net-ssh 4.1.0 → 6.1.0

data/lib/net/ssh/authentication/certificate.rb

@@ -1,169 +1,180 @@
 require 'securerandom'
 
-module Net; module SSH; module Authentication
-  # Class for representing an SSH certificate.
-  #
-  # http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/PROTOCOL.certkeys?rev=1.10&content-type=text/plain
-  class Certificate
-    attr_accessor :nonce
-    attr_accessor :key
-    attr_accessor :serial
-    attr_accessor :type
-    attr_accessor :key_id
-    attr_accessor :valid_principals
-    attr_accessor :valid_after
-    attr_accessor :valid_before
-    attr_accessor :critical_options
-    attr_accessor :extensions
-    attr_accessor :reserved
-    attr_accessor :signature_key
-    attr_accessor :signature
-
-    # Read a certificate blob associated with a key of the given type.
-    def self.read_certblob(buffer, type)
-      cert = Certificate.new
-      cert.nonce = buffer.read_string
-      cert.key = buffer.read_keyblob(type)
-      cert.serial = buffer.read_int64
-      cert.type = type_symbol(buffer.read_long)
-      cert.key_id = buffer.read_string
-      cert.valid_principals = buffer.read_buffer.read_all(&:read_string)
-      cert.valid_after = Time.at(buffer.read_int64)
-      cert.valid_before = Time.at(buffer.read_int64)
-      cert.critical_options = read_options(buffer)
-      cert.extensions = read_options(buffer)
-      cert.reserved = buffer.read_string
-      cert.signature_key = buffer.read_buffer.read_key
-      cert.signature = buffer.read_string
-      cert
-    end
-
-    def ssh_type
-      key.ssh_type + "-cert-v01@openssh.com"
-    end
-
-    def ssh_signature_type
-      key.ssh_type
-    end
-
-    # Serializes the certificate (and key).
-    def to_blob
-      Buffer.from(
-        :raw, to_blob_without_signature,
-        :string, signature
-      ).to_s
-    end
-
-    def ssh_do_sign(data)
-      key.ssh_do_sign(data)
-    end
-
-    def ssh_do_verify(sig, data)
-      key.ssh_do_verify(sig, data)
-    end
-
-    def to_pem
-      key.to_pem
-    end
-
-    def fingerprint
-      key.fingerprint
-    end
-
-    # Signs the certificate with key.
-    def sign!(key, sign_nonce=nil)
-      # ssh-keygen uses 32 bytes of nonce.
-      self.nonce = sign_nonce || SecureRandom.random_bytes(32)
-      self.signature_key = key
-      self.signature = Net::SSH::Buffer.from(
-        :string, key.ssh_signature_type,
-        :mstring, key.ssh_do_sign(to_blob_without_signature)
-      ).to_s
-      self
-    end
-
-    def sign(key, sign_nonce=nil)
-      cert = clone
-      cert.sign!(key, sign_nonce)
-    end
-
-    # Checks whether the certificate's signature was signed by signature key.
-    def signature_valid?
-      buffer = Buffer.new(signature)
-      buffer.read_string # skip signature format
-      signature_key.ssh_do_verify(buffer.read_string, to_blob_without_signature)
-    end
-
-    def self.read_options(buffer)
-      names = []
-      options = buffer.read_buffer.read_all do |b|
-        name = b.read_string
-        names << name
-        data = b.read_string
-        data = Buffer.new(data).read_string unless data.empty?
-        [name, data]
-      end
-
-      if names.sort != names
-        raise ArgumentError, "option/extension names must be in sorted order"
+module Net
+  module SSH
+    module Authentication
+      # Class for representing an SSH certificate.
+      #
+      # http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/PROTOCOL.certkeys?rev=1.10&content-type=text/plain
+      class Certificate
+        attr_accessor :nonce
+        attr_accessor :key
+        attr_accessor :serial
+        attr_accessor :type
+        attr_accessor :key_id
