hrr_rb_ssh 0.1.9 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 895f28010a8eb2c1e18c12369fd4c10922ba5a69ef0527ce165c97529eae0739
-  data.tar.gz: c6a0669ea1e9561e007ae22259d111ce011589e383cc0ac73b7678d5668b14cc
+  metadata.gz: fa22df4a3d01a18e8f66b69b73f5b189233de3d4c755f1d371f15043c0202c8f
+  data.tar.gz: e426371cf62d6d6705915a58b5811774e984be1f55b1e2f11db5925d0f14d08f
 SHA512:
-  metadata.gz: 3e41e26012c69eab8dbc2324fd71cd1212ebb56d87b76a30b4c7e59a4eba8627301bcfc18a26d42b7742784034f8ffbcf9ed06ca770a4717e05b7aac47e7780c
-  data.tar.gz: efd75bcd9eb57930c867880010eb6ffc9cb307080f4478df3ffa6363cf46845be9f0aa13a273d1abc161cfab60250562ae8d87ab9db068f7afe6c76382244ed9
+  metadata.gz: 3e47080fab89ae9eafab849adf065dfa4a2f58f18f189aaef269d4b8d50729acad8d7d0c5306e462e583200878da878b84b4579a63788e8dd9859501102c1440
+  data.tar.gz: 974b64d45859b689e6965d98ab749375ed082f6bbc72bc1ee59c1c2e6a8e59ca8bf7e25ff1304a6e9eb415763457dc9678447e363300d3106c63a84a7a9bbd03

data/.travis.yml

@@ -10,8 +10,18 @@ rvm:
   - 2.3
   - 2.4
   - 2.5
-before_install: gem install bundler -v 1.16.1
-install: bundle install --path vendor/bundle
+  - ruby-head
+os:
+  - linux
+matrix:
+  allow_failures:
+    - rvm: ruby-head
+before_install:
+  - gem update --system --no-document
+  - gem update --no-document
+install:
+  - gem install bundler --no-document
+  - bundle install --path vendor/bundle
 before_script:
   - curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
   - chmod +x ./cc-test-reporter

data/README.md

@@ -72,13 +72,18 @@ The library is to run on a socket IO. To start SSH server, running a server IO a
 ```ruby
 options = Hash.new
 server = TCPServer.new 10022
-while true
-  t = Thread.new(server.accept) do |io|
-    tran = HrrRbSsh::Transport.new      io, HrrRbSsh::Transport::Mode::SERVER, options
-    auth = HrrRbSsh::Authentication.new tran, options
-    conn = HrrRbSsh::Connection.new     auth, options
-    conn.start
+loop do
+  Thread.new(server.accept) do |io|
+    pid = fork do
+      begin
+        server = HrrRbSsh::Server.new io, options
+        server.start
+      ensure
+        io.close
+      end
+    end
     io.close
+    Process.waitpid pid
   end
 end
 ```
@@ -216,7 +221,6 @@ It is also possible to define customized request handlers. For instance, echo se
 
 ```ruby
 conn_echo = HrrRbSsh::Connection::RequestHandler.new { |context|
-  context.io[2].close
   context.chain_proc { |chain|
     begin
       loop do
@@ -228,8 +232,6 @@ conn_echo = HrrRbSsh::Connection::RequestHandler.new { |context|
     rescue => e
       logger.error([e.backtrace[0], ": ", e.message, " (", e.class.to_s, ")\n\t", e.backtrace[1..-1].join("\n\t")].join)
       exitstatus = 1
-    ensure
-      context.io[1].close
     end
     exitstatus
   }

data/demo/echo_server.rb

@@ -4,60 +4,68 @@
 require 'logger'
 require 'socket'
 
-begin
-  require 'hrr_rb_ssh'
-rescue LoadError
-  $:.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
-  require 'hrr_rb_ssh'
-end
-
-
-logger = Logger.new STDOUT
-logger.level = Logger::INFO
-HrrRbSsh::Logger.initialize logger
+def start_service io, logger=nil
+  begin
+    require 'hrr_rb_ssh'
+  rescue LoadError
+    $:.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+    require 'hrr_rb_ssh'
+  end
 
+  HrrRbSsh::Logger.initialize logger if logger
 
-auth_password = HrrRbSsh::Authentication::Authenticator.new { |context|
-  true # accept any user and password
-}
+  auth_password = HrrRbSsh::Authentication::Authenticator.new { |context|
+    true # accept any user and password
+  }
 
-conn_echo = HrrRbSsh::Connection::RequestHandler.new { |context|
-  context.io[2].close
-  context.chain_proc { |chain|
-    begin
-      loop do
-        buf = context.io[0].readpartial(10240)
-        break if buf.include?(0x04.chr) # break if ^D
-        context.io[1].write buf
+  conn_echo = HrrRbSsh::Connection::RequestHandler.new { |context|
