PyPI - dissect.target - Versions diffs - 3.19.dev11__py3-none-any.whl → 3.19.dev12__py3-none-any.whl - Mend

dissect.target 3.19.dev11py3-none-any.whl → 3.19.dev12py3-none-any.whl

Files changed (10) hide show

dissect/target/plugins/apps/ssh/openssh.py CHANGED Viewed

@@ -7,7 +7,6 @@ from typing import Iterator
 from dissect.target import Target
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.fsutil import TargetPath
-from dissect.target.helpers.ssh import SSHPrivateKey
 from dissect.target.plugin import export
 from dissect.target.plugins.apps.ssh.ssh import (
     AuthorizedKeysRecord,
@@ -15,6 +14,7 @@ from dissect.target.plugins.apps.ssh.ssh import (
     PrivateKeyRecord,
     PublicKeyRecord,
     SSHPlugin,
+    SSHPrivateKey,
     calculate_fingerprints,
 )

dissect/target/plugins/apps/ssh/ssh.py CHANGED Viewed

@@ -1,10 +1,55 @@
 import base64
+import binascii
 from hashlib import md5, sha1, sha256
+from dissect.cstruct import cstruct
 from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
 from dissect.target.helpers.record import create_extended_descriptor
 from dissect.target.plugin import NamespacePlugin
+rfc4716_def = """
+struct ssh_string {
+    uint32 length;
+    char value[length];
+}
+struct ssh_private_key {
+    char magic[15];
+    ssh_string cipher;
+    ssh_string kdf_name;
+    ssh_string kdf_options;
+    uint32 number_of_keys;
+    ssh_string public;
+    ssh_string private;
+}
+"""
+c_rfc4716 = cstruct(endian=">").load(rfc4716_def)
+RFC4716_MARKER_START = b"-----BEGIN OPENSSH PRIVATE KEY-----"
+RFC4716_MARKER_END = b"-----END OPENSSH PRIVATE KEY-----"
+RFC4716_MAGIC = b"openssh-key-v1\x00"
+RFC4716_PADDING = b"\x01\x02\x03\x04\x05\x06\x07"
+RFC4716_NONE = b"none"
+PKCS8_MARKER_START = b"-----BEGIN PRIVATE KEY-----"
+PKCS8_MARKER_END = b"-----END PRIVATE KEY-----"
+PKCS8_MARKER_START_ENCRYPTED = b"-----BEGIN ENCRYPTED PRIVATE KEY-----"
+PKCS8_MARKER_END_ENCRYPTED = b"-----END ENCRYPTED PRIVATE KEY-----"
+PEM_MARKER_START_RSA = b"-----BEGIN RSA PRIVATE KEY-----"
+PEM_MARKER_END_RSA = b"-----END RSA PRIVATE KEY-----"
+PEM_MARKER_START_DSA = b"-----BEGIN DSA PRIVATE KEY-----"
+PEM_MARKER_END_DSA = b"-----END DSA PRIVATE KEY-----"
+PEM_MARKER_START_EC = b"-----BEGIN EC PRIVATE KEY-----"
+PEM_MARKER_END_EC = b"-----END EC PRIVATE KEY-----"
+PEM_ENCRYPTED = b"ENCRYPTED"
 OpenSSHUserRecordDescriptor = create_extended_descriptor([UserRecordDescriptorExtension])
 COMMON_ELLEMENTS = [
@@ -96,3 +141,135 @@ def calculate_fingerprints(public_key_decoded: bytes, ssh_keygen_format: bool =
         fingerprint_sha256 = digest_sha256.hex()
     return digest_md5.hex(), fingerprint_sha1, fingerprint_sha256
+def is_rfc4716(data: bytes) -> bool:
+    """Validate data is a valid looking SSH private key in the OpenSSH format."""
+    return data.startswith(RFC4716_MARKER_START) and data.endswith(RFC4716_MARKER_END)
+def decode_rfc4716(data: bytes) -> bytes:
+    """Base64 decode the private key data."""
+    encoded_key_data = data.removeprefix(RFC4716_MARKER_START).removesuffix(RFC4716_MARKER_END)
+    try:
+        return base64.b64decode(encoded_key_data)
+    except binascii.Error:
+        raise ValueError("Error decoding RFC4716 key data")
+def is_pkcs8(data: bytes) -> bool:
+    """Validate data is a valid looking PKCS8 SSH private key."""
+    return (data.startswith(PKCS8_MARKER_START) and data.endswith(PKCS8_MARKER_END)) or (
+        data.startswith(PKCS8_MARKER_START_ENCRYPTED) and data.endswith(PKCS8_MARKER_END_ENCRYPTED)
+    )
+def is_pem(data: bytes) -> bool:
+    """Validate data is a valid looking PEM SSH private key."""
+    return (
+        (data.startswith(PEM_MARKER_START_RSA) and data.endswith(PEM_MARKER_END_RSA))
+        or (data.startswith(PEM_MARKER_START_DSA) and data.endswith(PEM_MARKER_END_DSA))
+        or (data.startswith(PEM_MARKER_START_EC) and data.endswith(PEM_MARKER_END_EC))
+    )
