go.crypto/ssh: introduce PublicKey interface type.
Public functions affected:
-AgentKey.Key
-AgentClient.SignRequest
-ClientKeyring.Key
-MarshalPublicKey
-ParsePublicKey
R=agl, jpsugar, jmpittman
CC=golang-dev
https://golang.org/cl/13642043
diff --git a/ssh/keys.go b/ssh/keys.go
index 1dd6856..c135d3a 100644
--- a/ssh/keys.go
+++ b/ssh/keys.go
@@ -6,6 +6,7 @@
import (
"bytes"
+ "crypto"
"crypto/dsa"
"crypto/ecdsa"
"crypto/elliptic"
@@ -25,7 +26,7 @@
)
// parsePubKey parses a public key according to RFC 4253, section 6.6.
-func parsePubKey(in []byte) (out interface{}, rest []byte, ok bool) {
+func parsePubKey(in []byte) (pubKey PublicKey, rest []byte, ok bool) {
algo, in, ok := parseString(in)
if !ok {
return
@@ -41,141 +42,7 @@
case CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01, CertAlgoECDSA384v01, CertAlgoECDSA521v01:
return parseOpenSSHCertV01(in, string(algo))
}
- panic("ssh: unknown public key type")
-}
-
-// parseRSA parses an RSA key according to RFC 4253, section 6.6.
-func parseRSA(in []byte) (out *rsa.PublicKey, rest []byte, ok bool) {
- key := new(rsa.PublicKey)
-
- bigE, in, ok := parseInt(in)
- if !ok || bigE.BitLen() > 24 {
- return
- }
- e := bigE.Int64()
- if e < 3 || e&1 == 0 {
- ok = false
- return
- }
- key.E = int(e)
-
- if key.N, in, ok = parseInt(in); !ok {
- return
- }
-
- ok = true
- return key, in, ok
-}
-
-// parseDSA parses an DSA key according to RFC 4253, section 6.6.
-func parseDSA(in []byte) (out *dsa.PublicKey, rest []byte, ok bool) {
- key := new(dsa.PublicKey)
-
- if key.P, in, ok = parseInt(in); !ok {
- return
- }
-
- if key.Q, in, ok = parseInt(in); !ok {
- return
- }
-
- if key.G, in, ok = parseInt(in); !ok {
- return
- }
-
- if key.Y, in, ok = parseInt(in); !ok {
- return
- }
-
- ok = true
- return key, in, ok
-}
-
-// parseECDSA parses an ECDSA key according to RFC 5656, section 3.1.
-func parseECDSA(in []byte) (out *ecdsa.PublicKey, rest []byte, ok bool) {
- var identifier []byte
- if identifier, in, ok = parseString(in); !ok {
- return
- }
-
- key := new(ecdsa.PublicKey)
-
- switch string(identifier) {
- case "nistp256":
- key.Curve = elliptic.P256()
- case "nistp384":
- key.Curve = elliptic.P384()
- case "nistp521":
- key.Curve = elliptic.P521()
- default:
- ok = false
- return
- }
-
- var keyBytes []byte
- if keyBytes, in, ok = parseString(in); !ok {
- return
- }
-
- key.X, key.Y = elliptic.Unmarshal(key.Curve, keyBytes)
- if key.X == nil || key.Y == nil {
- ok = false
- return
- }
- return key, in, ok
-}
-
-// marshalPubRSA serializes an RSA public key according to RFC 4253, section 6.6.
-func marshalPubRSA(key *rsa.PublicKey) []byte {
- e := new(big.Int).SetInt64(int64(key.E))
- length := intLength(e)
- length += intLength(key.N)
-
- ret := make([]byte, length)
- r := marshalInt(ret, e)
- r = marshalInt(r, key.N)
-
- return ret
-}
-
-// marshalPubDSA serializes an DSA public key according to RFC 4253, section 6.6.
-func marshalPubDSA(key *dsa.PublicKey) []byte {
- length := intLength(key.P)
- length += intLength(key.Q)
- length += intLength(key.G)
- length += intLength(key.Y)
-
- ret := make([]byte, length)
- r := marshalInt(ret, key.P)
- r = marshalInt(r, key.Q)
- r = marshalInt(r, key.G)
- r = marshalInt(r, key.Y)
-
- return ret
-}
-
-// marshalPubECDSA serializes an ECDSA public key according to RFC 5656, section 3.1.
