net-ssh 2.7.0 → 7.3.0

data/lib/net/ssh/key_factory.rb

@@ -1,120 +1,218 @@
 require 'net/ssh/transport/openssl'
 require 'net/ssh/prompt'
 
-module Net; module SSH
-
-  # A factory class for returning new Key classes. It is used for obtaining
-  # OpenSSL key instances via their SSH names, and for loading both public and
-  # private keys. It used used primarily by Net::SSH itself, internally, and
-  # will rarely (if ever) be directly used by consumers of the library.
-  #
-  #   klass = Net::SSH::KeyFactory.get("rsa")
-  #   assert klass.is_a?(OpenSSL::PKey::RSA)
-  #
-  #   key = Net::SSH::KeyFactory.load_public_key("~/.ssh/id_dsa.pub")
-  class KeyFactory
-    # Specifies the mapping of SSH names to OpenSSL key classes.
-    MAP = {
-      "dh"  => OpenSSL::PKey::DH,
-      "rsa" => OpenSSL::PKey::RSA,
-      "dsa" => OpenSSL::PKey::DSA,
-    }
-    if defined?(OpenSSL::PKey::EC)
-      MAP["ecdsa"] = OpenSSL::PKey::EC
-    end
+require 'net/ssh/authentication/ed25519_loader'
 
-    class <<self
-      include Prompt
+module Net
+  module SSH
+    # A factory class for returning new Key classes. It is used for obtaining
+    # OpenSSL key instances via their SSH names, and for loading both public and
+    # private keys. It used used primarily by Net::SSH itself, internally, and
+    # will rarely (if ever) be directly used by consumers of the library.
+    #
+    #   klass = Net::SSH::KeyFactory.get("rsa")
+    #   assert klass.is_a?(OpenSSL::PKey::RSA)
+    #
+    #   key = Net::SSH::KeyFactory.load_public_key("~/.ssh/id_dsa.pub")
+    class KeyFactory
+      # Specifies the mapping of SSH names to OpenSSL key classes.
+      MAP = {
+        'dh' => OpenSSL::PKey::DH,
+        'rsa' => OpenSSL::PKey::RSA,
+        'dsa' => OpenSSL::PKey::DSA,
+        'ecdsa' => OpenSSL::PKey::EC
+      }
+      MAP["ed25519"] = Net::SSH::Authentication::ED25519::PrivKey if defined? Net::SSH::Authentication::ED25519
 
-      # Fetch an OpenSSL key instance by its SSH name. It will be a new,
-      # empty key of the given type.
-      def get(name)
-        MAP.fetch(name).new
-      end
+      class << self
+        # Fetch an OpenSSL key instance by its SSH name. It will be a new,
+        # empty key of the given type.
+        def get(name)
+          MAP.fetch(name).new
+        end
 
-      # Loads a private key from a file. It will correctly determine
-      # whether the file describes an RSA or DSA key, and will load it
-      # appropriately. The new key is returned. If the key itself is
-      # encrypted (requiring a passphrase to use), the user will be
-      # prompted to enter their password unless passphrase works. 
-      def load_private_key(filename, passphrase=nil, ask_passphrase=true)
-        data = File.read(File.expand_path(filename))
-        load_data_private_key(data, passphrase, ask_passphrase, filename)
-      end
+        # Loads a private key from a file. It will correctly determine
+        # whether the file describes an RSA or DSA key, and will load it
+        # appropriately. The new key is returned. If the key itself is
+        # encrypted (requiring a passphrase to use), the user will be
+        # prompted to enter their password unless passphrase works.
+        def load_private_key(filename, passphrase = nil, ask_passphrase = true, prompt = Prompt.default)
+          data = File.read(File.expand_path(filename))
+          load_data_private_key(data, passphrase, ask_passphrase, filename, prompt)
+        end
 
