server: Add /user/ca route

The _GET /user/ca_ operation returns the public key of the user CA.
This can be used by hosts to "bootstrap" their trusted signing keys for
user authentication.

src/server/mod.rs

@@ -44,6 +44,7 @@ pub fn make_app(config: Configuration) -> Router {
         .route("/host/sign", post(host::sign_host_cert))
         .route("/user/oidc-config", get(user::get_oidc_config))
         .route("/user/sign", post(user::sign_user_cert))
+        .route("/user/ca", get(user::get_ca_pubkey))
         .with_state(ctx)
 }
 

src/server/user.rs

@@ -22,8 +22,8 @@ use ssh_key::Algorithm;
 use tracing::{debug, error, info, trace, warn};
 
 use super::error::SignKeyError;
-use super::{AuthError, Context};
 use super::oidc;
+use super::{AuthError, Context};
 use crate::ca;
 
 /// Response type for GET /user/openid-config
@@ -219,6 +219,28 @@ pub(super) async fn sign_user_cert(
     Ok(cert.to_openssh().map_err(ca::CertError::from)?)
 }
 
+/// Get the public key of the user CA
+///
+/// Returns a string representation of the CA public key.  This can be
+/// used by hosts to find the current public key to trust for
+/// authenticating users.
+pub(super) async fn get_ca_pubkey(
+    State(ctx): State<super::State>,
+) -> Result<String, SignKeyError> {
+    let config = &ctx.config;
+    let privkey = ca::load_private_key(
+        &config.ca.user.private_key_file,
+        config.ca.user.private_key_passphrase_file.as_ref(),
+    )
+    .await
+    .map_err(SignKeyError::LoadPrivateKey)?;
+    let pubkey = privkey.public_key()
+        .to_openssh()
+        .map_err(ca::LoadKeyError::SshKey)
+        .map_err(SignKeyError::LoadPrivateKey)?;
+    Ok(format!("{}\n", pubkey))
+}
+
 /// Get OIDC provider metadata (possibly from cache)
 ///
 /// This function will return metadata for the configured OIDC identity