net-ssh 4.2.0 → 7.0.1

data/lib/net/ssh/authentication/ed25519.rb

@@ -1,160 +1,185 @@
-gem 'rbnacl', '>= 3.2.0', '< 5.0'
+gem 'ed25519', '~> 1.2'
 gem 'bcrypt_pbkdf', '~> 1.0' unless RUBY_PLATFORM == "java"
 
-begin
-  require 'rbnacl/libsodium'
-rescue LoadError # rubocop:disable Lint/HandleExceptions
-end
-
-require 'rbnacl'
-require 'rbnacl/signatures/ed25519/verify_key'
-require 'rbnacl/signatures/ed25519/signing_key'
-
-require 'rbnacl/hash'
+require 'ed25519'
 
 require 'base64'
 
 require 'net/ssh/transport/cipher_factory'
+require 'net/ssh/authentication/pub_key_fingerprint'
 require 'bcrypt_pbkdf' unless RUBY_PLATFORM == "java"
 
-module Net; module SSH; module Authentication
-module ED25519
-  class SigningKeyFromFile < RbNaCl::Signatures::Ed25519::SigningKey
-    def initialize(pk,sk)
-      @signing_key = sk
-      @verify_key = RbNaCl::Signatures::Ed25519::VerifyKey.new(pk)
-    end
-  end
+module Net
+  module SSH
+    module Authentication
+      module ED25519
+        class SigningKeyFromFile < SimpleDelegator
+          def initialize(pk, sk)
+            key = ::Ed25519::SigningKey.from_keypair(sk)
+            raise ArgumentError, "pk does not match sk" unless pk == key.verify_key.to_bytes
 
-  class PubKey
-    attr_reader :verify_key
+            super(key)
+          end
+        end
 
-    def initialize(data)
-      @verify_key = RbNaCl::Signatures::Ed25519::VerifyKey.new(data)
-    end
+        class OpenSSHPrivateKeyLoader
+          CipherFactory = Net::SSH::Transport::CipherFactory
 
-    def self.read_keyblob(buffer)
-      PubKey.new(buffer.read_string)
-    end
+          MBEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----\n"
+          MEND = "-----END OPENSSH PRIVATE KEY-----"
+          MAGIC = "openssh-key-v1"
 
-    def to_blob
-      Net::SSH::Buffer.from(:mstring,"ssh-ed25519",:string,@verify_key.to_bytes).to_s
-    end
+          class DecryptError < ArgumentError
+            def initialize(message, encrypted_key: false)
+              super(message)
+              @encrypted_key = encrypted_key
+            end
 
-    def ssh_type
-      "ssh-ed25519"
-    end
+            def encrypted_key?
+              return @encrypted_key
+            end
+          end
 
-    def ssh_signature_type
-      ssh_type
-    end
+          def self.read(datafull, password)
+            datafull = datafull.strip
+            raise ArgumentError.new("Expected #{MBEGIN} at start of private key") unless datafull.start_with?(MBEGIN)
+            raise ArgumentError.new("Expected #{MEND} at end of private key") unless datafull.end_with?(MEND)
 
-    def ssh_do_verify(sig,data)
-      @verify_key.verify(sig,data)
-    end
+            datab64 = datafull[MBEGIN.size...-MEND.size]
+            data = Base64.decode64(datab64)
+            raise ArgumentError.new("Expected #{MAGIC} at start of decoded private key") unless data.start_with?(MAGIC)
 
-    def to_pem
-      # TODO this is not pem
-      ssh_type + Base64.encode64(@verify_key.to_bytes)
-    end
+            buffer = Net::SSH::Buffer.new(data[MAGIC.size + 1..-1])
 
-    def fingerprint
-      @fingerprint ||= OpenSSL::Digest::MD5.hexdigest(to_blob).scan(/../).join(":")
-    end
-  end
+            ciphername = buffer.read_string
+            raise ArgumentError.new("#{ciphername} in private key is not supported") unless
+              CipherFactory.supported?(ciphername)
 
-  class PrivKey
-    CipherFactory = Net::SSH::Transport::CipherFactory
+            kdfname = buffer.read_string
+            raise ArgumentError.new("Expected #{kdfname} to be or none or bcrypt") unless %w[none bcrypt].include?(kdfname)
 
