Update jwk and oidc tests.

5 years ago · d231bfb764
parent a8f4ad1b8e
commit d231bfb764
3 changed files with 211 additions and 163 deletions
--- a/authority/provisioner/jwk_test.go
+++ b/authority/provisioner/jwk_test.go
@ -5,14 +5,12 @@ import (
 	"crypto"
 	"crypto/x509"
 	"errors"
-	"math"
 	"strings"
 	"testing"
 	"time"

 	"github.com/smallstep/assert"
 	"github.com/smallstep/cli/jose"
-	"golang.org/x/crypto/ssh"
 )

 var (
@ -331,6 +329,9 @@ func TestJWK_AuthorizeRenewal(t *testing.T) {
 }

 func TestJWK_AuthorizeSign_SSH(t *testing.T) {
+	tm, fn := mockNow()
+	defer fn()
+
 	p1, err := generateJWK()
 	assert.FatalError(t, err)
 	jwk, err := decryptJSONWebKey(p1.EncryptedKey)
@ -353,41 +354,59 @@ func TestJWK_AuthorizeSign_SSH(t *testing.T) {
 	signer, err := generateJSONWebKey()
 	assert.FatalError(t, err)

-	type args struct {
-		token string
+	userDuration := p1.claimer.DefaultUserSSHCertDuration()
+	hostDuration := p1.claimer.DefaultHostSSHCertDuration()
+	expectedUserOptions := &SSHOptions{
+		CertType: "user", Principals: []string{"name"},
+		ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(userDuration)),
 	}
-	type expected struct {
-		certType   uint32
-		principals []string
+	expectedHostOptions := &SSHOptions{
+		CertType: "host", Principals: []string{"smallstep.com"},
+		ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(hostDuration)),
+	}
+
+	type args struct {
+		token   string
+		sshOpts SSHOptions
 	}
 	tests := []struct {
-		name     string
-		prov     *JWK
-		args     args
-		expected expected
-		err      error
+		name        string
+		prov        *JWK
+		args        args
+		expected    *SSHOptions
+		wantErr     bool
+		wantSignErr bool
 	}{
-		{"ok-user", p1, args{t1}, expected{ssh.UserCert, []string{"name"}}, nil},
-		{"ok-host", p1, args{t2}, expected{ssh.HostCert, []string{"smallstep.com"}}, nil},
-		{"fail-signature", p1, args{failSig}, expected{}, errors.New("error parsing claims: square/go-jose: error in cryptographic primitive")},
+		{"user", p1, args{t1, SSHOptions{}}, expectedUserOptions, false, false},
+		{"user-type", p1, args{t1, SSHOptions{CertType: "user"}}, expectedUserOptions, false, false},
+		{"user-principals", p1, args{t1, SSHOptions{Principals: []string{"name"}}}, expectedUserOptions, false, false},
+		{"user-options", p1, args{t1, SSHOptions{CertType: "user", Principals: []string{"name"}}}, expectedUserOptions, false, false},
+		{"host", p1, args{t2, SSHOptions{}}, expectedHostOptions, false, false},
+		{"host-type", p1, args{t2, SSHOptions{CertType: "host"}}, expectedHostOptions, false, false},
+		{"host-principals", p1, args{t2, SSHOptions{Principals: []string{"smallstep.com"}}}, expectedHostOptions, false, false},
+		{"host-options", p1, args{t2, SSHOptions{CertType: "host", Principals: []string{"smallstep.com"}}}, expectedHostOptions, false, false},
+		{"fail-signature", p1, args{failSig, SSHOptions{}}, nil, true, false},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			ctx := NewContextWithMethod(context.Background(), SignSSHMethod)
-			if got, err := tt.prov.AuthorizeSign(ctx, tt.args.token); err != nil {
-				if assert.NotNil(t, tt.err) {
-					assert.HasPrefix(t, err.Error(), tt.err.Error())
-				}
