From 47a941fa56e79d687bdb686c94af7acf578137c3 Mon Sep 17 00:00:00 2001
From: Dave Russell
Date: Tue, 4 Mar 2025 17:01:08 +1100
Subject: [PATCH] parse: Allow use of the wildcard CA in Certificate section

OpenSSH allows the use of an empty CA, known as the wildcard CA in a certificate section. All subsections then apply for certs from any and all CAs.
---
 parse.go | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/parse.go b/parse.go
index 67fe8a6..82c68e2 100644
--- a/parse.go
+++ b/parse.go
@@ -118,11 +118,14 @@ func parseCertificateSection(in []byte) (*KRLCertificateSection, error) {
 if err := ssh.Unmarshal(in, &header); err != nil {
 return nil, fmt.Errorf("krl: while parsing certificate section header: %v", err)
 }
- ca, err := ssh.ParsePublicKey(header.CAKey)
- if err != nil {
- return nil, fmt.Errorf("krl: while parsing CA key: %v", err)
+ k := new(KRLCertificateSection)
+ if len(header.CAKey) > 0 {
+ ca, err := ssh.ParsePublicKey(header.CAKey)
+ if err != nil {
+ return nil, fmt.Errorf("krl: while parsing CA key: %v", err)
+ }
+ k.CA = ca
 }
- k := &KRLCertificateSection{CA: ca}
 in = header.Rest
 for len(in) > 0 {
 var section krlCertificateSection
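Review bot: After this change `k.CA` is nil for a wildcard section, but nothing in the hunk records that meaning, and every consumer of `KRLCertificateSection.CA` (the field is declared outside the hunk, as is the rest of parseCertificateSection, which continues past it) now has a nil to handle. The `if len(header.CAKey) > 0` branch deserves a comment such as `// An empty CAKey is OpenSSH's wildcard CA: the section applies to certs from any CA, so leave k.CA nil.`, and the `CA` field's doc comment should state the same contract. More importantly, any code that matches a certificate's signing key against `k.CA`, or that serializes the section back by calling a method on `k.CA`, must treat nil as "every CA" (per the commit message) rather than dereferencing it; if such code exists and has not been updated, a wildcard section would either panic or have its revocations silently skipped, which fails open for a revocation list. I cannot see those call sites from this hunk, so please confirm they were adjusted alongside this parser change.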