ssh_data 1.1.0

data/lib/ssh_data/error.rb

@@ -0,0 +1,7 @@
+module SSHData
+  Error          = Class.new(StandardError)
+  DecodeError    = Class.new(Error)
+  VerifyError    = Class.new(Error)
+  AlgorithmError = Class.new(Error)
+  DecryptError   = Class.new(Error)
+end

data/lib/ssh_data/private_key.rb

@@ -0,0 +1,73 @@
+module SSHData
+  module PrivateKey
+    OPENSSH_PEM_TYPE   = "OPENSSH PRIVATE KEY"
+    RSA_PEM_TYPE       = "RSA PRIVATE KEY"
+    DSA_PEM_TYPE       = "DSA PRIVATE KEY"
+    ECDSA_PEM_TYPE     = "EC PRIVATE KEY"
+    ENCRYPTED_PEM_TYPE = "ENCRYPTED PRIVATE KEY"
+
+    # Parse an SSH private key.
+    #
+    # key - A PEM or OpenSSH encoded private key.
+    #
+    # Returns an Array of PrivateKey::Base subclass instances.
+    def self.parse(key)
+      pem_type = Encoding.pem_type(key)
+      case pem_type
+      when OPENSSH_PEM_TYPE
+        parse_openssh(key)
+      when RSA_PEM_TYPE
+        [RSA.from_openssl(OpenSSL::PKey::RSA.new(key, ""))]
+      when DSA_PEM_TYPE
+        [DSA.from_openssl(OpenSSL::PKey::DSA.new(key, ""))]
+      when ECDSA_PEM_TYPE
+        [ECDSA.from_openssl(OpenSSL::PKey::EC.new(key, ""))]
+      when ENCRYPTED_PEM_TYPE
+        raise DecryptError, "cannot decode encrypted private keys"
+      else
+        raise AlgorithmError, "unknown PEM type: #{pem_type.inspect}"
+      end
+    rescue OpenSSL::PKey::PKeyError => e
+      raise DecodeError, "bad private key. maybe encrypted?"
+    end
+
+    # Parse an OpenSSH formatted private key.
+    #
+    # key - An OpenSSH encoded private key.
+    #
+    # Returns an Array of PrivateKey::Base subclass instances.
+    def self.parse_openssh(key)
+      raw = Encoding.decode_pem(key, OPENSSH_PEM_TYPE)
+
+      data, read = Encoding.decode_openssh_private_key(raw)
+      unless read == raw.bytesize
+        raise DecodeError, "unexpected trailing data"
+      end
+
+      from_data(data)
+    end
+
+    def self.from_data(data)
+      data[:private_keys].map do |priv|
+        case priv[:algo]
+        when PublicKey::ALGO_RSA
+          RSA.new(**priv)
+        when PublicKey::ALGO_DSA
+          DSA.new(**priv)
+        when PublicKey::ALGO_ECDSA256, PublicKey::ALGO_ECDSA384, PublicKey::ALGO_ECDSA521
+          ECDSA.new(**priv)
+        when PublicKey::ALGO_ED25519
+          ED25519.new(**priv)
+        else
+          raise DecodeError, "unkown algo: #{priv[:algo].inspect}"
+        end
+      end
+    end
+  end
+end
+
+require "ssh_data/private_key/base"
+require "ssh_data/private_key/rsa"
+require "ssh_data/private_key/dsa"
+require "ssh_data/private_key/ecdsa"
+require "ssh_data/private_key/ed25519"

data/lib/ssh_data/private_key/base.rb

@@ -0,0 +1,39 @@
+module SSHData
+  module PrivateKey
+    class Base
+      attr_reader :algo, :comment, :public_key
+
+      def initialize(**kwargs)
+        @algo = kwargs[:algo]
+        @comment = kwargs[:comment]
+      end
+
+      # Generate a new private key.
+      #
+      # Returns a PublicKey::Base subclass instance.
+      def self.generate(**kwargs)
+        raise "implement me"
+      end
+
+      # Make an SSH signature.
+      #
+      # signed_data - The String message over which to calculated the signature.
+      # algo:       - Optionally specify the signature algorithm to use.
+      #
+      # Returns a binary String signature.
+      def sign(signed_data, algo: nil)
+        raise "implement me"
+      end
+
+      # Issue a certificate using this private key.
+      #
+      # signature_algo: - Optionally specify the signature algorithm to use.
+      # kwargs          - See SSHData::Certificate.new.
+      #
+      # Returns a SSHData::Certificate instance.
+      def issue_certificate(signature_algo: nil, **kwargs)
+        Certificate.new(**kwargs).tap { |c| c.sign(self, algo: signature_algo) }
+      end
+    end
+  end
+end