+			got, err := tt.prov.AuthorizeSign(ctx, tt.args.token)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("OIDC.Authorize() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if err != nil {
+				assert.Nil(t, got)
 			} else if assert.NotNil(t, got) {
-				cert, err := signSSHCertificate(key.Public().Key, SSHOptions{}, got, signer.Key.(crypto.Signer))
-				assert.FatalError(t, err)
-				assert.NotNil(t, cert.Signature)
-				assert.Equals(t, tt.expected.certType, cert.CertType)
-				assert.Equals(t, tt.expected.principals, cert.ValidPrincipals)
-				if cert.CertType == ssh.UserCert {
-					assert.Len(t, 5, cert.Extensions)
+				cert, err := signSSHCertificate(key.Public().Key, tt.args.sshOpts, got, signer.Key.(crypto.Signer))
+				if (err != nil) != tt.wantSignErr {
+					t.Errorf("SignSSH error = %v, wantSignErr %v", err, tt.wantSignErr)
 				} else {
-					assert.Nil(t, cert.Extensions)
+					if tt.wantSignErr {
+						assert.Nil(t, cert)
+					} else {
+						assert.NoError(t, validateSSHCertificate(cert, tt.expected))
+					}
 				}
 			}
 		})
@ -395,17 +414,15 @@ func TestJWK_AuthorizeSign_SSH(t *testing.T) {
 }

 func TestJWK_AuthorizeSign_SSHOptions(t *testing.T) {
+	tm, fn := mockNow()
+	defer fn()
+
 	p1, err := generateJWK()
 	assert.FatalError(t, err)
 	jwk, err := decryptJSONWebKey(p1.EncryptedKey)
 	assert.FatalError(t, err)

-	userDuration := p1.claimer.DefaultUserSSHCertDuration()
-	hostDuration := p1.claimer.DefaultHostSSHCertDuration()
-
-	now := time.Now()
-	sub, iss, aud := "subject@smallstep.com", p1.Name, testAudiences.Sign[0]
-	iat := now
+	sub, iss, aud, iat := "subject@smallstep.com", p1.Name, testAudiences.Sign[0], time.Now()

 	key, err := generateJSONWebKey()
 	assert.FatalError(t, err)
@ -413,6 +430,16 @@ func TestJWK_AuthorizeSign_SSHOptions(t *testing.T) {
 	signer, err := generateJSONWebKey()
 	assert.FatalError(t, err)

+	userDuration := p1.claimer.DefaultUserSSHCertDuration()
+	hostDuration := p1.claimer.DefaultHostSSHCertDuration()
+	expectedUserOptions := &SSHOptions{
+		CertType: "user", Principals: []string{"name"},
+		ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(userDuration)),
+	}
+	expectedHostOptions := &SSHOptions{
+		CertType: "host", Principals: []string{"smallstep.com"},
+		ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(hostDuration)),
+	}
 	type args struct {
 		sub, iss, aud string
 		iat           time.Time
@ -420,55 +447,57 @@ func TestJWK_AuthorizeSign_SSHOptions(t *testing.T) {
 		userSSHOpts   *SSHOptions
 		jwk           *jose.JSONWebKey
 	}
-	type expected struct {
-		certType    uint32
-		principals  []string
-		validAfter  time.Time
-		validBefore time.Time
-	}
 	tests := []struct {
 		name        string
 		prov        *JWK
 		args        args
-		expected    expected
+		expected    *SSHOptions
 		wantErr     bool
 		wantSignErr bool
 	}{
-		{"ok-user", p1, args{sub, iss, aud, iat, &SSHOptions{CertType: "user", Principals: []string{"name"}}, &SSHOptions{}, jwk}, expected{ssh.UserCert, []string{"name"}, now, now.Add(userDuration)}, false, false},
-		{"ok-host", p1, args{sub, iss, aud, iat, &SSHOptions{CertType: "host", Principals: []string{"smallstep.com"}}, &SSHOptions{}, jwk}, expected{ssh.HostCert, []string{"smallstep.com"}, now, now.Add(hostDuration)}, false, false},
-		{"ok-user-opts", p1, args{sub, iss, aud, iat, &SSHOptions{}, &SSHOptions{CertType: "user", Principals: []string{"name"}}, jwk}, expected{ssh.UserCert, []string{"name"}, now, now.Add(userDuration)}, false, false},