+    context.chain_proc { |chain|
+      begin
+        loop do
+          buf = context.io[0].readpartial(10240)
+          break if buf.include?(0x04.chr) # break if ^D
+          context.io[1].write buf
+        end
+        exitstatus = 0
+      rescue => e
+        logger.error([e.backtrace[0], ": ", e.message, " (", e.class.to_s, ")\n\t", e.backtrace[1..-1].join("\n\t")].join)
+        exitstatus = 1
       end
-      exitstatus = 0
-    rescue => e
-      logger.error([e.backtrace[0], ": ", e.message, " (", e.class.to_s, ")\n\t", e.backtrace[1..-1].join("\n\t")].join)
-      exitstatus = 1
-    ensure
-      context.io[1].close
-    end
-    exitstatus
+      exitstatus
+    }
   }
-}
 
-options = {}
-options['authentication_password_authenticator'] = auth_password
-options['connection_channel_request_shell']      = conn_echo
+  options = {}
+  options['authentication_password_authenticator'] = auth_password
+  options['connection_channel_request_shell']      = conn_echo
+
+  server = HrrRbSsh::Server.new io, options
+  server.start
+end
 
+logger = Logger.new STDOUT
+logger.level = Logger::INFO
 
 server = TCPServer.new 10022
-while true
-  t = Thread.new(server.accept) do |io|
+loop do
+  Thread.new(server.accept) do |io|
     begin
-      tran = HrrRbSsh::Transport.new      io, HrrRbSsh::Transport::Mode::SERVER
-      auth = HrrRbSsh::Authentication.new tran, options
-      conn = HrrRbSsh::Connection.new     auth, options
-      conn.start
+      pid = fork do
+        begin
+          start_service io, logger
+        rescue => e
+          logger.error { [e.backtrace[0], ": ", e.message, " (", e.class.to_s, ")\n\t", e.backtrace[1..-1].join("\n\t")].join }
+          exit false
+        end
+      end
+      logger.info { "process #{pid} started" }
+      io.close rescue nil
+      pid, status = Process.waitpid2 pid
     rescue => e
-      logger.error([e.backtrace[0], ": ", e.message, " (", e.class.to_s, ")\n\t", e.backtrace[1..-1].join("\n\t")].join)
+      logger.error { [e.backtrace[0], ": ", e.message, " (", e.class.to_s, ")\n\t", e.backtrace[1..-1].join("\n\t")].join }
     ensure
-      io.close
+      status ||= nil
+      logger.info { "process #{pid} finished with status #{status.inspect}" }
     end
   end
 end

data/demo/server.rb

@@ -1,89 +1,108 @@
 # coding: utf-8
 # vim: et ts=2 sw=2
 
-require 'etc'
 require 'logger'
 require 'socket'
 
-begin
-  require 'hrr_rb_ssh'
-rescue LoadError
-  $:.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
-  require 'hrr_rb_ssh'
-end
 
+def start_service io, logger=nil
+  require 'etc'
 
-logger = Logger.new STDOUT
-logger.level = Logger::INFO
-HrrRbSsh::Logger.initialize logger
-
-
-tran_preferred_encryption_algorithms      = %w(aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc blowfish-cbc cast128-cbc aes192-cbc aes256-cbc arcfour)
-tran_preferred_server_host_key_algorithms = %w(ecdsa-sha2-nistp521 ecdsa-sha2-nistp384 ecdsa-sha2-nistp256 ssh-rsa ssh-dss)
-tran_preferred_kex_algorithms             = %w(ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 diffie-hellman-group14-sha1 diffie-hellman-group1-sha1)
-tran_preferred_mac_algorithms             = %w(hmac-sha2-512 hmac-sha2-256 hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96)
-tran_preferred_compression_algorithms     = %w(none zlib)
-
-auth_none = HrrRbSsh::Authentication::Authenticator.new { |context|
-  false
-}
-auth_publickey = HrrRbSsh::Authentication::Authenticator.new { |context|
-  users = ['user1', 'user2']
-  users.any?{ |username|
-    passwd = Etc.getpwnam(username)
-    homedir = passwd.dir
-    authorized_keys = HrrRbSsh::Compat::OpenSSH::AuthorizedKeys.new(File.read(File.join(homedir, '.ssh', 'authorized_keys')))
-    authorized_keys.any?{ |public_key|
-      context.verify username, public_key.algorithm_name, public_key.to_pem
+  begin
+    require 'hrr_rb_ssh'
