ssh_data 1.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: aaa29fd598724a11d13c32aa423fdb26944b5ed7d027b852de0fb3b6c8808f54
+  data.tar.gz: 6737375c449655f42d8f6a629065ad1e493f301e6ed118ca23a2d6b939b2516c
+SHA512:
+  metadata.gz: 43afd3056dd763d3bfbeb44e98936a6a35a97172000772bb91107a516642c384b3398127e211a792193102351fe3ab6bafcf2d4e7674c7233f7610f743f80341
+  data.tar.gz: e0cc819489d6ac78f0cdf2e3fb9d22ded46dda75e11e6275d9e47a354d951ed753434a1cacc82377b4c1ef4c3469e8df73cc82e981062c2d0476513f7e9a287d

data/LICENSE.md

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 GitHub, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/lib/ssh_data.rb

@@ -0,0 +1,36 @@
+require "openssl"
+require "base64"
+
+module SSHData
+  # Break down a key in OpenSSH authorized_keys format (see sshd(8) manual
+  # page).
+  #
+  # key - An OpenSSH formatted public key or certificate, including algo,
+  #       base64 encoded key and optional comment.
+  #
+  # Returns an Array containing the algorithm String , the raw key or
+  # certificate String and the comment String or nil.
+  def key_parts(key)
+    algo, b64, comment = key.strip.split(" ", 3)
+    if algo.nil? || b64.nil?
+      raise DecodeError, "bad data format"
+    end
+
+    raw = begin
+      Base64.strict_decode64(b64)
+    rescue ArgumentError
+      raise DecodeError, "bad data format"
+    end
+
+    [algo, raw, comment]
+  end
+
+  extend self
+end
+
+require "ssh_data/version"
+require "ssh_data/error"
+require "ssh_data/certificate"
+require "ssh_data/public_key"
+require "ssh_data/private_key"
+require "ssh_data/encoding"

data/lib/ssh_data/certificate.rb

@@ -0,0 +1,240 @@
+require "securerandom"
+require "ipaddr"
+
+module SSHData
+  class Certificate
+    # Special values for valid_before and valid_after.
+    BEGINNING_OF_TIME = Time.at(0)
+    END_OF_TIME = Time.at((2**64)-1)
+
+    # Integer certificate types
+    TYPE_USER = 1
+    TYPE_HOST = 2
+
+    # Certificate algorithm identifiers
+    ALGO_RSA      = "ssh-rsa-cert-v01@openssh.com"
+    ALGO_DSA      = "ssh-dss-cert-v01@openssh.com"
+    ALGO_ECDSA256 = "ecdsa-sha2-nistp256-cert-v01@openssh.com"
+    ALGO_ECDSA384 = "ecdsa-sha2-nistp384-cert-v01@openssh.com"
+    ALGO_ECDSA521 = "ecdsa-sha2-nistp521-cert-v01@openssh.com"
+    ALGO_ED25519  = "ssh-ed25519-cert-v01@openssh.com"
+
+    ALGOS = [
+      ALGO_RSA, ALGO_DSA, ALGO_ECDSA256, ALGO_ECDSA384, ALGO_ECDSA521,
+      ALGO_ED25519
+    ]
+
+    CRITICAL_OPTION_FORCE_COMMAND  = "force-command"
+    CRITICAL_OPTION_SOURCE_ADDRESS = "source-address"
+
+    attr_reader :algo, :nonce, :public_key, :serial, :type, :key_id,
+                :valid_principals, :valid_after, :valid_before,
+                :critical_options, :extensions, :reserved, :ca_key, :signature
+
+    # Parse an OpenSSH certificate in authorized_keys format (see sshd(8) manual
+    # page).
+    #
+    # cert              - An OpenSSH formatted certificate, including key algo,
+    #                     base64 encoded key and optional comment.
+    # unsafe_no_verify: - Bool of whether to skip verifying certificate signature
+    #                     (Default false)
+    #
+    # Returns a Certificate instance.