-		{"ok-host-opts", p1, args{sub, iss, aud, iat, &SSHOptions{}, &SSHOptions{CertType: "host", Principals: []string{"smallstep.com"}}, jwk}, expected{ssh.HostCert, []string{"smallstep.com"}, now, now.Add(hostDuration)}, false, false},
-		{"ok-user-mixed", p1, args{sub, iss, aud, iat, &SSHOptions{CertType: "user"}, &SSHOptions{Principals: []string{"name"}}, jwk}, expected{ssh.UserCert, []string{"name"}, now, now.Add(userDuration)}, false, false},
-		{"ok-host-mixed", p1, args{sub, iss, aud, iat, &SSHOptions{Principals: []string{"smallstep.com"}}, &SSHOptions{CertType: "host"}, jwk}, expected{ssh.HostCert, []string{"smallstep.com"}, now, now.Add(hostDuration)}, false, false},
+		{"ok-user", p1, args{sub, iss, aud, iat, &SSHOptions{CertType: "user", Principals: []string{"name"}}, &SSHOptions{}, jwk}, expectedUserOptions, false, false},
+		{"ok-host", p1, args{sub, iss, aud, iat, &SSHOptions{CertType: "host", Principals: []string{"smallstep.com"}}, &SSHOptions{}, jwk}, expectedHostOptions, false, false},
+		{"ok-user-opts", p1, args{sub, iss, aud, iat, &SSHOptions{}, &SSHOptions{CertType: "user", Principals: []string{"name"}}, jwk}, expectedUserOptions, false, false},
+		{"ok-host-opts", p1, args{sub, iss, aud, iat, &SSHOptions{}, &SSHOptions{CertType: "host", Principals: []string{"smallstep.com"}}, jwk}, expectedHostOptions, false, false},
+		{"ok-user-mixed", p1, args{sub, iss, aud, iat, &SSHOptions{CertType: "user"}, &SSHOptions{Principals: []string{"name"}}, jwk}, expectedUserOptions, false, false},
+		{"ok-host-mixed", p1, args{sub, iss, aud, iat, &SSHOptions{Principals: []string{"smallstep.com"}}, &SSHOptions{CertType: "host"}, jwk}, expectedHostOptions, false, false},
 		{"ok-user-validAfter", p1, args{sub, iss, aud, iat, &SSHOptions{
 			CertType: "user", Principals: []string{"name"},
 		}, &SSHOptions{
-			ValidAfter: NewTimeDuration(now.Add(-time.Hour)),
-		}, jwk}, expected{ssh.UserCert, []string{"name"}, now.Add(-time.Hour), now.Add(userDuration - time.Hour)}, false, false},
+			ValidAfter: NewTimeDuration(tm.Add(-time.Hour)),
+		}, jwk}, &SSHOptions{
+			CertType: "user", Principals: []string{"name"}, ValidAfter: NewTimeDuration(tm.Add(-time.Hour)), ValidBefore: NewTimeDuration(tm.Add(userDuration - time.Hour)),
+		}, false, false},
 		{"ok-user-validBefore", p1, args{sub, iss, aud, iat, &SSHOptions{
 			CertType: "user", Principals: []string{"name"},
 		}, &SSHOptions{
-			ValidBefore: NewTimeDuration(now.Add(time.Hour)),
-		}, jwk}, expected{ssh.UserCert, []string{"name"}, now, now.Add(time.Hour)}, false, false},
+			ValidBefore: NewTimeDuration(tm.Add(time.Hour)),
+		}, jwk}, &SSHOptions{
+			CertType: "user", Principals: []string{"name"}, ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(time.Hour)),
+		}, false, false},
 		{"ok-user-validAfter-validBefore", p1, args{sub, iss, aud, iat, &SSHOptions{
 			CertType: "user", Principals: []string{"name"},
 		}, &SSHOptions{
-			ValidAfter: NewTimeDuration(now.Add(10 * time.Minute)), ValidBefore: NewTimeDuration(now.Add(time.Hour)),
-		}, jwk}, expected{ssh.UserCert, []string{"name"}, now.Add(10 * time.Minute), now.Add(time.Hour)}, false, false},
+			ValidAfter: NewTimeDuration(tm.Add(10 * time.Minute)), ValidBefore: NewTimeDuration(tm.Add(time.Hour)),