+class SSHPrivateKey:
+    """A class to parse (OpenSSH-supported) SSH private keys.
+    OpenSSH supports three types of keys:
+    * RFC4716 (default)
+    * PKCS8
+    * PEM
+    """
+    def __init__(self, data: bytes):
+        self.key_type = None
+        self.public_key = None
+        self.comment = ""
+        if is_rfc4716(data):
+            self.format = "RFC4716"
+            self._parse_rfc4716(data)
+        elif is_pkcs8(data):
+            self.format = "PKCS8"
+            self.is_encrypted = data.startswith(PKCS8_MARKER_START_ENCRYPTED)
+        elif is_pem(data):
+            self.format = "PEM"
+            self._parse_pem(data)
+        else:
+            raise ValueError("Unsupported private key format")
+    def _parse_rfc4716(self, data: bytes) -> None:
+        """Parse OpenSSH format SSH private keys.
+        The format:
+        "openssh-key-v1"0x00    # NULL-terminated "Auth Magic" string
+        32-bit length, "none"   # ciphername length and string
+        32-bit length, "none"   # kdfname length and string
+        32-bit length, nil      # kdf (0 length, no kdf)
+        32-bit 0x01             # number of keys, hard-coded to 1 (no length)
+        32-bit length, sshpub   # public key in ssh format
+            32-bit length, keytype
+            32-bit length, pub0
+            32-bit length, pub1
+        32-bit length for rnd+prv+comment+pad
+            64-bit dummy checksum?  # a random 32-bit int, repeated
+            32-bit length, keytype  # the private key (including public)
+            32-bit length, pub0     # Public Key parts
+            32-bit length, pub1
+            32-bit length, prv0     # Private Key parts
+            ...                     # (number varies by type)
+            32-bit length, comment  # comment string
+            padding bytes 0x010203  # pad to blocksize (see notes below)
+        Source: https://coolaj86.com/articles/the-openssh-private-key-format/
+        """
+        key_data = decode_rfc4716(data)
+        private_key = c_rfc4716.ssh_private_key(key_data)
+        # RFC4716 only supports 1 key at the moment.
+        if private_key.magic != RFC4716_MAGIC or private_key.number_of_keys != 1:
+            raise ValueError("Unexpected number of keys for RFC4716 format private key")
+        self.is_encrypted = private_key.cipher.value != RFC4716_NONE
+        self.public_key = base64.b64encode(private_key.public.value)
+        public_key_type = c_rfc4716.ssh_string(private_key.public.value)
+        self.key_type = public_key_type.value
+        if not self.is_encrypted:
+            private_key_data = private_key.private.value.rstrip(RFC4716_PADDING)
+            # We skip the two dummy uint32s at the start.
+            private_key_index = 8
+            private_key_type = c_rfc4716.ssh_string(private_key_data[private_key_index:])
+            private_key_index += 4 + private_key_type.length
+            self.key_type = private_key_type.value
+            private_key_fields = []
+            while private_key_index < len(private_key_data):
+                field = c_rfc4716.ssh_string(private_key_data[private_key_index:])
+                private_key_index += 4 + field.length
+                private_key_fields.append(field)
+            # There is always a comment present (with a length field of 0 for empty comments).
+            self.comment = private_key_fields[-1].value
+    def _parse_pem(self, data: bytes) -> None:
+        """Detect key type and encryption of PEM keys."""
+        self.is_encrypted = PEM_ENCRYPTED in data
+        if data.startswith(PEM_MARKER_START_RSA):
+            self.key_type = "ssh-rsa"
+        elif data.startswith(PEM_MARKER_START_DSA):
+            self.key_type = "ssh-dss"
+        # This is not a valid SSH key type, but we currently do not detect the specific ecdsa variant.
+        else:
+            self.key_type = "ecdsa"