+    def self.parse_openssh(cert, unsafe_no_verify: false)
+      algo, raw, _ = SSHData.key_parts(cert)
+      parsed = parse_rfc4253(raw, unsafe_no_verify: unsafe_no_verify)
+
+      if parsed.algo != algo
+        raise DecodeError, "algo mismatch: #{parsed.algo.inspect}!=#{algo.inspect}"
+      end
+
+      parsed
+    end
+
+    # Deprecated
+    singleton_class.send(:alias_method, :parse, :parse_openssh)
+
+    # Parse an RFC 4253 binary SSH certificate.
+    #
+    # cert              - A RFC 4253 binary certificate String.
+    # unsafe_no_verify: - Bool of whether to skip verifying certificate
+    #                     signature (Default false)
+    #
+    # Returns a Certificate instance.
+    def self.parse_rfc4253(raw, unsafe_no_verify: false)
+      data, read = Encoding.decode_certificate(raw)
+
+      if read != raw.bytesize
+        raise DecodeError, "unexpected trailing data"
+      end
+
+      # Parse data into better types, where possible.
+      public_key = PublicKey.from_data(data.delete(:public_key))
+      ca_key     = PublicKey.from_data(data.delete(:signature_key))
+
+      new(**data.merge(public_key: public_key, ca_key: ca_key)).tap do |cert|
+        raise VerifyError unless unsafe_no_verify || cert.verify
+      end
+    end
+
+    # Intialize a new Certificate instance.
+    #
+    # algo:             - The certificate's String algorithm id (one of ALGO_RSA,
+    #                     ALGO_DSA, ALGO_ECDSA256, ALGO_ECDSA384, ALGO_ECDSA521,
+    #                     or ALGO_ED25519)
+    # nonce:            - The certificate's String nonce field.
+    # public_key:       - The certificate's public key as an PublicKey::Base
+    #                     subclass instance.
+    # serial:           - The certificate's Integer serial field.
+    # type:             - The certificate's Integer type field (one of TYPE_USER
+    #                     or TYPE_HOST).
+    # key_id:           - The certificate's String key_id field.
+    # valid_principals: - The Array of Strings valid_principles field from the
+    #                     certificate.
+    # valid_after:      - The certificate's Time valid_after field.
+    # valid_before:     - The certificate's Time valid_before field.
+    # critical_options: - The Hash critical_options field from the certificate.
+    # extensions:       - The Hash extensions field from the certificate.
+    # reserved:         - The certificate's String reserved field.
+    # ca_key:           - The issuing CA's public key as a PublicKey::Base
+    #                     subclass instance.
+    # signature:        - The certificate's String signature field.
+    #
+    # Returns nothing.
+    def initialize(public_key:, key_id:, algo: nil, nonce: nil, serial: 0, type: TYPE_USER, valid_principals: [], valid_after: BEGINNING_OF_TIME, valid_before: END_OF_TIME, critical_options: {}, extensions: {}, reserved: "", ca_key: nil, signature: "")
+      @algo = algo || Encoding::CERT_ALGO_BY_PUBLIC_KEY_ALGO[public_key.algo]
+      @nonce = nonce || SecureRandom.random_bytes(32)
+      @public_key = public_key
+      @serial = serial
+      @type = type
+      @key_id = key_id
+      @valid_principals = valid_principals
+      @valid_after = valid_after
+      @valid_before = valid_before
+      @critical_options = critical_options
+      @extensions = extensions
+      @reserved = reserved
+      @ca_key = ca_key
+      @signature = signature
+    end
+
+    # OpenSSH certificate in authorized_keys format (see sshd(8) manual page).
+    #
+    # comment - Optional String comment to append.
+    #
+    # Returns a String key.
+    def openssh(comment: nil)
+      [algo, Base64.strict_encode64(rfc4253), comment].compact.join(" ")
+    end
+
+    # RFC4253 binary encoding of the certificate.
+    #
+    # Returns a binary String.
+    def rfc4253
+      Encoding.encode_fields(
+        [:string,  algo],
+        [:string,  nonce],
+        [:raw,     public_key_without_algo],
+        [:uint64,  serial],
+        [:uint32,  type],
+        [:string,  key_id],
+        [:list,    valid_principals],
+        [:time,    valid_after],
+        [:time,    valid_before],
+        [:options, critical_options],
+        [:options, extensions],
+        [:string,  reserved],
+        [:string,  ca_key.rfc4253],
+        [:string,  signature],
+      )
+    end
+
+    # Sign this certificate with a private key.