+		}, jwk}, &SSHOptions{
+			CertType: "user", Principals: []string{"name"}, ValidAfter: NewTimeDuration(tm.Add(10 * time.Minute)), ValidBefore: NewTimeDuration(tm.Add(time.Hour)),
+		}, false, false},
 		{"ok-user-match", p1, args{sub, iss, aud, iat, &SSHOptions{
-			CertType: "user", Principals: []string{"name"}, ValidAfter: NewTimeDuration(now), ValidBefore: NewTimeDuration(now.Add(1 * time.Hour)),
+			CertType: "user", Principals: []string{"name"}, ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(1 * time.Hour)),
 		}, &SSHOptions{
-			CertType: "user", Principals: []string{"name"}, ValidAfter: NewTimeDuration(now), ValidBefore: NewTimeDuration(now.Add(1 * time.Hour)),
-		}, jwk}, expected{ssh.UserCert, []string{"name"}, now, now.Add(1 * time.Hour)}, false, false},
-		{"fail-certType", p1, args{sub, iss, aud, iat, &SSHOptions{CertType: "user", Principals: []string{"name"}}, &SSHOptions{CertType: "host"}, jwk}, expected{}, false, true},
-		{"fail-principals", p1, args{sub, iss, aud, iat, &SSHOptions{CertType: "user", Principals: []string{"name"}}, &SSHOptions{Principals: []string{"root"}}, jwk}, expected{}, false, true},
-		{"fail-validAfter", p1, args{sub, iss, aud, iat, &SSHOptions{CertType: "user", Principals: []string{"name"}, ValidAfter: NewTimeDuration(now)}, &SSHOptions{ValidAfter: NewTimeDuration(now.Add(time.Hour))}, jwk}, expected{}, false, true},
-		{"fail-validBefore", p1, args{sub, iss, aud, iat, &SSHOptions{CertType: "user", Principals: []string{"name"}, ValidBefore: NewTimeDuration(now.Add(time.Hour))}, &SSHOptions{ValidBefore: NewTimeDuration(now.Add(10 * time.Hour))}, jwk}, expected{}, false, true},
-		{"fail-subject", p1, args{"", iss, aud, iat, &SSHOptions{CertType: "user", Principals: []string{"name"}}, &SSHOptions{}, jwk}, expected{}, true, false},
-		{"fail-issuer", p1, args{sub, "invalid", aud, iat, &SSHOptions{CertType: "user", Principals: []string{"name"}}, &SSHOptions{}, jwk}, expected{}, true, false},
-		{"fail-audience", p1, args{sub, iss, "invalid", iat, &SSHOptions{CertType: "user", Principals: []string{"name"}}, &SSHOptions{}, jwk}, expected{}, true, false},
-		{"fail-expired", p1, args{sub, iss, aud, iat.Add(-6 * time.Minute), &SSHOptions{CertType: "user", Principals: []string{"name"}}, &SSHOptions{}, jwk}, expected{}, true, false},
-		{"fail-notBefore", p1, args{sub, iss, aud, iat.Add(5 * time.Minute), &SSHOptions{CertType: "user", Principals: []string{"name"}}, &SSHOptions{}, jwk}, expected{}, true, false},
+			CertType: "user", Principals: []string{"name"}, ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(1 * time.Hour)),
+		}, jwk}, &SSHOptions{
+			CertType: "user", Principals: []string{"name"}, ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(time.Hour)),
+		}, false, false},
+		{"fail-certType", p1, args{sub, iss, aud, iat, &SSHOptions{CertType: "user", Principals: []string{"name"}}, &SSHOptions{CertType: "host"}, jwk}, nil, false, true},
+		{"fail-principals", p1, args{sub, iss, aud, iat, &SSHOptions{CertType: "user", Principals: []string{"name"}}, &SSHOptions{Principals: []string{"root"}}, jwk}, nil, false, true},
+		{"fail-validAfter", p1, args{sub, iss, aud, iat, &SSHOptions{CertType: "user", Principals: []string{"name"}, ValidAfter: NewTimeDuration(tm)}, &SSHOptions{ValidAfter: NewTimeDuration(tm.Add(time.Hour))}, jwk}, nil, false, true},