-    MBEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----\n"
-    MEND = "-----END OPENSSH PRIVATE KEY-----\n"
-    MAGIC = "openssh-key-v1"
+            kdfopts = Net::SSH::Buffer.new(buffer.read_string)
+            num_keys = buffer.read_long
+            raise ArgumentError.new("Only 1 key is supported in ssh keys #{num_keys} was in private key") unless num_keys == 1
 
-    attr_reader :sign_key
+            _pubkey = buffer.read_string
 
-    def initialize(datafull,password)
-      raise ArgumentError.new("Expected #{MBEGIN} at start of private key") unless datafull.start_with?(MBEGIN)
-      raise ArgumentError.new("Expected #{MEND} at end of private key") unless datafull.end_with?(MEND)
-      datab64 = datafull[MBEGIN.size ... -MEND.size]
-      data = Base64.decode64(datab64)
-      raise ArgumentError.new("Expected #{MAGIC} at start of decoded private key") unless data.start_with?(MAGIC)
-      buffer = Net::SSH::Buffer.new(data[MAGIC.size+1 .. -1])
+            len = buffer.read_long
 
-      ciphername = buffer.read_string
-      raise ArgumentError.new("#{ciphername} in private key is not supported") unless
-        CipherFactory.supported?(ciphername)
+            keylen, blocksize, ivlen = CipherFactory.get_lengths(ciphername, iv_len: true)
+            raise ArgumentError.new("Private key len:#{len} is not a multiple of #{blocksize}") if
+              ((len < blocksize) || ((blocksize > 0) && (len % blocksize) != 0))
 
-      kdfname = buffer.read_string
-      raise ArgumentError.new("Expected #{kdfname} to be or none or bcrypt") unless %w(none bcrypt).include?(kdfname)
+            if kdfname == 'bcrypt'
+              salt = kdfopts.read_string
+              rounds = kdfopts.read_long
 
-      kdfopts = Net::SSH::Buffer.new(buffer.read_string)
-      num_keys = buffer.read_long
-      raise ArgumentError.new("Only 1 key is supported in ssh keys #{num_keys} was in private key") unless num_keys == 1
-      _pubkey = buffer.read_string
+              raise "BCryptPbkdf is not implemented for jruby" if RUBY_PLATFORM == "java"
 
-      len = buffer.read_long
+              key = BCryptPbkdf::key(password, salt, keylen + ivlen, rounds)
+            else
+              key = '\x00' * (keylen + ivlen)
+            end
 
-      keylen, blocksize, ivlen = CipherFactory.get_lengths(ciphername, iv_len: true)
-      raise ArgumentError.new("Private key len:#{len} is not a multiple of #{blocksize}") if
-        ((len < blocksize) || ((blocksize > 0) && (len % blocksize) != 0))
+            cipher = CipherFactory.get(ciphername, key: key[0...keylen], iv: key[keylen...keylen + ivlen], decrypt: true)
 
-      if kdfname == 'bcrypt'
-        salt = kdfopts.read_string
-        rounds = kdfopts.read_long
+            decoded = cipher.update(buffer.remainder_as_buffer.to_s)
+            decoded << cipher.final
 
-        raise "BCryptPbkdf is not implemented for jruby" if RUBY_PLATFORM == "java"
-        key = BCryptPbkdf::key(password, salt, keylen + ivlen, rounds)
-      else
-        key = '\x00' * (keylen + ivlen)
-      end
+            decoded = Net::SSH::Buffer.new(decoded)
+            check1 = decoded.read_long
+            check2 = decoded.read_long
 
-      cipher = CipherFactory.get(ciphername, key: key[0...keylen], iv:key[keylen...keylen+ivlen], decrypt: true)
+            raise DecryptError.new("Decrypt failed on private key", encrypted_key: kdfname == 'bcrypt') if (check1 != check2)
 
-      decoded = cipher.update(buffer.remainder_as_buffer.to_s)
-      decoded << cipher.final
+            type_name = decoded.read_string
+            case type_name
+            when "ssh-ed25519"
+              PrivKey.new(decoded)
+            else
+              decoded.read_private_keyblob(type_name)
+            end
+          end
+        end
 
-      decoded = Net::SSH::Buffer.new(decoded)
-      check1 = decoded.read_long
-      check2 = decoded.read_long
+        class PubKey
+          include Net::SSH::Authentication::PubKeyFingerprint
 
-      raise ArgumentError, "Decrypt failed on private key" if (check1 != check2)
+          attr_reader :verify_key
 