+        attr_accessor :valid_principals
+        attr_accessor :valid_after
+        attr_accessor :valid_before
+        attr_accessor :critical_options
+        attr_accessor :extensions
+        attr_accessor :reserved
+        attr_accessor :signature_key
+        attr_accessor :signature
+
+        # Read a certificate blob associated with a key of the given type.
+        def self.read_certblob(buffer, type)
+          cert = Certificate.new
+          cert.nonce = buffer.read_string
+          cert.key = buffer.read_keyblob(type)
+          cert.serial = buffer.read_int64
+          cert.type = type_symbol(buffer.read_long)
+          cert.key_id = buffer.read_string
+          cert.valid_principals = buffer.read_buffer.read_all(&:read_string)
+          cert.valid_after = Time.at(buffer.read_int64)
+          
+          cert.valid_before = if RUBY_PLATFORM == "java"
+                                # 0x20c49ba5e353f7 = 0x7fffffffffffffff/1000, the largest value possible for JRuby
+                                # JRuby Time.at multiplies the arg by 1000, and then stores it in a signed long.
+                                # 0x20c49ba5e353f7 = 292278994-08-17 01:12:55 -0600
+                                Time.at([0x20c49ba5e353f7, buffer.read_int64].min)
+                              else
+                                Time.at(buffer.read_int64)
+                              end
+
+          cert.critical_options = read_options(buffer)
+          cert.extensions = read_options(buffer)
+          cert.reserved = buffer.read_string
+          cert.signature_key = buffer.read_buffer.read_key
+          cert.signature = buffer.read_string
+          cert
+        end
+
+        def ssh_type
+          key.ssh_type + "-cert-v01@openssh.com"
+        end
+
+        def ssh_signature_type
+          key.ssh_type
+        end
+
+        # Serializes the certificate (and key).
+        def to_blob
+          Buffer.from(
+            :raw, to_blob_without_signature,
+            :string, signature
+          ).to_s
+        end
+
+        def ssh_do_sign(data)
+          key.ssh_do_sign(data)
+        end
+
+        def ssh_do_verify(sig, data)
+          key.ssh_do_verify(sig, data)
+        end
+
+        def to_pem
+          key.to_pem
+        end
+
+        def fingerprint
+          key.fingerprint
+        end
+
+        # Signs the certificate with key.
+        def sign!(key, sign_nonce=nil)
+          # ssh-keygen uses 32 bytes of nonce.
+          self.nonce = sign_nonce || SecureRandom.random_bytes(32)
+          self.signature_key = key
+          self.signature = Net::SSH::Buffer.from(
+            :string, key.ssh_signature_type,
+            :mstring, key.ssh_do_sign(to_blob_without_signature)
+          ).to_s
+          self
+        end
+
+        def sign(key, sign_nonce=nil)
+          cert = clone
+          cert.sign!(key, sign_nonce)
+        end
+
+        # Checks whether the certificate's signature was signed by signature key.
+        def signature_valid?
+          buffer = Buffer.new(signature)
+          buffer.read_string # skip signature format
+          signature_key.ssh_do_verify(buffer.read_string, to_blob_without_signature)
+        end
+
+        def self.read_options(buffer)
+          names = []
+          options = buffer.read_buffer.read_all do |b|
+            name = b.read_string
+            names << name
+            data = b.read_string
+            data = Buffer.new(data).read_string unless data.empty?
+            [name, data]
+          end
+
+          raise ArgumentError, "option/extension names must be in sorted order" if names.sort != names
+
+          Hash[options]
