RubyGems - sshkey - Versions diffs - 2.0.0 → 3.0.0 - Mend

sshkey 2.0.0 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: b6e9c3f40bf3a5b7a9f80cadd7d98e8c4e9b41d4
-  data.tar.gz: 362495eb1d46d0befe4c932c94318ce1e40c8ec2
+SHA256:
+  metadata.gz: 9e933102cbc9909bfcb4564475ef8ea53427869b58c424405a588c954f3f737c
+  data.tar.gz: 415a21ff41613ba75ce07dab568f8560c9b3b83b0b3e7cac015f4238f20420b0
 SHA512:
-  metadata.gz: 7f99fe44852eb551a34ff7fc8ca2dcab7e51a222e9e2bb7c9708115419e1e1e08444ca03973692547b2ce5d83d4dda593b95baa3bca19b1def9df3037bae127c
-  data.tar.gz: 846c9b1966e56c5f405897254619367867d34855c9ebaa65f7d863ad271763427d574589c22b6570c790642a352e8fb39fb055a56ce446c18d717f17cf943f42
+  metadata.gz: 5867e989c0296a84807b9cf52e2d0512f3083c12f07a82fb8f9bca1bf475e38fd658132d5cbd91df03cee83114665c325f1a58e4c195b037f08f8feb648c188f
+  data.tar.gz: b314c5762fbe08f6e95ba8d18d01e6a51ef25656cd3797de8e3d2065d1066768656ac8c1ac030379672b2ed27d3672e5cbbcdc6d499fd90f7e35ba4b356f25b2

data/.github/workflows/ci.yml ADDED Viewed

@@ -0,0 +1,25 @@
+name: CI
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+permissions:
+  contents: read
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: ["2.5", "2.6", "2.7", "3.0", "3.1", "3.2", "3.3", jruby-9.3, jruby-9.4]
+    steps:
+    - uses: actions/checkout@v3
+    - uses: ruby/setup-ruby@v1
+      with:
+        bundler-cache: true
+        ruby-version: ${{ matrix.ruby }}
+    - run: bundle exec rake

data/LICENSE CHANGED Viewed

@@ -1,4 +1,4 @@
-Copyright (c) 2011-2016 James Miller
+Copyright (c) 2011-2023 James Miller
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.md CHANGED Viewed

@@ -1,12 +1,10 @@
 # SSHKey
-Generate private and public SSH keys (RSA and DSA supported) using pure Ruby.
-[![Build Status](https://secure.travis-ci.org/bensie/sshkey.svg?branch=master)](http://travis-ci.org/bensie/sshkey)
+Generate private and public SSH keys (RSA, DSA, and ECDSA supported) using pure Ruby.
 ## Requirements
-Tested / supported on CRuby 2.0.0+ and JRuby.
+Tested / supported on CRuby 2.5+ and JRuby.
 ## Installation
@@ -16,7 +14,7 @@ Tested / supported on CRuby 2.0.0+ and JRuby.
 ### Generate a new key
-When generating a new keypair the default key type is 2048-bit RSA, but you can supply the `type` (RSA or DSA) and `bits` in the options.
+When generating a new keypair the default key type is 2048-bit RSA, but you can supply the `type` (RSA or DSA or ECDSA) and `bits` in the options.
 You can also (optionally) supply a `comment` or `passphrase`.
 ```ruby
@@ -32,7 +30,7 @@ k = SSHKey.generate(
 ### Use your existing key
-Return an SSHKey object from an existing RSA or DSA private key (provided as a string).
+Return an SSHKey object from an existing RSA or DSA or ECDSA private key (provided as a string).
 ```ruby
 f = File.read(File.expand_path("~/.ssh/id_rsa"))
@@ -43,7 +41,7 @@ k = SSHKey.new(f, comment: "foo@bar.com")
 #### Private and public keys
-Fetch the private and public keys as strings. Note that the `public_key` is the RSA or DSA public key, not an SSH public key.
+Fetch the private and public keys as strings. Note that the `public_key` is the RSA or DSA or ECDSA public key, not an SSH public key.
 ```ruby
 k.private_key
@@ -161,7 +159,7 @@ puts k.randomart
 #### Original OpenSSL key object
-Return the original [OpenSSL::PKey::RSA](http://www.ruby-doc.org/stdlib/libdoc/openssl/rdoc/classes/OpenSSL/PKey/RSA.html) or [OpenSSL::PKey::DSA](http://www.ruby-doc.org/stdlib/libdoc/openssl/rdoc/classes/OpenSSL/PKey/DSA.html) object.
+Return the original [OpenSSL::PKey::RSA](https://ruby-doc.org/3.2.2/exts/openssl/OpenSSL/PKey/RSA.html) or [OpenSSL::PKey::DSA](https://ruby-doc.org/3.2.2/exts/openssl/OpenSSL/PKey/DSA.html) or [OpenSSL::PKey::EC](https://ruby-doc.org/3.2.2/exts/openssl/OpenSSL/PKey/EC.html)object.
 ```ruby
 k.key_object
@@ -213,4 +211,4 @@ SSHKey.ssh_public_key_to_ssh2_public_key "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ
 ## Copyright
-Copyright (c) 2011-2019 James Miller
+Copyright (c) 2011-2023 James Miller

data/lib/sshkey/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 class SSHKey
-  VERSION = "2.0.0"
+  VERSION = "3.0.0"
 end

