sshkey 1.9.0 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: e557b4605e1f00d77de9e7b939f79a5ba9601cdf
-  data.tar.gz: 6764a84f581a544e0adea8958731eb01bd35a550
+SHA256:
+  metadata.gz: 9e933102cbc9909bfcb4564475ef8ea53427869b58c424405a588c954f3f737c
+  data.tar.gz: 415a21ff41613ba75ce07dab568f8560c9b3b83b0b3e7cac015f4238f20420b0
 SHA512:
-  metadata.gz: dd96a9bacc99265e0f211b40a4c0d4a860ed4f6e5ffb7197277f5fdf11800776f6dbf687288b4c2b4bf3829e02273b2dcaa7b5c8fec662fda8b695b6f5861c5c
-  data.tar.gz: 8d68590c6f42a5d3868eaa0c39a8880c8c2666c5f63ac9d53df9cee0cba7f7827a3f3f3343166adecdca88e05de7599b0c7c163327ca12f72f3f04f2a0e0b965
+  metadata.gz: 5867e989c0296a84807b9cf52e2d0512f3083c12f07a82fb8f9bca1bf475e38fd658132d5cbd91df03cee83114665c325f1a58e4c195b037f08f8feb648c188f
+  data.tar.gz: b314c5762fbe08f6e95ba8d18d01e6a51ef25656cd3797de8e3d2065d1066768656ac8c1ac030379672b2ed27d3672e5cbbcdc6d499fd90f7e35ba4b356f25b2

data/.github/workflows/ci.yml

@@ -0,0 +1,25 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: ["2.5", "2.6", "2.7", "3.0", "3.1", "3.2", "3.3", jruby-9.3, jruby-9.4]
+    steps:
+    - uses: actions/checkout@v3
+    - uses: ruby/setup-ruby@v1
+      with:
+        bundler-cache: true
+        ruby-version: ${{ matrix.ruby }}
+    - run: bundle exec rake

data/Gemfile

@@ -1,7 +1,5 @@
 source "https://rubygems.org"
 
-gem "jruby-openssl", ">= 0.8.2", :platforms => :jruby
-gem "rubysl", "~> 2.0.15", :platforms => :rbx
-gem "rubysl-test-unit", "~> 2.0.3", :platforms => :rbx
+gem "jruby-openssl", ">= 0.8.2", platform: :jruby
 
 gemspec

data/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2011-2016 James Miller
+Copyright (c) 2011-2023 James Miller
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.md

@@ -1,22 +1,20 @@
 # SSHKey
 
-Generate private and public SSH keys (RSA and DSA supported) using pure Ruby.
-
-[![Build Status](https://secure.travis-ci.org/bensie/sshkey.svg?branch=master)](http://travis-ci.org/bensie/sshkey)
+Generate private and public SSH keys (RSA, DSA, and ECDSA supported) using pure Ruby.
 
 ## Requirements
 
-Tested / supported on CRuby 1.9.3+ and JRuby.
+Tested / supported on CRuby 2.5+ and JRuby.
 
 ## Installation
 
-	gem install sshkey
+    gem install sshkey
 
 ## Usage
 
 ### Generate a new key
 
-When generating a new keypair the default key type is 2048-bit RSA, but you can supply the `type` (RSA or DSA) and `bits` in the options.
+When generating a new keypair the default key type is 2048-bit RSA, but you can supply the `type` (RSA or DSA or ECDSA) and `bits` in the options.
 You can also (optionally) supply a `comment` or `passphrase`.
 
 ```ruby
@@ -32,17 +30,18 @@ k = SSHKey.generate(
 
 ### Use your existing key
 
-Return an SSHKey object from an existing RSA or DSA private key (provided as a string).
+Return an SSHKey object from an existing RSA or DSA or ECDSA private key (provided as a string).
 
 ```ruby
-k = SSHKey.new(File.read("~/.ssh/id_rsa"), comment: "foo@bar.com")
+f = File.read(File.expand_path("~/.ssh/id_rsa"))
+k = SSHKey.new(f, comment: "foo@bar.com")
 ```
 
 ### The SSHKey object
 
 #### Private and public keys
 
-Fetch the private and public keys as strings. Note that the `public_key` is the RSA or DSA public key, not an SSH public key.
+Fetch the private and public keys as strings. Note that the `public_key` is the RSA or DSA or ECDSA public key, not an SSH public key.
 
 ```ruby
 k.private_key
@@ -90,6 +89,7 @@ k.ssh_public_key
 k.ssh2_public_key
 # => "---- BEGIN SSH2 PUBLIC KEY ----\nComment: me@me.com\nAAAAB3NzaC1yc2EAAAADAQABAAABAQC9HuXvYJPtQE/o/7TYi63yAopsrJ6TP+lDGdyQ+n\nVVp+5ojAIy9h8/h99UlNxjkiFT2YhI3Fl/pgNDRO4PVo6tlgb3CwiAZjSdeE5RnF79Dkj5\nXsM4j+FLMoXtbRw0K9ok9RKjz6ygIs1JDmaOdXexFnq4nAYU3fSLUa6WoccqTHe8bFuJoA\nv1gbnx09Js8YcVMD96mpTJ3V/MK5YfIv10dbtrDhGug3IS1V2J+0BB9orbQja554N+4S0I\n9rFBgVCpvPmQqddDHd/AdGkLv/zjEfGytjnvp68bEfDinkQkPfuxw01yd5MbcvLv39VVIC\nWtKbqW263HT5LvSxwKorR7\n---- END SSH2 PUBLIC KEY ----"
 ```
+
 #### Bit length
 
 Determine the strength of the key in bits as an integer.
@@ -159,7 +159,7 @@ puts k.randomart
 
 #### Original OpenSSL key object
 
-Return the original [OpenSSL::PKey::RSA](http://www.ruby-doc.org/stdlib/libdoc/openssl/rdoc/classes/OpenSSL/PKey/RSA.html) or [OpenSSL::PKey::DSA](http://www.ruby-doc.org/stdlib/libdoc/openssl/rdoc/classes/OpenSSL/PKey/DSA.html) object.
+Return the original [OpenSSL::PKey::RSA](https://ruby-doc.org/3.2.2/exts/openssl/OpenSSL/PKey/RSA.html) or [OpenSSL::PKey::DSA](https://ruby-doc.org/3.2.2/exts/openssl/OpenSSL/PKey/DSA.html) or [OpenSSL::PKey::EC](https://ruby-doc.org/3.2.2/exts/openssl/OpenSSL/PKey/EC.html)object.
 
 ```ruby
 k.key_object
@@ -179,7 +179,7 @@ SSHKey.valid_ssh_public_key? "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9HuXvYJPtQE
 
 #### Bit length
 
-Determine the strength of the key in bits as an integer.  Returns `SSHKey::PublicKeyError` if bits cannot be determined.
+Determine the strength of the key in bits as an integer. Returns `SSHKey::PublicKeyError` if bits cannot be determined.
 
 ```ruby
 SSHKey.ssh_public_key_bits "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9HuXvYJPtQE/o/7TYi63yAopsrJ6TP+lDGdyQ+nVVp+5ojAIy9h8/h99UlNxjkiFT2YhI3Fl/pgNDRO4PVo6tlgb3CwiAZjSdeE5RnF79Dkj5XsM4j+FLMoXtbRw0K9ok9RKjz6ygIs1JDmaOdXexFnq4nAYU3fSLUa6WoccqTHe8bFuJoAv1gbnx09Js8YcVMD96mpTJ3V/MK5YfIv10dbtrDhGug3IS1V2J+0BB9orbQja554N+4S0I9rFBgVCpvPmQqddDHd/AdGkLv/zjEfGytjnvp68bEfDinkQkPfuxw01yd5MbcvLv39VVICWtKbqW263HT5LvSxwKorR7"
@@ -202,7 +202,7 @@ SSHKey.sha256_fingerprint "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9HuXvYJPtQE/o/
 
 #### Convert to SSH2 Public Key
 
-Convert an existing SSH Public Key into an SSH2 Public key.  Returns `SSHKey::PublicKeyError` if a valid key cannot be generated.
+Convert an existing SSH Public Key into an SSH2 Public key. Returns `SSHKey::PublicKeyError` if a valid key cannot be generated.
 
