sshkey 2.0.0 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: b6e9c3f40bf3a5b7a9f80cadd7d98e8c4e9b41d4
-  data.tar.gz: 362495eb1d46d0befe4c932c94318ce1e40c8ec2
+SHA256:
+  metadata.gz: 9e933102cbc9909bfcb4564475ef8ea53427869b58c424405a588c954f3f737c
+  data.tar.gz: 415a21ff41613ba75ce07dab568f8560c9b3b83b0b3e7cac015f4238f20420b0
 SHA512:
-  metadata.gz: 7f99fe44852eb551a34ff7fc8ca2dcab7e51a222e9e2bb7c9708115419e1e1e08444ca03973692547b2ce5d83d4dda593b95baa3bca19b1def9df3037bae127c
-  data.tar.gz: 846c9b1966e56c5f405897254619367867d34855c9ebaa65f7d863ad271763427d574589c22b6570c790642a352e8fb39fb055a56ce446c18d717f17cf943f42
+  metadata.gz: 5867e989c0296a84807b9cf52e2d0512f3083c12f07a82fb8f9bca1bf475e38fd658132d5cbd91df03cee83114665c325f1a58e4c195b037f08f8feb648c188f
+  data.tar.gz: b314c5762fbe08f6e95ba8d18d01e6a51ef25656cd3797de8e3d2065d1066768656ac8c1ac030379672b2ed27d3672e5cbbcdc6d499fd90f7e35ba4b356f25b2

data/.github/workflows/ci.yml

@@ -0,0 +1,25 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: ["2.5", "2.6", "2.7", "3.0", "3.1", "3.2", "3.3", jruby-9.3, jruby-9.4]
+    steps:
+    - uses: actions/checkout@v3
+    - uses: ruby/setup-ruby@v1
+      with:
+        bundler-cache: true
+        ruby-version: ${{ matrix.ruby }}
+    - run: bundle exec rake

data/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2011-2016 James Miller
+Copyright (c) 2011-2023 James Miller
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.md

@@ -1,12 +1,10 @@
 # SSHKey
 
-Generate private and public SSH keys (RSA and DSA supported) using pure Ruby.
-
-[![Build Status](https://secure.travis-ci.org/bensie/sshkey.svg?branch=master)](http://travis-ci.org/bensie/sshkey)
+Generate private and public SSH keys (RSA, DSA, and ECDSA supported) using pure Ruby.
 
 ## Requirements
 
-Tested / supported on CRuby 2.0.0+ and JRuby.
+Tested / supported on CRuby 2.5+ and JRuby.
 
 ## Installation
 
@@ -16,7 +14,7 @@ Tested / supported on CRuby 2.0.0+ and JRuby.
 
 ### Generate a new key
 
-When generating a new keypair the default key type is 2048-bit RSA, but you can supply the `type` (RSA or DSA) and `bits` in the options.
+When generating a new keypair the default key type is 2048-bit RSA, but you can supply the `type` (RSA or DSA or ECDSA) and `bits` in the options.
 You can also (optionally) supply a `comment` or `passphrase`.
 
 ```ruby
@@ -32,7 +30,7 @@ k = SSHKey.generate(
 
 ### Use your existing key
 
-Return an SSHKey object from an existing RSA or DSA private key (provided as a string).
+Return an SSHKey object from an existing RSA or DSA or ECDSA private key (provided as a string).
 
 ```ruby
 f = File.read(File.expand_path("~/.ssh/id_rsa"))
@@ -43,7 +41,7 @@ k = SSHKey.new(f, comment: "foo@bar.com")
 
 #### Private and public keys
 
-Fetch the private and public keys as strings. Note that the `public_key` is the RSA or DSA public key, not an SSH public key.
+Fetch the private and public keys as strings. Note that the `public_key` is the RSA or DSA or ECDSA public key, not an SSH public key.
 
 ```ruby
 k.private_key
@@ -161,7 +159,7 @@ puts k.randomart
 
 #### Original OpenSSL key object
 
-Return the original [OpenSSL::PKey::RSA](http://www.ruby-doc.org/stdlib/libdoc/openssl/rdoc/classes/OpenSSL/PKey/RSA.html) or [OpenSSL::PKey::DSA](http://www.ruby-doc.org/stdlib/libdoc/openssl/rdoc/classes/OpenSSL/PKey/DSA.html) object.
+Return the original [OpenSSL::PKey::RSA](https://ruby-doc.org/3.2.2/exts/openssl/OpenSSL/PKey/RSA.html) or [OpenSSL::PKey::DSA](https://ruby-doc.org/3.2.2/exts/openssl/OpenSSL/PKey/DSA.html) or [OpenSSL::PKey::EC](https://ruby-doc.org/3.2.2/exts/openssl/OpenSSL/PKey/EC.html)object.
 
 ```ruby
 k.key_object
@@ -213,4 +211,4 @@ SSHKey.ssh_public_key_to_ssh2_public_key "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ
 
 ## Copyright
 
-Copyright (c) 2011-2019 James Miller
+Copyright (c) 2011-2023 James Miller

data/lib/sshkey/version.rb

@@ -1,3 +1,3 @@
 class SSHKey
-  VERSION = "2.0.0"
+  VERSION = "3.0.0"
 end

data/lib/sshkey.rb

@@ -4,6 +4,35 @@ require 'digest/md5'
 require 'digest/sha1'
 require 'digest/sha2'
 
+def jruby_not_implemented(msg)
+  raise NotImplementedError.new "jruby-openssl #{JOpenSSL::VERSION}: #{msg}" if RUBY_PLATFORM == "java"
+end
+
+# Monkey patch OpenSSL::PKey::EC to provide convenience methods usable in this gem
+class OpenSSL::PKey::EC
+  def identifier
+    # NOTE: Unable to find these constants within OpenSSL, so hardcode them here.
+    # Analogous to net-ssh OpenSSL::PKey::EC::CurveNameAliasInv
+    # https://github.com/net-ssh/net-ssh/blob/master/lib/net/ssh/transport/openssl.rb#L147-L151
+    case group.curve_name
+    when "prime256v1" then "nistp256"  # https://stackoverflow.com/a/41953717
+    when "secp256r1"  then "nistp256"  # JRuby
+    when "secp384r1"  then "nistp384"
+    when "secp521r1"  then "nistp521"
+    else
+      raise "Unknown curve name: #{public_key.group.curve_name}"
+    end
+  end
+
+  def q
+    # jruby-openssl does not currently support to_octet_string
+    # https://github.com/jruby/jruby-openssl/issues/226
+    jruby_not_implemented("to_octet_string is not implemented")
+
+    public_key.to_octet_string(group.point_conversion_form)
+  end
+end
+
 class SSHKey
   SSH_TYPES = {
     "ssh-rsa" => "rsa",
@@ -20,7 +49,23 @@ class SSHKey
     "ecdsa"   => 3,
     "ed25519" => 4,
   }
-  SSH_CONVERSION = {"rsa" => ["e", "n"], "dsa" => ["p", "q", "g", "pub_key"]}
+
+  ECDSA_CURVES = {
+    256 => "prime256v1",  # https://stackoverflow.com/a/41953717
+    384 => "secp384r1",
+    521 => "secp521r1",
+  }
+
+  VALID_BITS = {
+    "ecdsa" => ECDSA_CURVES.keys,
+  }
+
+  # Accessor methods are defined in:
+  # - RSA:   https://github.com/ruby/openssl/blob/master/ext/openssl/ossl_pkey_rsa.c
+  # - DSA:   https://github.com/ruby/openssl/blob/master/ext/openssl/ossl_pkey_dsa.c
+  # - ECDSA: monkey patch OpenSSL::PKey::EC above
+  SSH_CONVERSION = {"rsa" => ["e", "n"], "dsa" => ["p", "q", "g", "pub_key"], "ecdsa" => ["identifier", "q"]}
+
   SSH2_LINE_LENGTH = 70 # +1 (for line wrap '/' character) must be <= 72
 
   class << self
@@ -40,17 +85,44 @@ class SSHKey
       type   = options[:type] || "rsa"
 