+		{"fail-validBefore", p1, args{sub, iss, aud, iat, &SSHOptions{CertType: "user", Principals: []string{"name"}, ValidBefore: NewTimeDuration(tm.Add(time.Hour))}, &SSHOptions{ValidBefore: NewTimeDuration(tm.Add(10 * time.Hour))}, jwk}, nil, false, true},
+		{"fail-subject", p1, args{"", iss, aud, iat, &SSHOptions{CertType: "user", Principals: []string{"name"}}, &SSHOptions{}, jwk}, nil, true, false},
+		{"fail-issuer", p1, args{sub, "invalid", aud, iat, &SSHOptions{CertType: "user", Principals: []string{"name"}}, &SSHOptions{}, jwk}, nil, true, false},
+		{"fail-audience", p1, args{sub, iss, "invalid", iat, &SSHOptions{CertType: "user", Principals: []string{"name"}}, &SSHOptions{}, jwk}, nil, true, false},
+		{"fail-expired", p1, args{sub, iss, aud, iat.Add(-6 * time.Minute), &SSHOptions{CertType: "user", Principals: []string{"name"}}, &SSHOptions{}, jwk}, nil, true, false},
+		{"fail-notBefore", p1, args{sub, iss, aud, iat.Add(5 * time.Minute), &SSHOptions{CertType: "user", Principals: []string{"name"}}, &SSHOptions{}, jwk}, nil, true, false},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@ -482,26 +511,17 @@ func TestJWK_AuthorizeSign_SSHOptions(t *testing.T) {
 				if tt.args.userSSHOpts != nil {
 					opts = *tt.args.userSSHOpts
 				}
-				if cert, err := signSSHCertificate(key.Public().Key, opts, got, signer.Key.(crypto.Signer)); (err != nil) != tt.wantSignErr {
+				cert, err := signSSHCertificate(key.Public().Key, opts, got, signer.Key.(crypto.Signer))
+				if (err != nil) != tt.wantSignErr {
 					t.Errorf("SignSSH error = %v, wantSignErr %v", err, tt.wantSignErr)
-				} else if !tt.wantSignErr && assert.NotNil(t, cert) {
-					assert.NotNil(t, cert.Signature)
-					assert.NotNil(t, cert.SignatureKey)
-					assert.Equals(t, tt.expected.certType, cert.CertType)
-					assert.Equals(t, tt.expected.principals, cert.ValidPrincipals)
-					assert.True(t, equalsUint64Delta(uint64(tt.expected.validAfter.Unix()), cert.ValidAfter, 60))
-					assert.True(t, equalsUint64Delta(uint64(tt.expected.validBefore.Unix()), cert.ValidBefore, 60))
-					if cert.CertType == ssh.UserCert {
-						assert.Len(t, 5, cert.Extensions)
+				} else {
+					if tt.wantSignErr {
+						assert.Nil(t, cert)
 					} else {
-						assert.Nil(t, cert.Extensions)
+						assert.NoError(t, validateSSHCertificate(cert, tt.expected))
 					}
 				}
 			}
 		})
 	}
 }
-
-func equalsUint64Delta(a, b uint64, delta uint64) bool {
-	return math.Abs(float64(a)-float64(b)) <= float64(delta)
-}
--- a/authority/provisioner/oidc_test.go
+++ b/authority/provisioner/oidc_test.go
@ -2,6 +2,7 @@ package provisioner

 import (
 	"context"
+	"crypto"
 	"crypto/x509"
 	"fmt"
 	"strings"
@ -297,6 +298,117 @@ func TestOIDC_AuthorizeSign(t *testing.T) {
 	}
 }

+func TestOIDC_AuthorizeSign_SSH(t *testing.T) {
+	tm, fn := mockNow()
+	defer fn()
+
+	srv := generateJWKServer(2)
+	defer srv.Close()
+
+	var keys jose.JSONWebKeySet
+	assert.FatalError(t, getAndDecode(srv.URL+"/private", &keys))
+
+	// Create test provisioners
+	p1, err := generateOIDC()
+	assert.FatalError(t, err)
+	p2, err := generateOIDC()
+	assert.FatalError(t, err)
+	p3, err := generateOIDC()
+	assert.FatalError(t, err)
+	// Admin + Domains
