From d6f64630bc79f47b902b31bd8a7d22e2ab588a68 Mon Sep 17 00:00:00 2001
From: Steve Traylen
Date: Tue, 2 May 2023 21:03:20 +0200
Subject: [PATCH] Support signatures beyond rsa

Currently when signatures are verified they are assumed to be ssh-rsa. We now respect the signature type when checking the signature. In particular this allow signatures using rsa-sha2-256 to also be verified. In the case where the signature type is not know we just attempt `rsa-sha2-256` before `rsa-rsa`.
---
 lib/ssh/key/verifier.rb | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/lib/ssh/key/verifier.rb b/lib/ssh/key/verifier.rb
index f2b52be..c953015 100644
--- a/lib/ssh/key/verifier.rb
+++ b/lib/ssh/key/verifier.rb
@@ -92,15 +92,23 @@ def verify(signatures, original)
 inputs = [signatures]
 end
 
- if inputs[0].is_a? SSH::Key::Signature
- @logger.debug("verify 'signatures' is an array of Signatures")
- inputs = inputs.collect { |i| i.signature }
- end
-
 inputs.each do |signature|
 identities.each do |identity|
- key = [signature, identity]
- results[key] = identity.ssh_do_verify(signature, original)
+ if signature.is_a? SSH::Key::Signature
+ @logger.debug("verify 'signatures' is an array of Signatures")
+ key = [signature.signature, identity]
+ results[key] = identity.ssh_do_verify(signature.signature, original, signature.type.rstrip)
+ else
+ @logger.debug("verify 'signatures' is array of Strings")
+ key = [signature, identity]
+ if identity.ssh_do_verify(signature, original, {:host_key => 'rsa-sha2-256'})
+ results[key] = true
+ elsif identity.ssh_do_verify(signature, original)
+ results[key] = true
+ else
+ results[key] = false
+ end
+ end
 @logger.info "Trying key #{identity.to_s.split("\n")[1]}... #{results[key]}"
 end
 end
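Review bot: The two new call sites pass different shapes as the third argument of `ssh_do_verify`: the Signature branch passes a bare String (`signature.type.rstrip`) while the String branch passes a Hash (`{:host_key => 'rsa-sha2-256'}`). Unless `ssh_do_verify` accepts both (its definition is not in this hunk), the Signature branch should read `results[key] = identity.ssh_do_verify(signature.signature, original, {:host_key => signature.type.rstrip})`. Because `signature.type` presumably comes from the signature being checked, it is worth comparing it against a fixed list of accepted algorithms before it selects the digest, and recording a failed result for anything else rather than letting it fall through to a default. The String branch's silent second attempt without `:host_key` also means a caller cannot insist on SHA-2 signatures; a comment such as `# second attempt uses ssh_do_verify's default algorithm (ssh-rsa per the commit message)` would at least make that visible. The body of `verify` starts and ends outside the hunk.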