 ```ruby
 SSHKey.ssh_public_key_to_ssh2_public_key "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9HuXvYJPtQE/o/7TYi63yAopsrJ6TP+lDGdyQ+nVVp+5ojAIy9h8/h99UlNxjkiFT2YhI3Fl/pgNDRO4PVo6tlgb3CwiAZjSdeE5RnF79Dkj5XsM4j+FLMoXtbRw0K9ok9RKjz6ygIs1JDmaOdXexFnq4nAYU3fSLUa6WoccqTHe8bFuJoAv1gbnx09Js8YcVMD96mpTJ3V/MK5YfIv10dbtrDhGug3IS1V2J+0BB9orbQja554N+4S0I9rFBgVCpvPmQqddDHd/AdGkLv/zjEfGytjnvp68bEfDinkQkPfuxw01yd5MbcvLv39VVICWtKbqW263HT5LvSxwKorR7 me@me.com"
@@ -211,4 +211,4 @@ SSHKey.ssh_public_key_to_ssh2_public_key "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ
 
 ## Copyright
 
-Copyright (c) 2011-2016 James Miller
+Copyright (c) 2011-2023 James Miller

data/lib/sshkey/version.rb

@@ -1,3 +1,3 @@
 class SSHKey
-  VERSION = "1.9.0"
+  VERSION = "3.0.0"
 end

data/lib/sshkey.rb

@@ -1,10 +1,37 @@
-$:.unshift File.dirname(__FILE__)
-
 require 'openssl'
 require 'base64'
 require 'digest/md5'
 require 'digest/sha1'
-require 'sshkey/exception'
+require 'digest/sha2'
+
+def jruby_not_implemented(msg)
+  raise NotImplementedError.new "jruby-openssl #{JOpenSSL::VERSION}: #{msg}" if RUBY_PLATFORM == "java"
+end
+
+# Monkey patch OpenSSL::PKey::EC to provide convenience methods usable in this gem
+class OpenSSL::PKey::EC
+  def identifier
+    # NOTE: Unable to find these constants within OpenSSL, so hardcode them here.
+    # Analogous to net-ssh OpenSSL::PKey::EC::CurveNameAliasInv
+    # https://github.com/net-ssh/net-ssh/blob/master/lib/net/ssh/transport/openssl.rb#L147-L151
+    case group.curve_name
+    when "prime256v1" then "nistp256"  # https://stackoverflow.com/a/41953717
+    when "secp256r1"  then "nistp256"  # JRuby
+    when "secp384r1"  then "nistp384"
+    when "secp521r1"  then "nistp521"
+    else
+      raise "Unknown curve name: #{public_key.group.curve_name}"
+    end
+  end
+
+  def q
+    # jruby-openssl does not currently support to_octet_string
+    # https://github.com/jruby/jruby-openssl/issues/226
+    jruby_not_implemented("to_octet_string is not implemented")
+
+    public_key.to_octet_string(group.point_conversion_form)
+  end
+end
 
 class SSHKey
   SSH_TYPES = {
@@ -15,7 +42,30 @@ class SSHKey
     "ecdsa-sha2-nistp384" => "ecdsa",
     "ecdsa-sha2-nistp521" => "ecdsa",
   }
-  SSH_CONVERSION = {"rsa" => ["e", "n"], "dsa" => ["p", "q", "g", "pub_key"]}
+
+  SSHFP_TYPES = {
+    "rsa"     => 1,
+    "dsa"     => 2,
+    "ecdsa"   => 3,
+    "ed25519" => 4,
+  }
+
+  ECDSA_CURVES = {
+    256 => "prime256v1",  # https://stackoverflow.com/a/41953717
+    384 => "secp384r1",
+    521 => "secp521r1",
+  }
+
+  VALID_BITS = {
+    "ecdsa" => ECDSA_CURVES.keys,
+  }
+
+  # Accessor methods are defined in:
+  # - RSA:   https://github.com/ruby/openssl/blob/master/ext/openssl/ossl_pkey_rsa.c
+  # - DSA:   https://github.com/ruby/openssl/blob/master/ext/openssl/ossl_pkey_dsa.c
+  # - ECDSA: monkey patch OpenSSL::PKey::EC above
+  SSH_CONVERSION = {"rsa" => ["e", "n"], "dsa" => ["p", "q", "g", "pub_key"], "ecdsa" => ["identifier", "q"]}
+
   SSH2_LINE_LENGTH = 70 # +1 (for line wrap '/' character) must be <= 72
 
   class << self
@@ -35,17 +85,44 @@ class SSHKey
       type   = options[:type] || "rsa"
 
       # JRuby modulus size must range from 512 to 1024
-      default_bits = type == "rsa" ? 2048 : 1024
+      case type
+      when "rsa"   then default_bits = 2048
+      when "ecdsa" then default_bits = 256
+      else
+        default_bits = 1024
+      end
 
       bits   = options[:bits] || default_bits
-      cipher = OpenSSL::Cipher::Cipher.new("AES-128-CBC") if options[:passphrase]
+      cipher = OpenSSL::Cipher.new("AES-128-CBC") if options[:passphrase]
+
+      raise "Bits must either: #{VALID_BITS[type.downcase].join(', ')}" unless VALID_BITS[type.downcase].nil? || VALID_BITS[type.downcase].include?(bits)
 
       case type.downcase
-      when "rsa" then new(OpenSSL::PKey::RSA.generate(bits).to_pem(cipher, options[:passphrase]), options)
-      when "dsa" then new(OpenSSL::PKey::DSA.generate(bits).to_pem(cipher, options[:passphrase]), options)
+      when "rsa"
+        key_object = OpenSSL::PKey::RSA.generate(bits)
+
+      when "dsa"
+        key_object = OpenSSL::PKey::DSA.generate(bits)
+
+      when "ecdsa"
+        # jruby-openssl OpenSSL::PKey::EC support isn't complete
+        # https://github.com/jruby/jruby-openssl/issues/189
+        jruby_not_implemented("OpenSSL::PKey::EC is not fully implemented")
+
+        if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x30000000
+          # https://github.com/ruby/openssl/pull/480
+          key_object = OpenSSL::PKey::EC.generate(ECDSA_CURVES[bits])
+        else
+          key_pkey = OpenSSL::PKey::EC.new(ECDSA_CURVES[bits])
+          key_object = key_pkey.generate_key
+        end
+
       else
         raise "Unknown key type: #{type}"
       end
+
+      key_pem = key_object.to_pem(cipher, options[:passphrase])
+      new(key_pem, options)
     end
 
     # Validate an existing SSH public key
@@ -62,7 +139,7 @@ class SSHKey
         when "ssh-rsa", "ssh-dss"
           sections.size == SSH_CONVERSION[SSH_TYPES[ssh_type]].size
         when "ssh-ed25519"
-          sections.size == 1 && sections[0].num_bytes == 32 # https://tools.ietf.org/id/draft-bjh21-ssh-ed25519-00.html#rfc.section.4
+          sections.size == 1                                # https://tools.ietf.org/id/draft-bjh21-ssh-ed25519-00.html#rfc.section.4
         when "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"
           sections.size == 2                                # https://tools.ietf.org/html/rfc5656#section-3.1
         else
@@ -78,9 +155,27 @@ class SSHKey
     #
     # ==== Parameters
     # * ssh_public_key<~String> - "ssh-rsa AAAAB3NzaC1yc2EA...."
+    # * ssh_public_key<~String> - "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY...."
     #
     def ssh_public_key_bits(ssh_public_key)
-      unpacked_byte_array( *parse_ssh_public_key(ssh_public_key) ).last.num_bytes * 8
+      ssh_type, encoded_key = parse_ssh_public_key(ssh_public_key)
+      sections = unpacked_byte_array(ssh_type, encoded_key)
+
+      case ssh_type
+      when "ssh-rsa", "ssh-dss", "ssh-ed25519"
+        sections.last.num_bytes * 8
+
+      when "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"
+        raise PublicKeyError, "invalid ECDSA key" unless sections.count == 2
+
+        # https://tools.ietf.org/html/rfc5656#section-3.1
+        identifier = sections[0].to_s(2)
+        q = sections[1].to_s(2)
+        ecdsa_bits(ssh_type, identifier, q)
+
+      else
+        raise PublicKeyError, "unsupported key type #{ssh_type}"
+      end
     end
 
     # Fingerprints
@@ -115,6 +210,16 @@ class SSHKey
       end
     end
 
+    # SSHFP records for the given SSH key
+    def sshfp(hostname, key)
+      if key.match(/PRIVATE/)
+        new(key).sshfp hostname
+      else
+        type, encoded_key = parse_ssh_public_key(key)
+        format_sshfp_record(hostname, SSH_TYPES[type], Base64.decode64(encoded_key))
+      end
+    end
+
     # Convert an existing SSH public key to SSH2 (RFC4716) public key
     #
     # ==== Parameters
@@ -124,7 +229,7 @@ class SSHKey
     def ssh_public_key_to_ssh2_public_key(ssh_public_key, headers = nil)
       raise PublicKeyError, "invalid ssh public key" unless SSHKey.valid_ssh_public_key?(ssh_public_key)
 
-      source_format, source_key = parse_ssh_public_key(ssh_public_key)
+      _source_format, source_key = parse_ssh_public_key(ssh_public_key)
 
       # Add a 'Comment' Header Field unless others are explicitly passed in
       if source_comment = ssh_public_key.split(source_key)[1]
@@ -138,6 +243,13 @@ class SSHKey
       ssh2_key << "\n---- END SSH2 PUBLIC KEY ----"
     end
 
+    def format_sshfp_record(hostname, type, key)
+      [[Digest::SHA1, 1], [Digest::SHA256, 2]].map { |f, num|
+        fpr = f.hexdigest(key)
+        "#{hostname} IN SSHFP #{SSHFP_TYPES[type]} #{num} #{fpr}"
+      }.join("\n")
+    end
+
     private
 
     def unpacked_byte_array(ssh_type, encoded_key)
@@ -149,19 +261,71 @@ class SSHKey
         raise PublicKeyError, "validation error"
       end
 
+      byte_count = 0
       data = []
       until decoded.empty?
         front = decoded.slice!(0,4)
         size = front.unpack("N").first
         segment = decoded.slice!(0, size)
+        byte_count += segment.length
         unless front.length == 4 && segment.length == size
           raise PublicKeyError, "byte array too short"
         end
         data << OpenSSL::BN.new(segment, 2)
       end
+
+
+      if ssh_type == "ssh-ed25519"
+        unless byte_count == 32
+          raise PublicKeyError, "validation error, ed25519 key length not OK"
+        end
+      end
+
       return data
     end
 