+        end
+        private_class_method :read_options
+
+        def self.type_symbol(type)
+          types = { 1 => :user, 2 => :host }
+          raise ArgumentError("unsupported type: #{type}") unless types.include?(type)
+          types.fetch(type)
+        end
+        private_class_method :type_symbol
+
+        private
+
+        def type_value(type)
+          types = { user: 1, host: 2 }
+          raise ArgumentError("unsupported type: #{type}") unless types.include?(type)
+          types.fetch(type)
+        end
+
+        def ssh_time(t)
+          # Times in certificates are represented as a uint64.
+          [[t.to_i, 0].max, 2 << 64 - 1].min
+        end
+
+        def to_blob_without_signature
+          Buffer.from(
+            :string, ssh_type,
+            :string, nonce,
+            :raw, key_without_type,
+            :int64, serial,
+            :long, type_value(type),
+            :string, key_id,
+            :string, valid_principals.inject(Buffer.new) { |acc, elem| acc.write_string(elem) }.to_s,
+            :int64, ssh_time(valid_after),
+            :int64, ssh_time(valid_before),
+            :string, options_to_blob(critical_options),
+            :string, options_to_blob(extensions),
+            :string, reserved,
+            :string, signature_key.to_blob
+          ).to_s
+        end
+
+        def key_without_type
+          # key.to_blob gives us e.g. "ssh-rsa,<key>" but we just want "<key>".
+          tmp = Buffer.new(key.to_blob)
+          tmp.read_string # skip the underlying key type
+          tmp.read
+        end
+
+        def options_to_blob(options)
+          options.keys.sort.inject(Buffer.new) do |b, name|
+            b.write_string(name)
+            data = options.fetch(name)
+            data = Buffer.from(:string, data).to_s unless data.empty?
+            b.write_string(data)
+          end.to_s
+        end
       end
-
-      Hash[options]
-    end
-    private_class_method :read_options
-
-    def self.type_symbol(type)
-      types = {1 => :user, 2 => :host}
-      raise ArgumentError("unsupported type: #{type}") unless types.include?(type)
-      types.fetch(type)
-    end
-    private_class_method :type_symbol
-
-    private
-
-    def type_value(type)
-      types = {user: 1, host: 2}
-      raise ArgumentError("unsupported type: #{type}") unless types.include?(type)
-      types.fetch(type)
-    end
-
-    def ssh_time(t)
-      # Times in certificates are represented as a uint64.
-      [[t.to_i, 0].max, 2<<64 - 1].min
-    end
-
-    def to_blob_without_signature
-      Buffer.from(
-        :string, ssh_type,
-        :string, nonce,
-        :raw, key_without_type,
-        :int64, serial,
-        :long, type_value(type),
-        :string, key_id,
-        :string, valid_principals.inject(Buffer.new) { |acc, elem| acc.write_string(elem) }.to_s,
-        :int64, ssh_time(valid_after),
-        :int64, ssh_time(valid_before),
-        :string, options_to_blob(critical_options),
-        :string, options_to_blob(extensions),
-        :string, reserved,
-        :string, signature_key.to_blob
-      ).to_s
-    end
-
-    def key_without_type
-      # key.to_blob gives us e.g. "ssh-rsa,<key>" but we just want "<key>".
-      tmp = Buffer.new(key.to_blob)
-      tmp.read_string # skip the underlying key type
-      tmp.read
-    end
-
-    def options_to_blob(options)
-      options.keys.sort.inject(Buffer.new) do |b, name|
-        b.write_string(name)
-        data = options.fetch(name)
-        data = Buffer.from(:string, data).to_s unless data.empty?
-        b.write_string(data)
-      end.to_s
     end
   end
-end; end; end
+end

