Support host certificate keys (#703)

* Handle @cert-authority in known_hosts.

* Fix ClassCastException when receiving an ECDSA-CERT host key.

* Mention what exactly is not negotiated.

* Verify host key certificates during key exchange.

* Unit and integration tests for host key verification.

* Show sshd logs when integration test finishes.

* Review fixes: extract to private method, change strings.

src/itest/generate.sh

@@ -1,5 +1,10 @@
 #!/usr/bin/env bash
-# Don't call it frequently. It's rather a documentation how everything is generated.
+# This script is intended for generating SSH keys required for unit and integration tests. If you intend to add a new
+# key to the tests, please write its generation command there.
+#
+# All generation commands should generate only files that does not exist. If some key is already generated, the script
+# should not overwrite the key.
+
 set -e -o pipefail
 cd "${BASH_SOURCES[0]}"
 
@@ -13,6 +18,22 @@ function generate() {
   fi
 }
 
+function generate_cert() {
+  local private_key
+  local suffix
+  local cert
+  private_key="$1"
+  suffix="$2"
+  shift 2
+  cert="$private_key$suffix-cert.pub"
+  if [[ ! -f "$cert" ]]; then
+    cp "$private_key" "$private_key$suffix"
+    cp "$private_key.pub" "$private_key$suffix.pub"
+    generate "$cert" "$@" "$private_key$suffix.pub"
+    rm -f "$private_key$suffix" "$private_key$suffix.pub"
+  fi
+}
+
 generate resources/users_rsa_ca -t rsa -N ''
 if [[ -f resources/users_rsa_ca.pub ]]; then
   mv resources/users_rsa_ca.pub docker-image/test-container
@@ -41,6 +62,41 @@ for ca_algo in ecdsa rsa ed25519; do
       user_key="resources/keyfiles/certificates/id_${key_algo_pair}_${format}_signed_by_${ca_algo}"
       generate "$user_key" -N '' -t "$key_algo" -b "$bits" -m "$format" -C "$(basename "$user_key")"
       generate "${user_key}-cert.pub" -s "resources/keyfiles/certificates/CA_${ca_algo}.pem" -I "$(basename "$user_key")" -n sshj "${user_key}.pub"
+
+      # These certificates are to be used as host certificates of sshd.
+      generate_cert "$user_key" _host \
+        -s "resources/keyfiles/certificates/CA_${ca_algo}.pem" -I "$(basename "$user_key")" -h -n 127.0.0.1
     done
   done
 done
+
+mkdir -p docker-image/test-container/host_keys
+
+for key_algo_pair in "${key_algo_pairs[@]}"; do
+  key_algo="${key_algo_pair/_*/}"
+  bits="${key_algo_pair/*_/}"
+
+  user_key="resources/keyfiles/certificates/id_${key_algo_pair}_${format}_signed_by_rsa"
+  host_key="docker-image/test-container/host_keys/ssh_host_${key_algo_pair}_key"
+  if [[ ! -f "$host_key" ]]; then
+    cp -p "$user_key" "$host_key"
+    cp -p "${user_key}.pub" "${host_key}.pub"
+    cp -p "${user_key}_host-cert.pub" "${host_key}-cert.pub"
+  fi
+done
+
+(
+  cd resources/keyfiles/certificates
+
+  generate_cert id_ed25519_384_rfc4716_signed_by_rsa _host_valid_before_past \
+    -s "CA_rsa.pem" -I valid_before_past -h -n 127.0.0.1 -V 'always:20210101000000'
+
+  generate_cert id_ed25519_384_rfc4716_signed_by_rsa _host_valid_after_future \
+    -s "CA_rsa.pem" -I valid_after_future -h -n 127.0.0.1 -V '20990101000000:forever'
+
+  generate_cert id_ed25519_384_rfc4716_signed_by_rsa _host_no_principal \
+    -s "CA_rsa.pem" -I no_principal -h
+
+  generate_cert id_ed25519_384_rfc4716_signed_by_rsa _host_principal_wildcard_example_com \
+    -s "CA_rsa.pem" -I principal_wildcard_example_com -h -n '*.example.com'
+)