@electerm/ssh2 1.16.2 → 1.17.0

package/lib/protocol/crypto/build/sshcrypto.target.mk

@@ -0,0 +1,191 @@
+# This file is generated by gyp; do not edit.
+
+TOOLSET := target
+TARGET := sshcrypto
+DEFS_Debug := \
+	'-DNODE_GYP_MODULE_NAME=sshcrypto' \
+	'-DUSING_UV_SHARED=1' \
+	'-DUSING_V8_SHARED=1' \
+	'-DV8_DEPRECATION_WARNINGS=1' \
+	'-D_GLIBCXX_USE_CXX11_ABI=1' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-D_DARWIN_USE_64_BIT_INODE=1' \
+	'-D_LARGEFILE_SOURCE' \
+	'-DOPENSSL_NO_PINSHARED' \
+	'-DOPENSSL_THREADS' \
+	'-DOPENSSL_API_COMPAT=0x10100000L' \
+	'-DREAL_OPENSSL_MAJOR=3' \
+	'-DBUILDING_NODE_EXTENSION' \
+	'-DDEBUG' \
+	'-D_DEBUG'
+
+# Flags passed to all source files.
+CFLAGS_Debug := \
+	-O0 \
+	-gdwarf-2 \
+	-fno-strict-aliasing \
+	-mmacosx-version-min=11.0 \
+	-arch \
+	x86_64 \
+	-Wall \
+	-Wendif-labels \
+	-W \
+	-Wno-unused-parameter
+
+# Flags passed to only C files.
+CFLAGS_C_Debug :=
+
+# Flags passed to only C++ files.
+CFLAGS_CC_Debug := \
+	-std=gnu++17 \
+	-stdlib=libc++ \
+	-fno-rtti \
+	-fno-exceptions
+
+# Flags passed to only ObjC files.
+CFLAGS_OBJC_Debug :=
+
+# Flags passed to only ObjC++ files.
+CFLAGS_OBJCC_Debug :=
+
+INCS_Debug := \
+	-I/Users/zxd/Library/Caches/node-gyp/22.19.0/include/node \
+	-I/Users/zxd/Library/Caches/node-gyp/22.19.0/src \
+	-I/Users/zxd/Library/Caches/node-gyp/22.19.0/deps/openssl/config \
+	-I/Users/zxd/Library/Caches/node-gyp/22.19.0/deps/openssl/openssl/include \
+	-I/Users/zxd/Library/Caches/node-gyp/22.19.0/deps/uv/include \
+	-I/Users/zxd/Library/Caches/node-gyp/22.19.0/deps/zlib \
+	-I/Users/zxd/Library/Caches/node-gyp/22.19.0/deps/v8/include \
+	-I$(srcdir)/../../../node_modules/nan
+
+DEFS_Release := \
+	'-DNODE_GYP_MODULE_NAME=sshcrypto' \
+	'-DUSING_UV_SHARED=1' \
+	'-DUSING_V8_SHARED=1' \
+	'-DV8_DEPRECATION_WARNINGS=1' \
+	'-D_GLIBCXX_USE_CXX11_ABI=1' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-D_DARWIN_USE_64_BIT_INODE=1' \
+	'-D_LARGEFILE_SOURCE' \
+	'-DOPENSSL_NO_PINSHARED' \
+	'-DOPENSSL_THREADS' \
+	'-DOPENSSL_API_COMPAT=0x10100000L' \
+	'-DREAL_OPENSSL_MAJOR=3' \
+	'-DBUILDING_NODE_EXTENSION'
+
+# Flags passed to all source files.
+CFLAGS_Release := \
+	-O3 \
+	-gdwarf-2 \
+	-fno-strict-aliasing \
+	-mmacosx-version-min=11.0 \
+	-arch \
+	x86_64 \
+	-Wall \
+	-Wendif-labels \
+	-W \
+	-Wno-unused-parameter
+
+# Flags passed to only C files.
+CFLAGS_C_Release :=
+
+# Flags passed to only C++ files.
+CFLAGS_CC_Release := \
+	-std=gnu++17 \
+	-stdlib=libc++ \
+	-fno-rtti \
+	-fno-exceptions
+
+# Flags passed to only ObjC files.
+CFLAGS_OBJC_Release :=
+
+# Flags passed to only ObjC++ files.
+CFLAGS_OBJCC_Release :=
+
+INCS_Release := \
+	-I/Users/zxd/Library/Caches/node-gyp/22.19.0/include/node \
+	-I/Users/zxd/Library/Caches/node-gyp/22.19.0/src \
+	-I/Users/zxd/Library/Caches/node-gyp/22.19.0/deps/openssl/config \