+    #
+    # private_key - An SSHData::PrivateKey::Base subclass instance.
+    # algo:       - Optionally specify the signature algorithm to use.
+    #
+    # Returns nothing.
+    def sign(private_key, algo: nil)
+      @ca_key = private_key.public_key
+      @signature = private_key.sign(signed_data, algo: algo)
+    end
+
+    # Verify the certificate's signature.
+    #
+    # Returns boolean.
+    def verify
+      ca_key.verify(signed_data, signature)
+    end
+
+    # The force-command critical option, if present.
+    #
+    # Returns a String or nil.
+    def force_command
+      case value = critical_options[CRITICAL_OPTION_FORCE_COMMAND]
+      when String, NilClass
+        value
+      else
+        raise DecodeError, "bad force-request"
+      end
+    end
+
+    # The source-address critical option, if present.
+    #
+    # Returns an Array of IPAddr instances or nil.
+    def source_address
+      return @source_address if defined?(@source_address)
+
+      value = critical_options[CRITICAL_OPTION_SOURCE_ADDRESS]
+
+      @source_address = case value
+      when String
+        value.split(",").map do |str_addr|
+          begin
+            IPAddr.new(str_addr.strip)
+          rescue IPAddr::InvalidAddressError => e
+            raise DecodeError, "bad source-address: #{e.message}"
+          end
+        end
+      when NilClass
+        nil
+      else
+        raise DecodeError, "bad source-address"
+      end
+    end
+
+    # Check if the given IP address is allowed for use with this certificate.
+    #
+    # address - A String IP address.
+    #
+    # Returns boolean.
+    def allowed_source_address?(address)
+      return true if source_address.nil?
+      parsed_addr = IPAddr.new(address)
+      source_address.any? { |a| a.include?(parsed_addr) }
+    rescue IPAddr::InvalidAddressError
+      return false
+    end
+
+    private
+
+    # The portion of the certificate over which the signature is calculated.
+    #
+    # Returns a binary String.
+    def signed_data
+      siglen = self.signature.bytesize + 4
+      rfc4253.byteslice(0...-siglen)
+    end
+
+    # Helper for getting the RFC4253 encoded public key with the first field
+    # (the algorithm) stripped off.
+    #
+    # Returns a String.
+    def public_key_without_algo
+      key = public_key.rfc4253
+      _, algo_len = Encoding.decode_string(key)
+      key.byteslice(algo_len..-1)
+    end
+
+  end
+end

data/lib/ssh_data/encoding.rb

@@ -0,0 +1,666 @@
+module SSHData
+  module Encoding
+    # Fields in an OpenSSL private key
+    # https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key
+    OPENSSH_PRIVATE_KEY_MAGIC = "openssh-key-v1\x00"
+    OPENSSH_PRIVATE_KEY_FIELDS = [
+      [:ciphername, :string],
+      [:kdfname,    :string],
+      [:kdfoptions, :string],
+      [:nkeys,      :uint32],
+    ]
+
+    # Fields in an RSA private key
+    RSA_PRIVATE_KEY_FIELDS = [
+      [:n,       :mpint],
+      [:e,       :mpint],
+      [:d,       :mpint],
+      [:iqmp,    :mpint],
+      [:p,       :mpint],
+      [:q,       :mpint],
+    ]
+
+    # Fields in a DSA private key
+    DSA_PRIVATE_KEY_FIELDS = [