data/lib/sshkey.rb CHANGED Viewed

@@ -4,6 +4,35 @@ require 'digest/md5'
 require 'digest/sha1'
 require 'digest/sha2'
+def jruby_not_implemented(msg)
+  raise NotImplementedError.new "jruby-openssl #{JOpenSSL::VERSION}: #{msg}" if RUBY_PLATFORM == "java"
+end
+# Monkey patch OpenSSL::PKey::EC to provide convenience methods usable in this gem
+class OpenSSL::PKey::EC
+  def identifier
+    # NOTE: Unable to find these constants within OpenSSL, so hardcode them here.
+    # Analogous to net-ssh OpenSSL::PKey::EC::CurveNameAliasInv
+    # https://github.com/net-ssh/net-ssh/blob/master/lib/net/ssh/transport/openssl.rb#L147-L151
+    case group.curve_name
+    when "prime256v1" then "nistp256"  # https://stackoverflow.com/a/41953717
+    when "secp256r1"  then "nistp256"  # JRuby
+    when "secp384r1"  then "nistp384"
+    when "secp521r1"  then "nistp521"
+    else
+      raise "Unknown curve name: #{public_key.group.curve_name}"
+    end
+  end
+  def q
+    # jruby-openssl does not currently support to_octet_string
+    # https://github.com/jruby/jruby-openssl/issues/226
+    jruby_not_implemented("to_octet_string is not implemented")
+    public_key.to_octet_string(group.point_conversion_form)
+  end
+end
 class SSHKey
   SSH_TYPES = {
     "ssh-rsa" => "rsa",
@@ -20,7 +49,23 @@ class SSHKey
     "ecdsa"   => 3,
     "ed25519" => 4,
   }
-  SSH_CONVERSION = {"rsa" => ["e", "n"], "dsa" => ["p", "q", "g", "pub_key"]}
+  ECDSA_CURVES = {
+    256 => "prime256v1",  # https://stackoverflow.com/a/41953717
+    384 => "secp384r1",
+    521 => "secp521r1",
+  }
+  VALID_BITS = {
+    "ecdsa" => ECDSA_CURVES.keys,
+  }
+  # Accessor methods are defined in:
+  # - RSA:   https://github.com/ruby/openssl/blob/master/ext/openssl/ossl_pkey_rsa.c
+  # - DSA:   https://github.com/ruby/openssl/blob/master/ext/openssl/ossl_pkey_dsa.c
+  # - ECDSA: monkey patch OpenSSL::PKey::EC above
+  SSH_CONVERSION = {"rsa" => ["e", "n"], "dsa" => ["p", "q", "g", "pub_key"], "ecdsa" => ["identifier", "q"]}
   SSH2_LINE_LENGTH = 70 # +1 (for line wrap '/' character) must be <= 72
   class << self
@@ -40,17 +85,44 @@ class SSHKey
       type   = options[:type] || "rsa"
       # JRuby modulus size must range from 512 to 1024
-      default_bits = type == "rsa" ? 2048 : 1024
+      case type
+      when "rsa"   then default_bits = 2048
+      when "ecdsa" then default_bits = 256
+      else
+        default_bits = 1024
+      end
       bits   = options[:bits] || default_bits
       cipher = OpenSSL::Cipher.new("AES-128-CBC") if options[:passphrase]
+      raise "Bits must either: #{VALID_BITS[type.downcase].join(', ')}" unless VALID_BITS[type.downcase].nil? || VALID_BITS[type.downcase].include?(bits)
       case type.downcase
-      when "rsa" then new(OpenSSL::PKey::RSA.generate(bits).to_pem(cipher, options[:passphrase]), options)
-      when "dsa" then new(OpenSSL::PKey::DSA.generate(bits).to_pem(cipher, options[:passphrase]), options)
+      when "rsa"
+        key_object = OpenSSL::PKey::RSA.generate(bits)
+      when "dsa"
+        key_object = OpenSSL::PKey::DSA.generate(bits)
+      when "ecdsa"
+        # jruby-openssl OpenSSL::PKey::EC support isn't complete
+        # https://github.com/jruby/jruby-openssl/issues/189
+        jruby_not_implemented("OpenSSL::PKey::EC is not fully implemented")
+        if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x30000000
+          # https://github.com/ruby/openssl/pull/480
+          key_object = OpenSSL::PKey::EC.generate(ECDSA_CURVES[bits])
+        else
+          key_pkey = OpenSSL::PKey::EC.new(ECDSA_CURVES[bits])
+          key_object = key_pkey.generate_key
+        end
       else
         raise "Unknown key type: #{type}"
       end
+      key_pem = key_object.to_pem(cipher, options[:passphrase])
+      new(key_pem, options)
     end
     # Validate an existing SSH public key
@@ -83,9 +155,27 @@ class SSHKey
     #
     # ==== Parameters
     # * ssh_public_key<~String> - "ssh-rsa AAAAB3NzaC1yc2EA...."
+    # * ssh_public_key<~String> - "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY...."
     #
     def ssh_public_key_bits(ssh_public_key)
-      unpacked_byte_array( *parse_ssh_public_key(ssh_public_key) ).last.num_bytes * 8
+      ssh_type, encoded_key = parse_ssh_public_key(ssh_public_key)
+      sections = unpacked_byte_array(ssh_type, encoded_key)
+      case ssh_type
+      when "ssh-rsa", "ssh-dss", "ssh-ed25519"
+        sections.last.num_bytes * 8
+      when "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"
+        raise PublicKeyError, "invalid ECDSA key" unless sections.count == 2
+        # https://tools.ietf.org/html/rfc5656#section-3.1
+        identifier = sections[0].to_s(2)
+        q = sections[1].to_s(2)
+        ecdsa_bits(ssh_type, identifier, q)
+      else
+        raise PublicKeyError, "unsupported key type #{ssh_type}"
+      end
     end
     # Fingerprints
@@ -194,6 +284,48 @@ class SSHKey
       return data
     end
+    def ecdsa_bits(ssh_type, identifier, q)
+      raise PublicKeyError, "invalid ssh type" unless ssh_type == "ecdsa-sha2-#{identifier}"
+      len_q = q.length
+      compression_octet = q.slice(0, 1)
+      if compression_octet == "\x04"
+        # Point compression is off
+        # Summary from https://www.secg.org/sec1-v2.pdf "2.3.3  Elliptic-Curve-Point-to-Octet-String Conversion"
+        # - the leftmost octet indicates that point compression is off
+        #   (first octet 0x04 as specified in "3.3. Output M = 04 base 16 ‖ X ‖ Y.")
+        # - the remainder of the octet string contains the x-coordinate followed by the y-coordinate.
+        len_x = (len_q - 1) / 2
+      else
+        # Point compression is on
+        # Summary from https://www.secg.org/sec1-v2.pdf "2.3.3  Elliptic-Curve-Point-to-Octet-String Conversion"
+        # - the compressed y-coordinate is recovered from the leftmost octet
+        # - the x-coordinate is recovered from the remainder of the octet string
+        raise PublicKeyError, "invalid compression octet" unless compression_octet == "\x02" || compression_octet == "\x03"
+        len_x = len_q - 1
+      end
+      # https://www.secg.org/sec2-v2.pdf "2.1  Properties of Elliptic Curve Domain Parameters over Fp" defines
+      # five discrete bit lengths: 192, 224, 256, 384, 521
+      # These bit lengths can be ascertained from the length of the packed x-coordinate.
+      # Alternatively, these bit lengths can be derived from their associated prime constants using Math.log2(prime).ceil
+      # against the prime constants defined in https://www.secg.org/sec2-v2.pdf
+      case len_x
+      when 24 then bits = 192
+      when 28 then bits = 224
+      when 32 then bits = 256
+      when 48 then bits = 384
+      when 66 then bits = 521
+      else
+        raise PublicKeyError, "invalid x-coordinate length #{len_x}"
+      end
+      raise PublicKeyError, "invalid identifier #{identifier}" unless identifier =~ /#{bits}/
+      return bits
+    end
     def decoded_key(key)
       Base64.decode64(parse_ssh_public_key(key).last)
     end
@@ -203,6 +335,10 @@ class SSHKey
     end
     def parse_ssh_public_key(public_key)
+      # lines starting with a '#' and empty lines are ignored as comments (as in ssh AuthorizedKeysFile)
+      public_key = public_key.gsub(/^#.*$/, '')
+      public_key = public_key.strip # leading and trailing whitespaces wiped out
       raise PublicKeyError, "newlines are not permitted between key data" if public_key =~ /\n(?!$)/
       parsed = public_key.split(" ")
@@ -227,13 +363,13 @@ class SSHKey
     end
   end
-  attr_reader :key_object, :type
+  attr_reader :key_object, :type, :typestr
   attr_accessor :passphrase, :comment
   # Create a new SSHKey object
   #
   # ==== Parameters
-  # * private_key - Existing RSA or DSA private key
+  # * private_key - Existing RSA or DSA or ECDSA private key
   # * options<~Hash>
   #   * :comment<~String> - Comment to use for the public key, defaults to ""
   #   * :passphrase<~String> - If the key is encrypted, supply the passphrase
@@ -243,19 +379,41 @@ class SSHKey
     @passphrase = options[:passphrase]
     @comment    = options[:comment] || ""
     self.directives = options[:directives] || []
     begin
       @key_object = OpenSSL::PKey::RSA.new(private_key, passphrase)
       @type = "rsa"
-    rescue
+      @typestr = "ssh-rsa"
+    rescue OpenSSL::PKey::RSAError
+      @type = nil
+    end
+    return if @type
+    begin
       @key_object = OpenSSL::PKey::DSA.new(private_key, passphrase)
       @type = "dsa"
