openssl-additions 0.2.0 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e579a780c0c156cf7e9921d632043963b784ba0fdf5c01ebd877e6ab4f49d4f4
-  data.tar.gz: b984f65aabc9d6715cb1e9a86b4f8cb18f670990b360bf1f80d7a2ec6b767a71
+  metadata.gz: c2919b9f7c9b0a1a2166bcb5bd1e7273f7ac23b9efc05473c2a6ef4647b4b24d
+  data.tar.gz: cf8c7640fde294f77a01643a68d4befb4511db17d6f6fa38c37100de04d59c25
 SHA512:
-  metadata.gz: 8beaadc77e7a316a32d019c06653122f25c309eced92f2908e2c58a738bdc77d5b91d66659e2ff7e421bf50503cd7027afe35e10c0b48d9d002d5c20bc5c5d16
-  data.tar.gz: d0b27c304bd94da7c91a124c2dce1815f11354e30753f895872db19a12f73d02c2c572f63b0e250752521db482b803ea545dee4252395b612834c260fbf1cff9
+  metadata.gz: 92dbce64ce5e27996a9cbe3208fba4a62e3a36da5a3cf4188942bfe7e77c4e9509f0692b226962341d7e15a7532e48072481115be3b9e502b36c41a7166eba6c
+  data.tar.gz: add7918b67e7e5e369a89a0231bb32d775434244d11e0daac325330e4adbdeca9606efec686f308c79a1d38b236775766ca7299a406a8b69a0847acd7a00c4f2

data/lib/openssl/pkey.rb

@@ -1,254 +1 @@
-require "openssl"
-
-# Enhancements to the core asymmetric key handling.
-module OpenSSL::PKey
-  # A mapping of the "SSH" names for various curves, to their OpenSSL
-  # equivalents.
-  SSH_CURVE_NAME_MAP = {
-    "nistp256" => "prime256v1",
-    "nistp384" => "secp384r1",
-    "nistp521" => "secp521r1",
-  }
-
-  # Create a new `OpenSSL::PKey` from an SSH public or private key.
-  #
-  # Given an OpenSSH 2 public key (with or without the `ssh-rsa` / `ecdsa-etc`
-  # prefix), or an encrypted or unencrypted OpenSSH private key, create an
-  # equivalent instance of an `OpenSSL::PKey::PKey` subclass which represents
-  # the same key parameters.
-  #
-  # @param s [String] the SSH public or private key to convert.  Public keys
-  #   should be in their usual all-on-one-line bas64-encoded form, with or
-  #   without the key type prefix.  Private keys must have the `-----BEGIN/END
-  #   OPENSSH PRIVATE KEY-----` delimiters.
-  #
-  # @param passphrase [String] if an encrypted private key is provided, this
-  #   passphrase will be used to try and decrypt the key.  If the passphrase
-  #   is incorrect, an exception will be raised.
-  #
-  # @yield if the key data passed is an encrypted private key and no passphrase
-  #   was given, the block (if provided) will be called, and whatever the value
-  #   of that block call is, it will be used to try and decrypt the private
-  #   key.
-  #
-  # @return [OpenSSL::PKey::PKey] the OpenSSL-compatible key object.
-  #
-  # @raise [OpenSSL::PKey::PKeyError] if anything went wrong with the decoding
-  #   process.
