@electerm/ssh2 1.16.1 → 1.17.0

package/lib/client.js

@@ -84,6 +84,7 @@ class Client extends EventEmitter {
       username: undefined,
       password: undefined,
       privateKey: undefined,
+      certificate: undefined,
       tryKeyboard: undefined,
       agent: undefined,
       allowAgentFwd: undefined,
@@ -209,6 +210,10 @@ class Client extends EventEmitter {
                               || Buffer.isBuffer(cfg.privateKey)
                               ? cfg.privateKey
                               : undefined);
+    this.config.certificate = (typeof cfg.certificate === 'string'
+                               || Buffer.isBuffer(cfg.certificate)
+                               ? cfg.certificate
+                               : undefined);
     this.config.localHostname = (typeof cfg.localHostname === 'string'
                                  ? cfg.localHostname
                                  : undefined);
@@ -268,6 +273,42 @@ class Client extends EventEmitter {
           'privateKey value does not contain a (valid) private key'
         );
       }
+
+      // Wrap with certificate if provided
+      if (this.config.certificate) {
+        const { wrapKeyWithCertificate } = require('./protocol/certificateAuth.js');
+        let certBuffer = this.config.certificate;
+        
+        // Handle string or buffer that contains OpenSSH public key format
+        let certStr;
+        if (typeof certBuffer === 'string') {
+          certStr = certBuffer.trim();
+        } else if (Buffer.isBuffer(certBuffer)) {
+          // Check if it's text format (starts with ssh-) or binary
+          const firstBytes = certBuffer.slice(0, 4).toString('utf8');
+          if (firstBytes.startsWith('ssh-') || firstBytes.startsWith('ecds')) {
+            certStr = certBuffer.toString('utf8').trim();
+          }
+        }
+        
+        if (certStr) {
+          // Parse OpenSSH public key format: "type base64data [comment]"
+          const parts = certStr.split(/\s+/);
+          if (parts.length >= 2) {
+            try {
+              certBuffer = Buffer.from(parts[1], 'base64');
+            } catch (err) {
+              throw new Error(`Cannot parse certificate: ${err.message}`);
+            }
+          }
+        }
+        
+        const wrappedKey = wrapKeyWithCertificate(privateKey, certBuffer);
+        if (wrappedKey instanceof Error) {
+          throw new Error(`Cannot wrap key with certificate: ${wrappedKey.message}`);
+        }
+        privateKey = wrappedKey;
+      }
     }
 
     let hostVerifier;

package/lib/protocol/Protocol.js

@@ -632,31 +632,88 @@ class Protocol {
     if (this._server)
       throw new Error('Client-only method called in server mode');
 
-    pubKey = parseKey(pubKey);
-    if (pubKey instanceof Error)
-      throw new Error('Invalid key');
+    const origPubKey = pubKey;
+    
+    // Only parse if it's not already a parsed key object
+    // Check for common key object properties
+    if (typeof pubKey !== 'object' || pubKey === null || 
+        typeof pubKey.type !== 'string' || typeof pubKey.getPublicSSH !== 'function') {
+      pubKey = parseKey(pubKey);
+      if (pubKey instanceof Error)
+        throw new Error('Invalid key');
+    }
 