+      @typestr = "ssh-dss"
+    rescue OpenSSL::PKey::DSAError
+      @type = nil
     end
+    return if @type
+    @key_object = OpenSSL::PKey::EC.new(private_key, passphrase)
+    @type = "ecdsa"
+    bits = ECDSA_CURVES.invert[@key_object.group.curve_name]
+    @typestr = "ecdsa-sha2-nistp#{bits}"
   end
-  # Fetch the RSA/DSA private key
+  # Fetch the private key (PEM format)
   #
   # rsa_private_key and dsa_private_key are aliased for backward compatibility
   def private_key
+    # jruby-openssl OpenSSL::PKey::EC support isn't complete
+    # https://github.com/jruby/jruby-openssl/issues/189
+    jruby_not_implemented("OpenSSL::PKey::EC is not fully implemented") if type == "ecdsa"
     key_object.to_pem
   end
   alias_method :rsa_private_key, :private_key
@@ -269,18 +427,73 @@ class SSHKey
     key_object.to_pem(OpenSSL::Cipher.new("AES-128-CBC"), passphrase)
   end
-  # Fetch the RSA/DSA public key
+  # Fetch the public key (PEM format)
   #
   # rsa_public_key and dsa_public_key are aliased for backward compatibility
   def public_key
-    key_object.public_key.to_pem
+    public_key_object.to_pem
   end
   alias_method :rsa_public_key, :public_key
   alias_method :dsa_public_key, :public_key
+  def public_key_object
+    if type == "ecdsa"
+      return nil unless key_object
+      return nil unless key_object.group
+      if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x30000000 && RUBY_PLATFORM != "java"
+        # jruby-openssl does not currently support point_conversion_form
+        # (futureproofing for if/when JRuby requires this technique to determine public key)
+        jruby_not_implemented("point_conversion_form is not implemented")
+        # Avoid "OpenSSL::PKey::PKeyError: pkeys are immutable on OpenSSL 3.0"
+        # https://github.com/ruby/openssl/blob/master/History.md#version-300
+        # https://github.com/ruby/openssl/issues/498
+        # https://github.com/net-ssh/net-ssh/commit/4de6831dea4e922bf3052192eec143af015a3486
+        # https://github.com/ClearlyClaire/cose-ruby/commit/28ee497fa7d9d49e72d5a5e97a567c0b58fdd822
+        curve_name = key_object.group.curve_name
+        return nil unless curve_name
+        # Map to different curve_name for JRuby
+        # (futureproofing for if/when JRuby requires this technique to determine public key)
+        # https://github.com/jwt/ruby-jwt/issues/362#issuecomment-722938409
+        curve_name = "prime256v1" if curve_name == "secp256r1" && RUBY_PLATFORM == "java"
+        # Construct public key OpenSSL::PKey::EC from OpenSSL::PKey::EC::Point
+        public_key_point = key_object.public_key  # => OpenSSL::PKey::EC::Point
+        return nil unless public_key_point
+        asn1 = OpenSSL::ASN1::Sequence(
+          [
+            OpenSSL::ASN1::Sequence(
+              [
+                OpenSSL::ASN1::ObjectId("id-ecPublicKey"),
+                OpenSSL::ASN1::ObjectId(curve_name)
+              ]
+            ),
+            OpenSSL::ASN1::BitString(public_key_point.to_octet_string(key_object.group.point_conversion_form))
+          ]
+        )
+        pub = OpenSSL::PKey::EC.new(asn1.to_der)
+        pub
+      else
+        pub = OpenSSL::PKey::EC.new(key_object.group)
+        pub.public_key = key_object.public_key
+        pub
+      end
+    else
+      key_object.public_key
+    end
+  end
   # SSH public key
   def ssh_public_key
-    [directives.join(",").strip, SSH_TYPES.invert[type], Base64.encode64(ssh_public_key_conversion).gsub("\n", ""), comment].join(" ").strip
+    [directives.join(",").strip, typestr, Base64.encode64(ssh_public_key_conversion).gsub("\n", ""), comment].join(" ").strip
   end
   # SSH2 public key (RFC4716)
@@ -323,6 +536,7 @@ class SSHKey
   #
   # Generate OpenSSH compatible ASCII art fingerprints
   # See http://www.opensource.apple.com/source/OpenSSH/OpenSSH-175/openssh/key.c (key_fingerprint_randomart function)
+  # or https://mirrors.mit.edu/pub/OpenBSD/OpenSSH/ (sshkey.c fingerprint_randomart function)
   #
   # Example:
   # +--[ RSA 2048]----+
@@ -336,13 +550,23 @@ class SSHKey
   # |   . .           |
   # |    Eo.          |
   # +-----------------+
-  def randomart
+  def randomart(dgst_alg = "MD5")
     fieldsize_x = 17
     fieldsize_y = 9
     x = fieldsize_x / 2
     y = fieldsize_y / 2
-    raw_digest = Digest::MD5.digest(ssh_public_key_conversion)
-    num_bytes = raw_digest.bytesize
+    case dgst_alg
+      when "MD5"    then raw_digest = Digest::MD5.digest(ssh_public_key_conversion)
+      when "SHA256" then raw_digest = Digest::SHA2.new(256).digest(ssh_public_key_conversion)
+      when "SHA384" then raw_digest = Digest::SHA2.new(384).digest(ssh_public_key_conversion)
+      when "SHA512" then raw_digest = Digest::SHA2.new(512).digest(ssh_public_key_conversion)
+    else
+      raise "Unknown digest algorithm: #{digest}"
+    end
+    augmentation_string = " .o+=*BOX@%&#/^SE"
+    len = augmentation_string.length - 1
     field = Array.new(fieldsize_x) { Array.new(fieldsize_y) {0} }
@@ -354,20 +578,27 @@ class SSHKey
         x = [[x, 0].max, fieldsize_x - 1].min
         y = [[y, 0].max, fieldsize_y - 1].min
-        field[x][y] += 1 if (field[x][y] < num_bytes - 2)
+        field[x][y] += 1 if (field[x][y] < len - 2)
         byte >>= 2
       end
     end
-    field[fieldsize_x / 2][fieldsize_y / 2] = num_bytes - 1
-    field[x][y] = num_bytes
-    augmentation_string = " .o+=*BOX@%&#/^SE"
-    output = "+--#{sprintf("[%4s %4u]", type.upcase, bits)}----+\n"
+    fieldsize_x_halved = fieldsize_x / 2
+    fieldsize_y_halved = fieldsize_y / 2
+    field[fieldsize_x_halved][fieldsize_y_halved] = len - 1
+    field[x][y] = len
+    type_name_length_max = 4  # Note: this will need to be extended to accomodate ed25519
+    bits_number_length_max = (bits < 1000 ? 3 : 4)
+    formatstr = "[%#{type_name_length_max}s %#{bits_number_length_max}u]"
+    output = "+--#{sprintf(formatstr, type.upcase, bits)}----+\n"
     fieldsize_y.times do |y|
       output << "|"
       fieldsize_x.times do |x|
-        output << augmentation_string[[field[x][y], num_bytes].min]
+        output << augmentation_string[[field[x][y], len].min]
       end
       output << "|"
       output << "\n"
@@ -387,6 +618,26 @@ class SSHKey
   private
+  def self.ssh_public_key_data_dsarsa(val)
+    # Get byte-representation of absolute value of val
+    data = val.to_s(2)
+    first_byte = data[0,1].unpack("c").first
+    if val < 0
+      # For negative values, highest bit must be set
+      data[0] = [0x80 & first_byte].pack("c")
+    elsif first_byte < 0
+      # For positive values where highest bit would be set, prefix with \0
+      data = "\0" + data
+    end
+    data
+  end
+  def self.ssh_public_key_data_ecdsa(val)
+    val
+  end
   # SSH Public Key Conversion
   #
   # All data type encoding is defined in the section #5 of RFC #4251.
@@ -397,26 +648,20 @@ class SSHKey
   # For instance, the "ssh-rsa" string is encoded as the following byte array
   # [0, 0, 0, 7, 's', 's', 'h', '-', 'r', 's', 'a']
   def ssh_public_key_conversion
-    typestr = SSH_TYPES.invert[type]
     methods = SSH_CONVERSION[type]
-    pubkey = key_object.public_key
-    methods.inject([7].pack("N") + typestr) do |pubkeystr, m|
-      # Given pubkey.class == OpenSSL::BN, pubkey.to_s(0) returns an MPI
-      # formatted string (length prefixed bytes). This is not supported by
-      # JRuby, so we still have to deal with length and data separately.
-      val = pubkey.send(m)
-      # Get byte-representation of absolute value of val
-      data = val.to_s(2)
-      first_byte = data[0,1].unpack("c").first
-      if val < 0
-        # For negative values, highest bit must be set
-        data[0] = [0x80 & first_byte].pack("c")
-      elsif first_byte < 0
-        # For positive values where highest bit would be set, prefix with \0
-        data = "\0" + data
+    methods.inject([typestr.length].pack("N") + typestr) do |pubkeystr, m|
+      # Given public_key_object.class == OpenSSL::BN, public_key_object.to_s(0)
+      # returns an MPI formatted string (length prefixed bytes). This is not
+      # supported by JRuby, so we still have to deal with length and data separately.
+      val = public_key_object.send(m)
+      case type
+      when "dsa","rsa" then data = self.class.ssh_public_key_data_dsarsa(val)
+      when "ecdsa"     then data = self.class.ssh_public_key_data_ecdsa(val)
+      else
+        raise "Unknown key type: #{type}"
       end
       pubkeystr + [data.length].pack("N") + data
     end
   end