+  rescue LoadError
+    $:.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+    require 'hrr_rb_ssh'
+  end
+
+  HrrRbSsh::Logger.initialize logger if logger
+
+  tran_preferred_encryption_algorithms      = %w(aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc blowfish-cbc cast128-cbc aes192-cbc aes256-cbc arcfour)
+  tran_preferred_server_host_key_algorithms = %w(ecdsa-sha2-nistp521 ecdsa-sha2-nistp384 ecdsa-sha2-nistp256 ssh-rsa ssh-dss)
+  tran_preferred_kex_algorithms             = %w(ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 diffie-hellman-group14-sha1 diffie-hellman-group1-sha1)
+  tran_preferred_mac_algorithms             = %w(hmac-sha2-512 hmac-sha2-256 hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96)
+  tran_preferred_compression_algorithms     = %w(none zlib)
+
+  auth_none = HrrRbSsh::Authentication::Authenticator.new { |context|
+    false
+  }
+  auth_publickey = HrrRbSsh::Authentication::Authenticator.new { |context|
+    users = ['user1', 'user2']
+    users.any?{ |username|
+      passwd = Etc.getpwnam(username)
+      homedir = passwd.dir
+      authorized_keys = HrrRbSsh::Compat::OpenSSH::AuthorizedKeys.new(File.read(File.join(homedir, '.ssh', 'authorized_keys')))
+      authorized_keys.any?{ |public_key|
+        context.verify username, public_key.algorithm_name, public_key.to_pem
+      }
     }
   }
-}
-auth_password = HrrRbSsh::Authentication::Authenticator.new { |context|
-  user_and_pass = [
-    ['user1',  'password1'],
-    ['user2',  'password2'],
-  ]
-  user_and_pass.any? { |user, pass|
-    context.verify user, pass
+  auth_password = HrrRbSsh::Authentication::Authenticator.new { |context|
+    user_and_pass = [
+      ['user1',  'password1'],
+      ['user2',  'password2'],
+    ]
+    user_and_pass.any? { |user, pass|
+      context.verify user, pass
+    }
   }
-}
 
 
-options = {}
+  options = {}
 
-options['transport_preferred_encryption_algorithms']      = tran_preferred_encryption_algorithms
-options['transport_preferred_server_host_key_algorithms'] = tran_preferred_server_host_key_algorithms
-options['transport_preferred_kex_algorithms']             = tran_preferred_kex_algorithms
-options['transport_preferred_mac_algorithms']             = tran_preferred_mac_algorithms
-options['transport_preferred_compression_algorithms']     = tran_preferred_compression_algorithms
+  options['transport_preferred_encryption_algorithms']      = tran_preferred_encryption_algorithms
+  options['transport_preferred_server_host_key_algorithms'] = tran_preferred_server_host_key_algorithms
+  options['transport_preferred_kex_algorithms']             = tran_preferred_kex_algorithms
+  options['transport_preferred_mac_algorithms']             = tran_preferred_mac_algorithms
+  options['transport_preferred_compression_algorithms']     = tran_preferred_compression_algorithms
 
-options['transport_server_secret_host_keys'] = {}
-options['transport_server_secret_host_keys']['ecdsa-sha2-nistp256'] = <<-'EOB'
+  options['transport_server_secret_host_keys'] = {}
+  options['transport_server_secret_host_keys']['ecdsa-sha2-nistp256'] = <<-'EOB'
 -----BEGIN EC PRIVATE KEY-----
 MHcCAQEEIFFtGZHk6A8anZkLCJan9YBlB63uCIN/ZcQNCaJout8loAoGCCqGSM49
 AwEHoUQDQgAEk8m548Xga+XGEmRx7P71xGlxCfgjPj3XVOw+fXPXRgA03a5yDJEp
 OfeosJOO9twerD7pPhmXREkygblPsEXaVA==
 -----END EC PRIVATE KEY-----
-EOB
+  EOB
 
-options['authentication_none_authenticator']      = auth_none
-options['authentication_publickey_authenticator'] = auth_publickey
-options['authentication_password_authenticator']  = auth_password
+  options['authentication_none_authenticator']      = auth_none
+  options['authentication_publickey_authenticator'] = auth_publickey
+  options['authentication_password_authenticator']  = auth_password
 
-options['connection_channel_request_pty_req']       = HrrRbSsh::Connection::RequestHandler::ReferencePtyReqRequestHandler.new