-func marshalPubECDSA(key *ecdsa.PublicKey) []byte {
- var identifier []byte
- switch key.Params().BitSize {
- case 256:
- identifier = []byte("nistp256")
- case 384:
- identifier = []byte("nistp384")
- case 521:
- identifier = []byte("nistp521")
- default:
- panic("ssh: unsupported ecdsa key size")
- }
- keyBytes := elliptic.Marshal(key.Curve, key.X, key.Y)
-
- length := stringLength(len(identifier))
- length += stringLength(len(keyBytes))
-
- ret := make([]byte, length)
- r := marshalString(ret, identifier)
- r = marshalString(r, keyBytes)
- return ret
+ return nil, nil, false
}
// parseAuthorizedKey parses a public key in OpenSSH authorized_keys format
@@ -307,28 +174,297 @@
// ParsePublicKey parses an SSH public key formatted for use in
// the SSH wire protocol.
-func ParsePublicKey(in []byte) (out interface{}, rest []byte, ok bool) {
+func ParsePublicKey(in []byte) (out PublicKey, rest []byte, ok bool) {
return parsePubKey(in)
}
// MarshalAuthorizedKey returns a byte stream suitable for inclusion
// in an OpenSSH authorized_keys file following the format specified
// in the sshd(8) manual page.
-func MarshalAuthorizedKey(key interface{}) []byte {
+func MarshalAuthorizedKey(key PublicKey) []byte {
b := &bytes.Buffer{}
- b.WriteString(algoName(key))
+ b.WriteString(key.PublicKeyAlgo())
b.WriteByte(' ')
e := base64.NewEncoder(base64.StdEncoding, b)
- e.Write(serializePublicKey(key))
+ e.Write(MarshalPublicKey(key))
e.Close()
b.WriteByte('\n')
return b.Bytes()
}
-// MarshalPublicKey serializes a supported key or certificate for use by the
-// SSH wire protocol. It can be used for comparison with the pubkey argument
-// of ServerConfig's PublicKeyCallback as well as for generating an
-// authorized_keys or host_keys file.
-func MarshalPublicKey(key interface{}) []byte {
- return serializePublicKey(key)
+// PublicKey is an abstraction of different types of public keys.
+type PublicKey interface {
+ // PrivateKeyAlgo returns the name of the encryption system.
+ PrivateKeyAlgo() string
+
+ // PublicKeyAlgo returns the algorithm for the public key,
+ // which may be different from PrivateKeyAlgo for certificates.
+ PublicKeyAlgo() string
+
+ // Marshal returns the serialized key data in SSH wire format,
+ // without the name prefix. Callers should typically use
+ // MarshalPublicKey().
+ Marshal() []byte
+
+ // Verify that sig is a signature on the given data using this
+ // key. This function will hash the data appropriately first.
+ Verify(data []byte, sigBlob []byte) bool
+
+ // RawKey returns the underlying object, eg. *rsa.PublicKey.
+ RawKey() interface{}
+}
+
+// TODO(hanwen): define PrivateKey too.
+
+type rsaPublicKey rsa.PublicKey
+
+func (r *rsaPublicKey) PrivateKeyAlgo() string {
+ return "ssh-rsa"
+}
+
+func (r *rsaPublicKey) PublicKeyAlgo() string {
+ return "ssh-rsa"
+}
+
+func (r *rsaPublicKey) RawKey() interface{} {
+ return (*rsa.PublicKey)(r)
+}
+
+// parseRSA parses an RSA key according to RFC 4253, section 6.6.
+func parseRSA(in []byte) (out PublicKey, rest []byte, ok bool) {
+ key := new(rsa.PublicKey)
+
+ bigE, in, ok := parseInt(in)
+ if !ok || bigE.BitLen() > 24 {
+ return
+ }
+ e := bigE.Int64()
+ if e < 3 || e&1 == 0 {
+ ok = false
+ return
+ }
+ key.E = int(e)
+
+ if key.N, in, ok = parseInt(in); !ok {
+ return
+ }
+
+ ok = true
+ return NewRSAPublicKey(key), in, ok
+}
+
+func (r *rsaPublicKey) Marshal() []byte {
+ // See RFC 4253, section 6.6.
+ e := new(big.Int).SetInt64(int64(r.E))
+ length := intLength(e)
+ length += intLength(r.N)
+
+ ret := make([]byte, length)
+ rest := marshalInt(ret, e)
+ marshalInt(rest, r.N)
+
+ return ret
+}
+
+func (r *rsaPublicKey) Verify(data []byte, sig []byte) bool {
+ h := crypto.SHA1.New()
+ h.Write(data)
+ digest := h.Sum(nil)
+ return rsa.VerifyPKCS1v15((*rsa.PublicKey)(r), crypto.SHA1, digest, sig) == nil
+}
+
+func NewRSAPublicKey(k *rsa.PublicKey) PublicKey {
+ return (*rsaPublicKey)(k)
+}
+
+type dsaPublicKey dsa.PublicKey
+
+func (r *dsaPublicKey) PrivateKeyAlgo() string {
+ return "ssh-dss"
+}
+func (r *dsaPublicKey) PublicKeyAlgo() string {
+ return "ssh-dss"
+}
+func (r *dsaPublicKey) RawKey() interface{} {
+ return (*dsa.PublicKey)(r)
+}
+
+// parseDSA parses an DSA key according to RFC 4253, section 6.6.