-      # Loads a private key. It will correctly determine
-      # whether the file describes an RSA or DSA key, and will load it
-      # appropriately. The new key is returned. If the key itself is
-      # encrypted (requiring a passphrase to use), the user will be
-      # prompted to enter their password unless passphrase works. 
-      def load_data_private_key(data, passphrase=nil, ask_passphrase=true, filename="")
-        if OpenSSL::PKey.respond_to?(:read)
-          pkey_read = true
-          error_class = ArgumentError
-        else
-          pkey_read = false
-          if data.match(/-----BEGIN DSA PRIVATE KEY-----/)
-            key_type = OpenSSL::PKey::DSA
-            error_class = OpenSSL::PKey::DSAError
-          elsif data.match(/-----BEGIN RSA PRIVATE KEY-----/)
-            key_type = OpenSSL::PKey::RSA
-            error_class = OpenSSL::PKey::RSAError
-          elsif data.match(/-----BEGIN EC PRIVATE KEY-----/) && defined?(OpenSSL::PKey::EC)
-            key_type = OpenSSL::PKey::EC
-            error_class = OpenSSL::PKey::ECError
-          elsif data.match(/-----BEGIN (.+) PRIVATE KEY-----/)
-            raise OpenSSL::PKey::PKeyError, "not a supported key type '#{$1}'"
-          else
-            raise OpenSSL::PKey::PKeyError, "not a private key (#{filename})"
+        # Loads a private key. It will correctly determine
+        # whether the file describes an RSA or DSA key, and will load it
+        # appropriately. The new key is returned. If the key itself is
+        # encrypted (requiring a passphrase to use), the user will be
+        # prompted to enter their password unless passphrase works.
+        def load_data_private_key(data, passphrase = nil, ask_passphrase = true, filename = "", prompt = Prompt.default)
+          key_type = classify_key(data, filename)
+
+          encrypted_key = nil
+          tries = 0
+
+          prompter = nil
+          result =
+            begin
+              key_type.read(data, passphrase || 'invalid')
+            rescue *key_type.error_classes => e
+              encrypted_key = !!key_type.encrypted_key?(data, e) if encrypted_key.nil?
+              if encrypted_key && ask_passphrase
+                tries += 1
+                if tries <= 3
+                  prompter ||= prompt.start(type: 'private_key', filename: filename, sha: Digest::SHA256.digest(data))
+                  passphrase = prompter.ask("Enter passphrase for #{filename}:", false)
+                  retry
+                else
+                  raise
+                end
+              else
+                raise
+              end
+            end
+          prompter.success if prompter
+          result
+        end
+
+        # Loads a public key from a file. It will correctly determine whether
+        # the file describes an RSA or DSA key, and will load it
+        # appropriately. The new public key is returned.
+        def load_public_key(filename)
+          data = File.read(File.expand_path(filename))
+          load_data_public_key(data, filename)
+        end
+
+        # Loads a public key. It will correctly determine whether
+        # the file describes an RSA or DSA key, and will load it
+        # appropriately. The new public key is returned.
+        def load_data_public_key(data, filename = "")
+          fields = data.split(/ /)
+
+          blob = nil
+          begin
+            blob = fields.shift
+          end while !blob.nil? && !/^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp\d+)(-cert-v01@openssh\.com)?$/.match(blob)
+          blob = fields.shift
+
+          raise Net::SSH::Exception, "public key at #{filename} is not valid" if blob.nil?
+
+          blob = blob.unpack("m*").first
+          reader = Net::SSH::Buffer.new(blob)
+          reader.read_key or raise OpenSSL::PKey::PKeyError, "not a public key #{filename.inspect}"
+        end
+
+        private
+
+        # rubocop:disable Style/Documentation, Lint/DuplicateMethods
+        class KeyType
+          def self.read(key_data, passphrase)
+            raise Exception, "TODO subclasses should implement read"
+          end
+
+          def self.error_classes
+            raise Exception, "TODO subclasses should implement read"
+          end
+
+          def self.encrypted_key?(data, error)
+            raise Exception, "TODO subclasses should implement is_encrypted_key"
           end
         end
 
-        encrypted_key = data.match(/ENCRYPTED/)
-        tries = 0
+        class OpenSSHPrivateKeyType < KeyType
+          def self.read(key_data, passphrase)
+            Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader.read(key_data, passphrase)
+          end
 