+      [:p, :mpint],
+      [:q, :mpint],
+      [:g, :mpint],
+      [:y, :mpint],
+      [:x, :mpint]
+    ]
+
+    # Fields in a ECDSA private key
+    ECDSA_PRIVATE_KEY_FIELDS = [
+      [:curve,       :string],
+      [:public_key,  :string],
+      [:private_key, :mpint],
+    ]
+
+    # Fields in a ED25519 private key
+    ED25519_PRIVATE_KEY_FIELDS = [
+      [:pk, :string],
+      [:sk, :string]
+    ]
+
+    # Fields in an RSA public key
+    RSA_KEY_FIELDS = [
+      [:e, :mpint],
+      [:n, :mpint]
+    ]
+
+    # Fields in a DSA public key
+    DSA_KEY_FIELDS = [
+      [:p, :mpint],
+      [:q, :mpint],
+      [:g, :mpint],
+      [:y, :mpint]
+    ]
+
+    # Fields in an ECDSA public key
+    ECDSA_KEY_FIELDS = [
+      [:curve,      :string],
+      [:public_key, :string]
+    ]
+
+    # Fields in a ED25519 public key
+    ED25519_KEY_FIELDS = [
+      [:pk, :string]
+    ]
+
+    PUBLIC_KEY_ALGO_BY_CERT_ALGO = {
+      Certificate::ALGO_RSA      => PublicKey::ALGO_RSA,
+      Certificate::ALGO_DSA      => PublicKey::ALGO_DSA,
+      Certificate::ALGO_ECDSA256 => PublicKey::ALGO_ECDSA256,
+      Certificate::ALGO_ECDSA384 => PublicKey::ALGO_ECDSA384,
+      Certificate::ALGO_ECDSA521 => PublicKey::ALGO_ECDSA521,
+      Certificate::ALGO_ED25519  => PublicKey::ALGO_ED25519,
+    }
+
+    CERT_ALGO_BY_PUBLIC_KEY_ALGO = {
+      PublicKey::ALGO_RSA      => Certificate::ALGO_RSA,
+      PublicKey::ALGO_DSA      => Certificate::ALGO_DSA,
+      PublicKey::ALGO_ECDSA256 => Certificate::ALGO_ECDSA256,
+      PublicKey::ALGO_ECDSA384 => Certificate::ALGO_ECDSA384,
+      PublicKey::ALGO_ECDSA521 => Certificate::ALGO_ECDSA521,
+      PublicKey::ALGO_ED25519  => Certificate::ALGO_ED25519,
+    }
+
+    KEY_FIELDS_BY_PUBLIC_KEY_ALGO = {
+      PublicKey::ALGO_RSA      => RSA_KEY_FIELDS,
+      PublicKey::ALGO_DSA      => DSA_KEY_FIELDS,
+      PublicKey::ALGO_ECDSA256 => ECDSA_KEY_FIELDS,
+      PublicKey::ALGO_ECDSA384 => ECDSA_KEY_FIELDS,
+      PublicKey::ALGO_ECDSA521 => ECDSA_KEY_FIELDS,
+      PublicKey::ALGO_ED25519  => ED25519_KEY_FIELDS,
+    }
+
+    KEY_FIELDS_BY_PRIVATE_KEY_ALGO = {
+      PublicKey::ALGO_RSA      => RSA_PRIVATE_KEY_FIELDS,
+      PublicKey::ALGO_DSA      => DSA_PRIVATE_KEY_FIELDS,
+      PublicKey::ALGO_ECDSA256 => ECDSA_PRIVATE_KEY_FIELDS,
+      PublicKey::ALGO_ECDSA384 => ECDSA_PRIVATE_KEY_FIELDS,
+      PublicKey::ALGO_ECDSA521 => ECDSA_PRIVATE_KEY_FIELDS,
+      PublicKey::ALGO_ED25519  => ED25519_PRIVATE_KEY_FIELDS,
+    }
+
+    # Get the type from a PEM encoded blob.
+    #
+    # pem - A PEM encoded String.
+    #
+    # Returns a String PEM type.
+    def pem_type(pem)
+      head = pem.split("\n", 2).first.strip
+
+      head_prefix = "-----BEGIN "
+      head_suffix = "-----"
+
+      unless head.start_with?(head_prefix) && head.end_with?(head_suffix)
+        raise DecodeError, "bad PEM encoding"
+      end
+
+      type_size = head.bytesize - head_prefix.bytesize - head_suffix.bytesize
+
+      head.byteslice(head_prefix.bytesize, type_size)
+    end
+
+    # Get the raw data from a PEM encoded blob.
+    #
+    # pem  - The PEM encoded String to decode.