{dissect.target-3.19.dev11.dist-info → dissect.target-3.19.dev12.dist-info}/METADATA RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.19.dev11
+Version: 3.19.dev12
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.19.dev11.dist-info → dissect.target-3.19.dev12.dist-info}/RECORD RENAMED Viewed

@@ -65,7 +65,6 @@ dissect/target/helpers/record.py,sha256=lWl7k2Mp9Axllm0tXzPGJx2zj2zONsyY_p5g424T
 dissect/target/helpers/record_modifier.py,sha256=3I_rC5jqvl0TsW3V8OQ6Dltz_D8J4PU1uhhzbJGKm9c,3245
 dissect/target/helpers/regutil.py,sha256=kX-sSZbW8Qkg29Dn_9zYbaQrwLumrr4Y8zJ1EhHXIAM,27337
 dissect/target/helpers/shell_folder_ids.py,sha256=Behhb8oh0kMxrEk6YYKYigCDZe8Hw5QS6iK_d2hTs2Y,24978
-dissect/target/helpers/ssh.py,sha256=obB7sqUH0IoUo78NAmHM8TX0pgA_4GHICZ3TA3TW_0E,6324
 dissect/target/helpers/targetd.py,sha256=ELhUulzQ4OgXgHsWhsLgM14vut8Wm6btr7qTynlwKaE,1812
 dissect/target/helpers/utils.py,sha256=r36Bn0UL0E6Z8ajmQrHzC6RyUxTRdwJ1PNsd904Lmzs,4027
 dissect/target/helpers/compat/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -135,10 +134,10 @@ dissect/target/plugins/apps/remoteaccess/teamviewer.py,sha256=SiEH36HM2NvdPuCjfL
 dissect/target/plugins/apps/shell/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/apps/shell/powershell.py,sha256=biPSMRWxPI6kRqP0-75yMtrw0Ti2Bzfl_xI3xbmmF48,2641
 dissect/target/plugins/apps/ssh/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-dissect/target/plugins/apps/ssh/openssh.py,sha256=yt3bX93Q9wfF25_vG9APMwfZWUUqCPyLlVJdhu20syI,7250
+dissect/target/plugins/apps/ssh/openssh.py,sha256=oaJeKmTvVMo4aePo4Ep7t0ludJPNuuokGEW07w4gAvQ,7216
 dissect/target/plugins/apps/ssh/opensshd.py,sha256=DaXKdgGF3GYHHA4buEvphcm6FF4C8YFjgD96Dv6rRnM,5510
 dissect/target/plugins/apps/ssh/putty.py,sha256=EmsXr2NbOB13-EWS5AkpEPMUhOkVl6FAy8JGUiaDhxk,10133
-dissect/target/plugins/apps/ssh/ssh.py,sha256=tTA87u0B8yY1yVCPV0VJdRUct6ggkir_pIziP-eKnVo,3009
+dissect/target/plugins/apps/ssh/ssh.py,sha256=d3U8PJbtMvOV3K0wV_9KzGt2oRs-mfNQz1_Xd6SNx0Y,9320
 dissect/target/plugins/apps/vpn/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/apps/vpn/openvpn.py,sha256=d-DGINTIHP_bvv3T09ZwbezHXGctvCyAhJ482m2_-a0,7654
 dissect/target/plugins/apps/vpn/wireguard.py,sha256=SoAMED_bwWJQ3nci5qEY-qV4wJKSSDZQ8K7DoJRYq0k,6521
@@ -345,10 +344,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=j1K1iKmspl0C_OJFc7-Q1BMWN2OCC5EVANIgVlJ_fIE,1673
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.19.dev11.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.19.dev11.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.19.dev11.dist-info/METADATA,sha256=K__-QEn5j-2bVryeNdtzhb6et_uhqklZ7KSWkBT33pM,12719
-dissect.target-3.19.dev11.dist-info/WHEEL,sha256=Wyh-_nZ0DJYolHNn1_hMa4lM7uDedD_RGVwbmTjyItk,91
-dissect.target-3.19.dev11.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
-dissect.target-3.19.dev11.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.19.dev11.dist-info/RECORD,,
+dissect.target-3.19.dev12.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.19.dev12.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.19.dev12.dist-info/METADATA,sha256=UR_OR6Mke9csuzDPtguApwOU8mClzRRkkWmmiqNv364,12719
+dissect.target-3.19.dev12.dist-info/WHEEL,sha256=Wyh-_nZ0DJYolHNn1_hMa4lM7uDedD_RGVwbmTjyItk,91
+dissect.target-3.19.dev12.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
+dissect.target-3.19.dev12.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.19.dev12.dist-info/RECORD,,