     let keyType = pubKey.type;
+    
+    // Check if this is a certificate-wrapped key
+    let pubKeyData = pubKey.getPublicSSH();
+    let isCertificate = false;
+    if (pubKey.getCertificateBuffer) {
+      // This is a CertificateKey, use the certificate data instead
+      pubKeyData = pubKey.getCertificateBuffer();
+      isCertificate = true;
+      this._debug && this._debug('Using SSH certificate for authentication');
+    }
+
+    // Upgrade RSA to SHA2 variants if server supports them
+    // signAlgo is the actual algorithm used for signing
+    // NOTE: Order must match getKeyAlgos() in client.js - rsa-sha2-256 first
+    let signAlgo = keyType;
     if (keyType === 'ssh-rsa') {
-      for (const algo of ['rsa-sha2-512', 'rsa-sha2-256']) {
+      for (const algo of ['rsa-sha2-256', 'rsa-sha2-512']) {
         if (this._remoteHostKeyAlgorithms.includes(algo)) {
-          keyType = algo;
+          signAlgo = algo;
           break;
         }
       }
     }
-    pubKey = pubKey.getPublicSSH();
+    
+    // For certificates, append the cert suffix to the algorithm for the packet
+    // but keep signAlgo as the base signing algorithm
+    if (isCertificate) {
+      // Map the signing algorithm to certificate algorithm
+      // e.g., rsa-sha2-512 -> rsa-sha2-512-cert-v01@openssh.com
+      if (signAlgo === 'rsa-sha2-512') {
+        keyType = 'rsa-sha2-512-cert-v01@openssh.com';
+      } else if (signAlgo === 'rsa-sha2-256') {
+        keyType = 'rsa-sha2-256-cert-v01@openssh.com';
+      } else if (signAlgo === 'ssh-rsa' || keyType === 'ssh-rsa') {
+        keyType = 'ssh-rsa-cert-v01@openssh.com';
+      } else if (keyType === 'ssh-dss') {
+        keyType = 'ssh-dss-cert-v01@openssh.com';
+      } else if (keyType === 'ecdsa-sha2-nistp256') {
+        keyType = 'ecdsa-sha2-nistp256-cert-v01@openssh.com';
+      } else if (keyType === 'ecdsa-sha2-nistp384') {
+        keyType = 'ecdsa-sha2-nistp384-cert-v01@openssh.com';
+      } else if (keyType === 'ecdsa-sha2-nistp521') {
+        keyType = 'ecdsa-sha2-nistp521-cert-v01@openssh.com';
+      } else if (keyType === 'ssh-ed25519') {
+        keyType = 'ssh-ed25519-cert-v01@openssh.com';
+      }
+      this._debug && this._debug(`Certificate key algorithm: ${keyType}`);
+    } else {
+      // For non-certificates, keyType should be signAlgo
+      keyType = signAlgo;
+    }
 
     if (typeof keyAlgo === 'function') {
       cbSign = keyAlgo;
       keyAlgo = undefined;
     }
-    if (!keyAlgo)
+    
+    // For certificates, we must use the certificate algorithm regardless of what was passed
+    if (isCertificate) {
+      keyAlgo = keyType;
+    } else if (!keyAlgo) {
       keyAlgo = keyType;
+    }
 
     const userLen = Buffer.byteLength(username);
     const algoLen = Buffer.byteLength(keyAlgo);
-    const pubKeyLen = pubKey.length;
+    // For certificates, signAlgo is the base signing algorithm (e.g., rsa-sha2-512)
+    // For non-certificates, signAlgo equals keyAlgo
+    const signAlgoLen = Buffer.byteLength(signAlgo);
+    const pubKeyLen = pubKeyData.length;
     const sessionID = this._kex.sessionID;
     const sesLen = sessionID.length;
     const payloadLen =
@@ -692,7 +749,7 @@ class Protocol {
     packet.utf8Write(keyAlgo, p += 4, algoLen);
 
     writeUInt32BE(packet, pubKeyLen, p += algoLen);
-    packet.set(pubKey, p += 4);
+    packet.set(pubKeyData, p += 4);
 
     if (!cbSign) {
       this._authsQueue.push('publickey');
@@ -705,7 +762,7 @@ class Protocol {
     }
 
     cbSign(packet, (signature) => {
-      signature = convertSignature(signature, keyType);
+      signature = convertSignature(signature, signAlgo);
       if (signature === false)
         throw new Error('Error while converting handshake signature');
 
@@ -713,7 +770,7 @@ class Protocol {
       p = this._packetRW.write.allocStart;
       packet = this._packetRW.write.alloc(
         1 + 4 + userLen + 4 + 14 + 4 + 9 + 1 + 4 + algoLen + 4 + pubKeyLen + 4
-          + 4 + algoLen + 4 + sigLen
+          + 4 + signAlgoLen + 4 + sigLen
       );
 
       // TODO: simply copy from original "packet" to new `packet` to avoid
@@ -735,14 +792,17 @@ class Protocol {
       packet.utf8Write(keyAlgo, p += 4, algoLen);
 
       writeUInt32BE(packet, pubKeyLen, p += algoLen);
-      packet.set(pubKey, p += 4);
+      packet.set(pubKeyData, p += 4);
 
-      writeUInt32BE(packet, 4 + algoLen + 4 + sigLen, p += pubKeyLen);
+      // Signature blob: length-prefixed (algorithm string + raw signature)
+      // For RSA signatures, use the base signing algorithm (without cert suffix)
+      // The cert suffix is only used in the public key algorithm field of the main packet
+      writeUInt32BE(packet, 4 + signAlgoLen + 4 + sigLen, p += pubKeyLen);
 