+    # type - The String PEM type we're expecting.
+    #
+    # Returns the decoded String.
+    def decode_pem(pem, type)
+      lines = pem.split("\n").map(&:strip)
+
+      unless lines.shift == "-----BEGIN #{type}-----"
+        raise DecodeError, "bad PEM header"
+      end
+
+      unless lines.pop == "-----END #{type}-----"
+        raise DecodeError, "bad PEM footer"
+      end
+
+      begin
+        Base64.strict_decode64(lines.join)
+      rescue ArgumentError
+        raise DecodeError, "bad PEM data"
+      end
+    end
+
+    # Decode an OpenSSH private key.
+    #
+    # raw - The binary String private key.
+    #
+    # Returns an Array containing a Hash describing the private key and the
+    # Integer number of bytes read.
+    def decode_openssh_private_key(raw)
+      total_read = 0
+
+      magic = raw.byteslice(total_read, OPENSSH_PRIVATE_KEY_MAGIC.bytesize)
+      unless magic == OPENSSH_PRIVATE_KEY_MAGIC
+        raise DecodeError, "bad OpenSSH private key"
+      end
+      total_read += OPENSSH_PRIVATE_KEY_MAGIC.bytesize
+
+      data, read = decode_fields(raw, OPENSSH_PRIVATE_KEY_FIELDS, total_read)
+      total_read += read
+
+      # TODO: add support for encrypted private keys
+      unless data[:ciphername] == "none" && data[:kdfname] == "none"
+        raise DecryptError, "cannot decode encrypted private keys"
+      end
+
+      data[:public_keys], read = decode_n_strings(raw, total_read, data[:nkeys])
+      total_read += read
+
+      privs, read = decode_string(raw, total_read)
+      total_read += read
+
+      privs_read = 0
+
+      data[:checkint1], read = decode_uint32(privs, privs_read)
+      privs_read += read
+
+      data[:checkint2], read = decode_uint32(privs, privs_read)
+      privs_read += read
+
+      unless data[:checkint1] == data[:checkint2]
+        raise DecryptError, "bad private key checksum"
+      end
+
+      data[:private_keys] = data[:nkeys].times.map do
+        algo, read = decode_string(privs, privs_read)
+        privs_read += read
+
+        unless fields = KEY_FIELDS_BY_PRIVATE_KEY_ALGO[algo]
+          raise AlgorithmError, "unknown algorithm: #{algo.inspect}"
+        end
+
+        priv_data, read = decode_fields(privs, fields, privs_read)
+        privs_read += read
+
+        comment, read = decode_string(privs, privs_read)
+        privs_read += read
+
+        priv_data.merge(algo: algo, comment: comment)
+      end
+
+      # padding at end is bytes 1, 2, 3, 4, etc...
+      data[:padding] = privs.byteslice(privs_read..-1)
+      unless data[:padding].bytes.each_with_index.all? { |b, i| b == (i + 1) % 255 }
+        raise DecodeError, "bad padding: #{data[:padding].inspect}"
+      end
+
+      [data, total_read]
+    end
+
+    # Decode the signature.
+    #
+    # raw    - The binary String signature as described by RFC4253 section 6.6.
+    # offset - Integer number of bytes into `raw` at which we should start
+    #          reading.
+    #
+    # Returns an Array containing the decoded algorithm String, the decoded binary
+    # signature String, and the Integer number of bytes read.
+    def decode_signature(raw, offset=0)
+      total_read = 0
+
+      algo, read = decode_string(raw, offset + total_read)
+      total_read += read
+
+      sig, read = decode_string(raw, offset + total_read)
+      total_read += read
+
+      [algo, sig, total_read]
+    end
+
+    # Encoding a signature.
+    #
+    # algo       - The String signature algorithm.
+    # signature  - The String signature blob.
+    #
+    # Returns an encoded String.
+    def encode_signature(algo, signature)
+      encode_string(algo) + encode_string(signature)
+    end
+
+    # Decode the fields in a public key.
+    #
+    # raw    - Binary String public key as described by RFC4253 section 6.6.
+    # algo   - String public key algorithm identifier (optional).