dissect/target/helpers/ssh.py DELETED Viewed

@@ -1,177 +0,0 @@
-import base64
-import binascii
-from dissect.cstruct import cstruct
-rfc4716_def = """
-struct ssh_string {
-    uint32 length;
-    char value[length];
-}
-struct ssh_private_key {
-    char magic[15];
-    ssh_string cipher;
-    ssh_string kdf_name;
-    ssh_string kdf_options;
-    uint32 number_of_keys;
-    ssh_string public;
-    ssh_string private;
-}
-"""
-c_rfc4716 = cstruct(endian=">").load(rfc4716_def)
-RFC4716_MARKER_START = b"-----BEGIN OPENSSH PRIVATE KEY-----"
-RFC4716_MARKER_END = b"-----END OPENSSH PRIVATE KEY-----"
-RFC4716_MAGIC = b"openssh-key-v1\x00"
-RFC4716_PADDING = b"\x01\x02\x03\x04\x05\x06\x07"
-RFC4716_NONE = b"none"
-PKCS8_MARKER_START = b"-----BEGIN PRIVATE KEY-----"
-PKCS8_MARKER_END = b"-----END PRIVATE KEY-----"
-PKCS8_MARKER_START_ENCRYPTED = b"-----BEGIN ENCRYPTED PRIVATE KEY-----"
-PKCS8_MARKER_END_ENCRYPTED = b"-----END ENCRYPTED PRIVATE KEY-----"
-PEM_MARKER_START_RSA = b"-----BEGIN RSA PRIVATE KEY-----"
-PEM_MARKER_END_RSA = b"-----END RSA PRIVATE KEY-----"
-PEM_MARKER_START_DSA = b"-----BEGIN DSA PRIVATE KEY-----"
-PEM_MARKER_END_DSA = b"-----END DSA PRIVATE KEY-----"
-PEM_MARKER_START_EC = b"-----BEGIN EC PRIVATE KEY-----"
-PEM_MARKER_END_EC = b"-----END EC PRIVATE KEY-----"
-PEM_ENCRYPTED = b"ENCRYPTED"
-class SSHPrivateKey:
-    """A class to parse (OpenSSH-supported) SSH private keys.
-    OpenSSH supports three types of keys:
-    * RFC4716 (default)
-    * PKCS8
-    * PEM
-    """
-    def __init__(self, data: bytes):
-        self.key_type = None
-        self.public_key = None
-        self.comment = ""
-        if is_rfc4716(data):
-            self.format = "RFC4716"
-            self._parse_rfc4716(data)
-        elif is_pkcs8(data):
-            self.format = "PKCS8"
-            self.is_encrypted = data.startswith(PKCS8_MARKER_START_ENCRYPTED)
-        elif is_pem(data):
-            self.format = "PEM"
-            self._parse_pem(data)
-        else:
-            raise ValueError("Unsupported private key format")
-    def _parse_rfc4716(self, data: bytes) -> None:
-        """Parse OpenSSH format SSH private keys.
-        The format:
-        "openssh-key-v1"0x00    # NULL-terminated "Auth Magic" string
-        32-bit length, "none"   # ciphername length and string
-        32-bit length, "none"   # kdfname length and string
-        32-bit length, nil      # kdf (0 length, no kdf)
-        32-bit 0x01             # number of keys, hard-coded to 1 (no length)
-        32-bit length, sshpub   # public key in ssh format
-            32-bit length, keytype
-            32-bit length, pub0
-            32-bit length, pub1
-        32-bit length for rnd+prv+comment+pad
-            64-bit dummy checksum?  # a random 32-bit int, repeated
-            32-bit length, keytype  # the private key (including public)
-            32-bit length, pub0     # Public Key parts
-            32-bit length, pub1
-            32-bit length, prv0     # Private Key parts
-            ...                     # (number varies by type)
-            32-bit length, comment  # comment string
-            padding bytes 0x010203  # pad to blocksize (see notes below)
-        Source: https://coolaj86.com/articles/the-openssh-private-key-format/
-        """
-        key_data = decode_rfc4716(data)
-        private_key = c_rfc4716.ssh_private_key(key_data)
-        # RFC4716 only supports 1 key at the moment.
-        if private_key.magic != RFC4716_MAGIC or private_key.number_of_keys != 1:
-            raise ValueError("Unexpected number of keys for RFC4716 format private key")