+	-I/Users/zxd/Library/Caches/node-gyp/22.19.0/deps/openssl/openssl/include \
+	-I/Users/zxd/Library/Caches/node-gyp/22.19.0/deps/uv/include \
+	-I/Users/zxd/Library/Caches/node-gyp/22.19.0/deps/zlib \
+	-I/Users/zxd/Library/Caches/node-gyp/22.19.0/deps/v8/include \
+	-I$(srcdir)/../../../node_modules/nan
+
+OBJS := \
+	$(obj).target/$(TARGET)/src/binding.o
+
+# Add to the list of files we specially track dependencies for.
+all_deps += $(OBJS)
+
+# CFLAGS et al overrides must be target-local.
+# See "Target-specific Variable Values" in the GNU Make manual.
+$(OBJS): TOOLSET := $(TOOLSET)
+$(OBJS): GYP_CFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE))  $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE))
+$(OBJS): GYP_CXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE))  $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE))
+$(OBJS): GYP_OBJCFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE))  $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE)) $(CFLAGS_OBJC_$(BUILDTYPE))
+$(OBJS): GYP_OBJCXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE))  $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE)) $(CFLAGS_OBJCC_$(BUILDTYPE))
+
+# Suffix rules, putting all outputs into $(obj).
+
+$(obj).$(TOOLSET)/$(TARGET)/%.o: $(srcdir)/%.cc FORCE_DO_CMD
+	@$(call do_cmd,cxx,1)
+
+# Try building from generated source, too.
+
+$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj).$(TOOLSET)/%.cc FORCE_DO_CMD
+	@$(call do_cmd,cxx,1)
+
+$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj)/%.cc FORCE_DO_CMD
+	@$(call do_cmd,cxx,1)
+
+# End of this set of suffix rules
+### Rules for final target.
+LDFLAGS_Debug := \
+	-undefined dynamic_lookup \
+	-Wl,-search_paths_first \
+	-mmacosx-version-min=11.0 \
+	-arch \
+	x86_64 \
+	-L$(builddir) \
+	-stdlib=libc++
+
+LIBTOOLFLAGS_Debug := \
+	-undefined dynamic_lookup \
+	-Wl,-search_paths_first
+
+LDFLAGS_Release := \
+	-undefined dynamic_lookup \
+	-Wl,-search_paths_first \
+	-mmacosx-version-min=11.0 \
+	-arch \
+	x86_64 \
+	-L$(builddir) \
+	-stdlib=libc++
+
+LIBTOOLFLAGS_Release := \
+	-undefined dynamic_lookup \
+	-Wl,-search_paths_first
+
+LIBS :=
+
+$(builddir)/sshcrypto.node: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE))
+$(builddir)/sshcrypto.node: LIBS := $(LIBS)
+$(builddir)/sshcrypto.node: GYP_LIBTOOLFLAGS := $(LIBTOOLFLAGS_$(BUILDTYPE))
+$(builddir)/sshcrypto.node: TOOLSET := $(TOOLSET)
+$(builddir)/sshcrypto.node: $(OBJS) FORCE_DO_CMD
+	$(call do_cmd,solink_module)
+
+all_deps += $(builddir)/sshcrypto.node
+# Add target alias
+.PHONY: sshcrypto
+sshcrypto: $(builddir)/sshcrypto.node
+
+# Short alias for building this executable.
+.PHONY: sshcrypto.node
+sshcrypto.node: $(builddir)/sshcrypto.node
+
+# Add executable to "all" target.
+.PHONY: all
+all: $(builddir)/sshcrypto.node
+