+    # offset - Integer number of bytes into `raw` at which we should start
+    #          reading.
+    #
+    # Returns an Array containing a Hash describing the public key and the
+    # Integer number of bytes read.
+    def decode_public_key(raw, offset=0, algo=nil)
+      total_read = 0
+
+      if algo.nil?
+        algo, read = decode_string(raw, offset + total_read)
+        total_read += read
+      end
+
+      unless fields = KEY_FIELDS_BY_PUBLIC_KEY_ALGO[algo]
+        raise AlgorithmError, "unknown algorithm: #{algo.inspect}"
+      end
+
+      data, read = decode_fields(raw, fields, offset + total_read)
+      total_read += read
+
+      data[:algo] = algo
+
+      [data, total_read]
+    end
+
+    # Decode the fields in a public key encoded as an SSH string.
+    #
+    # raw    - Binary public key as described by RFC4253 section 6.6 wrapped in
+    #          an SSH string..
+    # algo   - String public key algorithm identifier (optional).
+    # offset - Integer number of bytes into `raw` at which we should start
+    #          reading.
+    #
+    # Returns an Array containing a Hash describing the public key and the
+    # Integer number of bytes read.
+    def decode_string_public_key(raw, offset=0, algo=nil)
+      key_raw, str_read = decode_string(raw, offset)
+      key, cert_read = decode_public_key(key_raw, 0, algo)
+
+      if cert_read != key_raw.bytesize
+        raise DecodeError, "unexpected trailing data"
+      end
+
+      [key, str_read]
+    end
+
+    # Decode the fields in a certificate.
+    #
+    # raw    - Binary String certificate as described by RFC4253 section 6.6.
+    # offset - Integer number of bytes into `raw` at which we should start
+    #          reading.
+    #
+    # Returns an Array containing a Hash describing the certificate and the
+    # Integer number of bytes read.
+    def decode_certificate(raw, offset=0)
+      total_read = 0
+
+      algo, read = decode_string(raw, offset + total_read)
+      total_read += read
+
+      unless key_algo = PUBLIC_KEY_ALGO_BY_CERT_ALGO[algo]
+        raise AlgorithmError, "unknown algorithm: #{algo.inspect}"
+      end
+
+      data, read = decode_fields(raw, [
+        [:nonce,            :string],
+        [:public_key,       :public_key, key_algo],
+        [:serial,           :uint64],
+        [:type,             :uint32],
+        [:key_id,           :string],
+        [:valid_principals, :list],
+        [:valid_after,      :time],
+        [:valid_before,     :time],
+        [:critical_options, :options],
+        [:extensions,       :options],
+        [:reserved,         :string],
+        [:signature_key,    :string_public_key],
+        [:signature,        :string],
+      ], offset + total_read)
+      total_read += read
+
+      data[:algo] = algo
+
+      [data, total_read]
+    end
+
+    # Decode all of the given fields from raw.
+    #
+    # raw    - A binary String.
+    # fields - An Array of Arrays, each containing a symbol describing the field
+    #          and a Symbol describing the type of the field (:mpint, :string,
+    #          :uint64, or :uint32).
+    # offset - The offset into raw at which to read (default 0).
+    #
+    # Returns an Array containing a Hash mapping the provided field keys to the
+    # decoded values and the Integer number of bytes read.
+    def decode_fields(raw, fields, offset=0)
+      hash = {}
+      total_read = 0
+
+      fields.each do |key, type, *args|
+        hash[key], read = case type
+        when :string
+          decode_string(raw, offset + total_read, *args)
+        when :list
+          decode_list(raw, offset + total_read, *args)
+        when :mpint
+          decode_mpint(raw, offset + total_read, *args)
+        when :time
+          decode_time(raw, offset + total_read, *args)
+        when :uint64
+          decode_uint64(raw, offset + total_read, *args)
+        when :uint32
+          decode_uint32(raw, offset + total_read, *args)
+        when :public_key
+          decode_public_key(raw, offset + total_read, *args)
+        when :string_public_key
+          decode_string_public_key(raw, offset + total_read, *args)
+        when :options
+          decode_options(raw, offset + total_read, *args)
+        else
+          raise DecodeError
+        end
+        total_read += read
+      end
+
+      [hash, total_read]
+    end
+
+    # Encode the series of fiends into a binary string.