-      writeUInt32BE(packet, algoLen, p += 4);
-      packet.utf8Write(keyAlgo, p += 4, algoLen);
+      writeUInt32BE(packet, signAlgoLen, p += 4);
+      packet.utf8Write(signAlgo, p += 4, signAlgoLen);
 
-      writeUInt32BE(packet, sigLen, p += algoLen);
+      writeUInt32BE(packet, sigLen, p += signAlgoLen);
       packet.set(signature, p += 4);
 
       // Servers shouldn't send packet type 60 in response to signed publickey

package/lib/protocol/certificateAuth.js

@@ -0,0 +1,104 @@
+'use strict';
+
+const {
+  parseSSHCertificate,
+  isCertificate,
+} = require('./sshCertificate.js');
+
+/**
+ * Handle SSH certificate public key authentication
+ * This extends regular publickey auth to support certificates
+ */
+
+class CertificateKey {
+  constructor(baseKey, certificate, certBuffer) {
+    this.baseKey = baseKey; // The underlying parsed key
+    this.certificate = certificate; // Parsed certificate data
+    this.certBuffer = certBuffer; // Raw certificate buffer
+    this.type = baseKey.type;
+    this.comment = baseKey.comment;
+  }
+
+  isPrivateKey() {
+    return this.baseKey.isPrivateKey();
+  }
+
+  getPublicPEM() {
+    return this.baseKey.getPublicPEM?.();
+  }
+
+  getPublicSSH(algo) {
+    return this.baseKey.getPublicSSH?.(algo);
+  }
+
+  sign(data, algo) {
+    return this.baseKey.sign(data, algo);
+  }
+
+  verify(data, signature, algo) {
+    return this.baseKey.verify(data, signature, algo);
+  }
+
+  getCertificate() {
+    return this.certificate;
+  }
+
+  getCertificateBuffer() {
+    return this.certBuffer;
+  }
+}
+
+/**
+ * Wrap a parsed key with certificate information
+ */
+function wrapKeyWithCertificate(key, certBuffer) {
+  if (!Buffer.isBuffer(certBuffer)) {
+    return new Error('Certificate must be a Buffer');
+  }
+
+  try {
+    // Verify this is a certificate
+    if (!isCertificate(certBuffer)) {
+      return new Error('Buffer does not appear to be a certificate');
+    }
+
+    // Parse the certificate - it expects the complete buffer including type string
+    const certificate = parseSSHCertificate(certBuffer);
+
+    if (certificate instanceof Error) {
+      return certificate;
+    }
+
+    return new CertificateKey(key, certificate, certBuffer);
+  } catch (err) {
+    return err;
+  }
+}
+
+/**
+ * Extract certificate from OpenSSH public key format
+ * Returns { certBuffer, remainingData } or Error
+ */
+function extractCertificateFromData(data) {
+  if (!Buffer.isBuffer(data)) {
+    return new Error('Data must be a Buffer');
+  }
+
+  if (!isCertificate(data)) {
+    return null; // Not a certificate
+  }
+
+  try {
+    // The data is in binary SSH format: [type-len][type][data-len][data]...
+    // For a certificate, the entire data IS the certificate
+    return { certBuffer: data };
+  } catch (err) {
+    return err;
+  }
+}
+
+module.exports = {
+  CertificateKey,
+  wrapKeyWithCertificate,
+  extractCertificateFromData,
+};

package/lib/protocol/crypto/build/Makefile

@@ -148,10 +148,10 @@ cmd_pch_mm = $(CC.$(TOOLSET)) $(GYP_PCH_OBJCXXFLAGS) $(DEPFLAGS) -c -o $@ $<
 # Use $(4) for the command, since $(2) and $(3) are used as flag by do_cmd
 # already.
 quiet_cmd_mac_tool = MACTOOL $(4) $<
-cmd_mac_tool = ./gyp-mac-tool $(4) $< "$@"
+cmd_mac_tool = /usr/local/opt/python@3.14/bin/python3.14 gyp-mac-tool $(4) $< "$@"
 
 quiet_cmd_mac_package_framework = PACKAGE FRAMEWORK $@
-cmd_mac_package_framework = ./gyp-mac-tool package-framework "$@" $(4)
+cmd_mac_package_framework = /usr/local/opt/python@3.14/bin/python3.14 gyp-mac-tool package-framework "$@" $(4)
 