-      _type_name = decoded.read_string
-      pk = decoded.read_string
-      sk = decoded.read_string
-      _comment = decoded.read_string
+          def initialize(data)
+            @verify_key = ::Ed25519::VerifyKey.new(data)
+          end
 
-      @pk = pk
-      @sign_key = SigningKeyFromFile.new(pk,sk)
-    end
+          def self.read_keyblob(buffer)
+            PubKey.new(buffer.read_string)
+          end
 
-    def to_blob
-      public_key.to_blob
-    end
+          def to_blob
+            Net::SSH::Buffer.from(:mstring, "ssh-ed25519".dup, :string, @verify_key.to_bytes).to_s
+          end
 
-    def ssh_type
-      "ssh-ed25519"
-    end
+          def ssh_type
+            "ssh-ed25519"
+          end
 
-    def ssh_signature_type
-      ssh_type
-    end
+          def ssh_signature_type
+            ssh_type
+          end
 
-    def public_key
-      PubKey.new(@pk)
-    end
+          def ssh_do_verify(sig, data, options = {})
+            @verify_key.verify(sig, data)
+          end
 
-    def ssh_do_sign(data)
-      @sign_key.sign(data)
-    end
+          def to_pem
+            # TODO this is not pem
+            ssh_type + Base64.encode64(@verify_key.to_bytes)
+          end
+        end
 
-    def self.read(data,password)
-      self.new(data,password)
-    end
+        class PrivKey
+          CipherFactory = Net::SSH::Transport::CipherFactory
+
+          MBEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----\n"
+          MEND = "-----END OPENSSH PRIVATE KEY-----\n"
+          MAGIC = "openssh-key-v1"
+
+          attr_reader :sign_key
 
-    def self.read_keyblob(buffer)
-      ED25519::PubKey.read_keyblob(buffer)
+          def initialize(buffer)
+            pk = buffer.read_string
+            sk = buffer.read_string
+            _comment = buffer.read_string
+
+            @pk = pk
+            @sign_key = SigningKeyFromFile.new(pk, sk)
+          end
+
+          def to_blob
+            public_key.to_blob
+          end
+
+          def ssh_type
+            "ssh-ed25519"
+          end
+
+          def ssh_signature_type
+            ssh_type
+          end
+
+          def public_key
+            PubKey.new(@pk)
+          end
+
+          def ssh_do_sign(data, sig_alg = nil)
+            @sign_key.sign(data)
+          end
+
+          def self.read(data, password)
+            OpenSSHPrivateKeyLoader.read(data, password)
+          end
+        end
+      end
     end
   end
 end
-end; end; end

data/lib/net/ssh/authentication/ed25519_loader.rb

@@ -1,31 +1,31 @@
-module Net; module SSH; module Authentication
+module Net
+  module SSH
+    module Authentication
+      # Loads ED25519 support which requires optinal dependecies like
+      # ed25519, bcrypt_pbkdf
+      module ED25519Loader
+        begin
+          require 'net/ssh/authentication/ed25519'
+          LOADED = true
+          ERROR = nil
+        rescue LoadError => e
+          ERROR = e
+          LOADED = false
+        end
 
-# Loads ED25519 support which requires optinal dependecies like
-# rbnacl, bcrypt_pbkdf
-module ED25519Loader
+        def self.raiseUnlessLoaded(message)
+          description = ERROR.is_a?(LoadError) ? dependenciesRequiredForED25519 : ''
+          description << "#{ERROR.class} : \"#{ERROR.message}\"\n" if ERROR
+          raise NotImplementedError, "#{message}\n#{description}" unless LOADED
+        end
 