+    #
+    # fields - A series of Arrays, each containing a Symbol type and a value to
+    #          encode.
+    #
+    # Returns a binary String.
+    def encode_fields(*fields)
+      fields.map do |type, value|
+        case type
+        when :raw
+          value
+        when :string
+          encode_string(value)
+        when :list
+          encode_list(value)
+        when :mpint
+          encode_mpint(value)
+        when :time
+          encode_time(value)
+        when :uint64
+          encode_uint64(value)
+        when :uint32
+          encode_uint32(value)
+        when :options
+          encode_options(value)
+        else
+          raise DecodeError, "bad type: #{type}"
+        end
+      end.join
+    end
+
+    # Read a string out of the provided raw data.
+    #
+    # raw    - A binary String.
+    # offset - The offset into raw at which to read (default 0).
+    #
+    # Returns an Array including the decoded String and the Integer number of
+    # bytes read.
+    def decode_string(raw, offset=0)
+      if raw.bytesize < offset + 4
+        raise DecodeError, "data too short"
+      end
+
+      size_s = raw.byteslice(offset, 4)
+
+      size = size_s.unpack("L>").first
+
+      if raw.bytesize < offset + 4 + size
+        raise DecodeError, "data too short"
+      end
+
+      string = raw.byteslice(offset + 4, size)
+
+      [string, 4 + size]
+    end
+
+    # Encoding a string.
+    #
+    # value - The String value to encode.
+    #
+    # Returns an encoded representation of the String.
+    def encode_string(value)
+      [value.bytesize, value].pack("L>A*")
+    end
+
+    # Read a series of strings out of the provided raw data.
+    #
+    # raw    - A binary String.
+    # offset - The offset into raw at which to read (default 0).
+    #
+    # Returns an Array including the Array of decoded Strings and the Integer
+    # number of bytes read.
+    def decode_list(raw, offset=0)
+      list_raw, str_read = decode_string(raw, offset)
+
+      list_read = 0
+      list = []
+
+      while list_raw.bytesize > list_read
+        value, read = decode_string(list_raw, list_read)
+        list << value
+        list_read += read
+      end
+
+      if list_read != list_raw.bytesize
+        raise DecodeError, "bad strings list"
+      end
+
+      [list, str_read]
+    end
+
+    # Encode a list of strings.
+    #
+    # value - The Array of Strings to encode.
+    #
+    # Returns an encoded representation of the list.
+    def encode_list(value)
+      encode_string(value.map { |s| encode_string(s) }.join)
+    end
+
+        # Read a multi-precision integer from the provided raw data.
+    #
+    # raw    - A binary String.
+    # offset - The offset into raw at which to read (default 0).
+    #
+    # Returns an Array including the decoded mpint as an OpenSSL::BN and the
+    # Integer number of bytes read.
+    def decode_mpint(raw, offset=0)
+      if raw.bytesize < offset + 4
+        raise DecodeError, "data too short"
+      end
+
+      str_size_s = raw.byteslice(offset, 4)
+      str_size = str_size_s.unpack("L>").first
+      mpi_size = str_size + 4
+
+      if raw.bytesize < offset + mpi_size
+        raise DecodeError, "data too short"
+      end
+
+      mpi_s = raw.slice(offset, mpi_size)
+
+      # This calls OpenSSL's BN_mpi2bn() function. As far as I can tell, this
+      # matches up with with MPI type defined in RFC4251 Section 5 with the
+      # exception that OpenSSL doesn't enforce minimal length. We could enforce
+      # this ourselves, but it doesn't seem worth the added complexity.
+      mpi = OpenSSL::BN.new(mpi_s, 0)
+
+      [mpi, mpi_size]
+    end
+
+    # Encode a BN as an mpint.
+    #
+    # value - The OpenSSL::BN value to encode.
+    #
+    # Returns an encoded representation of the BN.
+    def encode_mpint(value)
+      value.to_s(0)
+    end
+
+    # Read a time from the provided raw data.