+    def ecdsa_bits(ssh_type, identifier, q)
+      raise PublicKeyError, "invalid ssh type" unless ssh_type == "ecdsa-sha2-#{identifier}"
+
+      len_q = q.length
+
+      compression_octet = q.slice(0, 1)
+      if compression_octet == "\x04"
+        # Point compression is off
+        # Summary from https://www.secg.org/sec1-v2.pdf "2.3.3  Elliptic-Curve-Point-to-Octet-String Conversion"
+        # - the leftmost octet indicates that point compression is off
+        #   (first octet 0x04 as specified in "3.3. Output M = 04 base 16 ‖ X ‖ Y.")
+        # - the remainder of the octet string contains the x-coordinate followed by the y-coordinate.
+        len_x = (len_q - 1) / 2
+
+      else
+        # Point compression is on
+        # Summary from https://www.secg.org/sec1-v2.pdf "2.3.3  Elliptic-Curve-Point-to-Octet-String Conversion"
+        # - the compressed y-coordinate is recovered from the leftmost octet
+        # - the x-coordinate is recovered from the remainder of the octet string
+        raise PublicKeyError, "invalid compression octet" unless compression_octet == "\x02" || compression_octet == "\x03"
+        len_x = len_q - 1
+      end
+
+      # https://www.secg.org/sec2-v2.pdf "2.1  Properties of Elliptic Curve Domain Parameters over Fp" defines
+      # five discrete bit lengths: 192, 224, 256, 384, 521
+      # These bit lengths can be ascertained from the length of the packed x-coordinate.
+      # Alternatively, these bit lengths can be derived from their associated prime constants using Math.log2(prime).ceil
+      # against the prime constants defined in https://www.secg.org/sec2-v2.pdf
+      case len_x
+      when 24 then bits = 192
+      when 28 then bits = 224
+      when 32 then bits = 256
+      when 48 then bits = 384
+      when 66 then bits = 521
+      else
+        raise PublicKeyError, "invalid x-coordinate length #{len_x}"
+      end
+
+      raise PublicKeyError, "invalid identifier #{identifier}" unless identifier =~ /#{bits}/
+      return bits
+    end
+
     def decoded_key(key)
       Base64.decode64(parse_ssh_public_key(key).last)
     end
@@ -171,6 +335,10 @@ class SSHKey
     end
 
     def parse_ssh_public_key(public_key)
+      # lines starting with a '#' and empty lines are ignored as comments (as in ssh AuthorizedKeysFile)
+      public_key = public_key.gsub(/^#.*$/, '')
+      public_key = public_key.strip # leading and trailing whitespaces wiped out
+
       raise PublicKeyError, "newlines are not permitted between key data" if public_key =~ /\n(?!$)/
 
       parsed = public_key.split(" ")
@@ -195,13 +363,13 @@ class SSHKey
     end
   end
 
-  attr_reader :key_object, :type
+  attr_reader :key_object, :type, :typestr
   attr_accessor :passphrase, :comment
 
   # Create a new SSHKey object
   #
   # ==== Parameters
-  # * private_key - Existing RSA or DSA private key
+  # * private_key - Existing RSA or DSA or ECDSA private key
   # * options<~Hash>
   #   * :comment<~String> - Comment to use for the public key, defaults to ""
   #   * :passphrase<~String> - If the key is encrypted, supply the passphrase
@@ -211,19 +379,41 @@ class SSHKey
     @passphrase = options[:passphrase]
     @comment    = options[:comment] || ""
     self.directives = options[:directives] || []
+
     begin
       @key_object = OpenSSL::PKey::RSA.new(private_key, passphrase)
       @type = "rsa"
-    rescue
+      @typestr = "ssh-rsa"
+    rescue OpenSSL::PKey::RSAError
+      @type = nil
+    end
+
+    return if @type
+
+    begin
       @key_object = OpenSSL::PKey::DSA.new(private_key, passphrase)
       @type = "dsa"
+      @typestr = "ssh-dss"
+    rescue OpenSSL::PKey::DSAError
+      @type = nil
     end
+
+    return if @type
+
+    @key_object = OpenSSL::PKey::EC.new(private_key, passphrase)
+    @type = "ecdsa"
+    bits = ECDSA_CURVES.invert[@key_object.group.curve_name]
+    @typestr = "ecdsa-sha2-nistp#{bits}"
   end
 
-  # Fetch the RSA/DSA private key
+  # Fetch the private key (PEM format)
   #
   # rsa_private_key and dsa_private_key are aliased for backward compatibility
   def private_key
+    # jruby-openssl OpenSSL::PKey::EC support isn't complete
+    # https://github.com/jruby/jruby-openssl/issues/189
+    jruby_not_implemented("OpenSSL::PKey::EC is not fully implemented") if type == "ecdsa"
+
     key_object.to_pem
   end
   alias_method :rsa_private_key, :private_key
@@ -234,21 +424,76 @@ class SSHKey
   # If no passphrase is set, returns the unencrypted private key
   def encrypted_private_key
     return private_key unless passphrase
-    key_object.to_pem(OpenSSL::Cipher::Cipher.new("AES-128-CBC"), passphrase)
+    key_object.to_pem(OpenSSL::Cipher.new("AES-128-CBC"), passphrase)
   end
 
-  # Fetch the RSA/DSA public key
+  # Fetch the public key (PEM format)
   #
   # rsa_public_key and dsa_public_key are aliased for backward compatibility
   def public_key
-    key_object.public_key.to_pem
+    public_key_object.to_pem
   end
   alias_method :rsa_public_key, :public_key
   alias_method :dsa_public_key, :public_key
 
+  def public_key_object
+    if type == "ecdsa"
+      return nil unless key_object
+      return nil unless key_object.group
+
+      if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x30000000 && RUBY_PLATFORM != "java"
+
+        # jruby-openssl does not currently support point_conversion_form
+        # (futureproofing for if/when JRuby requires this technique to determine public key)
+        jruby_not_implemented("point_conversion_form is not implemented")
+
+        # Avoid "OpenSSL::PKey::PKeyError: pkeys are immutable on OpenSSL 3.0"
+        # https://github.com/ruby/openssl/blob/master/History.md#version-300
+        # https://github.com/ruby/openssl/issues/498
+        # https://github.com/net-ssh/net-ssh/commit/4de6831dea4e922bf3052192eec143af015a3486
+        # https://github.com/ClearlyClaire/cose-ruby/commit/28ee497fa7d9d49e72d5a5e97a567c0b58fdd822
+
+        curve_name = key_object.group.curve_name
+        return nil unless curve_name
+
+        # Map to different curve_name for JRuby
+        # (futureproofing for if/when JRuby requires this technique to determine public key)
+        # https://github.com/jwt/ruby-jwt/issues/362#issuecomment-722938409
+        curve_name = "prime256v1" if curve_name == "secp256r1" && RUBY_PLATFORM == "java"
+
+        # Construct public key OpenSSL::PKey::EC from OpenSSL::PKey::EC::Point
+        public_key_point = key_object.public_key  # => OpenSSL::PKey::EC::Point
+        return nil unless public_key_point
+
+        asn1 = OpenSSL::ASN1::Sequence(
+          [
+            OpenSSL::ASN1::Sequence(
+              [
+                OpenSSL::ASN1::ObjectId("id-ecPublicKey"),
+                OpenSSL::ASN1::ObjectId(curve_name)
+              ]
+            ),
+            OpenSSL::ASN1::BitString(public_key_point.to_octet_string(key_object.group.point_conversion_form))
+          ]
+        )
+
+        pub = OpenSSL::PKey::EC.new(asn1.to_der)
+        pub
+
+      else
+        pub = OpenSSL::PKey::EC.new(key_object.group)
+        pub.public_key = key_object.public_key
+        pub
+      end
+
+    else
+      key_object.public_key
+    end
+  end
+
   # SSH public key
   def ssh_public_key
-    [directives.join(",").strip, SSH_TYPES.invert[type], Base64.encode64(ssh_public_key_conversion).gsub("\n", ""), comment].join(" ").strip
+    [directives.join(",").strip, typestr, Base64.encode64(ssh_public_key_conversion).gsub("\n", ""), comment].join(" ").strip
   end
 
   # SSH2 public key (RFC4716)
@@ -291,6 +536,7 @@ class SSHKey
   #
   # Generate OpenSSH compatible ASCII art fingerprints
   # See http://www.opensource.apple.com/source/OpenSSH/OpenSSH-175/openssh/key.c (key_fingerprint_randomart function)
+  # or https://mirrors.mit.edu/pub/OpenBSD/OpenSSH/ (sshkey.c fingerprint_randomart function)
   #
   # Example:
   # +--[ RSA 2048]----+
@@ -304,13 +550,23 @@ class SSHKey
   # |   . .           |
   # |    Eo.          |
   # +-----------------+
-  def randomart
+  def randomart(dgst_alg = "MD5")
     fieldsize_x = 17
     fieldsize_y = 9
     x = fieldsize_x / 2
     y = fieldsize_y / 2
-    raw_digest = Digest::MD5.digest(ssh_public_key_conversion)
-    num_bytes = raw_digest.bytesize
+
+    case dgst_alg
+      when "MD5"    then raw_digest = Digest::MD5.digest(ssh_public_key_conversion)
+      when "SHA256" then raw_digest = Digest::SHA2.new(256).digest(ssh_public_key_conversion)
+      when "SHA384" then raw_digest = Digest::SHA2.new(384).digest(ssh_public_key_conversion)
+      when "SHA512" then raw_digest = Digest::SHA2.new(512).digest(ssh_public_key_conversion)
+    else
+      raise "Unknown digest algorithm: #{digest}"
+    end
+
+    augmentation_string = " .o+=*BOX@%&#/^SE"
+    len = augmentation_string.length - 1
 
     field = Array.new(fieldsize_x) { Array.new(fieldsize_y) {0} }
 
@@ -322,20 +578,27 @@ class SSHKey
         x = [[x, 0].max, fieldsize_x - 1].min
         y = [[y, 0].max, fieldsize_y - 1].min
 