data/sshkey.gemspec CHANGED Viewed

@@ -13,7 +13,10 @@ Gem::Specification.new do |s|
   s.description = %q{Generate private/public SSH keypairs using pure Ruby}
   s.licenses    = ["MIT"]
-  s.rubyforge_project = "sshkey"
+  # ECDSA requires OpenSSL::PKey::EC::Point#to_octet_string
+  # to_octet string was added in Ruby/OpenSSL 2.1.0 https://github.com/ruby/openssl/blob/master/History.md#version-210
+  # Ruby 2.5 Updated Ruby/OpenSSL from to 2.1.0 https://github.com/ruby/ruby/blob/v2_5_0/NEWS
+  s.required_ruby_version = '>= 2.5'
   s.files         = `git ls-files`.split("\n")
   s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")

data/test/sshkey_test.rb CHANGED Viewed

@@ -2,6 +2,13 @@ require 'test/unit'
 require 'sshkey'
 class SSHKeyTest < Test::Unit::TestCase
+  # https://github.com/jruby/jruby-openssl/issues/189
+  # https://github.com/jruby/jruby-openssl/issues/226
+  def ecdsa_supported?
+    RUBY_PLATFORM != "java"
+  end
   SSH_PRIVATE_KEY1 = <<-EOF
 -----BEGIN RSA PRIVATE KEY-----
 MIIEogIBAAKCAQEArfTA/lKVR84IMc9ZzXOCHr8DVtR8hzWuEVHF6KElavRHlk14
@@ -73,11 +80,66 @@ ItmZYXTvJDwLXgq2/iK1fRRcKk2PJEaSuJR7WeNGsJKfWmQ2UbOhqA3wWLDazIZt
 cMKjFzD0hM4E8qgjHjMvKDE6WgT6SFP+tqx3nnh7pJWwsbGjSMQexpyRAhQLhz0l
 GzM8qwTcXd06uIZAJdTHIQ==
 -----END DSA PRIVATE KEY-----
+EOF
+  SSH_PRIVATE_KEY4 = <<-EOF
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIByjVCRawGxEd/L/VblGjnJTJeOgk6vGFYnolYWHg+JkoAoGCCqGSM49
+AwEHoUQDQgAEQOAmNzXT3XN5DQdHBYCgflosVlHd6MUB1n9n6CCijvVJCQGJAA0p
+6+3o91ccyA0zHXuUno2eMzBUDghfNZYnHg==
+-----END EC PRIVATE KEY-----
+EOF
+  PUBLIC_KEY1 = <<-EOF
+-----BEGIN PUBLIC KEY-----
+MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEArfTA/lKVR84IMc9ZzXOC
+Hr8DVtR8hzWuEVHF6KElavRHlk14g0SZu3m908Ejm/XF3EfNHjX9wN+62IMA0QBx
+kBMFCuLF+U/oeUs0NoDdAEKxjj4n6lq6Ss8aLct+anMy7D1jwvOLbcwV54w1d5JD
+dlZVdZ6AvHm9otwJq6rNpDgdmXY4HgC2nM9csFpuy0cDpL6fdJx9lcNL2RnkRC4+
+RMsIB+PxDw0j3vDi04dYLBXMGYjyeGH+mIFpL3PTPXGXwL2XDYXZ2H4SQX6bOoKm
+azTXq6QXuEB665njh1GxXldoIMcSshoJL0hrk3WrTOG22N2CQA+IfHgrXJ+A+QUz
+KQIBIw==
+-----END PUBLIC KEY-----
+EOF
+  PUBLIC_KEY2 = <<-EOF
+-----BEGIN PUBLIC KEY-----
+MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAxl6TpN7uFiY/JZ8qDnD7
+UrxDP+ABeh2PVg8Du1LEgXNk0+YWCeP5S6oHklqaWeDlbmAs1oHsBwCMAVpMa5tg
+ONOLvz4JgwgkiqQEbKR8ofWJ+LADUElvqRVGmGiNEMLI6GJWeneL4sjmbb8d6U+M
+53c6iWG0si9XE5m7teBQSsCl0Tk3qMIkQGw5zpJeCXjZ8KpJhIJRYgexFkGgPlYR
+V+UYIhxpUW90t0Ra5i6JOFYwq98k5S/6SJIZQ/A9F4JNzwLw3eVxZj0yVHWxkGz1
++TyELNY1kOyMxnZaqSfGzSQJTrnIXpdweVHuYh1LtOgedRQhCyiELeSMGwio1vRP
+KwIBIw==
+-----END PUBLIC KEY-----
+EOF
+  PUBLIC_KEY3 = <<-EOF
+-----BEGIN PUBLIC KEY-----
+MIIBuDCCASwGByqGSM44BAEwggEfAoGBALyVy5dwVwgL3CxXzsvo8DBh58qArQLB
+NIPW/f9pptmy7jD5QXzOw+12w0/z4lZ86ncoVutRMf44OABcX9ovhRl+luxB7jjp
+kVXy/p2ZaqPbeyTQUtdTmXa2y4n053Jd61VeMG+iLP7+viT+Ib96y9aVUYQfCrl5
+heBDUZ9cAFjdAhUAxV5zuySaRSsJHqKK+Blhh7c9A9kCgYEAqel0RUBO0MY5b3DZ
+69J/mRzUifN1O6twk4er2ph0JpryuUwZohLpcVZwqoGWmPQy/ZHmV1b3RtT9GWUa
++HUqKdMhFVOx/iq1khVfLi83whjMMvXj3ecqd0yzGxGHnSsjVKefa2ywCLHrh4nl
+UVIaXI5gQpgMyVbMcromDe1WZzoDgYUAAoGBAIwTRPAEcroqOzaebiVspFcmsXxD
+Q4wXQZQdho1ExW6FKS8s7/6pItmZYXTvJDwLXgq2/iK1fRRcKk2PJEaSuJR7WeNG
+sJKfWmQ2UbOhqA3wWLDazIZtcMKjFzD0hM4E8qgjHjMvKDE6WgT6SFP+tqx3nnh7
+pJWwsbGjSMQexpyR
+-----END PUBLIC KEY-----
+EOF
+  PUBLIC_KEY4 = <<-EOF
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQOAmNzXT3XN5DQdHBYCgflosVlHd
+6MUB1n9n6CCijvVJCQGJAA0p6+3o91ccyA0zHXuUno2eMzBUDghfNZYnHg==
+-----END PUBLIC KEY-----
 EOF
   SSH_PUBLIC_KEY1 = 'AAAAB3NzaC1yc2EAAAABIwAAAQEArfTA/lKVR84IMc9ZzXOCHr8DVtR8hzWuEVHF6KElavRHlk14g0SZu3m908Ejm/XF3EfNHjX9wN+62IMA0QBxkBMFCuLF+U/oeUs0NoDdAEKxjj4n6lq6Ss8aLct+anMy7D1jwvOLbcwV54w1d5JDdlZVdZ6AvHm9otwJq6rNpDgdmXY4HgC2nM9csFpuy0cDpL6fdJx9lcNL2RnkRC4+RMsIB+PxDw0j3vDi04dYLBXMGYjyeGH+mIFpL3PTPXGXwL2XDYXZ2H4SQX6bOoKmazTXq6QXuEB665njh1GxXldoIMcSshoJL0hrk3WrTOG22N2CQA+IfHgrXJ+A+QUzKQ=='
   SSH_PUBLIC_KEY2 = 'AAAAB3NzaC1yc2EAAAABIwAAAQEAxl6TpN7uFiY/JZ8qDnD7UrxDP+ABeh2PVg8Du1LEgXNk0+YWCeP5S6oHklqaWeDlbmAs1oHsBwCMAVpMa5tgONOLvz4JgwgkiqQEbKR8ofWJ+LADUElvqRVGmGiNEMLI6GJWeneL4sjmbb8d6U+M53c6iWG0si9XE5m7teBQSsCl0Tk3qMIkQGw5zpJeCXjZ8KpJhIJRYgexFkGgPlYRV+UYIhxpUW90t0Ra5i6JOFYwq98k5S/6SJIZQ/A9F4JNzwLw3eVxZj0yVHWxkGz1+TyELNY1kOyMxnZaqSfGzSQJTrnIXpdweVHuYh1LtOgedRQhCyiELeSMGwio1vRPKw=='
   SSH_PUBLIC_KEY3 = 'AAAAB3NzaC1kc3MAAACBALyVy5dwVwgL3CxXzsvo8DBh58qArQLBNIPW/f9pptmy7jD5QXzOw+12w0/z4lZ86ncoVutRMf44OABcX9ovhRl+luxB7jjpkVXy/p2ZaqPbeyTQUtdTmXa2y4n053Jd61VeMG+iLP7+viT+Ib96y9aVUYQfCrl5heBDUZ9cAFjdAAAAFQDFXnO7JJpFKwkeoor4GWGHtz0D2QAAAIEAqel0RUBO0MY5b3DZ69J/mRzUifN1O6twk4er2ph0JpryuUwZohLpcVZwqoGWmPQy/ZHmV1b3RtT9GWUa+HUqKdMhFVOx/iq1khVfLi83whjMMvXj3ecqd0yzGxGHnSsjVKefa2ywCLHrh4nlUVIaXI5gQpgMyVbMcromDe1WZzoAAACBAIwTRPAEcroqOzaebiVspFcmsXxDQ4wXQZQdho1ExW6FKS8s7/6pItmZYXTvJDwLXgq2/iK1fRRcKk2PJEaSuJR7WeNGsJKfWmQ2UbOhqA3wWLDazIZtcMKjFzD0hM4E8qgjHjMvKDE6WgT6SFP+tqx3nnh7pJWwsbGjSMQexpyR'
