$ step ssh login --comment my-custom-comment bob@smallstep.com
+'''
+
 Request a new SSH certificate with an EC key and P-521 curve:
 '''
 $  step ssh certificate --kty EC --curve "P-521" mariano@work id_ecdsa
 '''
 
 Request a new SSH certificate with an Octet Key Pair and Ed25519 curve:
-
 '''
 $  step ssh certificate --kty OKP --curve Ed25519 mariano@work id_ed25519
 '''`,
@@ -95,6 +99,7 @@ $  step ssh certificate --kty OKP --curve Ed25519 mariano@work id_ed25519
 			flags.CaURL,
 			flags.Root,
 			flags.Context,
+			flags.Comment,
 			flags.KTY,
 			flags.Curve,
 			flags.Size,
@@ -119,6 +124,11 @@ func loginAction(ctx *cli.Context) error {
 		principals = []string{subject}
 	}
 
+	comment := ctx.String("comment")
+	if comment == "" {
+		comment = subject
+	}
+
 	// Flags
 	token := ctx.String("token")
 	isAddUser := ctx.Bool("add-user")
@@ -163,7 +173,7 @@ func loginAction(ctx *cli.Context) error {
 		}
 
 		// Just return if key is present
-		if key, err := agent.GetKey(subject, opts...); err == nil {
+		if key, err := agent.GetKey(comment, opts...); err == nil {
 			ui.Printf("The key %s is already present in the SSH agent.\n", key.String())
 			return nil
 		}
@@ -270,15 +280,15 @@ func loginAction(ctx *cli.Context) error {
 	}
 
 	// Attempt to add key to agent if private key defined.
-	if err := agent.AddCertificate(subject, resp.Certificate.Certificate, priv); err != nil {
+	if err := agent.AddCertificate(comment, resp.Certificate.Certificate, priv); err != nil {
 		ui.Printf(`{{ "%s" | red }} {{ "SSH Agent:" | bold }} %v`+"\n", ui.IconBad, err)
 	} else {
 		ui.PrintSelected("SSH Agent", "yes")
 	}
 	if isAddUser {
 		if resp.AddUserCertificate == nil {
 			ui.Printf(`{{ "%s" | red }} {{ "Add User Certificate:" | bold }} failed to create a provisioner certificate`+"\n", ui.IconBad)
-		} else if err := agent.AddCertificate(subject, resp.AddUserCertificate.Certificate, auPriv); err != nil {
+		} else if err := agent.AddCertificate(comment, resp.AddUserCertificate.Certificate, auPriv); err != nil {
 			ui.Printf(`{{ "%s" | red }} {{ "Add User Certificate:" | bold }} %v`+"\n", ui.IconBad, err)
 		} else {
 			ui.PrintSelected("Add User Certificate", "yes")
diff --git a/flags/flags.go b/flags/flags.go
@@ -462,6 +462,11 @@ flag exists so it can be configured in $STEPPATH/config/defaults.json.`,
 		Name:  "attestation-uri",
 		Usage: "The KMS <uri> used for attestation.",
 	}
+
+	Comment = cli.StringFlag{
+		Name:  "comment",
+		Usage: "The comment used when adding the certificate to an agent. Defaults to the subject if not provided.",
+	}
 )
 
 // FingerprintFormatFlag returns a flag for configuring the fingerprint format.

Original file line number	Diff line number	Diff line change
@@ -462,6 +462,11 @@ flag exists so it can be configured in $STEPPATH/config/defaults.json.`,
`462`	`462`	`Name: "attestation-uri",`
`463`	`463`	`Usage: "The KMS <uri> used for attestation.",`
`464`	`464`	`}`
	`465`	`+`
	`466`	`+ Comment = cli.StringFlag{`
	`467`	`+ Name: "comment",`
	`468`	`+ Usage: "The comment used when adding the certificate to an agent. Defaults to the subject if not provided.",`
	`469`	`+ }`
`465`	`470`	`)`
`466`	`471`
`467`	`472`	`// FingerprintFormatFlag returns a flag for configuring the fingerprint format.`