       # JRuby modulus size must range from 512 to 1024
-      default_bits = type == "rsa" ? 2048 : 1024
+      case type
+      when "rsa"   then default_bits = 2048
+      when "ecdsa" then default_bits = 256
+      else
+        default_bits = 1024
+      end
 
       bits   = options[:bits] || default_bits
       cipher = OpenSSL::Cipher.new("AES-128-CBC") if options[:passphrase]
 
+      raise "Bits must either: #{VALID_BITS[type.downcase].join(', ')}" unless VALID_BITS[type.downcase].nil? || VALID_BITS[type.downcase].include?(bits)
+
       case type.downcase
-      when "rsa" then new(OpenSSL::PKey::RSA.generate(bits).to_pem(cipher, options[:passphrase]), options)
-      when "dsa" then new(OpenSSL::PKey::DSA.generate(bits).to_pem(cipher, options[:passphrase]), options)
+      when "rsa"
+        key_object = OpenSSL::PKey::RSA.generate(bits)
+
+      when "dsa"
+        key_object = OpenSSL::PKey::DSA.generate(bits)
+
+      when "ecdsa"
+        # jruby-openssl OpenSSL::PKey::EC support isn't complete
+        # https://github.com/jruby/jruby-openssl/issues/189
+        jruby_not_implemented("OpenSSL::PKey::EC is not fully implemented")
+
+        if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x30000000
+          # https://github.com/ruby/openssl/pull/480
+          key_object = OpenSSL::PKey::EC.generate(ECDSA_CURVES[bits])
+        else
+          key_pkey = OpenSSL::PKey::EC.new(ECDSA_CURVES[bits])
+          key_object = key_pkey.generate_key
+        end
+
       else
         raise "Unknown key type: #{type}"
       end
+
+      key_pem = key_object.to_pem(cipher, options[:passphrase])
+      new(key_pem, options)
     end
 
     # Validate an existing SSH public key
@@ -83,9 +155,27 @@ class SSHKey
     #
     # ==== Parameters
     # * ssh_public_key<~String> - "ssh-rsa AAAAB3NzaC1yc2EA...."
+    # * ssh_public_key<~String> - "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY...."
     #
     def ssh_public_key_bits(ssh_public_key)
-      unpacked_byte_array( *parse_ssh_public_key(ssh_public_key) ).last.num_bytes * 8
+      ssh_type, encoded_key = parse_ssh_public_key(ssh_public_key)
+      sections = unpacked_byte_array(ssh_type, encoded_key)
+
+      case ssh_type
+      when "ssh-rsa", "ssh-dss", "ssh-ed25519"
+        sections.last.num_bytes * 8
+
+      when "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"
+        raise PublicKeyError, "invalid ECDSA key" unless sections.count == 2
+
+        # https://tools.ietf.org/html/rfc5656#section-3.1
+        identifier = sections[0].to_s(2)
+        q = sections[1].to_s(2)
+        ecdsa_bits(ssh_type, identifier, q)
+
+      else
+        raise PublicKeyError, "unsupported key type #{ssh_type}"
+      end
     end
 
     # Fingerprints
@@ -194,6 +284,48 @@ class SSHKey
       return data
     end
 
+    def ecdsa_bits(ssh_type, identifier, q)
+      raise PublicKeyError, "invalid ssh type" unless ssh_type == "ecdsa-sha2-#{identifier}"
+
+      len_q = q.length
+
+      compression_octet = q.slice(0, 1)
+      if compression_octet == "\x04"
+        # Point compression is off
+        # Summary from https://www.secg.org/sec1-v2.pdf "2.3.3  Elliptic-Curve-Point-to-Octet-String Conversion"
+        # - the leftmost octet indicates that point compression is off
+        #   (first octet 0x04 as specified in "3.3. Output M = 04 base 16 ‖ X ‖ Y.")
+        # - the remainder of the octet string contains the x-coordinate followed by the y-coordinate.
+        len_x = (len_q - 1) / 2
+
+      else
+        # Point compression is on
+        # Summary from https://www.secg.org/sec1-v2.pdf "2.3.3  Elliptic-Curve-Point-to-Octet-String Conversion"
+        # - the compressed y-coordinate is recovered from the leftmost octet
+        # - the x-coordinate is recovered from the remainder of the octet string
+        raise PublicKeyError, "invalid compression octet" unless compression_octet == "\x02" || compression_octet == "\x03"
+        len_x = len_q - 1
+      end
+
+      # https://www.secg.org/sec2-v2.pdf "2.1  Properties of Elliptic Curve Domain Parameters over Fp" defines
+      # five discrete bit lengths: 192, 224, 256, 384, 521
+      # These bit lengths can be ascertained from the length of the packed x-coordinate.
+      # Alternatively, these bit lengths can be derived from their associated prime constants using Math.log2(prime).ceil
+      # against the prime constants defined in https://www.secg.org/sec2-v2.pdf
+      case len_x
+      when 24 then bits = 192
+      when 28 then bits = 224
+      when 32 then bits = 256
+      when 48 then bits = 384
+      when 66 then bits = 521
+      else
+        raise PublicKeyError, "invalid x-coordinate length #{len_x}"
+      end
+
+      raise PublicKeyError, "invalid identifier #{identifier}" unless identifier =~ /#{bits}/
+      return bits
+    end
+
     def decoded_key(key)
       Base64.decode64(parse_ssh_public_key(key).last)
     end
@@ -203,6 +335,10 @@ class SSHKey
     end
 
     def parse_ssh_public_key(public_key)
+      # lines starting with a '#' and empty lines are ignored as comments (as in ssh AuthorizedKeysFile)
+      public_key = public_key.gsub(/^#.*$/, '')
+      public_key = public_key.strip # leading and trailing whitespaces wiped out
+
       raise PublicKeyError, "newlines are not permitted between key data" if public_key =~ /\n(?!$)/
 
       parsed = public_key.split(" ")
@@ -227,13 +363,13 @@ class SSHKey
     end
   end
 
-  attr_reader :key_object, :type
+  attr_reader :key_object, :type, :typestr
   attr_accessor :passphrase, :comment
 
   # Create a new SSHKey object
   #
   # ==== Parameters
-  # * private_key - Existing RSA or DSA private key
+  # * private_key - Existing RSA or DSA or ECDSA private key
   # * options<~Hash>
   #   * :comment<~String> - Comment to use for the public key, defaults to ""
   #   * :passphrase<~String> - If the key is encrypted, supply the passphrase
@@ -243,19 +379,41 @@ class SSHKey
     @passphrase = options[:passphrase]
     @comment    = options[:comment] || ""
     self.directives = options[:directives] || []
+
     begin
       @key_object = OpenSSL::PKey::RSA.new(private_key, passphrase)
       @type = "rsa"
-    rescue
+      @typestr = "ssh-rsa"
+    rescue OpenSSL::PKey::RSAError
+      @type = nil
+    end
+
+    return if @type
+
+    begin
       @key_object = OpenSSL::PKey::DSA.new(private_key, passphrase)
       @type = "dsa"
+      @typestr = "ssh-dss"
+    rescue OpenSSL::PKey::DSAError
+      @type = nil
     end
+
+    return if @type
+
+    @key_object = OpenSSL::PKey::EC.new(private_key, passphrase)
+    @type = "ecdsa"
+    bits = ECDSA_CURVES.invert[@key_object.group.curve_name]
+    @typestr = "ecdsa-sha2-nistp#{bits}"
   end
 