-        field[x][y] += 1 if (field[x][y] < num_bytes - 2)
+        field[x][y] += 1 if (field[x][y] < len - 2)
 
         byte >>= 2
       end
     end
 
-    field[fieldsize_x / 2][fieldsize_y / 2] = num_bytes - 1
-    field[x][y] = num_bytes
-    augmentation_string = " .o+=*BOX@%&#/^SE"
-    output = "+--#{sprintf("[%4s %4u]", type.upcase, bits)}----+\n"
+    fieldsize_x_halved = fieldsize_x / 2
+    fieldsize_y_halved = fieldsize_y / 2
+
+    field[fieldsize_x_halved][fieldsize_y_halved] = len - 1
+    field[x][y] = len
+
+    type_name_length_max = 4  # Note: this will need to be extended to accomodate ed25519
+    bits_number_length_max = (bits < 1000 ? 3 : 4)
+    formatstr = "[%#{type_name_length_max}s %#{bits_number_length_max}u]"
+    output = "+--#{sprintf(formatstr, type.upcase, bits)}----+\n"
+
     fieldsize_y.times do |y|
       output << "|"
       fieldsize_x.times do |x|
-        output << augmentation_string[[field[x][y], num_bytes].min]
+        output << augmentation_string[[field[x][y], len].min]
       end
       output << "|"
       output << "\n"
@@ -344,6 +607,10 @@ class SSHKey
     output
   end
 
+  def sshfp(hostname)
+    self.class.format_sshfp_record(hostname, @type, ssh_public_key_conversion)
+  end
+
   def directives=(directives)
     @directives = Array[directives].flatten.compact
   end
@@ -351,6 +618,26 @@ class SSHKey
 
   private
 
+  def self.ssh_public_key_data_dsarsa(val)
+    # Get byte-representation of absolute value of val
+    data = val.to_s(2)
+
+    first_byte = data[0,1].unpack("c").first
+    if val < 0
+      # For negative values, highest bit must be set
+      data[0] = [0x80 & first_byte].pack("c")
+    elsif first_byte < 0
+      # For positive values where highest bit would be set, prefix with \0
+      data = "\0" + data
+    end
+
+    data
+  end
+
+  def self.ssh_public_key_data_ecdsa(val)
+    val
+  end
+
   # SSH Public Key Conversion
   #
   # All data type encoding is defined in the section #5 of RFC #4251.
@@ -361,27 +648,23 @@ class SSHKey
   # For instance, the "ssh-rsa" string is encoded as the following byte array
   # [0, 0, 0, 7, 's', 's', 'h', '-', 'r', 's', 'a']
   def ssh_public_key_conversion
-    typestr = SSH_TYPES.invert[type]
     methods = SSH_CONVERSION[type]
-    pubkey = key_object.public_key
-    methods.inject([7].pack("N") + typestr) do |pubkeystr, m|
-      # Given pubkey.class == OpenSSL::BN, pubkey.to_s(0) returns an MPI
-      # formatted string (length prefixed bytes). This is not supported by
-      # JRuby, so we still have to deal with length and data separately.
-      val = pubkey.send(m)
-
-      # Get byte-representation of absolute value of val
-      data = val.to_s(2)
-
-      first_byte = data[0,1].unpack("c").first
-      if val < 0
-        # For negative values, highest bit must be set
-        data[0] = [0x80 & first_byte].pack("c")
-      elsif first_byte < 0
-        # For positive values where highest bit would be set, prefix with \0
-        data = "\0" + data
+    methods.inject([typestr.length].pack("N") + typestr) do |pubkeystr, m|
+      # Given public_key_object.class == OpenSSL::BN, public_key_object.to_s(0)
+      # returns an MPI formatted string (length prefixed bytes). This is not
+      # supported by JRuby, so we still have to deal with length and data separately.
+      val = public_key_object.send(m)
+
+      case type
+      when "dsa","rsa" then data = self.class.ssh_public_key_data_dsarsa(val)
+      when "ecdsa"     then data = self.class.ssh_public_key_data_ecdsa(val)
+      else
+        raise "Unknown key type: #{type}"
       end
+
       pubkeystr + [data.length].pack("N") + data
     end
   end
+
+  class PublicKeyError < StandardError; end
 end

data/sshkey.gemspec

@@ -13,7 +13,10 @@ Gem::Specification.new do |s|
   s.description = %q{Generate private/public SSH keypairs using pure Ruby}
   s.licenses    = ["MIT"]
 
-  s.rubyforge_project = "sshkey"
+  # ECDSA requires OpenSSL::PKey::EC::Point#to_octet_string
+  # to_octet string was added in Ruby/OpenSSL 2.1.0 https://github.com/ruby/openssl/blob/master/History.md#version-210
+  # Ruby 2.5 Updated Ruby/OpenSSL from to 2.1.0 https://github.com/ruby/ruby/blob/v2_5_0/NEWS
+  s.required_ruby_version = '>= 2.5'
 
   s.files         = `git ls-files`.split("\n")
   s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")

data/test/sshkey_test.rb

@@ -2,6 +2,13 @@ require 'test/unit'
 require 'sshkey'
 
 class SSHKeyTest < Test::Unit::TestCase
+
+  # https://github.com/jruby/jruby-openssl/issues/189
+  # https://github.com/jruby/jruby-openssl/issues/226
+  def ecdsa_supported?
+    RUBY_PLATFORM != "java"
+  end
+
   SSH_PRIVATE_KEY1 = <<-EOF
 -----BEGIN RSA PRIVATE KEY-----
 MIIEogIBAAKCAQEArfTA/lKVR84IMc9ZzXOCHr8DVtR8hzWuEVHF6KElavRHlk14
@@ -73,34 +80,104 @@ ItmZYXTvJDwLXgq2/iK1fRRcKk2PJEaSuJR7WeNGsJKfWmQ2UbOhqA3wWLDazIZt
 cMKjFzD0hM4E8qgjHjMvKDE6WgT6SFP+tqx3nnh7pJWwsbGjSMQexpyRAhQLhz0l
 GzM8qwTcXd06uIZAJdTHIQ==
 -----END DSA PRIVATE KEY-----
+EOF
+
+  SSH_PRIVATE_KEY4 = <<-EOF
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIByjVCRawGxEd/L/VblGjnJTJeOgk6vGFYnolYWHg+JkoAoGCCqGSM49
+AwEHoUQDQgAEQOAmNzXT3XN5DQdHBYCgflosVlHd6MUB1n9n6CCijvVJCQGJAA0p
+6+3o91ccyA0zHXuUno2eMzBUDghfNZYnHg==
+-----END EC PRIVATE KEY-----
+EOF
+
+  PUBLIC_KEY1 = <<-EOF
+-----BEGIN PUBLIC KEY-----
+MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEArfTA/lKVR84IMc9ZzXOC
+Hr8DVtR8hzWuEVHF6KElavRHlk14g0SZu3m908Ejm/XF3EfNHjX9wN+62IMA0QBx
+kBMFCuLF+U/oeUs0NoDdAEKxjj4n6lq6Ss8aLct+anMy7D1jwvOLbcwV54w1d5JD
+dlZVdZ6AvHm9otwJq6rNpDgdmXY4HgC2nM9csFpuy0cDpL6fdJx9lcNL2RnkRC4+
+RMsIB+PxDw0j3vDi04dYLBXMGYjyeGH+mIFpL3PTPXGXwL2XDYXZ2H4SQX6bOoKm
+azTXq6QXuEB665njh1GxXldoIMcSshoJL0hrk3WrTOG22N2CQA+IfHgrXJ+A+QUz
+KQIBIw==
+-----END PUBLIC KEY-----
+EOF
+
+  PUBLIC_KEY2 = <<-EOF
+-----BEGIN PUBLIC KEY-----
+MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAxl6TpN7uFiY/JZ8qDnD7
+UrxDP+ABeh2PVg8Du1LEgXNk0+YWCeP5S6oHklqaWeDlbmAs1oHsBwCMAVpMa5tg
+ONOLvz4JgwgkiqQEbKR8ofWJ+LADUElvqRVGmGiNEMLI6GJWeneL4sjmbb8d6U+M
+53c6iWG0si9XE5m7teBQSsCl0Tk3qMIkQGw5zpJeCXjZ8KpJhIJRYgexFkGgPlYR
+V+UYIhxpUW90t0Ra5i6JOFYwq98k5S/6SJIZQ/A9F4JNzwLw3eVxZj0yVHWxkGz1
++TyELNY1kOyMxnZaqSfGzSQJTrnIXpdweVHuYh1LtOgedRQhCyiELeSMGwio1vRP
+KwIBIw==
+-----END PUBLIC KEY-----
+EOF
+
+  PUBLIC_KEY3 = <<-EOF
+-----BEGIN PUBLIC KEY-----
+MIIBuDCCASwGByqGSM44BAEwggEfAoGBALyVy5dwVwgL3CxXzsvo8DBh58qArQLB
+NIPW/f9pptmy7jD5QXzOw+12w0/z4lZ86ncoVutRMf44OABcX9ovhRl+luxB7jjp
+kVXy/p2ZaqPbeyTQUtdTmXa2y4n053Jd61VeMG+iLP7+viT+Ib96y9aVUYQfCrl5
+heBDUZ9cAFjdAhUAxV5zuySaRSsJHqKK+Blhh7c9A9kCgYEAqel0RUBO0MY5b3DZ
+69J/mRzUifN1O6twk4er2ph0JpryuUwZohLpcVZwqoGWmPQy/ZHmV1b3RtT9GWUa
++HUqKdMhFVOx/iq1khVfLi83whjMMvXj3ecqd0yzGxGHnSsjVKefa2ywCLHrh4nl
+UVIaXI5gQpgMyVbMcromDe1WZzoDgYUAAoGBAIwTRPAEcroqOzaebiVspFcmsXxD
+Q4wXQZQdho1ExW6FKS8s7/6pItmZYXTvJDwLXgq2/iK1fRRcKk2PJEaSuJR7WeNG
+sJKfWmQ2UbOhqA3wWLDazIZtcMKjFzD0hM4E8qgjHjMvKDE6WgT6SFP+tqx3nnh7
+pJWwsbGjSMQexpyR
+-----END PUBLIC KEY-----
+EOF
+
+  PUBLIC_KEY4 = <<-EOF
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQOAmNzXT3XN5DQdHBYCgflosVlHd
+6MUB1n9n6CCijvVJCQGJAA0p6+3o91ccyA0zHXuUno2eMzBUDghfNZYnHg==
+-----END PUBLIC KEY-----
 EOF
 