-begin
-  require 'net/ssh/authentication/ed25519'
-  LOADED = true
-  ERROR = nil
-rescue LoadError => e
-  ERROR = e
-  LOADED = false
+        def self.dependenciesRequiredForED25519
+          result = "net-ssh requires the following gems for ed25519 support:\n"
+          result << " * ed25519 (>= 1.2, < 2.0)\n"
+          result << " * bcrypt_pbkdf (>= 1.0, < 2.0)\n" unless RUBY_PLATFORM == "java"
+          result << "See https://github.com/net-ssh/net-ssh/issues/565 for more information\n"
+        end
+      end
+    end
+  end
 end
-
-def self.raiseUnlessLoaded(message)
-  description = ERROR.is_a?(LoadError) ? dependenciesRequiredForED25519 : ''
-  description << "#{ERROR.class} : \"#{ERROR.message}\"\n" if ERROR
-  raise NotImplementedError, "#{message}\n#{description}" unless LOADED
-end
-
-def self.dependenciesRequiredForED25519
-  result = "net-ssh requires the following gems for ed25519 support:\n"
-  result << " * rbnacl (>= 3.2, < 5.0)\n"
-  result << " * rbnacl-libsodium, if your system doesn't have libsodium installed.\n"
-  result << " * bcrypt_pbkdf (>= 1.0, < 2.0)\n" unless RUBY_PLATFORM == "java"
-  result << "See https://github.com/net-ssh/net-ssh/issues/478 for more information\n"
-end
-
-end
-end; end; end

data/lib/net/ssh/authentication/key_manager.rb

@@ -6,7 +6,6 @@ require 'net/ssh/authentication/agent'
 module Net
   module SSH
     module Authentication
-
       # A trivial exception class used to report errors in the key manager.
       class KeyManagerError < Net::SSH::Exception; end
 
@@ -30,6 +29,9 @@ module Net
         # The list of user key data that will be examined
         attr_reader :key_data
 
+        # The list of user key certificate files that will be examined
+        attr_reader :keycert_files
+
         # The map of loaded identities
         attr_reader :known_identities
 
@@ -39,11 +41,12 @@ module Net
         # Create a new KeyManager. By default, the manager will
         # use the ssh-agent if it is running and the `:use_agent` option
         # is not false.
-        def initialize(logger, options={})
+        def initialize(logger, options = {})
           self.logger = logger
           @key_files = []
           @key_data = []
-          @use_agent = !(options[:use_agent] == false)
+          @keycert_files = []
+          @use_agent = options[:use_agent] != false
           @known_identities = {}
           @agent = nil
           @options = options
@@ -66,6 +69,12 @@ module Net
           self
         end
 
+        # Add the given keycert_file to the list of keycert files that will be used.
+        def add_keycert(keycert_file)
+          keycert_files.push(File.expand_path(keycert_file)).uniq!
+          self
+        end
+
         # Add the given key_file to the list of keys that will be used.
         def add_key_data(key_data_)
           key_data.push(key_data_).uniq!
@@ -108,7 +117,7 @@ module Net
               user_identities.delete(corresponding_user_identity) if corresponding_user_identity
 
               if !options[:keys_only] || corresponding_user_identity
-                known_identities[key] = { from: :agent }
+                known_identities[key] = { from: :agent, identity: key }
                 yield key
               end
             end
@@ -122,6 +131,21 @@ module Net
             yield key
           end
 
+          known_identity_blobs = known_identities.keys.map(&:to_blob)
+          keycert_files.each do |keycert_file|
+            keycert = KeyFactory.load_public_key(keycert_file)
+            next if known_identity_blobs.include?(keycert.to_blob)
+
+            (_, corresponding_identity) = known_identities.detect { |public_key, _|
+              public_key.to_pem == keycert.to_pem
+            }
+
+            if corresponding_identity
+              known_identities[keycert] = corresponding_identity
+              yield keycert
+            end
+          end
+
           self
         end
 
@@ -134,25 +158,39 @@ module Net
         # Regardless of the identity's origin or who does the signing, this
         # will always return the signature in an SSH2-specified "signature
         # blob" format.
-        def sign(identity, data)
+        def sign(identity, data, sig_alg = nil)
           info = known_identities[identity] or raise KeyManagerError, "the given identity is unknown to the key manager"
 
           if info[:key].nil? && info[:from] == :file
             begin
-              info[:key] = KeyFactory.load_private_key(info[:file], options[:passphrase], !options[:non_interactive])
+              info[:key] = KeyFactory.load_private_key(info[:file], options[:passphrase], !options[:non_interactive], options[:password_prompt])
             rescue OpenSSL::OpenSSLError, Exception => e
               raise KeyManagerError, "the given identity is known, but the private key could not be loaded: #{e.class} (#{e.message})"
             end
           end
 