-  #
-  def self.from_ssh_key(s, &blk)
-    if s =~ /\A-----BEGIN OPENSSH PRIVATE KEY-----/
-      decode_private_ssh_key(s, &blk)
-    else
-      decode_public_ssh_key(s)
-    end
-  end
-
-  private
-
-  def self.decode_private_ssh_key(s, &blk)
-    unless s =~ /-----BEGIN OPENSSH PRIVATE KEY-----\n([A-Za-z0-9\/+\n]*={0,2})\n-----END OPENSSH PRIVATE KEY-----/m
-      raise OpenSSL::PKey::PKeyError,
-            "invalid OpenSSH private key format"
-    end
-
-    keyblob = unpack_private_ssh_key($1, &blk)
-    keytype, rest = ssh_key_lv_decode(keyblob, 1)
-
-    case keytype
-    when "ssh-rsa"
-      parts = ssh_key_lv_decode(rest, 6)
-      OpenSSL::PKey::RSA.new.tap do |k|
-        k.n = ssh_key_mpi_decode(parts[0])
-        k.e = ssh_key_mpi_decode(parts[1])
-        k.d = ssh_key_mpi_decode(parts[2])
-        k.iqmp = ssh_key_mpi_decode(parts[3])
-        k.p = ssh_key_mpi_decode(parts[4])
-        k.q = ssh_key_mpi_decode(parts[5])
-      end
-    when "ssh-dss"
-      parts = ssh_key_lv_decode(rest, 5)
-      OpenSSL::PKey::DSA.new.tap do |k|
-        k.p = ssh_key_mpi_decode(parts[0])
-        k.q = ssh_key_mpi_decode(parts[1])
-        k.g = ssh_key_mpi_decode(parts[2])
-        k.pub_key = ssh_key_mpi_decode(parts[3])
-        k.priv_key = ssh_key_mpi_decode(parts[4])
-      end
-    when /ecdsa-sha2-/
-      parts = ssh_key_lv_decode(rest, 3)
-
-      begin
-        OpenSSL::PKey::EC.new(SSH_CURVE_NAME_MAP[parts[0]]).tap do |k|
-          k.public_key = OpenSSL::PKey::EC::Point.new(k.group, parts[1])
-          k.private_key = ssh_key_mpi_decode(parts[2])
-        end
-      rescue TypeError
-        raise OpenSSL::PKey::PKeyError.new,
-              "Unknown curve identifier #{parts[0]}"
-      end
-    else
-      raise OpenSSL::PKey::PKeyError,
-            "Unknown key type #{keytype}"
-    end
-  end
-
-  def self.unpack_private_ssh_key(s)
-    rest = s.unpack("m").first
-
-    # From https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.key?annotate=HEAD
-
-    #  8: #define AUTH_MAGIC      "openssh-key-v1"
-    #  9:
-    # 10:        byte[]  AUTH_MAGIC
-    unless rest[0, 15] == "openssh-key-v1\0"
-      raise OpenSSL::PKey::PKeyError,
-            "Invalid OpenSSH private key: incorrect magic found (#{rest[0, 15].inspect})"
-    end
-
-    # 11:        string  ciphername
-    # 12:        string  kdfname
-    # 13:        string  kdfoptions
-    cipher, kdf, kdfopts, rest = ssh_key_lv_decode(rest[15..], 3)
-
-    # 14:        int     number of keys N
-    key_count, rest = rest.unpack("Na*")
-    if key_count == 0
-      raise OpenSSL::PKey::PKeyError,
-            "invalid OpenSSH private key: no keys!"
-    elsif key_count > 1
-      raise OpenSSL::PKey::PKeyError,
-            "unsupported OpenSSH private key: multiple keys"
-    end
-
-    # 15:        string  publickey1
-    # We care not for your stinky public key
-    _, rest = ssh_key_lv_decode(rest, 1)
-
-    # 19:        string  encrypted, padded list of private keys
-    rest, x = ssh_key_lv_decode(rest, 1)
-    unless x.nil?
-      #:nocov:
-      raise OpenSSL::PKey::PKeyError,
-            "invalid OpenSSH private key: trailing garbage after private key blob: #{x.inspect}"
-      #:nocov:
-    end
-
-    if kdf == "none"
-      # This one is easy
-      # 36:        uint32  checkint
-      # 37:        uint32  checkint
-      # 38:        string  privatekey1
-      check1, check2, rest = rest.unpack("NNa*")
-      unless check1 == check2
-        raise OpenSSL::PKey::PKeyError,
-              "invalid OpenSSH private key: check values don't match"
-      end
-
-      # The format spec says that the keyblob is, itself, a string, but that's
-      # not what I'm seeing in real-world keys generated by OpenSSH -- the
-      # first element of the keyblob (the key type string) is just straight up
-      # there after the check digits.  That must make parsing out multiple
-      # private keys an absolute nightmare -- except, oh wait (from
-      # openssh-portable.git/sshkey.c):
-      #
-      #     if (nkeys != 1) {
-      #         /* XXX only one key supported */
-      #         r = SSH_ERR_INVALID_FORMAT;
-      #         goto out;
-      #     }
-      #
-      # Cheaters.
-      #
-      # At any rate, the fact that the spec isn't what's implemented means that
-      # the keyblob I do send back needs to be carefully parsed itself, rather
-      # than just being able to blat it through ssh_key_lv_decode to get all
-      # the bits.  Sigh.
-      return rest
-    elsif kdf == "bcrypt"
-      # This is cheating a little bit, but I'm not up for implementing
-      # decryption support today, and this at least allows us to reliably
-      # detect that the key *is* in fact encrypted rather than corrupted
-      yield if block_given?