-options['connection_channel_request_env']           = HrrRbSsh::Connection::RequestHandler::ReferenceEnvRequestHandler.new
-options['connection_channel_request_shell']         = HrrRbSsh::Connection::RequestHandler::ReferenceShellRequestHandler.new
-options['connection_channel_request_exec']          = HrrRbSsh::Connection::RequestHandler::ReferenceExecRequestHandler.new
-options['connection_channel_request_window_change'] = HrrRbSsh::Connection::RequestHandler::ReferenceWindowChangeRequestHandler.new
+  options['connection_channel_request_pty_req']       = HrrRbSsh::Connection::RequestHandler::ReferencePtyReqRequestHandler.new
+  options['connection_channel_request_env']           = HrrRbSsh::Connection::RequestHandler::ReferenceEnvRequestHandler.new
+  options['connection_channel_request_shell']         = HrrRbSsh::Connection::RequestHandler::ReferenceShellRequestHandler.new
+  options['connection_channel_request_exec']          = HrrRbSsh::Connection::RequestHandler::ReferenceExecRequestHandler.new
+  options['connection_channel_request_window_change'] = HrrRbSsh::Connection::RequestHandler::ReferenceWindowChangeRequestHandler.new
+
+  server = HrrRbSsh::Server.new io, options
+  server.start
+end
 
 
+logger = Logger.new STDOUT
+logger.level = Logger::INFO
+
 server = TCPServer.new 10022
-while true
-  t = Thread.new(server.accept) do |io|
-    tran = HrrRbSsh::Transport.new      io, HrrRbSsh::Transport::Mode::SERVER, options
-    auth = HrrRbSsh::Authentication.new tran, options
-    conn = HrrRbSsh::Connection.new     auth, options
-    conn.start
-    io.close
+loop do
+  Thread.new(server.accept) do |io|
+    begin
+      pid = fork do
+        begin
+          start_service io, logger
+        rescue => e
+          logger.error { [e.backtrace[0], ": ", e.message, " (", e.class.to_s, ")\n\t", e.backtrace[1..-1].join("\n\t")].join }
+          exit false
+        end
+      end
+      logger.info { "process #{pid} started" }
+      io.close rescue nil
+      pid, status = Process.waitpid2 pid
+    rescue => e
+      logger.error { [e.backtrace[0], ": ", e.message, " (", e.class.to_s, ")\n\t", e.backtrace[1..-1].join("\n\t")].join }
+    ensure
+      status ||= nil
+      logger.info { "process #{pid} finished with status #{status.inspect}" }
+    end
   end
 end

data/demo/subsystem_echo_server.rb

@@ -4,69 +4,76 @@
 require 'logger'
 require 'socket'
 
-begin
-  require 'hrr_rb_ssh'
-rescue LoadError
-  $:.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
-  require 'hrr_rb_ssh'
-end
-
-
-logger = Logger.new STDOUT
-logger.level = Logger::INFO
-HrrRbSsh::Logger.initialize logger
+def start_service io, logger=nil
+  begin
+    require 'hrr_rb_ssh'
+  rescue LoadError
+    $:.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+    require 'hrr_rb_ssh'
+  end
 
+  HrrRbSsh::Logger.initialize logger if logger
 
-auth_password = HrrRbSsh::Authentication::Authenticator.new { |context|
-  true # accept any user and password
-}
+  auth_password = HrrRbSsh::Authentication::Authenticator.new { |context|
+    true # accept any user and password
+  }
 
-conn_echo = HrrRbSsh::Connection::RequestHandler.new { |context|
-  context.io[2].close
-  context.chain_proc { |chain|
-    case context.subsystem_name
-    when 'echo'
-      begin
-        loop do
-          begin
-            buf = context.io[0].readpartial(10240)
-          rescue EOFError
-            break
+  conn_echo = HrrRbSsh::Connection::RequestHandler.new { |context|
+    context.chain_proc { |chain|
+      case context.subsystem_name
+      when 'echo'
+        begin
+          loop do
+            begin
+              buf = context.io[0].readpartial(10240)
+            rescue EOFError
+              break
+            end
+            context.io[1].write buf
           end
-          context.io[1].write buf
+          exitstatus = 0