   SSH_PUBLIC_KEY1 = 'AAAAB3NzaC1yc2EAAAABIwAAAQEArfTA/lKVR84IMc9ZzXOCHr8DVtR8hzWuEVHF6KElavRHlk14g0SZu3m908Ejm/XF3EfNHjX9wN+62IMA0QBxkBMFCuLF+U/oeUs0NoDdAEKxjj4n6lq6Ss8aLct+anMy7D1jwvOLbcwV54w1d5JDdlZVdZ6AvHm9otwJq6rNpDgdmXY4HgC2nM9csFpuy0cDpL6fdJx9lcNL2RnkRC4+RMsIB+PxDw0j3vDi04dYLBXMGYjyeGH+mIFpL3PTPXGXwL2XDYXZ2H4SQX6bOoKmazTXq6QXuEB665njh1GxXldoIMcSshoJL0hrk3WrTOG22N2CQA+IfHgrXJ+A+QUzKQ=='
   SSH_PUBLIC_KEY2 = 'AAAAB3NzaC1yc2EAAAABIwAAAQEAxl6TpN7uFiY/JZ8qDnD7UrxDP+ABeh2PVg8Du1LEgXNk0+YWCeP5S6oHklqaWeDlbmAs1oHsBwCMAVpMa5tgONOLvz4JgwgkiqQEbKR8ofWJ+LADUElvqRVGmGiNEMLI6GJWeneL4sjmbb8d6U+M53c6iWG0si9XE5m7teBQSsCl0Tk3qMIkQGw5zpJeCXjZ8KpJhIJRYgexFkGgPlYRV+UYIhxpUW90t0Ra5i6JOFYwq98k5S/6SJIZQ/A9F4JNzwLw3eVxZj0yVHWxkGz1+TyELNY1kOyMxnZaqSfGzSQJTrnIXpdweVHuYh1LtOgedRQhCyiELeSMGwio1vRPKw=='
   SSH_PUBLIC_KEY3 = 'AAAAB3NzaC1kc3MAAACBALyVy5dwVwgL3CxXzsvo8DBh58qArQLBNIPW/f9pptmy7jD5QXzOw+12w0/z4lZ86ncoVutRMf44OABcX9ovhRl+luxB7jjpkVXy/p2ZaqPbeyTQUtdTmXa2y4n053Jd61VeMG+iLP7+viT+Ib96y9aVUYQfCrl5heBDUZ9cAFjdAAAAFQDFXnO7JJpFKwkeoor4GWGHtz0D2QAAAIEAqel0RUBO0MY5b3DZ69J/mRzUifN1O6twk4er2ph0JpryuUwZohLpcVZwqoGWmPQy/ZHmV1b3RtT9GWUa+HUqKdMhFVOx/iq1khVfLi83whjMMvXj3ecqd0yzGxGHnSsjVKefa2ywCLHrh4nlUVIaXI5gQpgMyVbMcromDe1WZzoAAACBAIwTRPAEcroqOzaebiVspFcmsXxDQ4wXQZQdho1ExW6FKS8s7/6pItmZYXTvJDwLXgq2/iK1fRRcKk2PJEaSuJR7WeNGsJKfWmQ2UbOhqA3wWLDazIZtcMKjFzD0hM4E8qgjHjMvKDE6WgT6SFP+tqx3nnh7pJWwsbGjSMQexpyR'
+  SSH_PUBLIC_KEY4 = 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEDgJjc1091zeQ0HRwWAoH5aLFZR3ejFAdZ/Z+ggoo71SQkBiQANKevt6PdXHMgNMx17lJ6NnjMwVA4IXzWWJx4='
+
+  SSH_PUBLIC_KEY_ED25519        = 'AAAAC3NzaC1lZDI1NTE5AAAAIBrNsRCISAtKXV5OVxqV6unVcdis5Uh3oiC6B7CMB7HQ'
+  SSH_PUBLIC_KEY_ED25519_0_BYTE = 'AAAAC3NzaC1lZDI1NTE5AAAAIADK9x9t3yQQH7h4OEJpUa7l2j7mcmKf4LAsNXHxNbSm'
 
-  SSH_PUBLIC_KEY_ED25519   = 'AAAAC3NzaC1lZDI1NTE5AAAAIBrNsRCISAtKXV5OVxqV6unVcdis5Uh3oiC6B7CMB7HQ'
   SSH_PUBLIC_KEY_ECDSA_256 = 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHJFDZ5qymZfIzoJcxYeu3C9HjJ08QAbqR28C2zSMLwcb3ZzWdRApnj6wEgRvizsBmr9zyPKb2u5Rp0vjJtQcZo='
   SSH_PUBLIC_KEY_ECDSA_384 = 'AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBP+GtUCOR8aW7xTtpkbJS0qqNZ98PgbUNtTFhE+Oe+khgoFMX+o0JG5bckVuvtkRl8dr+63kUK0QPTtzP9O5yixB9CYnB8CgCgYo1FCXZuJIImf12wW5nWKglrCH4kV1Qg=='
   SSH_PUBLIC_KEY_ECDSA_521 = 'AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBACsunidnIZ77AjCHSDp/xknLGDW3M0Ia7nxLdImmp0XGbxtbwYm2ga5XUzV9dMO9wF9ICC3OuH6g9DtGOBNPru1PwFDjaPISGgm0vniEzWazLsvjJVLThOA3VyYLxmtjm0WfS+/DfxgWVS6oeCTnDjjoVVpwU/fDbUbYPPRZI84/hOGNA=='
 
+  SSH_PUBLIC_KEY_ECDSA_256_COMPRESSED = 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAAAhA+YNpJJrrUsu5OLLvqGX5pAH3+x6/yEFU2AYdxb54Jk8'
+  SSH_PUBLIC_KEY_ECDSA_384_COMPRESSED = 'AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAAAxAgMhp0cNvtzncxXF0W5nrkBCTrxJIcYqUTX4RcKWIM74FfxizmWJqP/C+looEz6dLQ=='
+  SSH_PUBLIC_KEY_ECDSA_521_COMPRESSED = 'AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAABDAgDoeNR4bndT24BosNaTKCLOALjL6tXrpNHn0HJzHO5z30L4SvH0Gz9jvAiqehNHOgmK3/bFbwLVW1W4TJbNsp8BVA=='
+
   KEY1_MD5_FINGERPRINT = "2a:89:84:c9:29:05:d1:f8:49:79:1c:ba:73:99:eb:af"
   KEY2_MD5_FINGERPRINT = "3c:af:74:87:cc:cc:a1:12:05:1a:09:b7:7b:ce:ed:ce"
   KEY3_MD5_FINGERPRINT = "14:f6:6a:12:96:be:44:32:e6:3c:77:43:94:52:f5:7a"
+  KEY4_MD5_FINGERPRINT = "38:0b:0f:63:36:64:b6:f0:43:94:de:32:75:eb:57:68"
   ED25519_MD5_FINGERPRINT = "6f:1a:8a:c1:4f:13:5c:36:6e:3f:be:eb:49:3b:8e:3e"
   ECDSA_256_MD5_FINGERPRINT = "d9:3a:7f:de:b2:65:04:ac:62:05:1a:1e:97:e9:2b:9d"
+  ECDSA_384_MD5_FINGERPRINT = "b5:bb:3e:f6:eb:3b:0f:1e:18:37:1f:36:ac:7c:87:0d"
+  ECDSA_521_MD5_FINGERPRINT = "98:8e:a9:4c:b9:aa:58:35:d1:42:65:c3:41:dd:04:e1"
 