+	p3.Admins = []string{"name@smallstep.com", "root@example.com"}
+	p3.Domains = []string{"smallstep.com"}
+
+	// Update configuration endpoints and initialize
+	config := Config{Claims: globalProvisionerClaims}
+	p1.ConfigurationEndpoint = srv.URL + "/.well-known/openid-configuration"
+	p2.ConfigurationEndpoint = srv.URL + "/.well-known/openid-configuration"
+	p3.ConfigurationEndpoint = srv.URL + "/.well-known/openid-configuration"
+	assert.FatalError(t, p1.Init(config))
+	assert.FatalError(t, p2.Init(config))
+	assert.FatalError(t, p3.Init(config))
+
+	t1, err := generateSimpleToken("the-issuer", p1.ClientID, &keys.Keys[0])
+	assert.FatalError(t, err)
+	// Admin email not in domains
+	okAdmin, err := generateToken("subject", "the-issuer", p3.ClientID, "root@example.com", []string{}, time.Now(), &keys.Keys[0])
+	assert.FatalError(t, err)
+	// Invalid email
+	failEmail, err := generateToken("subject", "the-issuer", p3.ClientID, "", []string{}, time.Now(), &keys.Keys[0])
+	assert.FatalError(t, err)
+
+	key, err := generateJSONWebKey()
+	assert.FatalError(t, err)
+
+	signer, err := generateJSONWebKey()
+	assert.FatalError(t, err)
+
+	userDuration := p1.claimer.DefaultUserSSHCertDuration()
+	hostDuration := p1.claimer.DefaultHostSSHCertDuration()
+	expectedUserOptions := &SSHOptions{
+		CertType: "user", Principals: []string{"name"},
+		ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(userDuration)),
+	}
+	expectedAdminOptions := &SSHOptions{
+		CertType: "user", Principals: []string{"root"},
+		ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(userDuration)),
+	}
+	expectedHostOptions := &SSHOptions{
+		CertType: "host", Principals: []string{"smallstep.com"},
+		ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(hostDuration)),
+	}
+
+	type args struct {
+		token   string
+		sshOpts SSHOptions
+	}
+	tests := []struct {
+		name        string
+		prov        *OIDC
+		args        args
+		expected    *SSHOptions
+		wantErr     bool
+		wantSignErr bool
+	}{
+		{"ok", p1, args{t1, SSHOptions{}}, expectedUserOptions, false, false},
+		{"ok-user", p1, args{t1, SSHOptions{CertType: "user"}}, expectedUserOptions, false, false},
+		{"ok-principals", p1, args{t1, SSHOptions{Principals: []string{"name"}}}, expectedUserOptions, false, false},
+		{"ok-options", p1, args{t1, SSHOptions{CertType: "user", Principals: []string{"name"}}}, expectedUserOptions, false, false},
+		{"admin", p3, args{okAdmin, SSHOptions{}}, expectedAdminOptions, false, false},
+		{"admin-user", p3, args{okAdmin, SSHOptions{CertType: "user"}}, expectedAdminOptions, false, false},
+		{"admin-principals", p3, args{okAdmin, SSHOptions{Principals: []string{"root"}}}, expectedAdminOptions, false, false},
+		{"admin-options", p3, args{okAdmin, SSHOptions{CertType: "user", Principals: []string{"name"}}}, expectedUserOptions, false, false},
+		{"admin-host", p3, args{okAdmin, SSHOptions{CertType: "host", Principals: []string{"smallstep.com"}}}, expectedHostOptions, false, false},
+		{"fail-user-host", p1, args{t1, SSHOptions{CertType: "host"}}, nil, false, true},
+		{"fail-user-principals", p1, args{t1, SSHOptions{Principals: []string{"root"}}}, nil, false, true},
+		{"fail-email", p3, args{failEmail, SSHOptions{}}, nil, true, false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctx := NewContextWithMethod(context.Background(), SignSSHMethod)
