feat(renew-cmd): added

server/Cargo.toml

@@ -35,7 +35,6 @@ tower-http = { version = "0.3.4", features = ["map-request-body", "trace", "util
 tracing = { version = "0.1.37", features = ["release_max_level_debug"] }
 tracing-subscriber = "0.3.16"
 ssh-cert-dist-common = { path = "../common" }
-shell-escape = "0.1.5"
 
 [dev-dependencies]
 tempfile = "3.3.0"

server/src/api.rs

@@ -15,14 +15,13 @@ use axum::extract::rejection::QueryRejection;
 use axum::extract::{Query, State};
 use chrono::Duration;
 
-use shell_escape::escape;
 use ssh_cert_dist_common::*;
 
 use axum::{http::StatusCode, response::IntoResponse, Json, Router};
 use axum_extra::routing::RouterExt;
 use clap::{Args, Parser};
 use jwt_compact::alg::{Hs256, Hs256Key};
-use jwt_compact::{AlgorithmExt};
+use jwt_compact::AlgorithmExt;
 use rand::{thread_rng, Rng};
 use serde::{Deserialize, Serialize};
 use ssh_key::{Certificate, Fingerprint, PublicKey};
@@ -31,7 +30,7 @@ use tower::ServiceBuilder;
 use tower_http::{trace::TraceLayer, ServiceBuilderExt};
 use tracing::{debug, info, trace};
 
-use self::extract::{CertificateBody, SignatureBody, JWTAuthenticated, JWTString};
+use self::extract::{CertificateBody, JWTAuthenticated, JWTString, SignatureBody};
 
 #[derive(Parser)]
 pub struct ApiArgs {
@@ -309,40 +308,6 @@ struct CertInfo {
 
 impl From<&Certificate> for CertInfo {
     fn from(cert: &Certificate) -> Self {
-        let validity = cert
-            .valid_before_time()
-            .duration_since(cert.valid_after_time())
-            .unwrap_or(Duration::zero().to_std().unwrap());
-        let expiry = cert.valid_before_time().checked_add(validity).unwrap();
-        let expiry_date = expiry.duration_since(UNIX_EPOCH).unwrap();
-        let host_key = if cert.cert_type().is_host() {
-            " -h"
-        } else {
-            ""
-        };
-        let opts = cert
-            .critical_options()
-            .iter()
-            .map(|(opt, val)| {
-                if val.is_empty() {
-                    opt.clone()
-                } else {
-                    format!("{opt}={val}")
-                }
-            })
-            .map(|arg| format!("-O {}", escape(arg.into())))
-            .collect::<Vec<_>>()
-            .join(" ");
-        let opts = opts.trim();
-        let renew_command = format!(
-            "ssh-keygen -s ./ca_key {host_key} -I {} -n {} -z {} -V {:#x}:{:#x} {opts} {}.pub",
-            escape(cert.key_id().into()),
-            escape(cert.valid_principals().join(",").into()),
-            cert.serial() + 1,
-            cert.valid_after(),
-            expiry_date.as_secs(),
-            escape(cert.key_id().into())
-        );
         CertInfo {
             principals: cert.valid_principals().to_vec(),
             ca: cert.signature_key().clone().into(),
@@ -351,7 +316,7 @@ impl From<&Certificate> for CertInfo {
             identity_hash: cert.public_key().fingerprint(ssh_key::HashAlg::Sha256),
             key_id: cert.key_id().to_string(),
             expiry: cert.valid_before_time(),
-            renew_command,
+            renew_command: renew_command(cert, "./ca", None),
         }
     }
 }
@@ -387,7 +352,6 @@ impl From<Query<PostCertsQuery>> for JWTString {
     }
 }
 
-
 /// POST with signed challenge
 async fn post_certs_identifier(
     PostCertInfo { identifier }: PostCertInfo,