   KEY1_SHA1_FINGERPRINT = "e4:f9:79:f2:fe:d6:be:2d:ef:2e:c2:fa:aa:f8:b0:17:34:fe:0d:c0"
   KEY2_SHA1_FINGERPRINT = "9a:52:78:2b:6b:cb:39:b7:85:ed:90:8a:28:62:aa:b3:98:88:e6:07"
   KEY3_SHA1_FINGERPRINT = "15:68:c6:72:ac:18:d1:fc:ab:a2:b7:b5:8c:d1:fe:8f:b9:ae:a9:47"
+  KEY4_SHA1_FINGERPRINT = "aa:b5:e6:62:27:87:b8:05:f6:d6:8f:31:dc:83:81:d9:8f:f8:71:29"
   ED25519_SHA1_FINGERPRINT = "57:41:7c:d0:e2:53:28:87:7e:87:53:d4:69:ef:ef:63:ec:c0:0e:5e"
   ECDSA_256_SHA1_FINGERPRINT = "94:e8:92:2b:1b:ec:49:de:ff:85:ea:6e:10:d6:8d:87:7a:67:40:ee"
+  ECDSA_384_SHA1_FINGERPRINT = "cc:fb:4c:d6:e9:d0:03:ae:2d:82:e1:fc:70:d8:47:98:25:e1:83:2b"
+  ECDSA_521_SHA1_FINGERPRINT = "6b:2c:a2:6e:3a:82:6c:73:28:57:91:20:71:82:bc:8f:f8:9d:6c:41"
 
   KEY1_SHA256_FINGERPRINT = "js3llFehloxCfsVuDw5xu3NtS9AOAxcXY8WL6vkDIts="
   KEY2_SHA256_FINGERPRINT = "23f/6U/LdxIFx1CQFKHylw76n+LIHYoY4nRxKcFoos4="
   KEY3_SHA256_FINGERPRINT = "mPqEPQlOPGORrTJrU17sPax1jOqeutZja6MOsFIca+8="
+  KEY4_SHA256_FINGERPRINT = "foUpf1ox3KfG3eKgJxGoSdZFRxHPsBYJgfD+CMYky6Y="
   ED25519_SHA256_FINGERPRINT = "gyzHUKl1eO8Bk1Cvn4joRgxRlXo1+1HJ3Vho/hAtKEg="
   ECDSA_256_SHA256_FINGERPRINT = "ncy2crhoL44R58GCZPQ5chPRrjlQKKgu07FDNelDmdk="
+  ECDSA_384_SHA256_FINGERPRINT = "mrr4QcP6qD05DUS6Rwefb9f0uuvjyMcO28LSiq2283U="
+  ECDSA_521_SHA256_FINGERPRINT = "QnaiGMIVDZyTG47hMWK6Y1z/yUzHIcTBGpNNuUwlhAk="
 
   KEY1_RANDOMART = <<-EOF.rstrip
 +--[ RSA 2048]----+
@@ -142,6 +219,81 @@ EOF
 |                 |
 |                 |
 +-----------------+
+EOF
+
+  # ssh-keygen -lv -E md5 -f ./id_ecdsa_ssh_public_key4.pub
+  KEY4_RANDOMART = <<-EOF.rstrip
++--[ECDSA 256]----+
+|    ..           |
+|   .. . .        |
+|  ..=o . . .     |
+|   B+.... E .    |
+|    @oo.S. .     |
+|   o B o. .      |
+|      o  .       |
+|                 |
+|                 |
++-----------------+
+EOF
+
+  # ssh-keygen -lv -E sha256 -f ./id_ecdsa_ssh_public_key4.pub
+  KEY4_RANDOMART_USING_SHA256_DIGEST = <<-EOF.rstrip
++--[ECDSA 256]----+
+|      .. o++B+   |
+|       .. ...*   |
+|    . ...o  o o  |
+|   . =o.o .= .   |
+|    +o+oS o.= . .|
+|   o .oo =.. + +.|
+|  E     o +.+ = o|
+|         ..=.+ . |
+|          oo  .  |
++-----------------+
+EOF
+
+  # ssh-keygen -lv -E sha384 -f ./id_ecdsa_ssh_public_key4.pub
+  KEY4_RANDOMART_USING_SHA384_DIGEST = <<-EOF.rstrip
++--[ECDSA 256]----+
+|           o++.  |
+| .        *oo. . |
+|o       .o+B.o.. |
+|+o      ooB+O *..|
+|.=+    .SB== ^.+.|
+|+  o    +o .O Xo.|
+| .  ...   .. + .o|
+|  . E. o +  + +..|
+|   .... . o..Bo..|
++-----------------+
+EOF
+
+  # ssh-keygen -lv -E sha512 -f ./id_ecdsa_ssh_public_key4.pub
+  KEY4_RANDOMART_USING_SHA512_DIGEST = <<-EOF.rstrip
++--[ECDSA 256]----+
+|       +*+o    oo|
+|      . .o o  . +|
+|     . o.   oo oo|
+|.. .+ .    .*.o+ |
+|..Bo.*  S  ..=o..|
+| .+X+ Oo    ...+ |
+| +o.B*+=o    .+ +|
+|+=+O.+=+.+. +.o+.|
+|@**EB*O++=o+ =o.+|
++-----------------+
+EOF
+
+  KEY1_SSHFP = <<-EOF.rstrip
+localhost IN SSHFP 1 1 e4f979f2fed6be2def2ec2faaaf8b01734fe0dc0
+localhost IN SSHFP 1 2 8ecde59457a1968c427ec56e0f0e71bb736d4bd00e03171763c58beaf90322db
+EOF
+
+  KEY2_SSHFP = <<-EOF.rstrip
+localhost IN SSHFP 1 1 9a52782b6bcb39b785ed908a2862aab39888e607
+localhost IN SSHFP 1 2 db77ffe94fcb771205c7509014a1f2970efa9fe2c81d8a18e2747129c168a2ce
+EOF
+
+  KEY3_SSHFP = <<-EOF.rstrip
+localhost IN SSHFP 2 1 1568c672ac18d1fcaba2b7b58cd1fe8fb9aea947
+localhost IN SSHFP 2 2 98fa843d094e3c6391ad326b535eec3dac758cea9ebad6636ba30eb0521c6bef
 EOF
 
   SSH2_PUBLIC_KEY1 = <<-EOF.rstrip
@@ -188,6 +340,7 @@ EOF
     @key1 = SSHKey.new(SSH_PRIVATE_KEY1, :comment => "me@example.com")
     @key2 = SSHKey.new(SSH_PRIVATE_KEY2, :comment => "me@example.com")
     @key3 = SSHKey.new(SSH_PRIVATE_KEY3, :comment => "me@example.com")
+    @key4 = SSHKey.new(SSH_PRIVATE_KEY4, :comment => "me@example.com")
     @key_without_comment = SSHKey.new(SSH_PRIVATE_KEY1)
   end
 
@@ -200,7 +353,14 @@ EOF
   end
 
   def test_generator_with_type
+    assert_equal "rsa", SSHKey.generate(:type => "rsa").type
     assert_equal "dsa", SSHKey.generate(:type => "dsa").type
+
+    if ecdsa_supported?
+      assert_equal "ecdsa", SSHKey.generate(:type => "ecdsa").type
+    else
+      assert_raises(NotImplementedError) { SSHKey.generate(:type => "ecdsa").type }
+    end
   end
 
   def test_generator_with_passphrase
@@ -222,6 +382,30 @@ EOF
     assert_equal SSH_PRIVATE_KEY3, @key3.dsa_private_key
   end
 
+  def test_private_key4
+    if ecdsa_supported?
+      assert_equal SSH_PRIVATE_KEY4, @key4.private_key
+    else
+      assert_raises(NotImplementedError) { @key4.private_key }
+    end
+  end
+
+  def test_public_key_1
+    assert_equal PUBLIC_KEY1, @key1.public_key
+  end
+
+  def test_public_key_2
+    assert_equal PUBLIC_KEY2, @key2.public_key
+  end
+
+  def test_public_key_3
+    assert_equal PUBLIC_KEY3, @key3.public_key
+  end
+
+  def test_public_key_4
+    assert_equal PUBLIC_KEY4, @key4.public_key
+  end
+
   def test_ssh_public_key_decoded1
     assert_equal Base64.decode64(SSH_PUBLIC_KEY1), @key1.send(:ssh_public_key_conversion)
   end
@@ -234,6 +418,14 @@ EOF
     assert_equal Base64.decode64(SSH_PUBLIC_KEY3), @key3.send(:ssh_public_key_conversion)
   end
 
+  def test_ssh_public_key_decoded4
+    if ecdsa_supported?
+      assert_equal Base64.decode64(SSH_PUBLIC_KEY4), @key4.send(:ssh_public_key_conversion)
+    else
+      assert_raises(NotImplementedError) { @key4.send(:ssh_public_key_conversion) }
+    end
+  end
+
   def test_ssh_public_key_encoded1
     assert_equal SSH_PUBLIC_KEY1, Base64.encode64(@key1.send(:ssh_public_key_conversion)).gsub("\n", "")
   end
@@ -246,24 +438,37 @@ EOF
     assert_equal SSH_PUBLIC_KEY3, Base64.encode64(@key3.send(:ssh_public_key_conversion)).gsub("\n", "")
   end
 