package/lib/protocol/crypto/src/binding.cc

@@ -84,15 +84,11 @@ class ChaChaPolyCipher : public ObjectWrap {
     SetPrototypeMethod(tpl, "encrypt", Encrypt);
     SetPrototypeMethod(tpl, "free", Free);
 
-    Local<Function> func = Nan::GetFunction(tpl).ToLocalChecked();
-    Local<Context> context = Nan::GetCurrentContext();
-    v8::Isolate* isolate = context->GetIsolate();
-
-    constructor().Set(isolate, func);
+    constructor().Reset(Nan::GetFunction(tpl).ToLocalChecked());
 
     Nan::Set(target,
              Nan::New("ChaChaPolyCipher").ToLocalChecked(),
-             func);
+             Nan::GetFunction(tpl).ToLocalChecked());
   }
 
  private:
@@ -391,8 +387,8 @@ out:
     obj->clear();
   }
 
-  static inline v8::Eternal<v8::Function> & constructor() {
-    static v8::Eternal<v8::Function> my_constructor;
+  static inline Nan::Persistent<Function> & constructor() {
+    static Nan::Persistent<Function> my_constructor;
     return my_constructor;
   }
 
@@ -418,15 +414,11 @@ class AESGCMCipher : public ObjectWrap {
     SetPrototypeMethod(tpl, "encrypt", Encrypt);
     SetPrototypeMethod(tpl, "free", Free);
 
-    Local<Function> func = Nan::GetFunction(tpl).ToLocalChecked();
-    Local<Context> context = Nan::GetCurrentContext();
-    v8::Isolate* isolate = context->GetIsolate();
-
-    constructor().Set(isolate, func);
+    constructor().Reset(Nan::GetFunction(tpl).ToLocalChecked());
 
     Nan::Set(target,
              Nan::New("AESGCMCipher").ToLocalChecked(),
-             func);
+             Nan::GetFunction(tpl).ToLocalChecked());
   }
 
  private:
@@ -641,8 +633,8 @@ out:
     obj->clear();
   }
 
-  static inline v8::Eternal<v8::Function> & constructor() {
-    static v8::Eternal<v8::Function> my_constructor;
+  static inline Nan::Persistent<Function> & constructor() {
+    static Nan::Persistent<Function> my_constructor;
     return my_constructor;
   }
 
@@ -659,15 +651,11 @@ class GenericCipher : public ObjectWrap {
     SetPrototypeMethod(tpl, "encrypt", Encrypt);
     SetPrototypeMethod(tpl, "free", Free);
 
-    Local<Function> func = Nan::GetFunction(tpl).ToLocalChecked();
-    Local<Context> context = Nan::GetCurrentContext();
-    v8::Isolate* isolate = context->GetIsolate();
-
-    constructor().Set(isolate, func);
+    constructor().Reset(Nan::GetFunction(tpl).ToLocalChecked());
 
     Nan::Set(target,
              Nan::New("GenericCipher").ToLocalChecked(),
-             func);
+             Nan::GetFunction(tpl).ToLocalChecked());
   }
 
  private:
@@ -1026,8 +1014,8 @@ out:
     obj->clear();
   }
 
-  static inline v8::Eternal<v8::Function> & constructor() {
-    static v8::Eternal<v8::Function> my_constructor;
+  static inline Nan::Persistent<Function> & constructor() {
+    static Nan::Persistent<Function> my_constructor;
     return my_constructor;
   }
 
@@ -1056,15 +1044,11 @@ class ChaChaPolyDecipher : public ObjectWrap {
     SetPrototypeMethod(tpl, "decryptLen", DecryptLen);
     SetPrototypeMethod(tpl, "free", Free);
 
-    Local<Function> func = Nan::GetFunction(tpl).ToLocalChecked();
-    Local<Context> context = Nan::GetCurrentContext();
-    v8::Isolate* isolate = context->GetIsolate();
-
-    constructor().Set(isolate, func);
+    constructor().Reset(Nan::GetFunction(tpl).ToLocalChecked());
 
     Nan::Set(target,
              Nan::New("ChaChaPolyDecipher").ToLocalChecked(),
-             func);
+             Nan::GetFunction(tpl).ToLocalChecked());
   }
 
  private:
@@ -1456,8 +1440,8 @@ out:
     obj->clear();
   }
 
-  static inline v8::Eternal<v8::Function> & constructor() {
-    static v8::Eternal<v8::Function> my_constructor;
+  static inline Nan::Persistent<Function> & constructor() {
+    static Nan::Persistent<Function> my_constructor;
     return my_constructor;
   }
 
@@ -1484,15 +1468,11 @@ class AESGCMDecipher : public ObjectWrap {
     SetPrototypeMethod(tpl, "decrypt", Decrypt);
     SetPrototypeMethod(tpl, "free", Free);
 
-    Local<Function> func = Nan::GetFunction(tpl).ToLocalChecked();
-    Local<Context> context = Nan::GetCurrentContext();
-    v8::Isolate* isolate = context->GetIsolate();
-
-    constructor().Set(isolate, func);
+    constructor().Reset(Nan::GetFunction(tpl).ToLocalChecked());
 
     Nan::Set(target,
              Nan::New("AESGCMDecipher").ToLocalChecked(),
-             func);
+             Nan::GetFunction(tpl).ToLocalChecked());
   }
 
  private:
@@ -1717,8 +1697,8 @@ out:
     obj->clear();
   }
 
-  static inline v8::Eternal<v8::Function> & constructor() {
-    static v8::Eternal<v8::Function> my_constructor;
+  static inline Nan::Persistent<Function> & constructor() {
+    static Nan::Persistent<Function> my_constructor;
     return my_constructor;
   }
 