data/lib/net/ssh/authentication/constants.rb

@@ -1,18 +1,21 @@
-module Net; module SSH; module Authentication
+module Net
+  module SSH
+    module Authentication
 
-  # Describes the constants used by the Net::SSH::Authentication components
-  # of the Net::SSH library. Individual authentication method implemenations
-  # may define yet more constants that are specific to their implementation.
-  module Constants
-    USERAUTH_REQUEST          = 50
-    USERAUTH_FAILURE          = 51
-    USERAUTH_SUCCESS          = 52
-    USERAUTH_BANNER           = 53
+      # Describes the constants used by the Net::SSH::Authentication components
+      # of the Net::SSH library. Individual authentication method implemenations
+      # may define yet more constants that are specific to their implementation.
+      module Constants
+        USERAUTH_REQUEST          = 50
+        USERAUTH_FAILURE          = 51
+        USERAUTH_SUCCESS          = 52
+        USERAUTH_BANNER           = 53
 
-    USERAUTH_PASSWD_CHANGEREQ = 60
-    USERAUTH_PK_OK            = 60
+        USERAUTH_PASSWD_CHANGEREQ = 60
+        USERAUTH_PK_OK            = 60
 
-    USERAUTH_METHOD_RANGE     = 60..79
+        USERAUTH_METHOD_RANGE     = 60..79
+      end
+    end
   end
-
-end; end; end
+end

data/lib/net/ssh/authentication/ed25519.rb

@@ -1,160 +1,181 @@
-gem 'rbnacl', '>= 3.2.0', '< 5.0'
+gem 'ed25519', '~> 1.2'
 gem 'bcrypt_pbkdf', '~> 1.0' unless RUBY_PLATFORM == "java"
 
-begin
-  require 'rbnacl/libsodium'
-rescue LoadError # rubocop:disable Lint/HandleExceptions
-end
-
-require 'rbnacl'
-require 'rbnacl/signatures/ed25519/verify_key'
-require 'rbnacl/signatures/ed25519/signing_key'
-
-require 'rbnacl/hash'
+require 'ed25519'
 
 require 'base64'
 
 require 'net/ssh/transport/cipher_factory'
+require 'net/ssh/authentication/pub_key_fingerprint'
 require 'bcrypt_pbkdf' unless RUBY_PLATFORM == "java"
 