+  SSH_PUBLIC_KEY4 = 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEDgJjc1091zeQ0HRwWAoH5aLFZR3ejFAdZ/Z+ggoo71SQkBiQANKevt6PdXHMgNMx17lJ6NnjMwVA4IXzWWJx4='
   SSH_PUBLIC_KEY_ED25519        = 'AAAAC3NzaC1lZDI1NTE5AAAAIBrNsRCISAtKXV5OVxqV6unVcdis5Uh3oiC6B7CMB7HQ'
   SSH_PUBLIC_KEY_ED25519_0_BYTE = 'AAAAC3NzaC1lZDI1NTE5AAAAIADK9x9t3yQQH7h4OEJpUa7l2j7mcmKf4LAsNXHxNbSm'
@@ -86,23 +148,36 @@ EOF
   SSH_PUBLIC_KEY_ECDSA_384 = 'AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBP+GtUCOR8aW7xTtpkbJS0qqNZ98PgbUNtTFhE+Oe+khgoFMX+o0JG5bckVuvtkRl8dr+63kUK0QPTtzP9O5yixB9CYnB8CgCgYo1FCXZuJIImf12wW5nWKglrCH4kV1Qg=='
   SSH_PUBLIC_KEY_ECDSA_521 = 'AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBACsunidnIZ77AjCHSDp/xknLGDW3M0Ia7nxLdImmp0XGbxtbwYm2ga5XUzV9dMO9wF9ICC3OuH6g9DtGOBNPru1PwFDjaPISGgm0vniEzWazLsvjJVLThOA3VyYLxmtjm0WfS+/DfxgWVS6oeCTnDjjoVVpwU/fDbUbYPPRZI84/hOGNA=='
+  SSH_PUBLIC_KEY_ECDSA_256_COMPRESSED = 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAAAhA+YNpJJrrUsu5OLLvqGX5pAH3+x6/yEFU2AYdxb54Jk8'
+  SSH_PUBLIC_KEY_ECDSA_384_COMPRESSED = 'AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAAAxAgMhp0cNvtzncxXF0W5nrkBCTrxJIcYqUTX4RcKWIM74FfxizmWJqP/C+looEz6dLQ=='
+  SSH_PUBLIC_KEY_ECDSA_521_COMPRESSED = 'AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAABDAgDoeNR4bndT24BosNaTKCLOALjL6tXrpNHn0HJzHO5z30L4SvH0Gz9jvAiqehNHOgmK3/bFbwLVW1W4TJbNsp8BVA=='
   KEY1_MD5_FINGERPRINT = "2a:89:84:c9:29:05:d1:f8:49:79:1c:ba:73:99:eb:af"
   KEY2_MD5_FINGERPRINT = "3c:af:74:87:cc:cc:a1:12:05:1a:09:b7:7b:ce:ed:ce"
   KEY3_MD5_FINGERPRINT = "14:f6:6a:12:96:be:44:32:e6:3c:77:43:94:52:f5:7a"
+  KEY4_MD5_FINGERPRINT = "38:0b:0f:63:36:64:b6:f0:43:94:de:32:75:eb:57:68"
   ED25519_MD5_FINGERPRINT = "6f:1a:8a:c1:4f:13:5c:36:6e:3f:be:eb:49:3b:8e:3e"
   ECDSA_256_MD5_FINGERPRINT = "d9:3a:7f:de:b2:65:04:ac:62:05:1a:1e:97:e9:2b:9d"
+  ECDSA_384_MD5_FINGERPRINT = "b5:bb:3e:f6:eb:3b:0f:1e:18:37:1f:36:ac:7c:87:0d"
+  ECDSA_521_MD5_FINGERPRINT = "98:8e:a9:4c:b9:aa:58:35:d1:42:65:c3:41:dd:04:e1"
   KEY1_SHA1_FINGERPRINT = "e4:f9:79:f2:fe:d6:be:2d:ef:2e:c2:fa:aa:f8:b0:17:34:fe:0d:c0"
   KEY2_SHA1_FINGERPRINT = "9a:52:78:2b:6b:cb:39:b7:85:ed:90:8a:28:62:aa:b3:98:88:e6:07"
   KEY3_SHA1_FINGERPRINT = "15:68:c6:72:ac:18:d1:fc:ab:a2:b7:b5:8c:d1:fe:8f:b9:ae:a9:47"
+  KEY4_SHA1_FINGERPRINT = "aa:b5:e6:62:27:87:b8:05:f6:d6:8f:31:dc:83:81:d9:8f:f8:71:29"
   ED25519_SHA1_FINGERPRINT = "57:41:7c:d0:e2:53:28:87:7e:87:53:d4:69:ef:ef:63:ec:c0:0e:5e"
   ECDSA_256_SHA1_FINGERPRINT = "94:e8:92:2b:1b:ec:49:de:ff:85:ea:6e:10:d6:8d:87:7a:67:40:ee"
+  ECDSA_384_SHA1_FINGERPRINT = "cc:fb:4c:d6:e9:d0:03:ae:2d:82:e1:fc:70:d8:47:98:25:e1:83:2b"
+  ECDSA_521_SHA1_FINGERPRINT = "6b:2c:a2:6e:3a:82:6c:73:28:57:91:20:71:82:bc:8f:f8:9d:6c:41"
   KEY1_SHA256_FINGERPRINT = "js3llFehloxCfsVuDw5xu3NtS9AOAxcXY8WL6vkDIts="
   KEY2_SHA256_FINGERPRINT = "23f/6U/LdxIFx1CQFKHylw76n+LIHYoY4nRxKcFoos4="
   KEY3_SHA256_FINGERPRINT = "mPqEPQlOPGORrTJrU17sPax1jOqeutZja6MOsFIca+8="
+  KEY4_SHA256_FINGERPRINT = "foUpf1ox3KfG3eKgJxGoSdZFRxHPsBYJgfD+CMYky6Y="
   ED25519_SHA256_FINGERPRINT = "gyzHUKl1eO8Bk1Cvn4joRgxRlXo1+1HJ3Vho/hAtKEg="
   ECDSA_256_SHA256_FINGERPRINT = "ncy2crhoL44R58GCZPQ5chPRrjlQKKgu07FDNelDmdk="
+  ECDSA_384_SHA256_FINGERPRINT = "mrr4QcP6qD05DUS6Rwefb9f0uuvjyMcO28LSiq2283U="
+  ECDSA_521_SHA256_FINGERPRINT = "QnaiGMIVDZyTG47hMWK6Y1z/yUzHIcTBGpNNuUwlhAk="
   KEY1_RANDOMART = <<-EOF.rstrip
 +--[ RSA 2048]----+
@@ -144,6 +219,66 @@ EOF
 |                 |
 |                 |
 +-----------------+
+EOF
+  # ssh-keygen -lv -E md5 -f ./id_ecdsa_ssh_public_key4.pub
+  KEY4_RANDOMART = <<-EOF.rstrip
++--[ECDSA 256]----+
+|    ..           |
+|   .. . .        |
+|  ..=o . . .     |
+|   B+.... E .    |
+|    @oo.S. .     |
+|   o B o. .      |
+|      o  .       |
+|                 |
+|                 |
++-----------------+
+EOF
+  # ssh-keygen -lv -E sha256 -f ./id_ecdsa_ssh_public_key4.pub
+  KEY4_RANDOMART_USING_SHA256_DIGEST = <<-EOF.rstrip
++--[ECDSA 256]----+
+|      .. o++B+   |
+|       .. ...*   |
+|    . ...o  o o  |
+|   . =o.o .= .   |
+|    +o+oS o.= . .|
+|   o .oo =.. + +.|
+|  E     o +.+ = o|
+|         ..=.+ . |
+|          oo  .  |
++-----------------+
+EOF
+  # ssh-keygen -lv -E sha384 -f ./id_ecdsa_ssh_public_key4.pub
+  KEY4_RANDOMART_USING_SHA384_DIGEST = <<-EOF.rstrip
++--[ECDSA 256]----+
+|           o++.  |
+| .        *oo. . |
+|o       .o+B.o.. |
+|+o      ooB+O *..|
+|.=+    .SB== ^.+.|
+|+  o    +o .O Xo.|
+| .  ...   .. + .o|
+|  . E. o +  + +..|
+|   .... . o..Bo..|
++-----------------+
+EOF
+  # ssh-keygen -lv -E sha512 -f ./id_ecdsa_ssh_public_key4.pub
+  KEY4_RANDOMART_USING_SHA512_DIGEST = <<-EOF.rstrip
++--[ECDSA 256]----+
+|       +*+o    oo|
+|      . .o o  . +|
