-
Notifications
You must be signed in to change notification settings - Fork 141
Add support for SSH certificates #137
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
TimWolla
wants to merge
4
commits into
mscdex:master
Choose a base branch
from
TimWolla:ssh-certificate
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
4 commits
Select commit
Hold shift + click to select a range
8cda5c6
SSH2Stream: authPK: Rename algoLen to pubKeyTypeLen
TimWolla 88943e6
SSH2Stream: authPK: Add new signatureType variable
TimWolla a7abff5
SSH2Stream: convertSignature: Convert the key type as well
TimWolla 447a0c6
keyParser: Properly parse ssh certificates
TimWolla File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -1580,19 +1580,19 @@ SSH2Stream.prototype.authPK = function(username, pubKey, cbSign) { | |
|
|
||
| var self = this; | ||
| var outstate = this._state.outgoing; | ||
| var keyType; | ||
| var pubKeyType; | ||
|
|
||
| if (typeof pubKey.getPublicSSH === 'function') { | ||
| keyType = pubKey.type; | ||
| pubKeyType = pubKey.type; | ||
| pubKey = pubKey.getPublicSSH(); | ||
| } else { | ||
| keyType = pubKey.toString('ascii', | ||
| pubKeyType = pubKey.toString('ascii', | ||
| 4, | ||
| 4 + readUInt32BE(pubKey, 0)); | ||
| } | ||
|
|
||
| var userLen = Buffer.byteLength(username); | ||
| var algoLen = Buffer.byteLength(keyType); | ||
| var pubKeyTypeLen = Buffer.byteLength(pubKeyType); | ||
| var pubKeyLen = pubKey.length; | ||
| var sesLen = outstate.sessionId.length; | ||
| var p = 0; | ||
|
|
@@ -1602,7 +1602,7 @@ SSH2Stream.prototype.authPK = function(username, pubKey, cbSign) { | |
| + 4 + 14 // "ssh-connection" | ||
| + 4 + 9 // "publickey" | ||
| + 1 | ||
| + 4 + algoLen | ||
| + 4 + pubKeyTypeLen | ||
| + 4 + pubKeyLen | ||
| ); | ||
|
|
||
|
|
@@ -1625,10 +1625,10 @@ SSH2Stream.prototype.authPK = function(username, pubKey, cbSign) { | |
|
|
||
| buf[p += 9] = (cbSign ? 1 : 0); | ||
|
|
||
| writeUInt32BE(buf, algoLen, ++p); | ||
| buf.write(keyType, p += 4, algoLen, 'ascii'); | ||
| writeUInt32BE(buf, pubKeyTypeLen, ++p); | ||
| buf.write(pubKeyType, p += 4, pubKeyTypeLen, 'ascii'); | ||
|
|
||
| writeUInt32BE(buf, pubKeyLen, p += algoLen); | ||
| writeUInt32BE(buf, pubKeyLen, p += pubKeyTypeLen); | ||
| pubKey.copy(buf, p += 4); | ||
|
|
||
| if (!cbSign) { | ||
|
|
@@ -1638,20 +1638,24 @@ SSH2Stream.prototype.authPK = function(username, pubKey, cbSign) { | |
| } | ||
|
|
||
| cbSign(buf, function(signature) { | ||
| signature = convertSignature(signature, keyType); | ||
| if (signature === false) | ||
| var converted = convertSignature(signature, pubKeyType); | ||
|
|
||
| if (converted === false) | ||
| throw new Error('Error while converting handshake signature'); | ||
