ssh_pki_copy_cert_to_privkey can fail key match
In ssh_pki_copy_cert_to_privkey, there is a call to ssh_key_cmp which takes the certkey and privkey as parameters. Unfortunately the order of these parameters matters and the current order fails for some combinations.
In my case, the cert was generated as a plain ssh-ed25519 pair and then the certificate was signed with an rsa CA certificate.
The resulting certificate was imported with ssh_pki_import_pubkey_base64, giving a certkey->type of SSH_KEYTYPE_ED25519_CERT01, whereas the privkey->type is SSH_KEYTYPE_ED25519.
When ssh_pki_copy_cert_to_privkey gets to ssh_key_cmp, having the certkey as the first parameter doesn't call ssh_key_type_plain when checking for SSH_KEYTYPE_ED25519, so it falls through to pki_key_compare which says /* ed25519 keys handled globally */ and fails.
By switching the parameters to ssh_key_cmp such that the privkey is first, the k1->type is properly recognized as SSH_KEYTYPE_ED25519 and the proper comparison is made.
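
A simplified C model of the order-dependent dispatch described in this report, added here as an illustration; it is not libssh code. The type names, the sample keys and the order-independent variant `cmp_symmetric` are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
/* Local stand-ins for the key types named in the report (not libssh's enum). */
enum key_type { KT_RSA, KT_ED25519, KT_ED25519_CERT01 };
struct model_key { enum key_type type; unsigned char pub[32]; };
/* Constructed sample keys: CERT carries the same public key as PRIV. */
static const struct model_key PRIV  = { KT_ED25519,        { 0x11, 0x22, 0x33 } };
static const struct model_key CERT  = { KT_ED25519_CERT01, { 0x11, 0x22, 0x33 } };
static const struct model_key OTHER = { KT_ED25519_CERT01, { 0xaa, 0xbb, 0xcc } };

/* Plays the role of ssh_key_type_plain: strip the certificate wrapper. */
static enum key_type type_plain(enum key_type t)
{
    return t == KT_ED25519_CERT01 ? KT_ED25519 : t;
}

/* Returns 0 when the ed25519 public keys are equal, 1 otherwise. */
static int ed25519_compare(const struct model_key *a, const struct model_key *b)
{
    return memcmp(a->pub, b->pub, sizeof a->pub) != 0;
}

/* Generic backend: it has no ed25519 branch, so reaching it means "no match". */
static int backend_compare(const struct model_key *a, const struct model_key *b)
{
    (void)a; (void)b; return 1;
}

/* Order-dependent dispatch: only the raw type of k1 selects the ed25519 path. */
int cmp_order_dependent(const struct model_key *k1, const struct model_key *k2)
{
    if (type_plain(k1->type) != type_plain(k2->type)) return 1;
    if (k1->type == KT_ED25519) return ed25519_compare(k1, k2);
    return backend_compare(k1, k2);
}

/* Order-independent variant (assumption, not the report's fix): use the plain type. */
int cmp_symmetric(const struct model_key *k1, const struct model_key *k2)
{
    if (type_plain(k1->type) != type_plain(k2->type)) return 1;
    if (type_plain(k1->type) == KT_ED25519) return ed25519_compare(k1, k2);
    return backend_compare(k1, k2);
}

int main(void)
{
    printf("cert first: %d, priv first: %d, symmetric: %d, other key: %d\n",
           cmp_order_dependent(&CERT, &PRIV), cmp_order_dependent(&PRIV, &CERT),
           cmp_symmetric(&CERT, &PRIV), cmp_symmetric(&OTHER, &PRIV));
    return 0;
}
```

A return value of 0 means the keys match. With the certificate as the first argument the model reports a mismatch for a matching pair, and with the private key first it reports a match.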