+    #
+    # raw    - A binary String.
+    # offset - The offset into raw at which to read (default 0).
+    #
+    # Returns an Array including the decoded Time and the Integer number of
+    # bytes read.
+    def decode_time(raw, offset=0)
+      time_raw, read = decode_uint64(raw, offset)
+      [Time.at(time_raw), read]
+    end
+
+    # Encode a time.
+    #
+    # value - The Time value to encode.
+    #
+    # Returns an encoded representation of the Time.
+    def encode_time(value)
+      encode_uint64(value.to_i)
+    end
+
+    # Read the specified number of strings out of the provided raw data.
+    #
+    # raw    - A binary String.
+    # offset - The offset into raw at which to read (default 0).
+    # n      - The Integer number of Strings to read.
+    #
+    # Returns an Array including the Array of decoded Strings and the Integer
+    # number of bytes read.
+    def decode_n_strings(raw, offset=0, n)
+      total_read = 0
+      strs = []
+
+      n.times do |i|
+        strs[i], read = decode_string(raw, offset + total_read)
+        total_read += read
+      end
+
+      [strs, total_read]
+    end
+
+    # Read a series of key/value pairs out of the provided raw data.
+    #
+    # raw    - A binary String.
+    # offset - The offset into raw at which to read (default 0).
+    #
+    # Returns an Array including the Hash of decoded keys/values and the Integer
+    # number of bytes read.
+    def decode_options(raw, offset=0)
+      opts_raw, str_read = decode_string(raw, offset)
+
+      opts_read = 0
+      opts = {}
+
+      while opts_raw.bytesize > opts_read
+        key, read = decode_string(opts_raw, opts_read)
+        opts_read += read
+
+        value_raw, read = decode_string(opts_raw, opts_read)
+        opts_read += read
+
+        if value_raw.bytesize > 0
+          opts[key], read = decode_string(value_raw)
+          if read != value_raw.bytesize
+            raise DecodeError, "bad options data"
+          end
+        else
+          opts[key] = true
+        end
+      end
+
+      if opts_read != opts_raw.bytesize
+        raise DecodeError, "bad options"
+      end
+
+      [opts, str_read]
+    end
+
+    # Encode series of key/value pairs.
+    #
+    # value - The Hash value to encode.
+    #
+    # Returns an encoded representation of the Hash.
+    def encode_options(value)
+      opts_raw = value.reduce("") do |encoded, (key, value)|
+        value_str = value == true ? "" : encode_string(value)
+        encoded + encode_string(key) + encode_string(value_str)
+      end
+
+      encode_string(opts_raw)
+    end
+
+    # Read a uint64 from the provided raw data.
+    #
+    # raw    - A binary String.
+    # offset - The offset into raw at which to read (default 0).
+    #
+    # Returns an Array including the decoded uint64 as an Integer and the
+    # Integer number of bytes read.
+    def decode_uint64(raw, offset=0)
+      if raw.bytesize < offset + 8
+        raise DecodeError, "data too short"
+      end
+
+      uint64 = raw.byteslice(offset, 8).unpack("Q>").first
+
+      [uint64, 8]
+    end
+
+    # Encoding an integer as a uint64.
+    #
+    # value - The Integer value to encode.
+    #
+    # Returns an encoded representation of the value.
+    def encode_uint64(value)
+      [value].pack("Q>")
+    end
+
+    # Read a uint32 from the provided raw data.
+    #
+    # raw    - A binary String.
+    # offset - The offset into raw at which to read (default 0).
+    #
+    # Returns an Array including the decoded uint32 as an Integer and the
+    # Integer number of bytes read.
+    def decode_uint32(raw, offset=0)
+      if raw.bytesize < offset + 4
+        raise DecodeError, "data too short"
+      end
+
+      uint32 = raw.byteslice(offset, 4).unpack("L>").first
+
+      [uint32, 4]
+    end
+
+    # Encoding an integer as a uint32.
+    #
+    # value - The Integer value to encode.
+    #
+    # Returns an encoded representation of the value.
+    def encode_uint32(value)
+      [value].pack("L>")
+    end
+
+    extend self
+  end
+end