data/lib/ssh_data/private_key/dsa.rb

@@ -0,0 +1,75 @@
+  module SSHData
+  module PrivateKey
+    class DSA < Base
+      attr_reader :p, :q, :g, :x, :y, :openssl
+
+      # Generate a new private key.
+      #
+      # Returns a PublicKey::Base subclass instance.
+      def self.generate
+        from_openssl(OpenSSL::PKey::DSA.generate(1024))
+      end
+
+      # Import an openssl private key.
+      #
+      # key - An OpenSSL::PKey::DSA instance.
+      #
+      # Returns a DSA instance.
+      def self.from_openssl(key)
+        new(
+          algo: PublicKey::ALGO_DSA,
+          p: key.params["p"],
+          q: key.params["q"],
+          g: key.params["g"],
+          y: key.params["pub_key"],
+          x: key.params["priv_key"],
+          comment: "",
+        )
+      end
+
+      def initialize(algo:, p:, q:, g:, x:, y:, comment:)
+        unless algo == PublicKey::ALGO_DSA
+          raise DecodeError, "bad algorithm: #{algo.inspect}"
+        end
+
+        @p = p
+        @q = q
+        @g = g
+        @x = x
+        @y = y
+
+        super(algo: algo, comment: comment)
+
+        @openssl = OpenSSL::PKey::DSA.new(asn1.to_der)
+
+        @public_key = PublicKey::DSA.new(algo: algo, p: p, q: q, g: g, y: y)
+      end
+
+      # Make an SSH signature.
+      #
+      # signed_data - The String message over which to calculated the signature.
+      #
+      # Returns a binary String signature.
+      def sign(signed_data, algo: nil)
+        algo ||= self.algo
+        raise AlgorithmError unless algo == self.algo
+        openssl_sig = openssl.sign(OpenSSL::Digest::SHA1.new, signed_data)
+        raw_sig = PublicKey::DSA.ssh_signature(openssl_sig)
+        Encoding.encode_signature(algo, raw_sig)
+      end
+
+      private
+
+      def asn1
+        OpenSSL::ASN1::Sequence.new([
+          OpenSSL::ASN1::Integer.new(0),
+          OpenSSL::ASN1::Integer.new(p),
+          OpenSSL::ASN1::Integer.new(q),
+          OpenSSL::ASN1::Integer.new(g),
+          OpenSSL::ASN1::Integer.new(y),
+          OpenSSL::ASN1::Integer.new(x),
+        ])
+      end
+    end
+  end
+end