@@ -1736,15 +1716,11 @@ class GenericDecipher : public ObjectWrap {
     SetPrototypeMethod(tpl, "decrypt", Decrypt);
     SetPrototypeMethod(tpl, "free", Free);
 
-    Local<Function> func = Nan::GetFunction(tpl).ToLocalChecked();
-    Local<Context> context = Nan::GetCurrentContext();
-    v8::Isolate* isolate = context->GetIsolate();
-
-    constructor().Set(isolate, func);
+    constructor().Reset(Nan::GetFunction(tpl).ToLocalChecked());
 
     Nan::Set(target,
              Nan::New("GenericDecipher").ToLocalChecked(),
-             func);
+             Nan::GetFunction(tpl).ToLocalChecked());
   }
 
  private:
@@ -2207,8 +2183,8 @@ out:
     obj->clear();
   }
 
-  static inline v8::Eternal<v8::Function> & constructor() {
-    static v8::Eternal<v8::Function> my_constructor;
+  static inline Nan::Persistent<Function> & constructor() {
+    static Nan::Persistent<Function> my_constructor;
     return my_constructor;
   }
 

package/lib/protocol/sshCertificate.js

@@ -0,0 +1,243 @@
+'use strict';
+
+const { readUInt32BE } = require('./utils.js');
+
+/**
+ * Parse SSH certificate format from complete certificate buffer
+ * RFC: https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/PROTOCOL.certkeys?rev=1.17
+ * 
+ * Certificate format (for ssh-rsa-cert-v01@openssh.com):
+ *   string    "ssh-rsa-cert-v01@openssh.com"
+ *   string    nonce
+ *   mpint     e (RSA exponent)
+ *   mpint     n (RSA modulus)
+ *   uint64    serial
+ *   uint32    type (1=user, 2=host)
+ *   string    key_id
+ *   string    valid_principals
+ *   uint64    valid_after
+ *   uint64    valid_before
+ *   string    critical_options
+ *   string    extensions
+ *   string    reserved
+ *   string    signature_key
+ *   string    signature
+ */
+function parseSSHCertificate(certBuffer) {
+  if (!Buffer.isBuffer(certBuffer) || certBuffer.length < 8) {
+    return new Error('Invalid certificate buffer');
+  }
+
+  let pos = 0;
+
+  function readString() {
+    if (pos + 4 > certBuffer.length) {
+      throw new Error('Unexpected end of certificate');
+    }
+    const len = readUInt32BE(certBuffer, pos);
+    pos += 4;
+    if (pos + len > certBuffer.length) {
+      throw new Error('Unexpected end of certificate');
+    }
+    const result = certBuffer.slice(pos, pos + len);
+    pos += len;
+    return result;
+  }
+
+  function readUInt64() {
+    if (pos + 8 > certBuffer.length) {
+      throw new Error('Unexpected end of certificate');
+    }
+    const result = certBuffer.readBigUInt64BE(pos);
+    pos += 8;
+    return result;
+  }
+
+  function readUInt32() {
+    if (pos + 4 > certBuffer.length) {
+      throw new Error('Unexpected end of certificate');
+    }
+    const result = readUInt32BE(certBuffer, pos);
+    pos += 4;
+    return result;
+  }
+
+  try {
+    const cert = {};
+
+    // 1. Type string
+    const typeStr = readString().toString('utf8');
+    cert.type = typeStr;
+
+    // 2. Nonce (random bytes for uniqueness)
+    cert.nonce = readString();
+
+    // 3-4. Key-specific fields - skip them based on key type
+    // For RSA: e (exponent), n (modulus)
+    // For ECDSA: curve identifier, Q (point)
+    // For ED25519: pk (public key)
+    if (typeStr.startsWith('ssh-rsa')) {
+      // RSA: e, n
+      readString(); // e
+      readString(); // n
+    } else if (typeStr.startsWith('ecdsa-sha2-nistp')) {
+      // ECDSA: curve, Q
+      readString(); // curve identifier
+      readString(); // Q
+    } else if (typeStr.startsWith('ssh-ed25519')) {
+      // ED25519: pk
+      readString(); // pk
+    } else if (typeStr.startsWith('ssh-dss')) {
+      // DSA: p, q, g, y
+      readString(); // p
+      readString(); // q
+      readString(); // g
+      readString(); // y
+    } else {
+      return new Error(`Unsupported certificate type: ${typeStr}`);
+    }
+
+    // 5. Serial
+    cert.serial = readUInt64();
+
+    // 6. Type (1 = user cert, 2 = host cert)
+    const typeNum = readUInt32();
+    cert.certType = typeNum === 1 ? 'user' : typeNum === 2 ? 'host' : 'unknown';
+
+    // 7. Key ID (comment/identifier)