-      raise OpenSSL::PKey::PKeyError,
-            "unsupported OpenSSH private key: decryption is not (yet) supported"
-    else
-      raise OpenSSL::PKey::PKeyError,
-            "unsupport OpenSSH private key KDF #{kdf.inspect}"
-    end
-  end
-
-  def self.decode_public_ssh_key(s)
-    if s =~ /\Assh-[a-z0-9-]+ /
-      # WHOOP WHOOP prefixed key detected.
-      s = s.split(" ")[1]
-    else
-      # Discard any comment, etc that might be lurking around
-      s = s.split(" ")[0]
-    end
-
-    unless s =~ /\A[A-Za-z0-9\/+]+={0,2}\z/
-      raise OpenSSL::PKey::PKeyError,
-            "Invalid key encoding (not valid base64)"
-    end
-
-    parts = ssh_key_lv_decode(s.unpack("m").first)
-
-    case parts.first
-    when "ssh-rsa"
-      OpenSSL::PKey::RSA.new.tap do |k|
-        k.e = ssh_key_mpi_decode(parts[1])
-        k.n = ssh_key_mpi_decode(parts[2])
-      end
-    when "ssh-dss"
-      OpenSSL::PKey::DSA.new.tap do |k|
-        k.p = ssh_key_mpi_decode(parts[1])
-        k.q = ssh_key_mpi_decode(parts[2])
-        k.g = ssh_key_mpi_decode(parts[3])
-      end
-    when /ecdsa-sha2-/
-      begin
-        OpenSSL::PKey::EC.new(SSH_CURVE_NAME_MAP[parts[1]]).tap do |k|
-          k.public_key = OpenSSL::PKey::EC::Point.new(k.group, parts[2])
-        end
-      rescue TypeError
-        raise OpenSSL::PKey::PKeyError.new,
-              "Unknown curve identifier #{parts[1]}"
-      end
-    else
-      raise OpenSSL::PKey::PKeyError,
-            "Unknown key type #{parts.first.inspect}"
-    end
-  end
-
-  # Take the base64 string and split it into its component parts.
-  #
-  def self.ssh_key_lv_decode(s, n = nil)
-    rest = s
-
-    [].tap do |parts|
-      until rest == "" || (n && n <= 0)
-        len, rest = rest.unpack("Na*")
-        if len > rest.length
-          raise OpenSSL::PKey::PKeyError,
-                "Invalid LV-encoded string; wanted #{len} octets, but there's only #{rest.length} octets left"
-        end
-
-        elem, rest = rest.unpack("a#{len}a*")
-        parts << elem
-        n -= 1 if n
-      end
-
-      if rest != ""
-        parts << rest
-      end
-    end
-  end
-
-  # Turn an SSH "MPI" (encoded arbitrary-length integer) string into a real
-  # Ruby integer.
-  #
-  def self.ssh_key_mpi_decode(s)
-    s.each_char.inject(0) { |i, c| i * 256 + c.ord }
-  end
-end
+require_relative './ssh_pkey'

data/lib/openssl/ssh_pkey.rb

@@ -0,0 +1,254 @@
+require "openssl"
+
+# Enhancements to the core asymmetric key handling.
+module OpenSSL::PKey
+  # A mapping of the "SSH" names for various curves, to their OpenSSL
+  # equivalents.
+  SSH_CURVE_NAME_MAP = {
+    "nistp256" => "prime256v1",
+    "nistp384" => "secp384r1",
+    "nistp521" => "secp521r1",
+  }
+
+  # Create a new `OpenSSL::PKey` from an SSH public or private key.
+  #
+  # Given an OpenSSH 2 public key (with or without the `ssh-rsa` / `ecdsa-etc`
+  # prefix), or an encrypted or unencrypted OpenSSH private key, create an
+  # equivalent instance of an `OpenSSL::PKey::PKey` subclass which represents
+  # the same key parameters.
+  #
+  # @param s [String] the SSH public or private key to convert.  Public keys
+  #   should be in their usual all-on-one-line bas64-encoded form, with or
+  #   without the key type prefix.  Private keys must have the `-----BEGIN/END
+  #   OPENSSH PRIVATE KEY-----` delimiters.
+  #
+  # @param passphrase [String] if an encrypted private key is provided, this
+  #   passphrase will be used to try and decrypt the key.  If the passphrase
+  #   is incorrect, an exception will be raised.
+  #
+  # @yield if the key data passed is an encrypted private key and no passphrase
+  #   was given, the block (if provided) will be called, and whatever the value
+  #   of that block call is, it will be used to try and decrypt the private
+  #   key.
+  #
+  # @return [OpenSSL::PKey::PKey] the OpenSSL-compatible key object.