data/lib/ssh_data/private_key/ecdsa.rb

@@ -0,0 +1,95 @@
+module SSHData
+  module PrivateKey
+    class ECDSA < Base
+      attr_reader :curve, :public_key_bytes, :private_key_bytes, :openssl
+
+      # Generate a new private key.
+      #
+      # curve - The String curve to use. One of SSHData::PublicKey::NISTP256,
+      #         SSHData::PublicKey::NISTP384, or SSHData::PublicKey::NISTP521.
+      #
+      # Returns a PublicKey::Base subclass instance.
+      def self.generate(curve)
+        openssl_curve = PublicKey::ECDSA::OPENSSL_CURVE_NAME_FOR_CURVE[curve]
+        raise AlgorithmError, "unknown curve: #{curve}" if openssl_curve.nil?
+
+        openssl_key = OpenSSL::PKey::EC.new(openssl_curve).tap(&:generate_key)
+        from_openssl(openssl_key)
+      end
+
+      # Import an openssl private key.
+      #
+      # key - An OpenSSL::PKey::EC instance.
+      #
+      # Returns a DSA instance.
+      def self.from_openssl(key)
+        curve = PublicKey::ECDSA::CURVE_FOR_OPENSSL_CURVE_NAME[key.group.curve_name]
+        algo = "ecdsa-sha2-#{curve}"
+
+        new(
+          algo: algo,
+          curve: curve,
+          public_key: key.public_key.to_bn.to_s(2),
+          private_key: key.private_key,
+          comment: "",
+        )
+      end
+
+      def initialize(algo:, curve:, public_key:, private_key:, comment:)
+        unless [PublicKey::ALGO_ECDSA256, PublicKey::ALGO_ECDSA384, PublicKey::ALGO_ECDSA521].include?(algo)
+          raise DecodeError, "bad algorithm: #{algo.inspect}"
+        end
+
+        unless algo == "ecdsa-sha2-#{curve}"
+          raise DecodeError, "bad curve: #{curve.inspect}"
+        end
+
+        @curve = curve
+        @public_key_bytes = public_key
+        @private_key_bytes = private_key
+
+        super(algo: algo, comment: comment)
+
+        @openssl = begin
+          OpenSSL::PKey::EC.new(asn1.to_der)
+        rescue ArgumentError
+          raise DecodeError, "bad key data"
+        end
+
+        @public_key = PublicKey::ECDSA.new(
+          algo: algo,
+          curve: curve,
+          public_key: public_key_bytes
+        )
+      end
+
+      # Make an SSH signature.
+      #
+      # signed_data - The String message over which to calculated the signature.
+      #
+      # Returns a binary String signature.
+      def sign(signed_data, algo: nil)
+        algo ||= self.algo
+        raise AlgorithmError unless algo == self.algo
+        openssl_sig = openssl.sign(public_key.digest.new, signed_data)
+        raw_sig = PublicKey::ECDSA.ssh_signature(openssl_sig)
+        Encoding.encode_signature(algo, raw_sig)
+      end
+
+      private
+
+      def asn1
+        unless name = PublicKey::ECDSA::OPENSSL_CURVE_NAME_FOR_CURVE[curve]
+          raise DecodeError, "unknown curve: #{curve.inspect}"
+        end
+
+        OpenSSL::ASN1::Sequence.new([
+          OpenSSL::ASN1::Integer.new(1),
+          OpenSSL::ASN1::OctetString.new(private_key_bytes.to_s(2)),
+          OpenSSL::ASN1::ObjectId.new(name, 0, :EXPLICIT, :CONTEXT_SPECIFIC),
+          OpenSSL::ASN1::BitString.new(public_key_bytes, 1, :EXPLICIT, :CONTEXT_SPECIFIC)
+        ])
+      end
+    end
+  end
+end

data/lib/ssh_data/private_key/ed25519.rb

@@ -0,0 +1,68 @@
+module SSHData
+  module PrivateKey
+    class ED25519 < Base
+      attr_reader :pk, :sk, :ed25519_key
+
+      # Generate a new private key.
+      #
+      # Returns a PublicKey::Base subclass instance.
+      def self.generate
+        PublicKey::ED25519.ed25519_gem_required!
+        from_ed25519(Ed25519::SigningKey.generate)
+      end
+
+      # Create from a ::Ed25519::SigningKey instance.
+      #
+      # key - A ::Ed25519::SigningKey instance.
+      #
+      # Returns a ED25519 instance.
+      def self.from_ed25519(key)
+        new(
+          algo: PublicKey::ALGO_ED25519,
+          pk: key.verify_key.to_bytes,
+          sk: key.to_bytes + key.verify_key.to_bytes,
+          comment: "",
+        )
+      end
+
+      def initialize(algo:, pk:, sk:, comment:)
+        unless algo == PublicKey::ALGO_ED25519
+          raise DecodeError, "bad algorithm: #{algo.inspect}"
+        end
+
+        # openssh stores the pk twice, once as half of the sk...
+        if sk.bytesize != 64 || sk.byteslice(32, 32) != pk
+          raise DecodeError, "bad sk"
+        end
+
+        @pk = pk
+        @sk = sk
+
+        super(algo: algo, comment: comment)
+
+        if PublicKey::ED25519.enabled?
+          @ed25519_key = Ed25519::SigningKey.new(sk.byteslice(0, 32))
+
+          if @ed25519_key.verify_key.to_bytes != pk
+            raise DecodeError, "bad pk"
+          end
+        end
+
+        @public_key = PublicKey::ED25519.new(algo: algo, pk: pk)
+      end
+
+      # Make an SSH signature.
+      #
+      # signed_data - The String message over which to calculated the signature.
+      #
+      # Returns a binary String signature.
+      def sign(signed_data, algo: nil)
+        PublicKey::ED25519.ed25519_gem_required!
+        algo ||= self.algo
+        raise AlgorithmError unless algo == self.algo
+        raw_sig = ed25519_key.sign(signed_data)
+        Encoding.encode_signature(algo, raw_sig)
+      end
+    end
+  end
+end