+|     . o.   oo oo|
+|.. .+ .    .*.o+ |
+|..Bo.*  S  ..=o..|
+| .+X+ Oo    ...+ |
+| +o.B*+=o    .+ +|
+|+=+O.+=+.+. +.o+.|
+|@**EB*O++=o+ =o.+|
++-----------------+
 EOF
   KEY1_SSHFP = <<-EOF.rstrip
@@ -205,6 +340,7 @@ EOF
     @key1 = SSHKey.new(SSH_PRIVATE_KEY1, :comment => "me@example.com")
     @key2 = SSHKey.new(SSH_PRIVATE_KEY2, :comment => "me@example.com")
     @key3 = SSHKey.new(SSH_PRIVATE_KEY3, :comment => "me@example.com")
+    @key4 = SSHKey.new(SSH_PRIVATE_KEY4, :comment => "me@example.com")
     @key_without_comment = SSHKey.new(SSH_PRIVATE_KEY1)
   end
@@ -217,7 +353,14 @@ EOF
   end
   def test_generator_with_type
+    assert_equal "rsa", SSHKey.generate(:type => "rsa").type
     assert_equal "dsa", SSHKey.generate(:type => "dsa").type
+    if ecdsa_supported?
+      assert_equal "ecdsa", SSHKey.generate(:type => "ecdsa").type
+    else
+      assert_raises(NotImplementedError) { SSHKey.generate(:type => "ecdsa").type }
+    end
   end
   def test_generator_with_passphrase
@@ -239,6 +382,30 @@ EOF
     assert_equal SSH_PRIVATE_KEY3, @key3.dsa_private_key
   end
+  def test_private_key4
+    if ecdsa_supported?
+      assert_equal SSH_PRIVATE_KEY4, @key4.private_key
+    else
+      assert_raises(NotImplementedError) { @key4.private_key }
+    end
+  end
+  def test_public_key_1
+    assert_equal PUBLIC_KEY1, @key1.public_key
+  end
+  def test_public_key_2
+    assert_equal PUBLIC_KEY2, @key2.public_key
+  end
+  def test_public_key_3
+    assert_equal PUBLIC_KEY3, @key3.public_key
+  end
+  def test_public_key_4
+    assert_equal PUBLIC_KEY4, @key4.public_key
+  end
   def test_ssh_public_key_decoded1
     assert_equal Base64.decode64(SSH_PUBLIC_KEY1), @key1.send(:ssh_public_key_conversion)
   end
@@ -251,6 +418,14 @@ EOF
     assert_equal Base64.decode64(SSH_PUBLIC_KEY3), @key3.send(:ssh_public_key_conversion)
   end
+  def test_ssh_public_key_decoded4
+    if ecdsa_supported?
+      assert_equal Base64.decode64(SSH_PUBLIC_KEY4), @key4.send(:ssh_public_key_conversion)
+    else
+      assert_raises(NotImplementedError) { @key4.send(:ssh_public_key_conversion) }
+    end
+  end
   def test_ssh_public_key_encoded1
     assert_equal SSH_PUBLIC_KEY1, Base64.encode64(@key1.send(:ssh_public_key_conversion)).gsub("\n", "")
   end
@@ -263,15 +438,31 @@ EOF
     assert_equal SSH_PUBLIC_KEY3, Base64.encode64(@key3.send(:ssh_public_key_conversion)).gsub("\n", "")
   end
+  def test_ssh_public_key_encoded4
+    if ecdsa_supported?
+      assert_equal SSH_PUBLIC_KEY4, Base64.encode64(@key4.send(:ssh_public_key_conversion)).gsub("\n", "")
+    else
+      assert_raises(NotImplementedError) { Base64.encode64(@key4.send(:ssh_public_key_conversion)) }
+    end
+  end
   def test_ssh_public_key_output
     expected1 = "ssh-rsa #{SSH_PUBLIC_KEY1} me@example.com"
     expected2 = "ssh-rsa #{SSH_PUBLIC_KEY2} me@example.com"
     expected3 = "ssh-dss #{SSH_PUBLIC_KEY3} me@example.com"
-    expected4 = "ssh-rsa #{SSH_PUBLIC_KEY1}"
+    expected4 = "ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY4} me@example.com"
+    expected1b = "ssh-rsa #{SSH_PUBLIC_KEY1}"
     assert_equal expected1, @key1.ssh_public_key
     assert_equal expected2, @key2.ssh_public_key
     assert_equal expected3, @key3.ssh_public_key
-    assert_equal expected4, @key_without_comment.ssh_public_key
+    if ecdsa_supported?
+      assert_equal expected4, @key4.ssh_public_key
+    else
+      assert_raises(NotImplementedError) { @key4.ssh_public_key }
+    end
+    assert_equal expected1b, @key_without_comment.ssh_public_key
   end
   def test_ssh2_public_key_output
@@ -285,6 +476,24 @@ EOF
       'x-private-use-header' => 'some value that is long enough to go to wrap around to a new line.'})
   end
+  def test_ssh_public_key_output_from_generated
+    generated_rsa   = SSHKey.generate(:type => "rsa",   :comment => "rsa key")
+    generated_dsa   = SSHKey.generate(:type => "dsa",   :comment => "dsa key")
+    generated_ecdsa = SSHKey.generate(:type => "ecdsa", :comment => "ecdsa key") if ecdsa_supported?
+    encoded_rsa   = Base64.encode64(generated_rsa.send(:ssh_public_key_conversion)).gsub("\n", "")
+    encoded_dsa   = Base64.encode64(generated_dsa.send(:ssh_public_key_conversion)).gsub("\n", "")
+    encoded_ecdsa = Base64.encode64(generated_ecdsa.send(:ssh_public_key_conversion)).gsub("\n", "") if ecdsa_supported?
+    expected_rsa   = "ssh-rsa #{encoded_rsa} rsa key"
+    expected_dsa   = "ssh-dss #{encoded_dsa} dsa key"
+    expected_ecdsa = "ecdsa-sha2-nistp256 #{encoded_ecdsa} ecdsa key"
+    assert_equal expected_rsa,   generated_rsa.ssh_public_key
+    assert_equal expected_dsa,   generated_dsa.ssh_public_key
+    assert_equal expected_ecdsa, generated_ecdsa.ssh_public_key if ecdsa_supported?
+  end
   def test_public_key_directives