+        rescue => e
+          logger.error([e.backtrace[0], ": ", e.message, " (", e.class.to_s, ")\n\t", e.backtrace[1..-1].join("\n\t")].join)
+          exitstatus = 1
         end
+      else
         exitstatus = 0
-      rescue => e
-        logger.error([e.backtrace[0], ": ", e.message, " (", e.class.to_s, ")\n\t", e.backtrace[1..-1].join("\n\t")].join)
-        exitstatus = 1
-      ensure
-        context.io[1].close
       end
-    else
-      context.io[1].close
-      exitstatus = 0
-    end
-    exitstatus
+      exitstatus
+    }
   }
-}
 
-options = {}
-options['authentication_password_authenticator'] = auth_password
-options['connection_channel_request_subsystem']  = conn_echo
+  options = {}
+  options['authentication_password_authenticator'] = auth_password
+  options['connection_channel_request_subsystem']  = conn_echo
 
+  server = HrrRbSsh::Server.new io, options
+  server.start
+end
+
+logger = Logger.new STDOUT
+logger.level = Logger::INFO
 
 server = TCPServer.new 10022
 while true
-  t = Thread.new(server.accept) do |io|
+  Thread.new(server.accept) do |io|
     begin
-      tran = HrrRbSsh::Transport.new      io, HrrRbSsh::Transport::Mode::SERVER
-      auth = HrrRbSsh::Authentication.new tran, options
-      conn = HrrRbSsh::Connection.new     auth, options
-      conn.start
+      pid = fork do
+        begin
+          start_service io, logger
+        rescue => e
+          logger.error { [e.backtrace[0], ": ", e.message, " (", e.class.to_s, ")\n\t", e.backtrace[1..-1].join("\n\t")].join }
+          exit false
+        end
+      end
+      logger.info { "process #{pid} started" }
+      io.close rescue nil
+      pid, status = Process.waitpid2 pid
     rescue => e
-      logger.error([e.backtrace[0], ": ", e.message, " (", e.class.to_s, ")\n\t", e.backtrace[1..-1].join("\n\t")].join)
+      logger.error { [e.backtrace[0], ": ", e.message, " (", e.class.to_s, ")\n\t", e.backtrace[1..-1].join("\n\t")].join }
     ensure
-      io.close
+      status ||= nil
+      logger.info { "process #{pid} finished with status #{status.inspect}" }
     end
   end
 end

data/lib/hrr_rb_ssh/{transport/server_host_key_algorithm/ecdsa_sha2_nistp521 → algorithm/publickey/ecdsa_sha2}/ecdsa_signature_blob.rb

@@ -5,9 +5,9 @@ require 'hrr_rb_ssh/data_type'
 require 'hrr_rb_ssh/codable'
 
 module HrrRbSsh
-  class Transport
-    class ServerHostKeyAlgorithm
-      class EcdsaSha2Nistp521
+  module Algorithm
+    class Publickey
+      module EcdsaSha2
         module EcdsaSignatureBlob
           class << self
             include Codable

data/lib/hrr_rb_ssh/{transport/server_host_key_algorithm/ecdsa_sha2_nistp256 → algorithm/publickey/ecdsa_sha2}/public_key_blob.rb

@@ -5,16 +5,16 @@ require 'hrr_rb_ssh/data_type'
 require 'hrr_rb_ssh/codable'
 
 module HrrRbSsh
-  class Transport
-    class ServerHostKeyAlgorithm
-      class EcdsaSha2Nistp256
+  module Algorithm
+    class Publickey
+      module EcdsaSha2
         module PublicKeyBlob
           class << self
             include Codable
           end
           DEFINITION = [
-            [DataType::String, :'ecdsa-sha2-[identifier]'],
-            [DataType::String, :'[identifier]'],
+            [DataType::String, :'public key algorithm name'],
+            [DataType::String, :'identifier'],
             [DataType::String, :'Q'],
           ]
         end
@@ -22,4 +22,3 @@ module HrrRbSsh
     end
   end
 end
-

data/lib/hrr_rb_ssh/{transport/server_host_key_algorithm/ecdsa_sha2_nistp256 → algorithm/publickey/ecdsa_sha2}/signature.rb

@@ -5,16 +5,16 @@ require 'hrr_rb_ssh/data_type'
 require 'hrr_rb_ssh/codable'
 
 module HrrRbSsh
-  class Transport
-    class ServerHostKeyAlgorithm
-      class EcdsaSha2Nistp256
+  module Algorithm
+    class Publickey
+      module EcdsaSha2
         module Signature
           class << self
             include Codable