-        self.is_encrypted = private_key.cipher.value != RFC4716_NONE
-        self.public_key = base64.b64encode(private_key.public.value)
-        public_key_type = c_rfc4716.ssh_string(private_key.public.value)
-        self.key_type = public_key_type.value
-        if not self.is_encrypted:
-            private_key_data = private_key.private.value.rstrip(RFC4716_PADDING)
-            # We skip the two dummy uint32s at the start.
-            private_key_index = 8
-            private_key_type = c_rfc4716.ssh_string(private_key_data[private_key_index:])
-            private_key_index += 4 + private_key_type.length
-            self.key_type = private_key_type.value
-            private_key_fields = []
-            while private_key_index < len(private_key_data):
-                field = c_rfc4716.ssh_string(private_key_data[private_key_index:])
-                private_key_index += 4 + field.length
-                private_key_fields.append(field)
-            # There is always a comment present (with a length field of 0 for empty comments).
-            self.comment = private_key_fields[-1].value
-    def _parse_pem(self, data: bytes) -> None:
-        """Detect key type and encryption of PEM keys."""
-        self.is_encrypted = PEM_ENCRYPTED in data
-        if data.startswith(PEM_MARKER_START_RSA):
-            self.key_type = "ssh-rsa"
-        elif data.startswith(PEM_MARKER_START_DSA):
-            self.key_type = "ssh-dss"
-        # This is not a valid SSH key type, but we currently do not detect the specific ecdsa variant.
-        else:
-            self.key_type = "ecdsa"
-def is_rfc4716(data: bytes) -> bool:
-    """Validate data is a valid looking SSH private key in the OpenSSH format."""
-    return data.startswith(RFC4716_MARKER_START) and data.endswith(RFC4716_MARKER_END)
-def decode_rfc4716(data: bytes) -> bytes:
-    """Base64 decode the private key data."""
-    encoded_key_data = data.removeprefix(RFC4716_MARKER_START).removesuffix(RFC4716_MARKER_END)
-    try:
-        return base64.b64decode(encoded_key_data)
-    except binascii.Error:
-        raise ValueError("Error decoding RFC4716 key data")
-def is_pkcs8(data: bytes) -> bool:
-    """Validate data is a valid looking PKCS8 SSH private key."""
-    return (data.startswith(PKCS8_MARKER_START) and data.endswith(PKCS8_MARKER_END)) or (
-        data.startswith(PKCS8_MARKER_START_ENCRYPTED) and data.endswith(PKCS8_MARKER_END_ENCRYPTED)
-    )
-def is_pem(data: bytes) -> bool:
-    """Validate data is a valid looking PEM SSH private key."""
-    return (
-        (data.startswith(PEM_MARKER_START_RSA) and data.endswith(PEM_MARKER_END_RSA))
-        or (data.startswith(PEM_MARKER_START_DSA) and data.endswith(PEM_MARKER_END_DSA))
-        or (data.startswith(PEM_MARKER_START_EC) and data.endswith(PEM_MARKER_END_EC))
-    )

{dissect.target-3.19.dev11.dist-info → dissect.target-3.19.dev12.dist-info}/COPYRIGHT RENAMED Viewed

File without changes

{dissect.target-3.19.dev11.dist-info → dissect.target-3.19.dev12.dist-info}/LICENSE RENAMED Viewed

File without changes

{dissect.target-3.19.dev11.dist-info → dissect.target-3.19.dev12.dist-info}/WHEEL RENAMED Viewed

File without changes

{dissect.target-3.19.dev11.dist-info → dissect.target-3.19.dev12.dist-info}/entry_points.txt RENAMED Viewed

File without changes

{dissect.target-3.19.dev11.dist-info → dissect.target-3.19.dev12.dist-info}/top_level.txt RENAMED Viewed

File without changes

dissect.target 3.19.dev11__py3-none-any.whl → 3.19.dev12__py3-none-any.whl

dissect.target 3.19.dev11py3-none-any.whl → 3.19.dev12py3-none-any.whl