-  # Fetch the RSA/DSA private key
+  # Fetch the private key (PEM format)
   #
   # rsa_private_key and dsa_private_key are aliased for backward compatibility
   def private_key
+    # jruby-openssl OpenSSL::PKey::EC support isn't complete
+    # https://github.com/jruby/jruby-openssl/issues/189
+    jruby_not_implemented("OpenSSL::PKey::EC is not fully implemented") if type == "ecdsa"
+
     key_object.to_pem
   end
   alias_method :rsa_private_key, :private_key
@@ -269,18 +427,73 @@ class SSHKey
     key_object.to_pem(OpenSSL::Cipher.new("AES-128-CBC"), passphrase)
   end
 
-  # Fetch the RSA/DSA public key
+  # Fetch the public key (PEM format)
   #
   # rsa_public_key and dsa_public_key are aliased for backward compatibility
   def public_key
-    key_object.public_key.to_pem
+    public_key_object.to_pem
   end
   alias_method :rsa_public_key, :public_key
   alias_method :dsa_public_key, :public_key
 
+  def public_key_object
+    if type == "ecdsa"
+      return nil unless key_object
+      return nil unless key_object.group
+
+      if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x30000000 && RUBY_PLATFORM != "java"
+
+        # jruby-openssl does not currently support point_conversion_form
+        # (futureproofing for if/when JRuby requires this technique to determine public key)
+        jruby_not_implemented("point_conversion_form is not implemented")
+
+        # Avoid "OpenSSL::PKey::PKeyError: pkeys are immutable on OpenSSL 3.0"
+        # https://github.com/ruby/openssl/blob/master/History.md#version-300
+        # https://github.com/ruby/openssl/issues/498
+        # https://github.com/net-ssh/net-ssh/commit/4de6831dea4e922bf3052192eec143af015a3486
+        # https://github.com/ClearlyClaire/cose-ruby/commit/28ee497fa7d9d49e72d5a5e97a567c0b58fdd822
+
+        curve_name = key_object.group.curve_name
+        return nil unless curve_name
+
+        # Map to different curve_name for JRuby
+        # (futureproofing for if/when JRuby requires this technique to determine public key)
+        # https://github.com/jwt/ruby-jwt/issues/362#issuecomment-722938409
+        curve_name = "prime256v1" if curve_name == "secp256r1" && RUBY_PLATFORM == "java"
+
+        # Construct public key OpenSSL::PKey::EC from OpenSSL::PKey::EC::Point
+        public_key_point = key_object.public_key  # => OpenSSL::PKey::EC::Point
+        return nil unless public_key_point
+
+        asn1 = OpenSSL::ASN1::Sequence(
+          [
+            OpenSSL::ASN1::Sequence(
+              [
+                OpenSSL::ASN1::ObjectId("id-ecPublicKey"),
+                OpenSSL::ASN1::ObjectId(curve_name)
+              ]
+            ),
+            OpenSSL::ASN1::BitString(public_key_point.to_octet_string(key_object.group.point_conversion_form))
+          ]
+        )
+
+        pub = OpenSSL::PKey::EC.new(asn1.to_der)
+        pub
+
+      else
+        pub = OpenSSL::PKey::EC.new(key_object.group)
+        pub.public_key = key_object.public_key
+        pub
+      end
+
+    else
+      key_object.public_key
+    end
+  end
+
   # SSH public key
   def ssh_public_key
-    [directives.join(",").strip, SSH_TYPES.invert[type], Base64.encode64(ssh_public_key_conversion).gsub("\n", ""), comment].join(" ").strip
+    [directives.join(",").strip, typestr, Base64.encode64(ssh_public_key_conversion).gsub("\n", ""), comment].join(" ").strip
   end
 
   # SSH2 public key (RFC4716)
@@ -323,6 +536,7 @@ class SSHKey
   #
   # Generate OpenSSH compatible ASCII art fingerprints
   # See http://www.opensource.apple.com/source/OpenSSH/OpenSSH-175/openssh/key.c (key_fingerprint_randomart function)
+  # or https://mirrors.mit.edu/pub/OpenBSD/OpenSSH/ (sshkey.c fingerprint_randomart function)
   #
   # Example:
   # +--[ RSA 2048]----+
@@ -336,13 +550,23 @@ class SSHKey
   # |   . .           |
   # |    Eo.          |
   # +-----------------+
-  def randomart
+  def randomart(dgst_alg = "MD5")
     fieldsize_x = 17
     fieldsize_y = 9
     x = fieldsize_x / 2
     y = fieldsize_y / 2
-    raw_digest = Digest::MD5.digest(ssh_public_key_conversion)
-    num_bytes = raw_digest.bytesize
+
+    case dgst_alg
+      when "MD5"    then raw_digest = Digest::MD5.digest(ssh_public_key_conversion)
+      when "SHA256" then raw_digest = Digest::SHA2.new(256).digest(ssh_public_key_conversion)
+      when "SHA384" then raw_digest = Digest::SHA2.new(384).digest(ssh_public_key_conversion)
+      when "SHA512" then raw_digest = Digest::SHA2.new(512).digest(ssh_public_key_conversion)
+    else
+      raise "Unknown digest algorithm: #{digest}"
+    end
+
+    augmentation_string = " .o+=*BOX@%&#/^SE"
+    len = augmentation_string.length - 1
 
     field = Array.new(fieldsize_x) { Array.new(fieldsize_y) {0} }
 
@@ -354,20 +578,27 @@ class SSHKey
         x = [[x, 0].max, fieldsize_x - 1].min
         y = [[y, 0].max, fieldsize_y - 1].min
 
-        field[x][y] += 1 if (field[x][y] < num_bytes - 2)
+        field[x][y] += 1 if (field[x][y] < len - 2)
 
         byte >>= 2
       end
     end
 
-    field[fieldsize_x / 2][fieldsize_y / 2] = num_bytes - 1
-    field[x][y] = num_bytes
-    augmentation_string = " .o+=*BOX@%&#/^SE"
-    output = "+--#{sprintf("[%4s %4u]", type.upcase, bits)}----+\n"
+    fieldsize_x_halved = fieldsize_x / 2
+    fieldsize_y_halved = fieldsize_y / 2
+
+    field[fieldsize_x_halved][fieldsize_y_halved] = len - 1
+    field[x][y] = len
+
+    type_name_length_max = 4  # Note: this will need to be extended to accomodate ed25519
+    bits_number_length_max = (bits < 1000 ? 3 : 4)
+    formatstr = "[%#{type_name_length_max}s %#{bits_number_length_max}u]"
+    output = "+--#{sprintf(formatstr, type.upcase, bits)}----+\n"
+
     fieldsize_y.times do |y|
       output << "|"
       fieldsize_x.times do |x|
-        output << augmentation_string[[field[x][y], num_bytes].min]
+        output << augmentation_string[[field[x][y], len].min]
       end
       output << "|"
       output << "\n"
@@ -387,6 +618,26 @@ class SSHKey
 