data/lib/ssh_data/private_key/rsa.rb

@@ -0,0 +1,106 @@
+module SSHData
+  module PrivateKey
+    class RSA < Base
+      attr_reader :n, :e, :d, :iqmp, :p, :q, :openssl
+
+
+      # Generate a new private key.
+      #
+      # size                    - The Integer key size to generate.
+      # unsafe_allow_small_key: - Bool of whether to allow keys of less than
+      #                           2048 bits.
+      #
+      # Returns a PublicKey::Base subclass instance.
+      def self.generate(size, unsafe_allow_small_key: false)
+        unless size >= 2048 || unsafe_allow_small_key
+          raise AlgorithmError, "key too small"
+        end
+
+        from_openssl(OpenSSL::PKey::RSA.generate(size))
+      end
+
+      # Import an openssl private key.
+      #
+      # key - An OpenSSL::PKey::DSA instance.
+      #
+      # Returns a DSA instance.
+      def self.from_openssl(key)
+        new(
+          algo: PublicKey::ALGO_RSA,
+          n: key.params["n"],
+          e: key.params["e"],
+          d: key.params["d"],
+          iqmp: key.params["iqmp"],
+          p: key.params["p"],
+          q: key.params["q"],
+          comment: "",
+        )
+      end
+
+      def initialize(algo:, n:, e:, d:, iqmp:, p:, q:, comment:)
+        unless algo == PublicKey::ALGO_RSA
+          raise DecodeError, "bad algorithm: #{algo.inspect}"
+        end
+
+        @n = n
+        @e = e
+        @d = d
+        @iqmp = iqmp
+        @p = p
+        @q = q
+
+        super(algo: algo, comment: comment)
+
+        @openssl = OpenSSL::PKey::RSA.new(asn1.to_der)
+
+        @public_key = PublicKey::RSA.new(algo: algo, e: e, n: n)
+      end
+
+      # Make an SSH signature.
+      #
+      # signed_data - The String message over which to calculated the signature.
+      #
+      # Returns a binary String signature.
+      def sign(signed_data, algo: nil)
+        algo ||= self.algo
+        digest = PublicKey::RSA::ALGO_DIGESTS[algo]
+        raise AlgorithmError if digest.nil?
+        raw_sig = openssl.sign(digest.new, signed_data)
+        Encoding.encode_signature(algo, raw_sig)
+      end
+
+      private
+
+      # CRT coefficient for faster RSA operations. Used by OpenSSL, but not
+      # OpenSSH.
+      #
+      # Returns an OpenSSL::BN instance.
+      def dmp1
+        d % (p - 1)
+      end
+
+      # CRT coefficient for faster RSA operations. Used by OpenSSL, but not
+      # OpenSSH.
+      #
+      # Returns an OpenSSL::BN instance.
+      def dmq1
+        d % (q - 1)
+      end
+
+      def asn1
+        OpenSSL::ASN1::Sequence.new([
+          OpenSSL::ASN1::Integer.new(0),
+          OpenSSL::ASN1::Integer.new(n),
+          OpenSSL::ASN1::Integer.new(e),
+          OpenSSL::ASN1::Integer.new(d),
+          OpenSSL::ASN1::Integer.new(p),
+          OpenSSL::ASN1::Integer.new(q),
+          OpenSSL::ASN1::Integer.new(dmp1),
+          OpenSSL::ASN1::Integer.new(dmq1),
+          OpenSSL::ASN1::Integer.new(iqmp),
+        ])
+      end
+
+    end
+  end
+end