           end
           DEFINITION = [
-            [DataType::String, :'ecdsa-sha2-[identifier]'],
-            [DataType::String, :'ecdsa_signature_blob'],
+            [DataType::String, :'public key algorithm name'],
+            [DataType::String, :'ecdsa signature blob'],
           ]
         end
       end

data/lib/hrr_rb_ssh/algorithm/publickey/ecdsa_sha2.rb

@@ -0,0 +1,85 @@
+# coding: utf-8
+# vim: et ts=2 sw=2
+
+require 'hrr_rb_ssh/logger'
+require 'hrr_rb_ssh/data_type'
+
+module HrrRbSsh
+  module Algorithm
+    class Publickey
+      module EcdsaSha2
+        def initialize arg
+          begin
+            new_by_key_str arg
+          rescue OpenSSL::PKey::ECError
+            new_by_public_key_blob arg
+          end
+        end
+
+        def new_by_key_str key_str
+          @publickey = OpenSSL::PKey::EC.new(key_str.delete(0.chr))
+        end
+
+        def new_by_public_key_blob public_key_blob
+          public_key_blob_h = PublicKeyBlob.decode(public_key_blob)
+          @publickey = OpenSSL::PKey::EC.new(self.class::CURVE_NAME)
+          @publickey.public_key = OpenSSL::PKey::EC::Point.new(@publickey.group, OpenSSL::BN.new(public_key_blob_h[:'Q'], 2))
+        end
+
+        def to_pem
+          @publickey.to_pem
+        end
+
+        def to_public_key_blob
+          public_key_blob_h = {
+            :'public key algorithm name' => self.class::NAME,
+            :'identifier'                => self.class::IDENTIFIER,
+            :'Q'                         => @publickey.public_key.to_bn.to_s(2)
+          }
+          PublicKeyBlob.encode(public_key_blob_h)
+        end
+
+        def ecdsa_signature_blob signature_blob
+          hash = OpenSSL::Digest.digest(self.class::DIGEST, signature_blob)
+          sign_der = @publickey.dsa_sign_asn1(hash)
+          sign_asn1 = OpenSSL::ASN1.decode(sign_der)
+          r = sign_asn1.value[0].value.to_i
+          s = sign_asn1.value[1].value.to_i
+          ecdsa_signature_blob_h = {
+            :'r' => r,
+            :'s' => s,
+          }
+          EcdsaSignatureBlob.encode ecdsa_signature_blob_h
+        end
+
+        def sign signature_blob
+          signature_h = {
+            :'public key algorithm name' => self.class::NAME,
+            :'ecdsa signature blob'      => ecdsa_signature_blob(signature_blob),
+          }
+          Signature.encode signature_h
+        end
+
+        def verify signature, signature_blob
+          signature_h = Signature.decode signature
+          ecdsa_signature_blob_h = EcdsaSignatureBlob.decode signature_h[:'ecdsa signature blob']
+          r = ecdsa_signature_blob_h[:'r']
+          s = ecdsa_signature_blob_h[:'s']
+          sign_asn1 = OpenSSL::ASN1::Sequence.new(
+            [
+              OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(r)),
+              OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(s)),
+            ]
+          )
+          sign_der = sign_asn1.to_der
+          hash = OpenSSL::Digest.digest(self.class::DIGEST, signature_blob)
+          signature_h[:'public key algorithm name'] == self.class::NAME && @publickey.dsa_verify_asn1(hash, sign_der)
+        end
+      end
+    end
+  end
+end
+
+require 'hrr_rb_ssh/algorithm/publickey/ecdsa_sha2/public_key_blob'
+require 'hrr_rb_ssh/algorithm/publickey/ecdsa_sha2/signature'
+require 'hrr_rb_ssh/algorithm/publickey/ecdsa_sha2/ecdsa_signature_blob'

data/lib/hrr_rb_ssh/algorithm/publickey/ecdsa_sha2_nistp256.rb

@@ -0,0 +1,19 @@
+# coding: utf-8
+# vim: et ts=2 sw=2
+
+require 'hrr_rb_ssh/algorithm/publickey/ecdsa_sha2'
+
+module HrrRbSsh
+  module Algorithm
+    class Publickey
+      class EcdsaSha2Nistp256 < Publickey
+        NAME = 'ecdsa-sha2-nistp256'
+        DIGEST = 'sha256'
+        IDENTIFIER = 'nistp256'
+        CURVE_NAME = 'prime256v1'
+
+        include EcdsaSha2
+      end
+    end
+  end
+end