+    cert.keyId = readString().toString('utf8');
+
+    // 8. Valid principals (array of valid user/host names)
+    const principalsBuffer = readString();
+    cert.principals = [];
+    if (principalsBuffer.length > 0) {
+      let pPos = 0;
+      while (pPos < principalsBuffer.length) {
+        const len = readUInt32BE(principalsBuffer, pPos);
+        pPos += 4;
+        cert.principals.push(principalsBuffer.slice(pPos, pPos + len).toString('utf8'));
+        pPos += len;
+      }
+    }
+
+    // 9. Valid after
+    cert.validAfter = readUInt64();
+
+    // 10. Valid before
+    cert.validBefore = readUInt64();
+
+    // 11. Critical options
+    const criticalBuffer = readString();
+    cert.criticalOptions = {};
+    if (criticalBuffer.length > 0) {
+      let cPos = 0;
+      while (cPos < criticalBuffer.length) {
+        const nameLen = readUInt32BE(criticalBuffer, cPos);
+        cPos += 4;
+        const name = criticalBuffer.slice(cPos, cPos + nameLen).toString('utf8');
+        cPos += nameLen;
+        const dataLen = readUInt32BE(criticalBuffer, cPos);
+        cPos += 4;
+        const data = criticalBuffer.slice(cPos, cPos + dataLen);
+        cPos += dataLen;
+        cert.criticalOptions[name] = data;
+      }
+    }
+
+    // 12. Extensions
+    const extensionsBuffer = readString();
+    cert.extensions = {};
+    if (extensionsBuffer.length > 0) {
+      let ePos = 0;
+      while (ePos < extensionsBuffer.length) {
+        const nameLen = readUInt32BE(extensionsBuffer, ePos);
+        ePos += 4;
+        const name = extensionsBuffer.slice(ePos, ePos + nameLen).toString('utf8');
+        ePos += nameLen;
+        const dataLen = readUInt32BE(extensionsBuffer, ePos);
+        ePos += 4;
+        const data = extensionsBuffer.slice(ePos, ePos + dataLen);
+        ePos += dataLen;
+        cert.extensions[name] = data;
+      }
+    }
+
+    // 13. Reserved (currently unused)
+    readString();
+
+    // 14. Signature key
+    cert.signatureKeyBlob = readString();
+
+    // 15. Signature
+    cert.signature = readString();
+
+    return cert;
+  } catch (err) {
+    return err;
+  }
+}
+
+/**
+ * Check if a buffer represents an SSH certificate
+ */
+function isCertificate(data) {
+  if (!Buffer.isBuffer(data) || data.length < 16) {
+    return false;
+  }
+
+  try {
+    // Check if the type string indicates a certificate (ends with -cert-v01@openssh.com or similar)
+    if (data.length < 4) {
+      return false;
+    }
+
+    const len = readUInt32BE(data, 0);
+    if (len > 64 || data.length < 4 + len) {
+      return false;
+    }
+
+    const type = data.slice(4, 4 + len).toString('utf8');
+    return type.includes('-cert-v');
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Check if a certificate is valid for the given username
+ */
+function validateCertificate(cert, username) {
+  if (cert instanceof Error) {
+    return { valid: false, reason: cert.message };
+  }
+
+  const now = BigInt(Math.floor(Date.now() / 1000));
+
+  // Check if currently expired
+  if (cert.validBefore && now >= cert.validBefore) {
+    return { valid: false, reason: 'Certificate has expired' };
+  }
+
+  // Check if not yet valid
+  if (cert.validAfter && now < cert.validAfter) {
+    return { valid: false, reason: 'Certificate is not yet valid' };
+  }
+
+  // Check if username is in principals (for user certificates)
+  if (cert.certType === 'user' && cert.principals && cert.principals.length > 0) {
+    if (!cert.principals.includes(username)) {
+      return {
+        valid: false,
+        reason: `Username "${username}" not in certificate principals: ${cert.principals.join(', ')}`,
+      };
+    }
+  }
+
+  return { valid: true };
+}
+
+module.exports = {
+  parseSSHCertificate,
+  isCertificate,
+  validateCertificate,
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@electerm/ssh2",
-  "version": "1.16.2",
+  "version": "1.17.0",
   "author": "Brian White <mscdex@mscdex.net>",
   "description": "SSH2 client and server modules written in pure JavaScript for node.js",
   "main": "./lib/index.js",