+  #
+  # @raise [OpenSSL::PKey::PKeyError] if anything went wrong with the decoding
+  #   process.
+  #
+  def self.from_ssh_key(s, &blk)
+    if s =~ /\A-----BEGIN OPENSSH PRIVATE KEY-----/
+      decode_private_ssh_key(s, &blk)
+    else
+      decode_public_ssh_key(s)
+    end
+  end
+
+  private
+
+  def self.decode_private_ssh_key(s, &blk)
+    unless s =~ /-----BEGIN OPENSSH PRIVATE KEY-----\n([A-Za-z0-9\/+\n]*={0,2})\n-----END OPENSSH PRIVATE KEY-----/m
+      raise OpenSSL::PKey::PKeyError,
+            "invalid OpenSSH private key format"
+    end
+
+    keyblob = unpack_private_ssh_key($1, &blk)
+    keytype, rest = ssh_key_lv_decode(keyblob, 1)
+
+    case keytype
+    when "ssh-rsa"
+      parts = ssh_key_lv_decode(rest, 6)
+      OpenSSL::PKey::RSA.new.tap do |k|
+        k.n = ssh_key_mpi_decode(parts[0])
+        k.e = ssh_key_mpi_decode(parts[1])
+        k.d = ssh_key_mpi_decode(parts[2])
+        k.iqmp = ssh_key_mpi_decode(parts[3])
+        k.p = ssh_key_mpi_decode(parts[4])
+        k.q = ssh_key_mpi_decode(parts[5])
+      end
+    when "ssh-dss"
+      parts = ssh_key_lv_decode(rest, 5)
+      OpenSSL::PKey::DSA.new.tap do |k|
+        k.p = ssh_key_mpi_decode(parts[0])
+        k.q = ssh_key_mpi_decode(parts[1])
+        k.g = ssh_key_mpi_decode(parts[2])
+        k.pub_key = ssh_key_mpi_decode(parts[3])
+        k.priv_key = ssh_key_mpi_decode(parts[4])
+      end
+    when /ecdsa-sha2-/
+      parts = ssh_key_lv_decode(rest, 3)
+
+      begin
+        OpenSSL::PKey::EC.new(SSH_CURVE_NAME_MAP[parts[0]]).tap do |k|
+          k.public_key = OpenSSL::PKey::EC::Point.new(k.group, parts[1])
+          k.private_key = ssh_key_mpi_decode(parts[2])
+        end
+      rescue TypeError
+        raise OpenSSL::PKey::PKeyError.new,
+              "Unknown curve identifier #{parts[0]}"
+      end
+    else
+      raise OpenSSL::PKey::PKeyError,
+            "Unknown key type #{keytype}"
+    end
+  end
+
+  def self.unpack_private_ssh_key(s)
+    rest = s.unpack("m").first
+
+    # From https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.key?annotate=HEAD
+
+    #  8: #define AUTH_MAGIC      "openssh-key-v1"
+    #  9:
+    # 10:        byte[]  AUTH_MAGIC
+    unless rest[0, 15] == "openssh-key-v1\0"
+      raise OpenSSL::PKey::PKeyError,
+            "Invalid OpenSSH private key: incorrect magic found (#{rest[0, 15].inspect})"
+    end
+
+    # 11:        string  ciphername
+    # 12:        string  kdfname
+    # 13:        string  kdfoptions
+    cipher, kdf, kdfopts, rest = ssh_key_lv_decode(rest[15..], 3)
+
+    # 14:        int     number of keys N
+    key_count, rest = rest.unpack("Na*")
+    if key_count == 0
+      raise OpenSSL::PKey::PKeyError,
+            "invalid OpenSSH private key: no keys!"
+    elsif key_count > 1
+      raise OpenSSL::PKey::PKeyError,
+            "unsupported OpenSSH private key: multiple keys"
+    end
+
+    # 15:        string  publickey1
+    # We care not for your stinky public key
+    _, rest = ssh_key_lv_decode(rest, 1)
+
+    # 19:        string  encrypted, padded list of private keys
+    rest, x = ssh_key_lv_decode(rest, 1)
+    unless x.nil?
