Add imported "change nonce" warning

Author: scheibling

src/sshkey_tools/cert.py

@@ -166,6 +166,9 @@ def decode(cls, data: bytes) -> Tuple["CertificateHeader", bytes]:
 
         public_key, data = getattr(_FIELD, target_class[1]).from_decode(data)
         cl_instance.public_key = public_key
+        
+        cl_instance.nonce._was_imported = True
+        cl_instance.nonce._imported_as = cl_instance.get("nonce")
 
         return cl_instance, data
 

src/sshkey_tools/fields.py

@@ -777,6 +777,15 @@ class NonceField(BytestringField):
 
     DEFAULT = generate_secure_nonce
     DATA_TYPE = (str, bytes)
+    
+    _was_imported = bool
+    _imported_as = (str, bytes)
+
+    def was_imported(self) -> bool:
+        """
+        Returns whether the certificate was imported or not
+        """
+        return isinstance(self._was_imported, bool) and self._was_imported
 
     def __validate_value__(self) -> Union[bool, Exception]:
         """
@@ -792,6 +801,11 @@ def __validate_value__(self) -> Union[bool, Exception]:
                 "Expected a nonce of at least 32 bytes"
             )
 
+        if self.was_imported() and self._imported_as == self.value:
+            print("""[Notice] This certificate was imported. Before re-signing,"""
+                  """ it is recommended to change the nonce to a new value to """
+                  """protect the integrity of the private key in the long run.""")
+
         return True
 
 

tests/test_certificates.py

@@ -561,7 +561,7 @@ def test_cert_type_assignment(self):
         self.assertIsInstance(ecdsa_cert, _CERT.EcdsaCertificate)
         self.assertIsInstance(ed25519_cert, _CERT.Ed25519Certificate)
 
-    def assertCertificateCreated(self, sub_type, ca_type):
+    def getReloadedCertificate(self, sub_type, ca_type):
         sub_pubkey = getattr(self, f"{sub_type}_user")
         ca_privkey = getattr(self, f"{ca_type}_ca")
 
@@ -590,6 +590,11 @@ def assertCertificateCreated(self, sub_type, ca_type):
         reloaded_cert = _CERT.SSHCertificate.from_file(
             f"tests/certificates/{sub_type}_{ca_type}-cert.pub"
         )
+        
+        return certificate, reloaded_cert
+
+    def assertCertificateCreated(self, sub_type, ca_type):
+        certificate, reloaded_cert = self.getReloadedCertificate(sub_type, ca_type)
 
         self.assertEqual(certificate.get_signable(), reloaded_cert.get_signable())
 
@@ -602,6 +607,22 @@ def test_certificate_creation(self):
                     )
                 )
                 self.assertCertificateCreated(user_type, ca_type)
+    
+    def test_certificate_import_sets_nonce_imported(self):
+        for ca_type in CERTIFICATE_TYPES:
+            for user_type in CERTIFICATE_TYPES:
+                print(
+                    "Testing certificate import for {} CA and {} user".format(
+                        ca_type, user_type
+                    )
+                )
+                
+                cert, reloaded_cert = self.getReloadedCertificate(user_type, ca_type)
+                
+                self.assertFalse(cert.header.nonce.was_imported())
+                self.assertTrue(reloaded_cert.header.nonce.was_imported())
+                
+                
 
 
 if __name__ == "__main__":