| signature = converted.signature; | ||
| var signatureType = converted.keyType; | ||
| var signatureTypeLen = Buffer.byteLength(signatureType); | ||
|
|
||
| var sigLen = signature.length; | ||
| var sigbuf = Buffer.allocUnsafe(1 | ||
| + 4 + userLen | ||
| + 4 + 14 // "ssh-connection" | ||
| + 4 + 9 // "publickey" | ||
| + 1 | ||
| + 4 + algoLen | ||
| + 4 + pubKeyTypeLen | ||
| + 4 + pubKeyLen | ||
| + 4 // 4 + algoLen + 4 + sigLen | ||
| + 4 + algoLen | ||
| + 4 // 4 + signatureTypeLen + 4 + sigLen | ||
| + 4 + signatureTypeLen | ||
| + 4 + sigLen); | ||
|
|
||
| p = 0; | ||
|
|
@@ -1669,15 +1673,15 @@ SSH2Stream.prototype.authPK = function(username, pubKey, cbSign) { | |
|
|
||
| sigbuf[p += 9] = 1; | ||
|
|
||
| writeUInt32BE(sigbuf, algoLen, ++p); | ||
| sigbuf.write(keyType, p += 4, algoLen, 'ascii'); | ||
| writeUInt32BE(sigbuf, pubKeyTypeLen, ++p); | ||
| sigbuf.write(pubKeyType, p += 4, pubKeyTypeLen, 'ascii'); | ||
|
|
||
| writeUInt32BE(sigbuf, pubKeyLen, p += algoLen); | ||
| writeUInt32BE(sigbuf, pubKeyLen, p += pubKeyTypeLen); | ||
| pubKey.copy(sigbuf, p += 4); | ||
| writeUInt32BE(sigbuf, 4 + algoLen + 4 + sigLen, p += pubKeyLen); | ||
| writeUInt32BE(sigbuf, algoLen, p += 4); | ||
| sigbuf.write(keyType, p += 4, algoLen, 'ascii'); | ||
| writeUInt32BE(sigbuf, sigLen, p += algoLen); | ||
| writeUInt32BE(sigbuf, 4 + signatureTypeLen + 4 + sigLen, p += pubKeyLen); | ||
| writeUInt32BE(sigbuf, signatureTypeLen, p += 4); | ||
| sigbuf.write(signatureType, p += 4, signatureTypeLen, 'ascii'); | ||
| writeUInt32BE(sigbuf, sigLen, p += signatureTypeLen); | ||
| signature.copy(sigbuf, p += 4); | ||
|
|
||
| // Servers shouldn't send packet type 60 in response to signed publickey | ||
|
|
@@ -1753,10 +1757,11 @@ SSH2Stream.prototype.authHostbased = function(username, pubKey, hostname, | |
| buf.write(userlocal, p += 4, userlocalLen, 'utf8'); | ||
|
|
||
| cbSign(buf, function(signature) { | ||
| signature = convertSignature(signature, keyType); | ||
| var converted = convertSignature(signature, keyType); | ||
| if (signature === false) | ||
| throw new Error('Error while converting handshake signature'); | ||
|
|
||
| signature = converted.signature; | ||
| var sigLen = signature.length; | ||
| var sigbuf = Buffer.allocUnsafe((buf.length - sesLen) + sigLen); | ||
|
|
||
|
|
@@ -5000,14 +5005,16 @@ function KEXDH_REPLY(self, e) { // Server | |
| return false; | ||
| } | ||
|
|
||
| signature = convertSignature(signature, hostkeyAlgo); | ||
| var converted = convertSignature(signature, hostkeyAlgo); | ||
| if (signature === false) { | ||
| signature.message = 'Error while converting handshake signature'; | ||
| signature.level = 'handshake'; | ||
| self.emit('error', signature); | ||