+			got, err := tt.prov.AuthorizeSign(ctx, tt.args.token)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("OIDC.Authorize() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if err != nil {
+				assert.Nil(t, got)
+			} else if assert.NotNil(t, got) {
+				cert, err := signSSHCertificate(key.Public().Key, tt.args.sshOpts, got, signer.Key.(crypto.Signer))
+				if (err != nil) != tt.wantSignErr {
+					t.Errorf("SignSSH error = %v, wantSignErr %v", err, tt.wantSignErr)
+				} else {
+					if tt.wantSignErr {
+						assert.Nil(t, cert)
+					} else {
+						assert.NoError(t, validateSSHCertificate(cert, tt.expected))
+					}
+				}
+			}
+		})
+	}
+}
+
 func TestOIDC_AuthorizeRevoke(t *testing.T) {
 	srv := generateJWKServer(2)
 	defer srv.Close()
--- a/authority/provisioner/utils_test.go
+++ b/authority/provisioner/utils_test.go
@ -14,8 +14,6 @@ import (
 	"net/http/httptest"
 	"time"

-	"golang.org/x/crypto/ssh"
-
 	"github.com/pkg/errors"
 	"github.com/smallstep/cli/crypto/randutil"
 	"github.com/smallstep/cli/jose"
@ -732,85 +730,3 @@ func generateJWKServer(n int) *httptest.Server {
 	srv.Start()
 	return srv
 }
-
-func signSSHCertificate(key crypto.PublicKey, opts SSHOptions, signOpts []SignOption, signKey crypto.Signer) (*ssh.Certificate, error) {
-	pub, err := ssh.NewPublicKey(key)
-	if err != nil {
-		return nil, err
-	}
-
-	var mods []SSHCertificateModifier
-	var validators []SSHCertificateValidator
-
-	for _, op := range signOpts {
-		switch o := op.(type) {
-		// modify the ssh.Certificate
-		case SSHCertificateModifier:
-			mods = append(mods, o)
-		// modify the ssh.Certificate given the SSHOptions
-		case SSHCertificateOptionModifier:
-			mods = append(mods, o.Option(opts))
-		// validate the ssh.Certificate
-		case SSHCertificateValidator:
-			validators = append(validators, o)
-		// validate the given SSHOptions
-		case SSHCertificateOptionsValidator:
-			if err := o.Valid(opts); err != nil {
-				return nil, err
-			}
-		default:
-			return nil, errors.Errorf("signSSH: invalid extra option type %T", o)
-		}
-	}
-
-	// Build base certificate with the key and some random values
-	cert := &ssh.Certificate{
-		Nonce:  []byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 0},
-		Key:    pub,
-		Serial: 1234567890,
-	}
-
-	// Use opts to modify the certificate
-	if err := opts.Modify(cert); err != nil {
-		return nil, err
-	}
-
-	// Use provisioner modifiers
-	for _, m := range mods {
-		if err := m.Modify(cert); err != nil {
-			return nil, err
-		}
-	}
-
-	// Get signer from authority keys
-	var signer ssh.Signer
-	switch cert.CertType {
-	case ssh.UserCert:
-		signer, err = ssh.NewSignerFromSigner(signKey)
-	case ssh.HostCert:
-		signer, err = ssh.NewSignerFromSigner(signKey)
-	default:
-		return nil, errors.Errorf("unexpected ssh certificate type: %d", cert.CertType)
-	}
-	cert.SignatureKey = signer.PublicKey()
-
-	// Get bytes for signing trailing the signature length.
-	data := cert.Marshal()
-	data = data[:len(data)-4]
-
-	// Sign the certificate
-	sig, err := signer.Sign(rand.Reader, data)
-	if err != nil {
-		return nil, err
-	}
-	cert.Signature = sig
-
-	// User provisioners validators
-	for _, v := range validators {
-		if err := v.Valid(cert); err != nil {
-			return nil, err
-		}
-	}
-
-	return cert, nil
-}