   private
 
+  def self.ssh_public_key_data_dsarsa(val)
+    # Get byte-representation of absolute value of val
+    data = val.to_s(2)
+
+    first_byte = data[0,1].unpack("c").first
+    if val < 0
+      # For negative values, highest bit must be set
+      data[0] = [0x80 & first_byte].pack("c")
+    elsif first_byte < 0
+      # For positive values where highest bit would be set, prefix with \0
+      data = "\0" + data
+    end
+
+    data
+  end
+
+  def self.ssh_public_key_data_ecdsa(val)
+    val
+  end
+
   # SSH Public Key Conversion
   #
   # All data type encoding is defined in the section #5 of RFC #4251.
@@ -397,26 +648,20 @@ class SSHKey
   # For instance, the "ssh-rsa" string is encoded as the following byte array
   # [0, 0, 0, 7, 's', 's', 'h', '-', 'r', 's', 'a']
   def ssh_public_key_conversion
-    typestr = SSH_TYPES.invert[type]
     methods = SSH_CONVERSION[type]
-    pubkey = key_object.public_key
-    methods.inject([7].pack("N") + typestr) do |pubkeystr, m|
-      # Given pubkey.class == OpenSSL::BN, pubkey.to_s(0) returns an MPI
-      # formatted string (length prefixed bytes). This is not supported by
-      # JRuby, so we still have to deal with length and data separately.
-      val = pubkey.send(m)
-
-      # Get byte-representation of absolute value of val
-      data = val.to_s(2)
-
-      first_byte = data[0,1].unpack("c").first
-      if val < 0
-        # For negative values, highest bit must be set
-        data[0] = [0x80 & first_byte].pack("c")
-      elsif first_byte < 0
-        # For positive values where highest bit would be set, prefix with \0
-        data = "\0" + data
+    methods.inject([typestr.length].pack("N") + typestr) do |pubkeystr, m|
+      # Given public_key_object.class == OpenSSL::BN, public_key_object.to_s(0)
+      # returns an MPI formatted string (length prefixed bytes). This is not
+      # supported by JRuby, so we still have to deal with length and data separately.
+      val = public_key_object.send(m)
+
+      case type
+      when "dsa","rsa" then data = self.class.ssh_public_key_data_dsarsa(val)
+      when "ecdsa"     then data = self.class.ssh_public_key_data_ecdsa(val)
+      else
+        raise "Unknown key type: #{type}"
       end
+
       pubkeystr + [data.length].pack("N") + data
     end
   end

data/sshkey.gemspec

@@ -13,7 +13,10 @@ Gem::Specification.new do |s|
   s.description = %q{Generate private/public SSH keypairs using pure Ruby}
   s.licenses    = ["MIT"]
 
-  s.rubyforge_project = "sshkey"
+  # ECDSA requires OpenSSL::PKey::EC::Point#to_octet_string
+  # to_octet string was added in Ruby/OpenSSL 2.1.0 https://github.com/ruby/openssl/blob/master/History.md#version-210
+  # Ruby 2.5 Updated Ruby/OpenSSL from to 2.1.0 https://github.com/ruby/ruby/blob/v2_5_0/NEWS
+  s.required_ruby_version = '>= 2.5'
 
   s.files         = `git ls-files`.split("\n")
   s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")

data/test/sshkey_test.rb

@@ -2,6 +2,13 @@ require 'test/unit'
 require 'sshkey'
 
 class SSHKeyTest < Test::Unit::TestCase
+
+  # https://github.com/jruby/jruby-openssl/issues/189
+  # https://github.com/jruby/jruby-openssl/issues/226
+  def ecdsa_supported?
+    RUBY_PLATFORM != "java"
+  end
+
   SSH_PRIVATE_KEY1 = <<-EOF
 -----BEGIN RSA PRIVATE KEY-----
 MIIEogIBAAKCAQEArfTA/lKVR84IMc9ZzXOCHr8DVtR8hzWuEVHF6KElavRHlk14
@@ -73,11 +80,66 @@ ItmZYXTvJDwLXgq2/iK1fRRcKk2PJEaSuJR7WeNGsJKfWmQ2UbOhqA3wWLDazIZt
 cMKjFzD0hM4E8qgjHjMvKDE6WgT6SFP+tqx3nnh7pJWwsbGjSMQexpyRAhQLhz0l
 GzM8qwTcXd06uIZAJdTHIQ==
 -----END DSA PRIVATE KEY-----
+EOF
+
+  SSH_PRIVATE_KEY4 = <<-EOF
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIByjVCRawGxEd/L/VblGjnJTJeOgk6vGFYnolYWHg+JkoAoGCCqGSM49
+AwEHoUQDQgAEQOAmNzXT3XN5DQdHBYCgflosVlHd6MUB1n9n6CCijvVJCQGJAA0p
+6+3o91ccyA0zHXuUno2eMzBUDghfNZYnHg==
+-----END EC PRIVATE KEY-----
+EOF
+
+  PUBLIC_KEY1 = <<-EOF
+-----BEGIN PUBLIC KEY-----
+MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEArfTA/lKVR84IMc9ZzXOC
+Hr8DVtR8hzWuEVHF6KElavRHlk14g0SZu3m908Ejm/XF3EfNHjX9wN+62IMA0QBx
+kBMFCuLF+U/oeUs0NoDdAEKxjj4n6lq6Ss8aLct+anMy7D1jwvOLbcwV54w1d5JD
+dlZVdZ6AvHm9otwJq6rNpDgdmXY4HgC2nM9csFpuy0cDpL6fdJx9lcNL2RnkRC4+
+RMsIB+PxDw0j3vDi04dYLBXMGYjyeGH+mIFpL3PTPXGXwL2XDYXZ2H4SQX6bOoKm
+azTXq6QXuEB665njh1GxXldoIMcSshoJL0hrk3WrTOG22N2CQA+IfHgrXJ+A+QUz
+KQIBIw==
+-----END PUBLIC KEY-----
+EOF
+
+  PUBLIC_KEY2 = <<-EOF
+-----BEGIN PUBLIC KEY-----
+MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAxl6TpN7uFiY/JZ8qDnD7
+UrxDP+ABeh2PVg8Du1LEgXNk0+YWCeP5S6oHklqaWeDlbmAs1oHsBwCMAVpMa5tg
+ONOLvz4JgwgkiqQEbKR8ofWJ+LADUElvqRVGmGiNEMLI6GJWeneL4sjmbb8d6U+M
+53c6iWG0si9XE5m7teBQSsCl0Tk3qMIkQGw5zpJeCXjZ8KpJhIJRYgexFkGgPlYR
+V+UYIhxpUW90t0Ra5i6JOFYwq98k5S/6SJIZQ/A9F4JNzwLw3eVxZj0yVHWxkGz1
++TyELNY1kOyMxnZaqSfGzSQJTrnIXpdweVHuYh1LtOgedRQhCyiELeSMGwio1vRP
+KwIBIw==
+-----END PUBLIC KEY-----
+EOF
+
+  PUBLIC_KEY3 = <<-EOF
+-----BEGIN PUBLIC KEY-----
+MIIBuDCCASwGByqGSM44BAEwggEfAoGBALyVy5dwVwgL3CxXzsvo8DBh58qArQLB
+NIPW/f9pptmy7jD5QXzOw+12w0/z4lZ86ncoVutRMf44OABcX9ovhRl+luxB7jjp
+kVXy/p2ZaqPbeyTQUtdTmXa2y4n053Jd61VeMG+iLP7+viT+Ib96y9aVUYQfCrl5
+heBDUZ9cAFjdAhUAxV5zuySaRSsJHqKK+Blhh7c9A9kCgYEAqel0RUBO0MY5b3DZ
+69J/mRzUifN1O6twk4er2ph0JpryuUwZohLpcVZwqoGWmPQy/ZHmV1b3RtT9GWUa
++HUqKdMhFVOx/iq1khVfLi83whjMMvXj3ecqd0yzGxGHnSsjVKefa2ywCLHrh4nl
+UVIaXI5gQpgMyVbMcromDe1WZzoDgYUAAoGBAIwTRPAEcroqOzaebiVspFcmsXxD
+Q4wXQZQdho1ExW6FKS8s7/6pItmZYXTvJDwLXgq2/iK1fRRcKk2PJEaSuJR7WeNG
+sJKfWmQ2UbOhqA3wWLDazIZtcMKjFzD0hM4E8qgjHjMvKDE6WgT6SFP+tqx3nnh7
+pJWwsbGjSMQexpyR
+-----END PUBLIC KEY-----
+EOF
+
+  PUBLIC_KEY4 = <<-EOF
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQOAmNzXT3XN5DQdHBYCgflosVlHd
+6MUB1n9n6CCijvVJCQGJAA0p6+3o91ccyA0zHXuUno2eMzBUDghfNZYnHg==
+-----END PUBLIC KEY-----
 EOF
 