+  def test_ssh_public_key_encoded4
+    if ecdsa_supported?
+      assert_equal SSH_PUBLIC_KEY4, Base64.encode64(@key4.send(:ssh_public_key_conversion)).gsub("\n", "")
+    else
+      assert_raises(NotImplementedError) { Base64.encode64(@key4.send(:ssh_public_key_conversion)) }
+    end
+  end
+
   def test_ssh_public_key_output
     expected1 = "ssh-rsa #{SSH_PUBLIC_KEY1} me@example.com"
     expected2 = "ssh-rsa #{SSH_PUBLIC_KEY2} me@example.com"
     expected3 = "ssh-dss #{SSH_PUBLIC_KEY3} me@example.com"
-    expected4 = "ssh-rsa #{SSH_PUBLIC_KEY1}"
+    expected4 = "ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY4} me@example.com"
+    expected1b = "ssh-rsa #{SSH_PUBLIC_KEY1}"
     assert_equal expected1, @key1.ssh_public_key
     assert_equal expected2, @key2.ssh_public_key
     assert_equal expected3, @key3.ssh_public_key
-    assert_equal expected4, @key_without_comment.ssh_public_key
+
+    if ecdsa_supported?
+      assert_equal expected4, @key4.ssh_public_key
+    else
+      assert_raises(NotImplementedError) { @key4.ssh_public_key }
+    end
+
+    assert_equal expected1b, @key_without_comment.ssh_public_key
   end
 
   def test_ssh2_public_key_output
     expected1 = SSH2_PUBLIC_KEY1
     expected2 = SSH2_PUBLIC_KEY2
     expected3 = SSH2_PUBLIC_KEY3
-    public_key1 = "ssh-rsa #{SSH_PUBLIC_KEY1} me@example.com"
-    public_key2 = "ssh-rsa #{SSH_PUBLIC_KEY2}"
-    public_key3 = "ssh-rsa #{SSH_PUBLIC_KEY3} 1024-bit DSA with provided comment"
 
     assert_equal expected1, @key1.ssh2_public_key
     assert_equal expected2, @key2.ssh2_public_key({})
@@ -271,6 +476,24 @@ EOF
       'x-private-use-header' => 'some value that is long enough to go to wrap around to a new line.'})
   end
 
+  def test_ssh_public_key_output_from_generated
+    generated_rsa   = SSHKey.generate(:type => "rsa",   :comment => "rsa key")
+    generated_dsa   = SSHKey.generate(:type => "dsa",   :comment => "dsa key")
+    generated_ecdsa = SSHKey.generate(:type => "ecdsa", :comment => "ecdsa key") if ecdsa_supported?
+
+    encoded_rsa   = Base64.encode64(generated_rsa.send(:ssh_public_key_conversion)).gsub("\n", "")
+    encoded_dsa   = Base64.encode64(generated_dsa.send(:ssh_public_key_conversion)).gsub("\n", "")
+    encoded_ecdsa = Base64.encode64(generated_ecdsa.send(:ssh_public_key_conversion)).gsub("\n", "") if ecdsa_supported?
+
+    expected_rsa   = "ssh-rsa #{encoded_rsa} rsa key"
+    expected_dsa   = "ssh-dss #{encoded_dsa} dsa key"
+    expected_ecdsa = "ecdsa-sha2-nistp256 #{encoded_ecdsa} ecdsa key"
+
+    assert_equal expected_rsa,   generated_rsa.ssh_public_key
+    assert_equal expected_dsa,   generated_dsa.ssh_public_key
+    assert_equal expected_ecdsa, generated_ecdsa.ssh_public_key if ecdsa_supported?
+  end
+
   def test_public_key_directives
     assert_equal [], SSHKey.generate.directives
 
@@ -324,6 +547,7 @@ EOF
 
   def test_ssh_public_key_validation_elliptic
     assert SSHKey.valid_ssh_public_key?("ssh-ed25519 #{SSH_PUBLIC_KEY_ED25519} me@example.com")
+    assert SSHKey.valid_ssh_public_key?("ssh-ed25519 #{SSH_PUBLIC_KEY_ED25519_0_BYTE} me@example.com")
     assert SSHKey.valid_ssh_public_key?("ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY_ECDSA_256}")
     assert SSHKey.valid_ssh_public_key?("ecdsa-sha2-nistp384 #{SSH_PUBLIC_KEY_ECDSA_384} me@example.com")
     assert SSHKey.valid_ssh_public_key?(%Q{from="trusted.eng.cam.ac.uk",no-port-forwarding,no-pty ecdsa-sha2-nistp521 #{SSH_PUBLIC_KEY_ECDSA_521} me@example.com})
@@ -352,6 +576,28 @@ EOF
     assert !SSHKey.valid_ssh_public_key?(invalid4)
   end
 
+  def test_ssh_public_key_validation_with_comments
+    expected1 = "# Comment\nssh-rsa #{SSH_PUBLIC_KEY1}"
+    expected2 = "# First comment\n\n# Second comment\n\nssh-ed25519 #{SSH_PUBLIC_KEY_ED25519} me@example.com"
+    invalid1  = "No starting hash # Valid comment\nssh-rsa #{SSH_PUBLIC_KEY1} me@example.com"
+    invalid2  = "# First comment\n\nSecond comment without hash\n\necdsa-sha2-nistp256 #{SSH_PUBLIC_KEY_ECDSA_256}\nme@example.com"
+
+    assert SSHKey.valid_ssh_public_key?(expected1)
+    assert SSHKey.valid_ssh_public_key?(expected2)
+
+    assert !SSHKey.valid_ssh_public_key?(invalid1)
+    assert !SSHKey.valid_ssh_public_key?(invalid2)
+  end
+
+  def test_ssh_public_key_sshfp
+    assert_equal KEY1_SSHFP, SSHKey.sshfp("localhost", "ssh-rsa #{SSH_PUBLIC_KEY1}\n")
+    assert_equal KEY2_SSHFP, SSHKey.sshfp("localhost", "ssh-rsa #{SSH_PUBLIC_KEY2}\n")
+    assert_equal KEY3_SSHFP, SSHKey.sshfp("localhost", "ssh-dss #{SSH_PUBLIC_KEY3}\n")
+    assert_equal KEY1_SSHFP, SSHKey.sshfp("localhost", SSH_PRIVATE_KEY1)
+    assert_equal KEY2_SSHFP, SSHKey.sshfp("localhost", SSH_PRIVATE_KEY2)
+    assert_equal KEY3_SSHFP, SSHKey.sshfp("localhost", SSH_PRIVATE_KEY3)
+  end
+
   def test_ssh_public_key_bits
     expected1 = "ssh-rsa #{SSH_PUBLIC_KEY1} me@example.com"
     expected2 = "ssh-rsa #{SSH_PUBLIC_KEY2} me@example.com"
@@ -359,6 +605,12 @@ EOF
     expected4 = "ssh-rsa #{SSH_PUBLIC_KEY1}"
     expected5 = %Q{from="trusted.eng.cam.ac.uk",no-port-forwarding,no-pty ssh-rsa #{SSH_PUBLIC_KEY1}}
     invalid1  = "#{SSH_PUBLIC_KEY1} me@example.com"
+    ecdsa256 = "ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY_ECDSA_256}"
+    ecdsa384 = "ecdsa-sha2-nistp384 #{SSH_PUBLIC_KEY_ECDSA_384}"
+    ecdsa521 = "ecdsa-sha2-nistp521 #{SSH_PUBLIC_KEY_ECDSA_521}"
+    ecdsa256_compressed = "ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY_ECDSA_256_COMPRESSED}"
+    ecdsa384_compressed = "ecdsa-sha2-nistp384 #{SSH_PUBLIC_KEY_ECDSA_384_COMPRESSED}"
+    ecdsa521_compressed = "ecdsa-sha2-nistp521 #{SSH_PUBLIC_KEY_ECDSA_521_COMPRESSED}"
 
     assert_equal 2048, SSHKey.ssh_public_key_bits(expected1)
     assert_equal 2048, SSHKey.ssh_public_key_bits(expected2)
@@ -366,6 +618,12 @@ EOF
     assert_equal 2048, SSHKey.ssh_public_key_bits(expected4)
     assert_equal 2048, SSHKey.ssh_public_key_bits(expected5)
     assert_equal 512,  SSHKey.ssh_public_key_bits(SSHKey.generate(:bits => 512).ssh_public_key)
+    assert_equal 256, SSHKey.ssh_public_key_bits(ecdsa256)
+    assert_equal 384, SSHKey.ssh_public_key_bits(ecdsa384)
+    assert_equal 521, SSHKey.ssh_public_key_bits(ecdsa521)
+    assert_equal 256, SSHKey.ssh_public_key_bits(ecdsa256_compressed)
+    assert_equal 384, SSHKey.ssh_public_key_bits(ecdsa384_compressed)
+    assert_equal 521, SSHKey.ssh_public_key_bits(ecdsa521_compressed)
 
     exception1 = assert_raises(SSHKey::PublicKeyError) { SSHKey.ssh_public_key_bits( expected1.gsub('A','.') ) }
     exception2 = assert_raises(SSHKey::PublicKeyError) { SSHKey.ssh_public_key_bits( expected1[0..-20] ) }
@@ -385,7 +643,7 @@ EOF
     assert_equal(SSH2_PUBLIC_KEY2, SSHKey.ssh_public_key_to_ssh2_public_key(public_key2))
     assert_equal(SSH2_PUBLIC_KEY2, SSHKey.ssh_public_key_to_ssh2_public_key(public_key2, {}))
     assert_equal(SSH2_PUBLIC_KEY3, SSHKey.ssh_public_key_to_ssh2_public_key(public_key3, {'Comment' => '1024-bit DSA with provided comment', 'x-private-use-header' => 'some value that is long enough to go to wrap around to a new line.'}))
-end
+  end
 
   def test_exponent
     assert_equal 35, @key1.key_object.e.to_i
@@ -403,22 +661,43 @@ end
     assert_equal KEY2_MD5_FINGERPRINT, @key2.md5_fingerprint
     assert_equal KEY3_MD5_FINGERPRINT, @key3.md5_fingerprint
 
