Encoding Error with SSH Certificate in Agent

[lorenzleutgeb]

rad, the CLI for Radicle, has recently switched to ssh-agent-lib 0.5.2 for interfacing with SSH Agent. @larswirzenius ran into an issue with rad auth:

$ rad auth
✗ Error: Agent: Protocol error: SSH encoding error: character encoding invalid

This seems to hit ssh_encoding::Error::CharacterEncoding which is defined in ssh-encoding/src/error.rs:18.

The command errors very early, just after receiving the list of keys from the agent. @larswirzenius managed to minimize this. Two items in the list remain part of the picture:

1. id_personal.pub.txt
2. id_personal-cert.pub.txt

With only id_personal.pub loaded, the error does not occur. With both id_personal.pub and id_personal-cert.pub loaded, the error does occur. It seems to be impossible to load id_personal-cert.pub without id_personal.pub, so this natural next step in minimization could not be tested.

An strace rad auth gives the exact bytes that were exchanged and lead to the error, see strace.txt. rad auth first requests a list of keys (strace escapes 11u8 as \v which stands for "vertical tab", see ASCII). Then the response arrives, which is not understood.

[lorenzleutgeb]

Looks like this might be resolved by #101

[wiktor-k]

Ack. This seems to be a known issue, I've already mentioned that in Zulip but the tl;dr is that newer versions of Rust Crypto crates resolve this by parsing certificates as KeyData objects. I've been waiting for a stable release for some time as I don't want to make API breaks that then need to be reverted but since this is a pressing matter the calculations change.

We'll test the #101 with @larswirzenius 🚀

[larswirzenius]

@lorenzleutgeb made a patch for rad to me to try this, and it seems to work for me.

[wiktor-k]

I'll close this with #106 and add a note (known issues) that certificates with no expiry are still not supported due to ssh-key bug that has been fixed in a non stable version of ssh-key as of today.