   SSH_PUBLIC_KEY1 = 'AAAAB3NzaC1yc2EAAAABIwAAAQEArfTA/lKVR84IMc9ZzXOCHr8DVtR8hzWuEVHF6KElavRHlk14g0SZu3m908Ejm/XF3EfNHjX9wN+62IMA0QBxkBMFCuLF+U/oeUs0NoDdAEKxjj4n6lq6Ss8aLct+anMy7D1jwvOLbcwV54w1d5JDdlZVdZ6AvHm9otwJq6rNpDgdmXY4HgC2nM9csFpuy0cDpL6fdJx9lcNL2RnkRC4+RMsIB+PxDw0j3vDi04dYLBXMGYjyeGH+mIFpL3PTPXGXwL2XDYXZ2H4SQX6bOoKmazTXq6QXuEB665njh1GxXldoIMcSshoJL0hrk3WrTOG22N2CQA+IfHgrXJ+A+QUzKQ=='
   SSH_PUBLIC_KEY2 = 'AAAAB3NzaC1yc2EAAAABIwAAAQEAxl6TpN7uFiY/JZ8qDnD7UrxDP+ABeh2PVg8Du1LEgXNk0+YWCeP5S6oHklqaWeDlbmAs1oHsBwCMAVpMa5tgONOLvz4JgwgkiqQEbKR8ofWJ+LADUElvqRVGmGiNEMLI6GJWeneL4sjmbb8d6U+M53c6iWG0si9XE5m7teBQSsCl0Tk3qMIkQGw5zpJeCXjZ8KpJhIJRYgexFkGgPlYRV+UYIhxpUW90t0Ra5i6JOFYwq98k5S/6SJIZQ/A9F4JNzwLw3eVxZj0yVHWxkGz1+TyELNY1kOyMxnZaqSfGzSQJTrnIXpdweVHuYh1LtOgedRQhCyiELeSMGwio1vRPKw=='
   SSH_PUBLIC_KEY3 = 'AAAAB3NzaC1kc3MAAACBALyVy5dwVwgL3CxXzsvo8DBh58qArQLBNIPW/f9pptmy7jD5QXzOw+12w0/z4lZ86ncoVutRMf44OABcX9ovhRl+luxB7jjpkVXy/p2ZaqPbeyTQUtdTmXa2y4n053Jd61VeMG+iLP7+viT+Ib96y9aVUYQfCrl5heBDUZ9cAFjdAAAAFQDFXnO7JJpFKwkeoor4GWGHtz0D2QAAAIEAqel0RUBO0MY5b3DZ69J/mRzUifN1O6twk4er2ph0JpryuUwZohLpcVZwqoGWmPQy/ZHmV1b3RtT9GWUa+HUqKdMhFVOx/iq1khVfLi83whjMMvXj3ecqd0yzGxGHnSsjVKefa2ywCLHrh4nlUVIaXI5gQpgMyVbMcromDe1WZzoAAACBAIwTRPAEcroqOzaebiVspFcmsXxDQ4wXQZQdho1ExW6FKS8s7/6pItmZYXTvJDwLXgq2/iK1fRRcKk2PJEaSuJR7WeNGsJKfWmQ2UbOhqA3wWLDazIZtcMKjFzD0hM4E8qgjHjMvKDE6WgT6SFP+tqx3nnh7pJWwsbGjSMQexpyR'
+  SSH_PUBLIC_KEY4 = 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEDgJjc1091zeQ0HRwWAoH5aLFZR3ejFAdZ/Z+ggoo71SQkBiQANKevt6PdXHMgNMx17lJ6NnjMwVA4IXzWWJx4='
 
   SSH_PUBLIC_KEY_ED25519        = 'AAAAC3NzaC1lZDI1NTE5AAAAIBrNsRCISAtKXV5OVxqV6unVcdis5Uh3oiC6B7CMB7HQ'
   SSH_PUBLIC_KEY_ED25519_0_BYTE = 'AAAAC3NzaC1lZDI1NTE5AAAAIADK9x9t3yQQH7h4OEJpUa7l2j7mcmKf4LAsNXHxNbSm'
@@ -86,23 +148,36 @@ EOF
   SSH_PUBLIC_KEY_ECDSA_384 = 'AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBP+GtUCOR8aW7xTtpkbJS0qqNZ98PgbUNtTFhE+Oe+khgoFMX+o0JG5bckVuvtkRl8dr+63kUK0QPTtzP9O5yixB9CYnB8CgCgYo1FCXZuJIImf12wW5nWKglrCH4kV1Qg=='
   SSH_PUBLIC_KEY_ECDSA_521 = 'AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBACsunidnIZ77AjCHSDp/xknLGDW3M0Ia7nxLdImmp0XGbxtbwYm2ga5XUzV9dMO9wF9ICC3OuH6g9DtGOBNPru1PwFDjaPISGgm0vniEzWazLsvjJVLThOA3VyYLxmtjm0WfS+/DfxgWVS6oeCTnDjjoVVpwU/fDbUbYPPRZI84/hOGNA=='
 
+  SSH_PUBLIC_KEY_ECDSA_256_COMPRESSED = 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAAAhA+YNpJJrrUsu5OLLvqGX5pAH3+x6/yEFU2AYdxb54Jk8'
+  SSH_PUBLIC_KEY_ECDSA_384_COMPRESSED = 'AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAAAxAgMhp0cNvtzncxXF0W5nrkBCTrxJIcYqUTX4RcKWIM74FfxizmWJqP/C+looEz6dLQ=='
+  SSH_PUBLIC_KEY_ECDSA_521_COMPRESSED = 'AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAABDAgDoeNR4bndT24BosNaTKCLOALjL6tXrpNHn0HJzHO5z30L4SvH0Gz9jvAiqehNHOgmK3/bFbwLVW1W4TJbNsp8BVA=='
+
   KEY1_MD5_FINGERPRINT = "2a:89:84:c9:29:05:d1:f8:49:79:1c:ba:73:99:eb:af"
   KEY2_MD5_FINGERPRINT = "3c:af:74:87:cc:cc:a1:12:05:1a:09:b7:7b:ce:ed:ce"
   KEY3_MD5_FINGERPRINT = "14:f6:6a:12:96:be:44:32:e6:3c:77:43:94:52:f5:7a"
+  KEY4_MD5_FINGERPRINT = "38:0b:0f:63:36:64:b6:f0:43:94:de:32:75:eb:57:68"
   ED25519_MD5_FINGERPRINT = "6f:1a:8a:c1:4f:13:5c:36:6e:3f:be:eb:49:3b:8e:3e"
   ECDSA_256_MD5_FINGERPRINT = "d9:3a:7f:de:b2:65:04:ac:62:05:1a:1e:97:e9:2b:9d"
+  ECDSA_384_MD5_FINGERPRINT = "b5:bb:3e:f6:eb:3b:0f:1e:18:37:1f:36:ac:7c:87:0d"
+  ECDSA_521_MD5_FINGERPRINT = "98:8e:a9:4c:b9:aa:58:35:d1:42:65:c3:41:dd:04:e1"
 