 quiet_cmd_infoplist = INFOPLIST $@
 cmd_infoplist = $(CC.$(TOOLSET)) -E -P -Wno-trigraphs -x c $(INFOPLIST_DEFINES) "$<" -o "$@"
@@ -167,7 +167,7 @@ quiet_cmd_symlink = SYMLINK $@
 cmd_symlink = ln -sf "$<" "$@"
 
 quiet_cmd_alink = LIBTOOL-STATIC $@
-cmd_alink = rm -f $@ && ./gyp-mac-tool filter-libtool libtool $(GYP_LIBTOOLFLAGS) -static -o $@ $(filter %.o,$^)
+cmd_alink = rm -f $@ && /usr/local/opt/python@3.14/bin/python3.14 gyp-mac-tool filter-libtool libtool $(GYP_LIBTOOLFLAGS) -static -o $@ $(filter %.o,$^)
 
 quiet_cmd_link = LINK($(TOOLSET)) $@
 cmd_link = $(LINK.$(TOOLSET)) $(GYP_LDFLAGS) $(LDFLAGS.$(TOOLSET)) -o "$@" $(LD_INPUTS) $(LIBS)
@@ -331,8 +331,8 @@ ifeq ($(strip $(foreach prefix,$(NO_LOAD),\
 endif
 
 quiet_cmd_regen_makefile = ACTION Regenerating $@
-cmd_regen_makefile = cd $(srcdir); /Users/home/.nvm/versions/node/v18.17.1/lib/node_modules/npm/node_modules/node-gyp/gyp/gyp_main.py -fmake --ignore-environment "-Dlibrary=shared_library" "-Dvisibility=default" "-Dnode_root_dir=/Users/home/Library/Caches/node-gyp/18.17.1" "-Dnode_gyp_dir=/Users/home/.nvm/versions/node/v18.17.1/lib/node_modules/npm/node_modules/node-gyp" "-Dnode_lib_file=/Users/home/Library/Caches/node-gyp/18.17.1/<(target_arch)/node.lib" "-Dmodule_root_dir=/Users/home/dev/ssh2/lib/protocol/crypto" "-Dnode_engine=v8" "--depth=." "-Goutput_dir=." "--generator-output=build" -I/Users/home/dev/ssh2/lib/protocol/crypto/build/config.gypi -I/Users/home/.nvm/versions/node/v18.17.1/lib/node_modules/npm/node_modules/node-gyp/addon.gypi -I/Users/home/Library/Caches/node-gyp/18.17.1/include/node/common.gypi "--toplevel-dir=." binding.gyp
-Makefile: $(srcdir)/build/config.gypi $(srcdir)/binding.gyp $(srcdir)/../../../../../.nvm/versions/node/v18.17.1/lib/node_modules/npm/node_modules/node-gyp/addon.gypi $(srcdir)/../../../../../Library/Caches/node-gyp/18.17.1/include/node/common.gypi
+cmd_regen_makefile = cd $(srcdir); /Users/zxd/.nvm/versions/node/v22.19.0/lib/node_modules/npm/node_modules/node-gyp/gyp/gyp_main.py -fmake --ignore-environment "-Dlibrary=shared_library" "-Dvisibility=default" "-Dnode_root_dir=/Users/zxd/Library/Caches/node-gyp/22.19.0" "-Dnode_gyp_dir=/Users/zxd/.nvm/versions/node/v22.19.0/lib/node_modules/npm/node_modules/node-gyp" "-Dnode_lib_file=/Users/zxd/Library/Caches/node-gyp/22.19.0/<(target_arch)/node.lib" "-Dmodule_root_dir=/Users/zxd/dev/ssh2/lib/protocol/crypto" "-Dnode_engine=v8" "--depth=." "-Goutput_dir=." "--generator-output=build" -I/Users/zxd/dev/ssh2/lib/protocol/crypto/build/config.gypi -I/Users/zxd/.nvm/versions/node/v22.19.0/lib/node_modules/npm/node_modules/node-gyp/addon.gypi -I/Users/zxd/Library/Caches/node-gyp/22.19.0/include/node/common.gypi "--toplevel-dir=." binding.gyp
+Makefile: $(srcdir)/binding.gyp $(srcdir)/../../../../../.nvm/versions/node/v22.19.0/lib/node_modules/npm/node_modules/node-gyp/addon.gypi $(srcdir)/../../../../../Library/Caches/node-gyp/22.19.0/include/node/common.gypi $(srcdir)/build/config.gypi
 	$(call do_cmd,regen_makefile)
 
 # "all" is a concatenation of the "all" targets from all the included