-module Net; module SSH; module Authentication
-module ED25519
-  class SigningKeyFromFile < RbNaCl::Signatures::Ed25519::SigningKey
-    def initialize(pk,sk)
-      @signing_key = sk
-      @verify_key = RbNaCl::Signatures::Ed25519::VerifyKey.new(pk)
-    end
-  end
-
-  class PubKey
-    attr_reader :verify_key
-
-    def initialize(data)
-      @verify_key = RbNaCl::Signatures::Ed25519::VerifyKey.new(data)
-    end
-
-    def self.read_keyblob(buffer)
-      PubKey.new(buffer.read_string)
-    end
-
-    def to_blob
-      Net::SSH::Buffer.from(:mstring,"ssh-ed25519",:string,@verify_key.to_bytes).to_s
-    end
-
-    def ssh_type
-      "ssh-ed25519"
-    end
-
-    def ssh_signature_type
-      ssh_type
-    end
-
-    def ssh_do_verify(sig,data)
-      @verify_key.verify(sig,data)
-    end
-
-    def to_pem
-      # TODO this is not pem
-      ssh_type + Base64.encode64(@verify_key.to_bytes)
-    end
-
-    def fingerprint
-      @fingerprint ||= OpenSSL::Digest::MD5.hexdigest(to_blob).scan(/../).join(":")
-    end
-  end
-
-  class PrivKey
-    CipherFactory = Net::SSH::Transport::CipherFactory
+module Net
+  module SSH
+    module Authentication
+      module ED25519
+        class SigningKeyFromFile < SimpleDelegator
+          def initialize(pk,sk)
+            key = ::Ed25519::SigningKey.from_keypair(sk)
+            raise ArgumentError, "pk does not match sk" unless pk == key.verify_key.to_bytes
+
+            super(key)
+          end
+        end
+
+        class OpenSSHPrivateKeyLoader
+          CipherFactory = Net::SSH::Transport::CipherFactory
+
+          MBEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----\n"
+          MEND = "-----END OPENSSH PRIVATE KEY-----"
+          MAGIC = "openssh-key-v1"
+
+          class DecryptError < ArgumentError
+            def initialize(message, encrypted_key: false)
+              super(message)
+              @encrypted_key = encrypted_key
+            end
+
+            def encrypted_key?
+              return @encrypted_key
+            end
+          end
+
+          def self.read(datafull, password)
+            datafull = datafull.strip
+            raise ArgumentError.new("Expected #{MBEGIN} at start of private key") unless datafull.start_with?(MBEGIN)
+            raise ArgumentError.new("Expected #{MEND} at end of private key") unless datafull.end_with?(MEND)
+            datab64 = datafull[MBEGIN.size...-MEND.size]
+            data = Base64.decode64(datab64)
+            raise ArgumentError.new("Expected #{MAGIC} at start of decoded private key") unless data.start_with?(MAGIC)
+            buffer = Net::SSH::Buffer.new(data[MAGIC.size + 1..-1])
+
+            ciphername = buffer.read_string
+            raise ArgumentError.new("#{ciphername} in private key is not supported") unless
+              CipherFactory.supported?(ciphername)
+
+            kdfname = buffer.read_string
+            raise ArgumentError.new("Expected #{kdfname} to be or none or bcrypt") unless %w[none bcrypt].include?(kdfname)
+
+            kdfopts = Net::SSH::Buffer.new(buffer.read_string)
+            num_keys = buffer.read_long
+            raise ArgumentError.new("Only 1 key is supported in ssh keys #{num_keys} was in private key") unless num_keys == 1
+            _pubkey = buffer.read_string
+
+            len = buffer.read_long
+
+            keylen, blocksize, ivlen = CipherFactory.get_lengths(ciphername, iv_len: true)
+            raise ArgumentError.new("Private key len:#{len} is not a multiple of #{blocksize}") if
+              ((len < blocksize) || ((blocksize > 0) && (len % blocksize) != 0))
+
+            if kdfname == 'bcrypt'
+              salt = kdfopts.read_string
+              rounds = kdfopts.read_long
+
+              raise "BCryptPbkdf is not implemented for jruby" if RUBY_PLATFORM == "java"
+              key = BCryptPbkdf::key(password, salt, keylen + ivlen, rounds)
+            else
+              key = '\x00' * (keylen + ivlen)
+            end
+
+            cipher = CipherFactory.get(ciphername, key: key[0...keylen], iv:key[keylen...keylen + ivlen], decrypt: true)
+
+            decoded = cipher.update(buffer.remainder_as_buffer.to_s)
+            decoded << cipher.final
+
+            decoded = Net::SSH::Buffer.new(decoded)
+            check1 = decoded.read_long
+            check2 = decoded.read_long
+
+            raise DecryptError.new("Decrypt failed on private key", encrypted_key: kdfname == 'bcrypt') if (check1 != check2)
+
+            type_name = decoded.read_string
+            case type_name
+            when "ssh-ed25519"
+              PrivKey.new(decoded)
+            else
+              decoded.read_private_keyblob(type_name)
+            end
+          end
+        end
+
+        class PubKey
+          include Net::SSH::Authentication::PubKeyFingerprint
+
+          attr_reader :verify_key
+
+          def initialize(data)
+            @verify_key = ::Ed25519::VerifyKey.new(data)
+          end
+
+          def self.read_keyblob(buffer)
+            PubKey.new(buffer.read_string)
+          end
+
+          def to_blob
+            Net::SSH::Buffer.from(:mstring,"ssh-ed25519",:string,@verify_key.to_bytes).to_s
+          end
+
+          def ssh_type
+            "ssh-ed25519"
+          end
+
+          def ssh_signature_type
+            ssh_type
+          end
+
+          def ssh_do_verify(sig,data)
+            @verify_key.verify(sig,data)
+          end
+
+          def to_pem
+            # TODO this is not pem
+            ssh_type + Base64.encode64(@verify_key.to_bytes)
+          end
+        end
+
+        class PrivKey
+          CipherFactory = Net::SSH::Transport::CipherFactory
+
+          MBEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----\n"
+          MEND = "-----END OPENSSH PRIVATE KEY-----\n"
+          MAGIC = "openssh-key-v1"
+
+          attr_reader :sign_key
+
+          def initialize(buffer)
+            pk = buffer.read_string
+            sk = buffer.read_string
+            _comment = buffer.read_string
 