   KEY1_SHA1_FINGERPRINT = "e4:f9:79:f2:fe:d6:be:2d:ef:2e:c2:fa:aa:f8:b0:17:34:fe:0d:c0"
   KEY2_SHA1_FINGERPRINT = "9a:52:78:2b:6b:cb:39:b7:85:ed:90:8a:28:62:aa:b3:98:88:e6:07"
   KEY3_SHA1_FINGERPRINT = "15:68:c6:72:ac:18:d1:fc:ab:a2:b7:b5:8c:d1:fe:8f:b9:ae:a9:47"
+  KEY4_SHA1_FINGERPRINT = "aa:b5:e6:62:27:87:b8:05:f6:d6:8f:31:dc:83:81:d9:8f:f8:71:29"
   ED25519_SHA1_FINGERPRINT = "57:41:7c:d0:e2:53:28:87:7e:87:53:d4:69:ef:ef:63:ec:c0:0e:5e"
   ECDSA_256_SHA1_FINGERPRINT = "94:e8:92:2b:1b:ec:49:de:ff:85:ea:6e:10:d6:8d:87:7a:67:40:ee"
+  ECDSA_384_SHA1_FINGERPRINT = "cc:fb:4c:d6:e9:d0:03:ae:2d:82:e1:fc:70:d8:47:98:25:e1:83:2b"
+  ECDSA_521_SHA1_FINGERPRINT = "6b:2c:a2:6e:3a:82:6c:73:28:57:91:20:71:82:bc:8f:f8:9d:6c:41"
 
   KEY1_SHA256_FINGERPRINT = "js3llFehloxCfsVuDw5xu3NtS9AOAxcXY8WL6vkDIts="
   KEY2_SHA256_FINGERPRINT = "23f/6U/LdxIFx1CQFKHylw76n+LIHYoY4nRxKcFoos4="
   KEY3_SHA256_FINGERPRINT = "mPqEPQlOPGORrTJrU17sPax1jOqeutZja6MOsFIca+8="
+  KEY4_SHA256_FINGERPRINT = "foUpf1ox3KfG3eKgJxGoSdZFRxHPsBYJgfD+CMYky6Y="
   ED25519_SHA256_FINGERPRINT = "gyzHUKl1eO8Bk1Cvn4joRgxRlXo1+1HJ3Vho/hAtKEg="
   ECDSA_256_SHA256_FINGERPRINT = "ncy2crhoL44R58GCZPQ5chPRrjlQKKgu07FDNelDmdk="
+  ECDSA_384_SHA256_FINGERPRINT = "mrr4QcP6qD05DUS6Rwefb9f0uuvjyMcO28LSiq2283U="
+  ECDSA_521_SHA256_FINGERPRINT = "QnaiGMIVDZyTG47hMWK6Y1z/yUzHIcTBGpNNuUwlhAk="
 
   KEY1_RANDOMART = <<-EOF.rstrip
 +--[ RSA 2048]----+
@@ -144,6 +219,66 @@ EOF
 |                 |
 |                 |
 +-----------------+
+EOF
+
+  # ssh-keygen -lv -E md5 -f ./id_ecdsa_ssh_public_key4.pub
+  KEY4_RANDOMART = <<-EOF.rstrip
++--[ECDSA 256]----+
+|    ..           |
+|   .. . .        |
+|  ..=o . . .     |
+|   B+.... E .    |
+|    @oo.S. .     |
+|   o B o. .      |
+|      o  .       |
+|                 |
+|                 |
++-----------------+
+EOF
+
+  # ssh-keygen -lv -E sha256 -f ./id_ecdsa_ssh_public_key4.pub
+  KEY4_RANDOMART_USING_SHA256_DIGEST = <<-EOF.rstrip
++--[ECDSA 256]----+
+|      .. o++B+   |
+|       .. ...*   |
+|    . ...o  o o  |
+|   . =o.o .= .   |
+|    +o+oS o.= . .|
+|   o .oo =.. + +.|
+|  E     o +.+ = o|
+|         ..=.+ . |
+|          oo  .  |
++-----------------+
+EOF
+
+  # ssh-keygen -lv -E sha384 -f ./id_ecdsa_ssh_public_key4.pub
+  KEY4_RANDOMART_USING_SHA384_DIGEST = <<-EOF.rstrip
++--[ECDSA 256]----+
+|           o++.  |
+| .        *oo. . |
+|o       .o+B.o.. |
+|+o      ooB+O *..|
+|.=+    .SB== ^.+.|
+|+  o    +o .O Xo.|
+| .  ...   .. + .o|
+|  . E. o +  + +..|
+|   .... . o..Bo..|
++-----------------+
+EOF
+
+  # ssh-keygen -lv -E sha512 -f ./id_ecdsa_ssh_public_key4.pub
+  KEY4_RANDOMART_USING_SHA512_DIGEST = <<-EOF.rstrip
++--[ECDSA 256]----+
+|       +*+o    oo|
+|      . .o o  . +|
+|     . o.   oo oo|
+|.. .+ .    .*.o+ |
+|..Bo.*  S  ..=o..|
+| .+X+ Oo    ...+ |
+| +o.B*+=o    .+ +|
+|+=+O.+=+.+. +.o+.|
+|@**EB*O++=o+ =o.+|
++-----------------+
 EOF
 
   KEY1_SSHFP = <<-EOF.rstrip
@@ -205,6 +340,7 @@ EOF
     @key1 = SSHKey.new(SSH_PRIVATE_KEY1, :comment => "me@example.com")
     @key2 = SSHKey.new(SSH_PRIVATE_KEY2, :comment => "me@example.com")
     @key3 = SSHKey.new(SSH_PRIVATE_KEY3, :comment => "me@example.com")
+    @key4 = SSHKey.new(SSH_PRIVATE_KEY4, :comment => "me@example.com")
     @key_without_comment = SSHKey.new(SSH_PRIVATE_KEY1)
   end
 
@@ -217,7 +353,14 @@ EOF
   end
 
   def test_generator_with_type
+    assert_equal "rsa", SSHKey.generate(:type => "rsa").type
     assert_equal "dsa", SSHKey.generate(:type => "dsa").type
+
+    if ecdsa_supported?
+      assert_equal "ecdsa", SSHKey.generate(:type => "ecdsa").type
+    else
+      assert_raises(NotImplementedError) { SSHKey.generate(:type => "ecdsa").type }
+    end
   end
 
   def test_generator_with_passphrase
@@ -239,6 +382,30 @@ EOF
     assert_equal SSH_PRIVATE_KEY3, @key3.dsa_private_key
   end
 
+  def test_private_key4
+    if ecdsa_supported?
+      assert_equal SSH_PRIVATE_KEY4, @key4.private_key
+    else
+      assert_raises(NotImplementedError) { @key4.private_key }
+    end
+  end
+
+  def test_public_key_1
+    assert_equal PUBLIC_KEY1, @key1.public_key
+  end
+
+  def test_public_key_2
+    assert_equal PUBLIC_KEY2, @key2.public_key
+  end
+
+  def test_public_key_3
+    assert_equal PUBLIC_KEY3, @key3.public_key
+  end
+
+  def test_public_key_4
+    assert_equal PUBLIC_KEY4, @key4.public_key
+  end
+
   def test_ssh_public_key_decoded1
     assert_equal Base64.decode64(SSH_PUBLIC_KEY1), @key1.send(:ssh_public_key_conversion)
   end
@@ -251,6 +418,14 @@ EOF
     assert_equal Base64.decode64(SSH_PUBLIC_KEY3), @key3.send(:ssh_public_key_conversion)
   end
 