-        begin
-          if pkey_read
-            return OpenSSL::PKey.read(data, passphrase || 'invalid')
-          else
-            return key_type.new(data, passphrase || 'invalid')
-          end
-        rescue error_class
-          if encrypted_key && ask_passphrase
-            tries += 1
-            if tries <= 3
-              passphrase = prompt("Enter passphrase for #{filename}:", false)
-              retry
-            else
-              raise
-            end
-          else
-            raise
+          def self.error_classes
+            [Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader::DecryptError]
+          end
+
+          def self.encrypted_key?(key_data, decode_error)
+            decode_error.is_a?(Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader::DecryptError) && decode_error.encrypted_key?
           end
         end
-      end
 
-      # Loads a public key from a file. It will correctly determine whether
-      # the file describes an RSA or DSA key, and will load it
-      # appropriately. The new public key is returned.
-      def load_public_key(filename)
-        data = File.read(File.expand_path(filename))
-        load_data_public_key(data, filename)
-      end
+        class OpenSSLKeyTypeBase < KeyType
+          def self.open_ssl_class
+            raise Exception, "TODO: subclasses should implement"
+          end
+
+          def self.read(key_data, passphrase)
+            open_ssl_class.new(key_data, passphrase)
+          end
+
+          def self.encrypted_key?(key_data, error)
+            key_data.match(/ENCRYPTED/)
+          end
+        end
+
+        class OpenSSLPKeyType < OpenSSLKeyTypeBase
+          def self.read(key_data, passphrase)
+            open_ssl_class.read(key_data, passphrase)
+          end
+
+          def self.open_ssl_class
+            OpenSSL::PKey
+          end
 
-      # Loads a public key. It will correctly determine whether
-      # the file describes an RSA or DSA key, and will load it
-      # appropriately. The new public key is returned.
-      def load_data_public_key(data, filename="")
-        _, blob = data.split(/ /)
+          def self.error_classes
+            [ArgumentError, OpenSSL::PKey::PKeyError]
+          end
+        end
+
+        class OpenSSLDSAKeyType < OpenSSLKeyTypeBase
+          def self.open_ssl_class
+            OpenSSL::PKey::DSA
+          end
 
-        raise Net::SSH::Exception, "public key at #{filename} is not valid" if blob.nil?
+          def self.error_classes
+            [OpenSSL::PKey::DSAError]
+          end
+        end
+
+        class OpenSSLRSAKeyType < OpenSSLKeyTypeBase
+          def self.open_ssl_class
+            OpenSSL::PKey::RSA
+          end
 
-        blob = blob.unpack("m*").first
-        reader = Net::SSH::Buffer.new(blob)
-        reader.read_key or raise OpenSSL::PKey::PKeyError, "not a public key #{filename.inspect}"
+          def self.error_classes
+            [OpenSSL::PKey::RSAError]
+          end
+        end
+
+        class OpenSSLECKeyType < OpenSSLKeyTypeBase
+          def self.open_ssl_class
+            OpenSSL::PKey::EC
+          end
+
+          def self.error_classes
+            [OpenSSL::PKey::ECError]
+          end
+        end
+        # rubocop:enable Style/Documentation, Lint/DuplicateMethods
+
+        # Determine whether the file describes an RSA or DSA key, and return how load it
+        # appropriately.
+        def classify_key(data, filename)
+          if data.match(/-----BEGIN OPENSSH PRIVATE KEY-----/)
+            Net::SSH::Authentication::ED25519Loader.raiseUnlessLoaded("OpenSSH keys only supported if ED25519 is available")
+            return OpenSSHPrivateKeyType
+          elsif OpenSSL::PKey.respond_to?(:read)
+            return OpenSSLPKeyType
+          elsif data.match(/-----BEGIN DSA PRIVATE KEY-----/)
+            return OpenSSLDSAKeyType
+          elsif data.match(/-----BEGIN RSA PRIVATE KEY-----/)
+            return OpenSSLRSAKeyType
+          elsif data.match(/-----BEGIN EC PRIVATE KEY-----/)
+            return OpenSSLECKeyType
+          elsif data.match(/-----BEGIN (.+) PRIVATE KEY-----/)
+            raise OpenSSL::PKey::PKeyError, "not a supported key type '#{$1}'"
+          else
+            raise OpenSSL::PKey::PKeyError, "not a private key (#{filename})"
+          end
+        end
       end
     end
-
   end
-
-end; end
+end