+    if ecdsa_supported?
+      assert_equal KEY4_MD5_FINGERPRINT, @key4.md5_fingerprint
+    else
+      assert_raises(NotImplementedError) { @key4.md5_fingerprint }
+    end
+
     assert_equal KEY1_SHA1_FINGERPRINT, @key1.sha1_fingerprint
     assert_equal KEY2_SHA1_FINGERPRINT, @key2.sha1_fingerprint
     assert_equal KEY3_SHA1_FINGERPRINT, @key3.sha1_fingerprint
 
+    if ecdsa_supported?
+      assert_equal KEY4_SHA1_FINGERPRINT, @key4.sha1_fingerprint
+    else
+      assert_raises(NotImplementedError) { @key4.sha1_fingerprint }
+    end
+
     assert_equal KEY1_SHA256_FINGERPRINT, @key1.sha256_fingerprint
     assert_equal KEY2_SHA256_FINGERPRINT, @key2.sha256_fingerprint
     assert_equal KEY3_SHA256_FINGERPRINT, @key3.sha256_fingerprint
 
+    if ecdsa_supported?
+      assert_equal KEY4_SHA256_FINGERPRINT, @key4.sha256_fingerprint
+    else
+      assert_raises(NotImplementedError) { @key4.sha256_fingerprint }
+    end
+
     assert_equal KEY1_MD5_FINGERPRINT, SSHKey.md5_fingerprint(SSH_PRIVATE_KEY1)
     assert_equal KEY1_MD5_FINGERPRINT, SSHKey.md5_fingerprint("ssh-rsa #{SSH_PUBLIC_KEY1}")
     assert_equal KEY2_MD5_FINGERPRINT, SSHKey.md5_fingerprint(SSH_PRIVATE_KEY2)
     assert_equal KEY2_MD5_FINGERPRINT, SSHKey.md5_fingerprint("ssh-rsa #{SSH_PUBLIC_KEY2} me@me.com")
     assert_equal KEY3_MD5_FINGERPRINT, SSHKey.md5_fingerprint(SSH_PRIVATE_KEY3)
     assert_equal KEY3_MD5_FINGERPRINT, SSHKey.md5_fingerprint("ssh-dss #{SSH_PUBLIC_KEY3}")
+    assert_equal KEY4_MD5_FINGERPRINT, SSHKey.md5_fingerprint("ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY4}")
     assert_equal ED25519_MD5_FINGERPRINT, SSHKey.md5_fingerprint("ssh-ed25519 #{SSH_PUBLIC_KEY_ED25519}")
     assert_equal ECDSA_256_MD5_FINGERPRINT, SSHKey.md5_fingerprint("ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY_ECDSA_256} me@me.com")
+    assert_equal ECDSA_384_MD5_FINGERPRINT, SSHKey.md5_fingerprint("ecdsa-sha2-nistp384 #{SSH_PUBLIC_KEY_ECDSA_384} me@me.com")
+    assert_equal ECDSA_521_MD5_FINGERPRINT, SSHKey.md5_fingerprint("ecdsa-sha2-nistp521 #{SSH_PUBLIC_KEY_ECDSA_521} me@me.com")
 
     assert_equal KEY1_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint(SSH_PRIVATE_KEY1)
     assert_equal KEY1_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint("ssh-rsa #{SSH_PUBLIC_KEY1}")
@@ -426,8 +705,11 @@ end
     assert_equal KEY2_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint("ssh-rsa #{SSH_PUBLIC_KEY2} me@me.com")
     assert_equal KEY3_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint(SSH_PRIVATE_KEY3)
     assert_equal KEY3_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint("ssh-dss #{SSH_PUBLIC_KEY3}")
+    assert_equal KEY4_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint("ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY4}")
     assert_equal ED25519_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint("ssh-ed25519 #{SSH_PUBLIC_KEY_ED25519}")
     assert_equal ECDSA_256_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint("ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY_ECDSA_256} me@me.com")
+    assert_equal ECDSA_384_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint("ecdsa-sha2-nistp384 #{SSH_PUBLIC_KEY_ECDSA_384} me@me.com")
+    assert_equal ECDSA_521_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint("ecdsa-sha2-nistp521 #{SSH_PUBLIC_KEY_ECDSA_521} me@me.com")
 
     assert_equal KEY1_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint(SSH_PRIVATE_KEY1)
     assert_equal KEY1_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint("ssh-rsa #{SSH_PUBLIC_KEY1}")
@@ -435,14 +717,24 @@ end
     assert_equal KEY2_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint("ssh-rsa #{SSH_PUBLIC_KEY2} me@me.com")
     assert_equal KEY3_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint(SSH_PRIVATE_KEY3)
     assert_equal KEY3_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint("ssh-dss #{SSH_PUBLIC_KEY3}")
+    assert_equal KEY4_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint("ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY4}")
     assert_equal ED25519_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint("ssh-ed25519 #{SSH_PUBLIC_KEY_ED25519}")
     assert_equal ECDSA_256_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint("ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY_ECDSA_256} me@me.com")
+    assert_equal ECDSA_384_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint("ecdsa-sha2-nistp384 #{SSH_PUBLIC_KEY_ECDSA_384} me@me.com")
+    assert_equal ECDSA_521_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint("ecdsa-sha2-nistp521 #{SSH_PUBLIC_KEY_ECDSA_521} me@me.com")
   end
 
   def test_bits
     assert_equal 2048, @key1.bits
     assert_equal 2048, @key2.bits
     assert_equal 1024, @key3.bits
+
+    if ecdsa_supported?
+      assert_equal 256, @key4.bits
+    else
+      assert_raises(NotImplementedError) { @key4.bits }
+    end
+
     assert_equal 512, SSHKey.generate(:bits => 512).bits
   end
 
@@ -450,7 +742,27 @@ end
     assert_equal KEY1_RANDOMART, @key1.randomart
     assert_equal KEY2_RANDOMART, @key2.randomart
     assert_equal KEY3_RANDOMART, @key3.randomart
+
+    if ecdsa_supported?
+      assert_equal KEY4_RANDOMART, @key4.randomart
+    else
+      assert_raises(NotImplementedError) { @key4.randomart }
+    end
+
+    if ecdsa_supported?
+      assert_equal KEY4_RANDOMART_USING_SHA256_DIGEST, @key4.randomart("SHA256")
+      assert_equal KEY4_RANDOMART_USING_SHA384_DIGEST, @key4.randomart("SHA384")
+      assert_equal KEY4_RANDOMART_USING_SHA512_DIGEST, @key4.randomart("SHA512")
+    end
+
   end
+
+  def test_sshfp
+    assert_equal KEY1_SSHFP, @key1.sshfp("localhost")
+    assert_equal KEY2_SSHFP, @key2.sshfp("localhost")
+    assert_equal KEY3_SSHFP, @key3.sshfp("localhost")
+  end
+
 end
 
 class SSHKeyEncryptedTest < Test::Unit::TestCase

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sshkey
 version: !ruby/object:Gem::Version
-  version: 1.9.0
+  version: 3.0.0
 platform: ruby
 authors:
 - James Miller
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-01-25 00:00:00.000000000 Z
+date: 2023-08-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -45,14 +45,13 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/ci.yml"
 - ".gitignore"
-- ".travis.yml"
 - Gemfile
 - LICENSE
 - README.md
 - Rakefile
 - lib/sshkey.rb
-- lib/sshkey/exception.rb
 - lib/sshkey/version.rb
 - sshkey.gemspec
 - test/sshkey_test.rb
@@ -60,7 +59,7 @@ homepage: https://github.com/bensie/sshkey
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -68,16 +67,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: sshkey
-rubygems_version: 2.6.8
-signing_key: 
+rubygems_version: 3.4.18
+signing_key:
 specification_version: 4
 summary: SSH private/public key generator in Ruby
 test_files:

data/.travis.yml

@@ -1,20 +0,0 @@
-language: ruby
-
-rvm:
-  - 1.9.3
-  - 2.0.0
-  - 2.1.9
-  - 2.2.6
-  - 2.3.3
-  - 2.4.0
-  - ruby-head
-  - jruby
-  - jruby-head
-
-matrix:
-  allow_failures:
-    - rvm: ruby-head
-    - rvm: jruby-head
-
-sudo: required
-dist: trusty

data/lib/sshkey/exception.rb

@@ -1,3 +0,0 @@
-class SSHKey
-  class PublicKeyError < StandardError; end
-end