     assert_equal [], SSHKey.generate.directives
@@ -367,6 +576,19 @@ EOF
     assert !SSHKey.valid_ssh_public_key?(invalid4)
   end
+  def test_ssh_public_key_validation_with_comments
+    expected1 = "# Comment\nssh-rsa #{SSH_PUBLIC_KEY1}"
+    expected2 = "# First comment\n\n# Second comment\n\nssh-ed25519 #{SSH_PUBLIC_KEY_ED25519} me@example.com"
+    invalid1  = "No starting hash # Valid comment\nssh-rsa #{SSH_PUBLIC_KEY1} me@example.com"
+    invalid2  = "# First comment\n\nSecond comment without hash\n\necdsa-sha2-nistp256 #{SSH_PUBLIC_KEY_ECDSA_256}\nme@example.com"
+    assert SSHKey.valid_ssh_public_key?(expected1)
+    assert SSHKey.valid_ssh_public_key?(expected2)
+    assert !SSHKey.valid_ssh_public_key?(invalid1)
+    assert !SSHKey.valid_ssh_public_key?(invalid2)
+  end
   def test_ssh_public_key_sshfp
     assert_equal KEY1_SSHFP, SSHKey.sshfp("localhost", "ssh-rsa #{SSH_PUBLIC_KEY1}\n")
     assert_equal KEY2_SSHFP, SSHKey.sshfp("localhost", "ssh-rsa #{SSH_PUBLIC_KEY2}\n")
@@ -383,6 +605,12 @@ EOF
     expected4 = "ssh-rsa #{SSH_PUBLIC_KEY1}"
     expected5 = %Q{from="trusted.eng.cam.ac.uk",no-port-forwarding,no-pty ssh-rsa #{SSH_PUBLIC_KEY1}}
     invalid1  = "#{SSH_PUBLIC_KEY1} me@example.com"
+    ecdsa256 = "ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY_ECDSA_256}"
+    ecdsa384 = "ecdsa-sha2-nistp384 #{SSH_PUBLIC_KEY_ECDSA_384}"
+    ecdsa521 = "ecdsa-sha2-nistp521 #{SSH_PUBLIC_KEY_ECDSA_521}"
+    ecdsa256_compressed = "ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY_ECDSA_256_COMPRESSED}"
+    ecdsa384_compressed = "ecdsa-sha2-nistp384 #{SSH_PUBLIC_KEY_ECDSA_384_COMPRESSED}"
+    ecdsa521_compressed = "ecdsa-sha2-nistp521 #{SSH_PUBLIC_KEY_ECDSA_521_COMPRESSED}"
     assert_equal 2048, SSHKey.ssh_public_key_bits(expected1)
     assert_equal 2048, SSHKey.ssh_public_key_bits(expected2)
@@ -390,6 +618,12 @@ EOF
     assert_equal 2048, SSHKey.ssh_public_key_bits(expected4)
     assert_equal 2048, SSHKey.ssh_public_key_bits(expected5)
     assert_equal 512,  SSHKey.ssh_public_key_bits(SSHKey.generate(:bits => 512).ssh_public_key)
+    assert_equal 256, SSHKey.ssh_public_key_bits(ecdsa256)
+    assert_equal 384, SSHKey.ssh_public_key_bits(ecdsa384)
+    assert_equal 521, SSHKey.ssh_public_key_bits(ecdsa521)
+    assert_equal 256, SSHKey.ssh_public_key_bits(ecdsa256_compressed)
+    assert_equal 384, SSHKey.ssh_public_key_bits(ecdsa384_compressed)
+    assert_equal 521, SSHKey.ssh_public_key_bits(ecdsa521_compressed)
     exception1 = assert_raises(SSHKey::PublicKeyError) { SSHKey.ssh_public_key_bits( expected1.gsub('A','.') ) }
     exception2 = assert_raises(SSHKey::PublicKeyError) { SSHKey.ssh_public_key_bits( expected1[0..-20] ) }
@@ -427,22 +661,43 @@ EOF
     assert_equal KEY2_MD5_FINGERPRINT, @key2.md5_fingerprint
     assert_equal KEY3_MD5_FINGERPRINT, @key3.md5_fingerprint
+    if ecdsa_supported?
+      assert_equal KEY4_MD5_FINGERPRINT, @key4.md5_fingerprint
+    else
+      assert_raises(NotImplementedError) { @key4.md5_fingerprint }
+    end
     assert_equal KEY1_SHA1_FINGERPRINT, @key1.sha1_fingerprint
     assert_equal KEY2_SHA1_FINGERPRINT, @key2.sha1_fingerprint
     assert_equal KEY3_SHA1_FINGERPRINT, @key3.sha1_fingerprint
+    if ecdsa_supported?
+      assert_equal KEY4_SHA1_FINGERPRINT, @key4.sha1_fingerprint
+    else
+      assert_raises(NotImplementedError) { @key4.sha1_fingerprint }
+    end
     assert_equal KEY1_SHA256_FINGERPRINT, @key1.sha256_fingerprint
     assert_equal KEY2_SHA256_FINGERPRINT, @key2.sha256_fingerprint
     assert_equal KEY3_SHA256_FINGERPRINT, @key3.sha256_fingerprint
+    if ecdsa_supported?
+      assert_equal KEY4_SHA256_FINGERPRINT, @key4.sha256_fingerprint
+    else
+      assert_raises(NotImplementedError) { @key4.sha256_fingerprint }
+    end
     assert_equal KEY1_MD5_FINGERPRINT, SSHKey.md5_fingerprint(SSH_PRIVATE_KEY1)
     assert_equal KEY1_MD5_FINGERPRINT, SSHKey.md5_fingerprint("ssh-rsa #{SSH_PUBLIC_KEY1}")
     assert_equal KEY2_MD5_FINGERPRINT, SSHKey.md5_fingerprint(SSH_PRIVATE_KEY2)
     assert_equal KEY2_MD5_FINGERPRINT, SSHKey.md5_fingerprint("ssh-rsa #{SSH_PUBLIC_KEY2} me@me.com")
     assert_equal KEY3_MD5_FINGERPRINT, SSHKey.md5_fingerprint(SSH_PRIVATE_KEY3)
     assert_equal KEY3_MD5_FINGERPRINT, SSHKey.md5_fingerprint("ssh-dss #{SSH_PUBLIC_KEY3}")
+    assert_equal KEY4_MD5_FINGERPRINT, SSHKey.md5_fingerprint("ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY4}")
     assert_equal ED25519_MD5_FINGERPRINT, SSHKey.md5_fingerprint("ssh-ed25519 #{SSH_PUBLIC_KEY_ED25519}")
     assert_equal ECDSA_256_MD5_FINGERPRINT, SSHKey.md5_fingerprint("ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY_ECDSA_256} me@me.com")
+    assert_equal ECDSA_384_MD5_FINGERPRINT, SSHKey.md5_fingerprint("ecdsa-sha2-nistp384 #{SSH_PUBLIC_KEY_ECDSA_384} me@me.com")