+  def test_ssh_public_key_decoded4
+    if ecdsa_supported?
+      assert_equal Base64.decode64(SSH_PUBLIC_KEY4), @key4.send(:ssh_public_key_conversion)
+    else
+      assert_raises(NotImplementedError) { @key4.send(:ssh_public_key_conversion) }
+    end
+  end
+
   def test_ssh_public_key_encoded1
     assert_equal SSH_PUBLIC_KEY1, Base64.encode64(@key1.send(:ssh_public_key_conversion)).gsub("\n", "")
   end
@@ -263,15 +438,31 @@ EOF
     assert_equal SSH_PUBLIC_KEY3, Base64.encode64(@key3.send(:ssh_public_key_conversion)).gsub("\n", "")
   end
 
+  def test_ssh_public_key_encoded4
+    if ecdsa_supported?
+      assert_equal SSH_PUBLIC_KEY4, Base64.encode64(@key4.send(:ssh_public_key_conversion)).gsub("\n", "")
+    else
+      assert_raises(NotImplementedError) { Base64.encode64(@key4.send(:ssh_public_key_conversion)) }
+    end
+  end
+
   def test_ssh_public_key_output
     expected1 = "ssh-rsa #{SSH_PUBLIC_KEY1} me@example.com"
     expected2 = "ssh-rsa #{SSH_PUBLIC_KEY2} me@example.com"
     expected3 = "ssh-dss #{SSH_PUBLIC_KEY3} me@example.com"
-    expected4 = "ssh-rsa #{SSH_PUBLIC_KEY1}"
+    expected4 = "ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY4} me@example.com"
+    expected1b = "ssh-rsa #{SSH_PUBLIC_KEY1}"
     assert_equal expected1, @key1.ssh_public_key
     assert_equal expected2, @key2.ssh_public_key
     assert_equal expected3, @key3.ssh_public_key
-    assert_equal expected4, @key_without_comment.ssh_public_key
+
+    if ecdsa_supported?
+      assert_equal expected4, @key4.ssh_public_key
+    else
+      assert_raises(NotImplementedError) { @key4.ssh_public_key }
+    end
+
+    assert_equal expected1b, @key_without_comment.ssh_public_key
   end
 
   def test_ssh2_public_key_output
@@ -285,6 +476,24 @@ EOF
       'x-private-use-header' => 'some value that is long enough to go to wrap around to a new line.'})
   end
 
+  def test_ssh_public_key_output_from_generated
+    generated_rsa   = SSHKey.generate(:type => "rsa",   :comment => "rsa key")
+    generated_dsa   = SSHKey.generate(:type => "dsa",   :comment => "dsa key")
+    generated_ecdsa = SSHKey.generate(:type => "ecdsa", :comment => "ecdsa key") if ecdsa_supported?
+
+    encoded_rsa   = Base64.encode64(generated_rsa.send(:ssh_public_key_conversion)).gsub("\n", "")
+    encoded_dsa   = Base64.encode64(generated_dsa.send(:ssh_public_key_conversion)).gsub("\n", "")
+    encoded_ecdsa = Base64.encode64(generated_ecdsa.send(:ssh_public_key_conversion)).gsub("\n", "") if ecdsa_supported?
+
+    expected_rsa   = "ssh-rsa #{encoded_rsa} rsa key"
+    expected_dsa   = "ssh-dss #{encoded_dsa} dsa key"
+    expected_ecdsa = "ecdsa-sha2-nistp256 #{encoded_ecdsa} ecdsa key"
+
+    assert_equal expected_rsa,   generated_rsa.ssh_public_key
+    assert_equal expected_dsa,   generated_dsa.ssh_public_key
+    assert_equal expected_ecdsa, generated_ecdsa.ssh_public_key if ecdsa_supported?
+  end
+
   def test_public_key_directives
     assert_equal [], SSHKey.generate.directives
 
@@ -367,6 +576,19 @@ EOF
     assert !SSHKey.valid_ssh_public_key?(invalid4)
   end
 
+  def test_ssh_public_key_validation_with_comments
+    expected1 = "# Comment\nssh-rsa #{SSH_PUBLIC_KEY1}"
+    expected2 = "# First comment\n\n# Second comment\n\nssh-ed25519 #{SSH_PUBLIC_KEY_ED25519} me@example.com"
+    invalid1  = "No starting hash # Valid comment\nssh-rsa #{SSH_PUBLIC_KEY1} me@example.com"
+    invalid2  = "# First comment\n\nSecond comment without hash\n\necdsa-sha2-nistp256 #{SSH_PUBLIC_KEY_ECDSA_256}\nme@example.com"
+
+    assert SSHKey.valid_ssh_public_key?(expected1)
+    assert SSHKey.valid_ssh_public_key?(expected2)
+
+    assert !SSHKey.valid_ssh_public_key?(invalid1)
+    assert !SSHKey.valid_ssh_public_key?(invalid2)
+  end
+
   def test_ssh_public_key_sshfp
     assert_equal KEY1_SSHFP, SSHKey.sshfp("localhost", "ssh-rsa #{SSH_PUBLIC_KEY1}\n")
     assert_equal KEY2_SSHFP, SSHKey.sshfp("localhost", "ssh-rsa #{SSH_PUBLIC_KEY2}\n")
@@ -383,6 +605,12 @@ EOF
     expected4 = "ssh-rsa #{SSH_PUBLIC_KEY1}"
     expected5 = %Q{from="trusted.eng.cam.ac.uk",no-port-forwarding,no-pty ssh-rsa #{SSH_PUBLIC_KEY1}}
     invalid1  = "#{SSH_PUBLIC_KEY1} me@example.com"
+    ecdsa256 = "ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY_ECDSA_256}"
+    ecdsa384 = "ecdsa-sha2-nistp384 #{SSH_PUBLIC_KEY_ECDSA_384}"
+    ecdsa521 = "ecdsa-sha2-nistp521 #{SSH_PUBLIC_KEY_ECDSA_521}"
+    ecdsa256_compressed = "ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY_ECDSA_256_COMPRESSED}"
+    ecdsa384_compressed = "ecdsa-sha2-nistp384 #{SSH_PUBLIC_KEY_ECDSA_384_COMPRESSED}"
+    ecdsa521_compressed = "ecdsa-sha2-nistp521 #{SSH_PUBLIC_KEY_ECDSA_521_COMPRESSED}"
 
     assert_equal 2048, SSHKey.ssh_public_key_bits(expected1)
     assert_equal 2048, SSHKey.ssh_public_key_bits(expected2)
@@ -390,6 +618,12 @@ EOF
     assert_equal 2048, SSHKey.ssh_public_key_bits(expected4)
     assert_equal 2048, SSHKey.ssh_public_key_bits(expected5)
     assert_equal 512,  SSHKey.ssh_public_key_bits(SSHKey.generate(:bits => 512).ssh_public_key)
+    assert_equal 256, SSHKey.ssh_public_key_bits(ecdsa256)
+    assert_equal 384, SSHKey.ssh_public_key_bits(ecdsa384)
+    assert_equal 521, SSHKey.ssh_public_key_bits(ecdsa521)
+    assert_equal 256, SSHKey.ssh_public_key_bits(ecdsa256_compressed)
+    assert_equal 384, SSHKey.ssh_public_key_bits(ecdsa384_compressed)
+    assert_equal 521, SSHKey.ssh_public_key_bits(ecdsa521_compressed)
 
     exception1 = assert_raises(SSHKey::PublicKeyError) { SSHKey.ssh_public_key_bits( expected1.gsub('A','.') ) }
     exception2 = assert_raises(SSHKey::PublicKeyError) { SSHKey.ssh_public_key_bits( expected1[0..-20] ) }
@@ -427,22 +661,43 @@ EOF
     assert_equal KEY2_MD5_FINGERPRINT, @key2.md5_fingerprint
     assert_equal KEY3_MD5_FINGERPRINT, @key3.md5_fingerprint
 