+      #:nocov:
+      raise OpenSSL::PKey::PKeyError,
+            "invalid OpenSSH private key: trailing garbage after private key blob: #{x.inspect}"
+      #:nocov:
+    end
+
+    if kdf == "none"
+      # This one is easy
+      # 36:        uint32  checkint
+      # 37:        uint32  checkint
+      # 38:        string  privatekey1
+      check1, check2, rest = rest.unpack("NNa*")
+      unless check1 == check2
+        raise OpenSSL::PKey::PKeyError,
+              "invalid OpenSSH private key: check values don't match"
+      end
+
+      # The format spec says that the keyblob is, itself, a string, but that's
+      # not what I'm seeing in real-world keys generated by OpenSSH -- the
+      # first element of the keyblob (the key type string) is just straight up
+      # there after the check digits.  That must make parsing out multiple
+      # private keys an absolute nightmare -- except, oh wait (from
+      # openssh-portable.git/sshkey.c):
+      #
+      #     if (nkeys != 1) {
+      #         /* XXX only one key supported */
+      #         r = SSH_ERR_INVALID_FORMAT;
+      #         goto out;
+      #     }
+      #
+      # Cheaters.
+      #
+      # At any rate, the fact that the spec isn't what's implemented means that
+      # the keyblob I do send back needs to be carefully parsed itself, rather
+      # than just being able to blat it through ssh_key_lv_decode to get all
+      # the bits.  Sigh.
+      return rest
+    elsif kdf == "bcrypt"
+      # This is cheating a little bit, but I'm not up for implementing
+      # decryption support today, and this at least allows us to reliably
+      # detect that the key *is* in fact encrypted rather than corrupted
+      yield if block_given?
+      raise OpenSSL::PKey::PKeyError,
+            "unsupported OpenSSH private key: decryption is not (yet) supported"
+    else
+      raise OpenSSL::PKey::PKeyError,
+            "unsupport OpenSSH private key KDF #{kdf.inspect}"
+    end
+  end
+
+  def self.decode_public_ssh_key(s)
+    if s =~ /\Assh-[a-z0-9-]+ /
+      # WHOOP WHOOP prefixed key detected.
+      s = s.split(" ")[1]
+    else
+      # Discard any comment, etc that might be lurking around
+      s = s.split(" ")[0]
+    end
+
+    unless s =~ /\A[A-Za-z0-9\/+]+={0,2}\z/
+      raise OpenSSL::PKey::PKeyError,
+            "Invalid key encoding (not valid base64)"
+    end
+
+    parts = ssh_key_lv_decode(s.unpack("m").first)
+
+    case parts.first
+    when "ssh-rsa"
+      OpenSSL::PKey::RSA.new.tap do |k|
+        k.e = ssh_key_mpi_decode(parts[1])
+        k.n = ssh_key_mpi_decode(parts[2])
+      end
+    when "ssh-dss"
+      OpenSSL::PKey::DSA.new.tap do |k|
+        k.p = ssh_key_mpi_decode(parts[1])
+        k.q = ssh_key_mpi_decode(parts[2])
+        k.g = ssh_key_mpi_decode(parts[3])
+      end
+    when /ecdsa-sha2-/
+      begin
+        OpenSSL::PKey::EC.new(SSH_CURVE_NAME_MAP[parts[1]]).tap do |k|
+          k.public_key = OpenSSL::PKey::EC::Point.new(k.group, parts[2])
+        end
+      rescue TypeError
+        raise OpenSSL::PKey::PKeyError.new,
+              "Unknown curve identifier #{parts[1]}"
+      end
+    else
+      raise OpenSSL::PKey::PKeyError,
+            "Unknown key type #{parts.first.inspect}"
+    end
+  end
+
+  # Take the base64 string and split it into its component parts.
+  #
+  def self.ssh_key_lv_decode(s, n = nil)
+    rest = s
+
+    [].tap do |parts|
+      until rest == "" || (n && n <= 0)
+        len, rest = rest.unpack("Na*")
+        if len > rest.length
+          raise OpenSSL::PKey::PKeyError,
+                "Invalid LV-encoded string; wanted #{len} octets, but there's only #{rest.length} octets left"
+        end
+
+        elem, rest = rest.unpack("a#{len}a*")
+        parts << elem
+        n -= 1 if n
+      end
+
+      if rest != ""
+        parts << rest
+      end
+    end
+  end
+
+  # Turn an SSH "MPI" (encoded arbitrary-length integer) string into a real
+  # Ruby integer.
+  #
+  def self.ssh_key_mpi_decode(s)
+    s.each_char.inject(0) { |i, c| i * 256 + c.ord }
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: openssl-additions
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.2.1
 platform: ruby
 authors:
 - Matt Palmer
@@ -167,6 +167,7 @@ files:
 - lib/openssl/pkey.rb
 - lib/openssl/pkey/ec.rb
 - lib/openssl/pkey/rsa.rb
+- lib/openssl/ssh_pkey.rb
 - lib/openssl/x509/certificate.rb
 - lib/openssl/x509/request.rb
 - lib/openssl/x509/spki.rb