+    assert_equal ECDSA_521_MD5_FINGERPRINT, SSHKey.md5_fingerprint("ecdsa-sha2-nistp521 #{SSH_PUBLIC_KEY_ECDSA_521} me@me.com")
     assert_equal KEY1_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint(SSH_PRIVATE_KEY1)
     assert_equal KEY1_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint("ssh-rsa #{SSH_PUBLIC_KEY1}")
@@ -450,8 +705,11 @@ EOF
     assert_equal KEY2_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint("ssh-rsa #{SSH_PUBLIC_KEY2} me@me.com")
     assert_equal KEY3_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint(SSH_PRIVATE_KEY3)
     assert_equal KEY3_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint("ssh-dss #{SSH_PUBLIC_KEY3}")
+    assert_equal KEY4_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint("ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY4}")
     assert_equal ED25519_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint("ssh-ed25519 #{SSH_PUBLIC_KEY_ED25519}")
     assert_equal ECDSA_256_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint("ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY_ECDSA_256} me@me.com")
+    assert_equal ECDSA_384_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint("ecdsa-sha2-nistp384 #{SSH_PUBLIC_KEY_ECDSA_384} me@me.com")
+    assert_equal ECDSA_521_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint("ecdsa-sha2-nistp521 #{SSH_PUBLIC_KEY_ECDSA_521} me@me.com")
     assert_equal KEY1_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint(SSH_PRIVATE_KEY1)
     assert_equal KEY1_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint("ssh-rsa #{SSH_PUBLIC_KEY1}")
@@ -459,14 +717,24 @@ EOF
     assert_equal KEY2_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint("ssh-rsa #{SSH_PUBLIC_KEY2} me@me.com")
     assert_equal KEY3_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint(SSH_PRIVATE_KEY3)
     assert_equal KEY3_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint("ssh-dss #{SSH_PUBLIC_KEY3}")
+    assert_equal KEY4_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint("ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY4}")
     assert_equal ED25519_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint("ssh-ed25519 #{SSH_PUBLIC_KEY_ED25519}")
     assert_equal ECDSA_256_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint("ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY_ECDSA_256} me@me.com")
+    assert_equal ECDSA_384_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint("ecdsa-sha2-nistp384 #{SSH_PUBLIC_KEY_ECDSA_384} me@me.com")
+    assert_equal ECDSA_521_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint("ecdsa-sha2-nistp521 #{SSH_PUBLIC_KEY_ECDSA_521} me@me.com")
   end
   def test_bits
     assert_equal 2048, @key1.bits
     assert_equal 2048, @key2.bits
     assert_equal 1024, @key3.bits
+    if ecdsa_supported?
+      assert_equal 256, @key4.bits
+    else
+      assert_raises(NotImplementedError) { @key4.bits }
+    end
     assert_equal 512, SSHKey.generate(:bits => 512).bits
   end
@@ -474,6 +742,19 @@ EOF
     assert_equal KEY1_RANDOMART, @key1.randomart
     assert_equal KEY2_RANDOMART, @key2.randomart
     assert_equal KEY3_RANDOMART, @key3.randomart
+    if ecdsa_supported?
+      assert_equal KEY4_RANDOMART, @key4.randomart
+    else
+      assert_raises(NotImplementedError) { @key4.randomart }
+    end
+    if ecdsa_supported?
+      assert_equal KEY4_RANDOMART_USING_SHA256_DIGEST, @key4.randomart("SHA256")
+      assert_equal KEY4_RANDOMART_USING_SHA384_DIGEST, @key4.randomart("SHA384")
+      assert_equal KEY4_RANDOMART_USING_SHA512_DIGEST, @key4.randomart("SHA512")
+    end
   end
   def test_sshfp

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sshkey
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 3.0.0
 platform: ruby
 authors:
 - James Miller
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-02-11 00:00:00.000000000 Z
+date: 2023-08-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -45,8 +45,8 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/ci.yml"
 - ".gitignore"
-- ".travis.yml"
 - Gemfile
 - LICENSE
 - README.md
@@ -59,7 +59,7 @@ homepage: https://github.com/bensie/sshkey
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -67,16 +67,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: sshkey
-rubygems_version: 2.5.2.3
-signing_key:
+rubygems_version: 3.4.18
+signing_key:
 specification_version: 4
 summary: SSH private/public key generator in Ruby
 test_files:

data/.travis.yml DELETED Viewed

@@ -1,21 +0,0 @@
-language: ruby
-rvm:
-  - 2.0
-  - 2.1
-  - 2.2
-  - 2.3
-  - 2.4
-  - 2.5
-  - 2.6
-  - ruby-head
-  - jruby
-  - jruby-head
-matrix:
-  allow_failures:
-    - rvm: ruby-head
-    - rvm: jruby-head
-sudo: required
-dist: xenial