+    if ecdsa_supported?
+      assert_equal KEY4_MD5_FINGERPRINT, @key4.md5_fingerprint
+    else
+      assert_raises(NotImplementedError) { @key4.md5_fingerprint }
+    end
+
     assert_equal KEY1_SHA1_FINGERPRINT, @key1.sha1_fingerprint
     assert_equal KEY2_SHA1_FINGERPRINT, @key2.sha1_fingerprint
     assert_equal KEY3_SHA1_FINGERPRINT, @key3.sha1_fingerprint
 
+    if ecdsa_supported?
+      assert_equal KEY4_SHA1_FINGERPRINT, @key4.sha1_fingerprint
+    else
+      assert_raises(NotImplementedError) { @key4.sha1_fingerprint }
+    end
+
     assert_equal KEY1_SHA256_FINGERPRINT, @key1.sha256_fingerprint
     assert_equal KEY2_SHA256_FINGERPRINT, @key2.sha256_fingerprint
     assert_equal KEY3_SHA256_FINGERPRINT, @key3.sha256_fingerprint
 
+    if ecdsa_supported?
+      assert_equal KEY4_SHA256_FINGERPRINT, @key4.sha256_fingerprint
+    else
+      assert_raises(NotImplementedError) { @key4.sha256_fingerprint }
+    end
+
     assert_equal KEY1_MD5_FINGERPRINT, SSHKey.md5_fingerprint(SSH_PRIVATE_KEY1)
     assert_equal KEY1_MD5_FINGERPRINT, SSHKey.md5_fingerprint("ssh-rsa #{SSH_PUBLIC_KEY1}")
     assert_equal KEY2_MD5_FINGERPRINT, SSHKey.md5_fingerprint(SSH_PRIVATE_KEY2)
     assert_equal KEY2_MD5_FINGERPRINT, SSHKey.md5_fingerprint("ssh-rsa #{SSH_PUBLIC_KEY2} me@me.com")
     assert_equal KEY3_MD5_FINGERPRINT, SSHKey.md5_fingerprint(SSH_PRIVATE_KEY3)
     assert_equal KEY3_MD5_FINGERPRINT, SSHKey.md5_fingerprint("ssh-dss #{SSH_PUBLIC_KEY3}")
+    assert_equal KEY4_MD5_FINGERPRINT, SSHKey.md5_fingerprint("ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY4}")
     assert_equal ED25519_MD5_FINGERPRINT, SSHKey.md5_fingerprint("ssh-ed25519 #{SSH_PUBLIC_KEY_ED25519}")
     assert_equal ECDSA_256_MD5_FINGERPRINT, SSHKey.md5_fingerprint("ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY_ECDSA_256} me@me.com")
+    assert_equal ECDSA_384_MD5_FINGERPRINT, SSHKey.md5_fingerprint("ecdsa-sha2-nistp384 #{SSH_PUBLIC_KEY_ECDSA_384} me@me.com")
+    assert_equal ECDSA_521_MD5_FINGERPRINT, SSHKey.md5_fingerprint("ecdsa-sha2-nistp521 #{SSH_PUBLIC_KEY_ECDSA_521} me@me.com")
 
     assert_equal KEY1_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint(SSH_PRIVATE_KEY1)
     assert_equal KEY1_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint("ssh-rsa #{SSH_PUBLIC_KEY1}")
@@ -450,8 +705,11 @@ EOF
     assert_equal KEY2_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint("ssh-rsa #{SSH_PUBLIC_KEY2} me@me.com")
     assert_equal KEY3_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint(SSH_PRIVATE_KEY3)
     assert_equal KEY3_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint("ssh-dss #{SSH_PUBLIC_KEY3}")
+    assert_equal KEY4_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint("ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY4}")
     assert_equal ED25519_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint("ssh-ed25519 #{SSH_PUBLIC_KEY_ED25519}")
     assert_equal ECDSA_256_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint("ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY_ECDSA_256} me@me.com")
+    assert_equal ECDSA_384_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint("ecdsa-sha2-nistp384 #{SSH_PUBLIC_KEY_ECDSA_384} me@me.com")
+    assert_equal ECDSA_521_SHA1_FINGERPRINT, SSHKey.sha1_fingerprint("ecdsa-sha2-nistp521 #{SSH_PUBLIC_KEY_ECDSA_521} me@me.com")
 
     assert_equal KEY1_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint(SSH_PRIVATE_KEY1)
     assert_equal KEY1_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint("ssh-rsa #{SSH_PUBLIC_KEY1}")
@@ -459,14 +717,24 @@ EOF
     assert_equal KEY2_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint("ssh-rsa #{SSH_PUBLIC_KEY2} me@me.com")
     assert_equal KEY3_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint(SSH_PRIVATE_KEY3)
     assert_equal KEY3_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint("ssh-dss #{SSH_PUBLIC_KEY3}")
+    assert_equal KEY4_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint("ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY4}")
     assert_equal ED25519_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint("ssh-ed25519 #{SSH_PUBLIC_KEY_ED25519}")
     assert_equal ECDSA_256_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint("ecdsa-sha2-nistp256 #{SSH_PUBLIC_KEY_ECDSA_256} me@me.com")
+    assert_equal ECDSA_384_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint("ecdsa-sha2-nistp384 #{SSH_PUBLIC_KEY_ECDSA_384} me@me.com")
+    assert_equal ECDSA_521_SHA256_FINGERPRINT, SSHKey.sha256_fingerprint("ecdsa-sha2-nistp521 #{SSH_PUBLIC_KEY_ECDSA_521} me@me.com")
   end
 
   def test_bits
     assert_equal 2048, @key1.bits
     assert_equal 2048, @key2.bits
     assert_equal 1024, @key3.bits
+
+    if ecdsa_supported?
+      assert_equal 256, @key4.bits
+    else
+      assert_raises(NotImplementedError) { @key4.bits }
+    end
+
     assert_equal 512, SSHKey.generate(:bits => 512).bits
   end
 
@@ -474,6 +742,19 @@ EOF
     assert_equal KEY1_RANDOMART, @key1.randomart
     assert_equal KEY2_RANDOMART, @key2.randomart
     assert_equal KEY3_RANDOMART, @key3.randomart
+
+    if ecdsa_supported?
+      assert_equal KEY4_RANDOMART, @key4.randomart
+    else
+      assert_raises(NotImplementedError) { @key4.randomart }
+    end
+
+    if ecdsa_supported?
+      assert_equal KEY4_RANDOMART_USING_SHA256_DIGEST, @key4.randomart("SHA256")
+      assert_equal KEY4_RANDOMART_USING_SHA384_DIGEST, @key4.randomart("SHA384")
+      assert_equal KEY4_RANDOMART_USING_SHA512_DIGEST, @key4.randomart("SHA512")
+    end
+
   end
 
   def test_sshfp

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sshkey
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 3.0.0
 platform: ruby
 authors:
 - James Miller
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-02-11 00:00:00.000000000 Z
+date: 2023-08-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -45,8 +45,8 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/ci.yml"
 - ".gitignore"
-- ".travis.yml"
 - Gemfile
 - LICENSE
 - README.md
@@ -59,7 +59,7 @@ homepage: https://github.com/bensie/sshkey
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -67,16 +67,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: sshkey
-rubygems_version: 2.5.2.3
-signing_key: 
+rubygems_version: 3.4.18
+signing_key:
 specification_version: 4
 summary: SSH private/public key generator in Ruby
 test_files:

data/.travis.yml

@@ -1,21 +0,0 @@
-language: ruby
-
-rvm:
-  - 2.0
-  - 2.1
-  - 2.2
-  - 2.3
-  - 2.4
-  - 2.5
-  - 2.6
-  - ruby-head
-  - jruby
-  - jruby-head
-
-matrix:
-  allow_failures:
-    - rvm: ruby-head
-    - rvm: jruby-head
-
-sudo: required
-dist: xenial