| self.disconnect(DISCONNECT_REASON.KEY_EXCHANGE_FAILED); | ||
| return false; | ||
| } | ||
| signature = converted.signature; | ||
| hostKeyAlgo = converted.keyType; | ||
|
|
||
| /* | ||
| byte SSH_MSG_KEXDH_REPLY | ||
|
|
@@ -5250,16 +5257,35 @@ function tryComputeSecret(dh, e) { | |
| } | ||
|
|
||
| function convertSignature(signature, keyType) { | ||
| switch (keyType) { | ||
| case '[email protected]': | ||
| case '[email protected]': | ||
| case 'ecdsa-sha2-nistp256': | ||
| case '[email protected]': | ||
| case '[email protected]': | ||
| case '[email protected]': | ||
| keyType = keyType.replace(/[email protected]$/, ''); | ||
| } | ||
|
|
||
| switch (keyType) { | ||
| case 'ssh-dss': | ||
| return DSASigBERToBare(signature); | ||
| signature = DSASigBERToBare(signature); | ||
| break; | ||
| case 'ecdsa-sha2-nistp256': | ||
| case 'ecdsa-sha2-nistp384': | ||
| case 'ecdsa-sha2-nistp521': | ||
| return ECDSASigASN1ToSSH(signature); | ||
| signature = ECDSASigASN1ToSSH(signature); | ||
| break; | ||
| } | ||
|
|
||
| return signature; | ||
| if (signature === false) { | ||
| return false; | ||
| } | ||
|
|
||
| return { | ||
| signature: signature, | ||
| keyType: keyType | ||
| } | ||
| } | ||
|
|
||
| var timingSafeEqual = (function() { | ||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| [email protected] AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgz5fIcgoIkQsJZQDfctoMKo7Iq/3X0DMXdPjncT7qzAAAAAADAQABAAABAQC23GMXX23QWyEy0GLUvR4fIXhyxqyfFfoJG/bBIi4br8CTkvAqkt6dMuOHOPKRlDwrMjcM0fIuSm87LDrZ1at1z0xtuVjHBoBXfp1FyGfKc2qFtqVnIX6pq2PFoVf8dcL/xR/OP9VMqx6O+PMv/jEXkENw6hEy0PtXuwYDg9VLI04QDtrx6v44BUbUvu8Qq9f8G5zcFBxMr8BdaPP6sdyWGVk05MRa7j+uC5zS3KS8dGV0PIOEeUmcVuhJsRRSVgBzzUq2mA1doui3GWA7vMQOyn4x89fMi3gXfjM8XMZA7Kc/35Nc0GxqtTYQT8G/axp2WdA7vyI1uz+4lk29ITW/AAAAAAAAAAAAAAABAAAAFHNzaDItc3RyZWFtcy1maXh0dXJlAAAAAAAAAABdNHdgAAAAAF00hcAAAAAdAAAADWZvcmNlLWNvbW1hbmQAAAAIAAAABGxzIC8AAAAdAAAAFXBlcm1pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAAAAABFwAAAAdzc2gtcnNhAAAAAwEAAQAAAQEAqQ9PJtVu1y4XS8SvQnmV5va1RtiaSrcPdAcT7PE93lQMLpvsx2qDHSRy8KfqD2rZO9IjU8H6fEqKJEcuLkt+sECk3UlHLFgxhD7MYYW0KFpxfzoE8h5W/8qppXkqIu8uzwn3/+DcgTx2Ce6XN8B/yXBT1kFpnmpiRnyXS8CVKX0HMVYpdlsfUexy3BtXIphSUJsyYGs/1SUuybO0mYPguoYORtp0Od0/vScFgz/h6rzQtJgMsDns+XG4EoRmt1JMzdbBVEC/f154RCBqV2w1CGYlZ09nqOExZTEwGKktAImYn3LElqEcjzWf0PSBJ7awNVF/bGwMO+kQRJCfeKGlFwAAAQ8AAAAHc3NoLXJzYQAAAQCDThDHnBzeoEIlMYr7vzhl8hC7AxiXlsuLathqkYzn7H0AU5eGspfvJysV38vnXt/21TzFBorQ66be8cc/YHLfAaJqdpZEJWsxxqSRkVmAkpzaVN8k9OcVx9BqBS2VFwuanDoAw5JM2NEeZ6byQGd0cgWJcdGZ1K/EXzhYXCFcMPe1ye2Y2mdViDH+mellwuSw+H6Uq+UQbpbHf9fyJjReJ4Pu8C7PRMlD0JaZCFTKi58QlQcneOaQuVrtvZ4wDmvgLtWl+Zsqt9lUTpXZjwazXYDr8zyJ0cU+HMMVZ4E5StOKzTGg91jcOuChhZvkVOeJ2B4+KAsL2X9pu51iJj9h ssh certificate |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| { | ||