-    MBEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----\n"
-    MEND = "-----END OPENSSH PRIVATE KEY-----\n"
-    MAGIC = "openssh-key-v1"
+            @pk = pk
+            @sign_key = SigningKeyFromFile.new(pk,sk)
+          end
 
-    attr_reader :sign_key
+          def to_blob
+            public_key.to_blob
+          end
 
-    def initialize(datafull,password)
-      raise ArgumentError.new("Expected #{MBEGIN} at start of private key") unless datafull.start_with?(MBEGIN)
-      raise ArgumentError.new("Expected #{MEND} at end of private key") unless datafull.end_with?(MEND)
-      datab64 = datafull[MBEGIN.size ... -MEND.size]
-      data = Base64.decode64(datab64)
-      raise ArgumentError.new("Expected #{MAGIC} at start of decoded private key") unless data.start_with?(MAGIC)
-      buffer = Net::SSH::Buffer.new(data[MAGIC.size+1 .. -1])
+          def ssh_type
+            "ssh-ed25519"
+          end
 
-      ciphername = buffer.read_string
-      raise ArgumentError.new("#{ciphername} in private key is not supported") unless
-        CipherFactory.supported?(ciphername)
+          def ssh_signature_type
+            ssh_type
+          end
 
-      kdfname = buffer.read_string
-      raise ArgumentError.new("Expected #{kdfname} to be or none or bcrypt") unless %w(none bcrypt).include?(kdfname)
+          def public_key
+            PubKey.new(@pk)
+          end
 
-      kdfopts = Net::SSH::Buffer.new(buffer.read_string)
-      num_keys = buffer.read_long
-      raise ArgumentError.new("Only 1 key is supported in ssh keys #{num_keys} was in private key") unless num_keys == 1
-      _pubkey = buffer.read_string
+          def ssh_do_sign(data)
+            @sign_key.sign(data)
+          end
 
-      len = buffer.read_long
-
-      keylen, blocksize, ivlen = CipherFactory.get_lengths(ciphername, iv_len: true)
-      raise ArgumentError.new("Private key len:#{len} is not a multiple of #{blocksize}") if
-        ((len < blocksize) || ((blocksize > 0) && (len % blocksize) != 0))
-
-      if kdfname == 'bcrypt'
-        salt = kdfopts.read_string
-        rounds = kdfopts.read_long
-
-        raise "BCryptPbkdf is not implemented for jruby" if RUBY_PLATFORM == "java"
-        key = BCryptPbkdf::key(password, salt, keylen + ivlen, rounds)
-      else
-        key = '\x00' * (keylen + ivlen)
+          def self.read(data, password)
+            OpenSSHPrivateKeyLoader.read(data, password)
+          end
+        end
       end
-
-      cipher = CipherFactory.get(ciphername, key: key[0...keylen], iv:key[keylen...keylen+ivlen], decrypt: true)
-
-      decoded = cipher.update(buffer.remainder_as_buffer.to_s)
-      decoded << cipher.final
-
-      decoded = Net::SSH::Buffer.new(decoded)
-      check1 = decoded.read_long
-      check2 = decoded.read_long
-
-      raise ArgumentError, "Decrypt failed on private key" if (check1 != check2)
-
-      _type_name = decoded.read_string
-      pk = decoded.read_string
-      sk = decoded.read_string
-      _comment = decoded.read_string
-
-      @pk = pk
-      @sign_key = SigningKeyFromFile.new(pk,sk)
-    end
-
-    def to_blob
-      public_key.to_blob
-    end
-
-    def ssh_type
-      "ssh-ed25519"
-    end
-
-    def ssh_signature_type
-      ssh_type
-    end
-
-    def public_key
-      PubKey.new(@pk)
-    end
-
-    def ssh_do_sign(data)
-      @sign_key.sign(data)
-    end
-
-    def self.read(data,password)
-      self.new(data,password)
-    end
-
-    def self.read_keyblob(buffer)
-      ED25519::PubKey.read_keyblob(buffer)
     end
   end
 end
-end; end; end