           if info[:key]
-            return Net::SSH::Buffer.from(:string, identity.ssh_signature_type,
-              :mstring, info[:key].ssh_do_sign(data.to_s)).to_s
+            if sig_alg.nil?
+              signed = info[:key].ssh_do_sign(data.to_s)
+              sig_alg = identity.ssh_signature_type
+            else
+              signed = info[:key].ssh_do_sign(data.to_s, sig_alg)
+            end
+            return Net::SSH::Buffer.from(:string, sig_alg,
+                                         :mstring, signed).to_s
           end
 
           if info[:from] == :agent
             raise KeyManagerError, "the agent is no longer available" unless agent
-            return agent.sign(identity, data.to_s)
+
+            case sig_alg
+            when "rsa-sha2-512"
+              return agent.sign(info[:identity], data.to_s, Net::SSH::Authentication::Agent::SSH_AGENT_RSA_SHA2_512)
+            when "rsa-sha2-256"
+              return agent.sign(info[:identity], data.to_s, Net::SSH::Authentication::Agent::SSH_AGENT_RSA_SHA2_256)
+            else
+              return agent.sign(info[:identity], data.to_s)
+            end
           end
 
           raise KeyManagerError, "[BUG] can't determine identity origin (#{info.inspect})"
@@ -176,12 +214,17 @@ module Net
         # or if the agent is otherwise not available.
         def agent
           return unless use_agent?
-          @agent ||= Agent.connect(logger, options[:agent_socket_factory])
+
+          @agent ||= Agent.connect(logger, options[:agent_socket_factory], options[:identity_agent])
         rescue AgentNotAvailable
           @use_agent = false
           nil
         end
 
+        def no_keys?
+          key_files.empty? && key_data.empty?
+        end
+
         private
 
         # Prepares identities from user key_files for loading, preserving their order and sources.
@@ -219,34 +262,35 @@ module Net
         # Load prepared identities. Private key decryption errors ignored if ignore_decryption_errors
         def load_identities(identities, ask_passphrase, ignore_decryption_errors)
           identities.map do |identity|
-            begin
-              case identity[:load_from]
-              when :pubkey_file
-                key = KeyFactory.load_public_key(identity[:pubkey_file])
-                { public_key: key, from: :file, file: identity[:privkey_file] }
-              when :privkey_file
-                private_key = KeyFactory.load_private_key(identity[:privkey_file], options[:passphrase], ask_passphrase, options[:password_prompt])
-                key = private_key.send(:public_key)
-                { public_key: key, from: :file, file: identity[:privkey_file], key: private_key }
-              when :data
-                private_key = KeyFactory.load_data_private_key(identity[:data], options[:passphrase], ask_passphrase, "<key in memory>", options[:password_prompt])
-                key = private_key.send(:public_key)
-                { public_key: key, from: :key_data, data: identity[:data], key: private_key }
-              else
-                identity
-              end
-
-            rescue OpenSSL::PKey::RSAError, OpenSSL::PKey::DSAError, OpenSSL::PKey::ECError, OpenSSL::PKey::PKeyError, ArgumentError => e
-              if ignore_decryption_errors
-                identity
-              else
-                process_identity_loading_error(identity, e)
-                nil
-              end
-            rescue Exception => e
+            case identity[:load_from]
+            when :pubkey_file
+              key = KeyFactory.load_public_key(identity[:pubkey_file])
+              { public_key: key, from: :file, file: identity[:privkey_file] }
+            when :privkey_file
+              private_key = KeyFactory.load_private_key(
+                identity[:privkey_file], options[:passphrase], ask_passphrase, options[:password_prompt]
+              )
+              key = private_key.send(:public_key)
+              { public_key: key, from: :file, file: identity[:privkey_file], key: private_key }
+            when :data
+              private_key = KeyFactory.load_data_private_key(
+                identity[:data], options[:passphrase], ask_passphrase, "<key in memory>", options[:password_prompt]
+              )
+              key = private_key.send(:public_key)
+              { public_key: key, from: :key_data, data: identity[:data], key: private_key }
+            else
+              identity
+            end
+          rescue OpenSSL::PKey::RSAError, OpenSSL::PKey::DSAError, OpenSSL::PKey::ECError, OpenSSL::PKey::PKeyError, ArgumentError => e
+            if ignore_decryption_errors
+              identity
+            else
               process_identity_loading_error(identity, e)
               nil
             end
+          rescue Exception => e
+            process_identity_loading_error(identity, e)
+            nil
           end.compact
         end
 
@@ -260,7 +304,6 @@ module Net
             raise e
           end
         end
-
       end
     end
   end