| "type": "[email protected]", | ||
| "comment": "ssh certificate", | ||
| "public": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAttxjF19t0FshMtBi1L0e\nHyF4csasnxX6CRv2wSIuG6/Ak5LwKpLenTLjhzjykZQ8KzI3DNHyLkpvOyw62dWr\ndc9MbblYxwaAV36dRchnynNqhbalZyF+qatjxaFX/HXC/8Ufzj/VTKsejvjzL/4x\nF5BDcOoRMtD7V7sGA4PVSyNOEA7a8er+OAVG1L7vEKvX/Buc3BQcTK/AXWjz+rHc\nlhlZNOTEWu4/rguc0tykvHRldDyDhHlJnFboSbEUUlYAc81KtpgNXaLotxlgO7zE\nDsp+MfPXzIt4F34zPFzGQOynP9+TXNBsarU2EE/Bv2sadlnQO78iNbs/uJZNvSE1\nvwIDAQAB\n-----END PUBLIC KEY-----", | ||
| "publicSSH": "AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgz5fIcgoIkQsJZQDfctoMKo7Iq/3X0DMXdPjncT7qzAAAAAADAQABAAABAQC23GMXX23QWyEy0GLUvR4fIXhyxqyfFfoJG/bBIi4br8CTkvAqkt6dMuOHOPKRlDwrMjcM0fIuSm87LDrZ1at1z0xtuVjHBoBXfp1FyGfKc2qFtqVnIX6pq2PFoVf8dcL/xR/OP9VMqx6O+PMv/jEXkENw6hEy0PtXuwYDg9VLI04QDtrx6v44BUbUvu8Qq9f8G5zcFBxMr8BdaPP6sdyWGVk05MRa7j+uC5zS3KS8dGV0PIOEeUmcVuhJsRRSVgBzzUq2mA1doui3GWA7vMQOyn4x89fMi3gXfjM8XMZA7Kc/35Nc0GxqtTYQT8G/axp2WdA7vyI1uz+4lk29ITW/AAAAAAAAAAAAAAABAAAAFHNzaDItc3RyZWFtcy1maXh0dXJlAAAAAAAAAABdNHdgAAAAAF00hcAAAAAdAAAADWZvcmNlLWNvbW1hbmQAAAAIAAAABGxzIC8AAAAdAAAAFXBlcm1pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAAAAABFwAAAAdzc2gtcnNhAAAAAwEAAQAAAQEAqQ9PJtVu1y4XS8SvQnmV5va1RtiaSrcPdAcT7PE93lQMLpvsx2qDHSRy8KfqD2rZO9IjU8H6fEqKJEcuLkt+sECk3UlHLFgxhD7MYYW0KFpxfzoE8h5W/8qppXkqIu8uzwn3/+DcgTx2Ce6XN8B/yXBT1kFpnmpiRnyXS8CVKX0HMVYpdlsfUexy3BtXIphSUJsyYGs/1SUuybO0mYPguoYORtp0Od0/vScFgz/h6rzQtJgMsDns+XG4EoRmt1JMzdbBVEC/f154RCBqV2w1CGYlZ09nqOExZTEwGKktAImYn3LElqEcjzWf0PSBJ7awNVF/bGwMO+kQRJCfeKGlFwAAAQ8AAAAHc3NoLXJzYQAAAQCDThDHnBzeoEIlMYr7vzhl8hC7AxiXlsuLathqkYzn7H0AU5eGspfvJysV38vnXt/21TzFBorQ66be8cc/YHLfAaJqdpZEJWsxxqSRkVmAkpzaVN8k9OcVx9BqBS2VFwuanDoAw5JM2NEeZ6byQGd0cgWJcdGZ1K/EXzhYXCFcMPe1ye2Y2mdViDH+mellwuSw+H6Uq+UQbpbHf9fyJjReJ4Pu8C7PRMlD0JaZCFTKi58QlQcneOaQuVrtvZ4wDmvgLtWl+Zsqt9lUTpXZjwazXYDr8zyJ0cU+HMMVZ4E5StOKzTGg91jcOuChhZvkVOeJ2B4+KAsL2X9pu51iJj9h", | ||
| "private": null | ||
| } |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd suggest this entire
switchstatement is unnecessary and you could just perform thereplaceblind. But this particularcasestatement seems redundant as it doesn't end in the appropriate string to qualify for the replace call?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In fact the two cases below are also identical. These should've been
[email protected],[email protected], and[email protected].Not going to fix it, because this PR realistically is not going to be merged due to the planned rewrite of this library.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are this issues the same in mscdex/ssh2#808 (which also "primarily awaits an updated PR")?