+func parseDSA(in []byte) (out PublicKey, rest []byte, ok bool) {
+ key := new(dsa.PublicKey)
+
+ if key.P, in, ok = parseInt(in); !ok {
+ return
+ }
+
+ if key.Q, in, ok = parseInt(in); !ok {
+ return
+ }
+
+ if key.G, in, ok = parseInt(in); !ok {
+ return
+ }
+
+ if key.Y, in, ok = parseInt(in); !ok {
+ return
+ }
+
+ ok = true
+ return NewDSAPublicKey(key), in, ok
+}
+
+func (r *dsaPublicKey) Marshal() []byte {
+ // See RFC 4253, section 6.6.
+ length := intLength(r.P)
+ length += intLength(r.Q)
+ length += intLength(r.G)
+ length += intLength(r.Y)
+
+ ret := make([]byte, length)
+ rest := marshalInt(ret, r.P)
+ rest = marshalInt(rest, r.Q)
+ rest = marshalInt(rest, r.G)
+ marshalInt(rest, r.Y)
+
+ return ret
+}
+
+func (k *dsaPublicKey) Verify(data []byte, sigBlob []byte) bool {
+ h := crypto.SHA1.New()
+ h.Write(data)
+ digest := h.Sum(nil)
+
+ // Per RFC 4253, section 6.6,
+ // The value for 'dss_signature_blob' is encoded as a string containing
+ // r, followed by s (which are 160-bit integers, without lengths or
+ // padding, unsigned, and in network byte order).
+ // For DSS purposes, sig.Blob should be exactly 40 bytes in length.
+ if len(sigBlob) != 40 {
+ return false
+ }
+ r := new(big.Int).SetBytes(sigBlob[:20])
+ s := new(big.Int).SetBytes(sigBlob[20:])
+ return dsa.Verify((*dsa.PublicKey)(k), digest, r, s)
+}
+
+func NewDSAPublicKey(k *dsa.PublicKey) PublicKey {
+ return (*dsaPublicKey)(k)
+}
+
+type ecdsaPublicKey ecdsa.PublicKey
+
+func NewECDSAPublicKey(k *ecdsa.PublicKey) PublicKey {
+ return (*ecdsaPublicKey)(k)
+}
+func (r *ecdsaPublicKey) RawKey() interface{} {
+ return (*ecdsa.PublicKey)(r)
+}
+
+func (key *ecdsaPublicKey) PrivateKeyAlgo() string {
+ return "ecdh-sha2-" + key.nistID()
+}
+
+func (key *ecdsaPublicKey) nistID() string {
+ switch key.Params().BitSize {
+ case 256:
+ return "nistp256"
+ case 384:
+ return "nistp384"
+ case 521:
+ return "nistp521"
+ }
+ panic("ssh: unsupported ecdsa key size")
+}
+
+// RFC 5656, section 6.2.1 (for ECDSA).
+func (key *ecdsaPublicKey) hash() crypto.Hash {
+ switch key.Params().BitSize {
+ case 256:
+ return crypto.SHA256
+ case 384:
+ return crypto.SHA384
+ case 521:
+ return crypto.SHA512
+ }
+ panic("ssh: unsupported ecdsa key size")
+}
+
+func (key *ecdsaPublicKey) PublicKeyAlgo() string {
+ switch key.Params().BitSize {
+ case 256:
+ return KeyAlgoECDSA256
+ case 384:
+ return KeyAlgoECDSA384
+ case 521:
+ return KeyAlgoECDSA521
+ }
+ panic("ssh: unsupported ecdsa key size")
+}
+
+// parseECDSA parses an ECDSA key according to RFC 5656, section 3.1.
+func parseECDSA(in []byte) (out PublicKey, rest []byte, ok bool) {
+ var identifier []byte
+ if identifier, in, ok = parseString(in); !ok {
+ return
+ }
+
+ key := new(ecdsa.PublicKey)
+
+ switch string(identifier) {
+ case "nistp256":
+ key.Curve = elliptic.P256()
+ case "nistp384":
+ key.Curve = elliptic.P384()
+ case "nistp521":
+ key.Curve = elliptic.P521()
+ default:
+ ok = false
+ return
+ }
+
+ var keyBytes []byte
+ if keyBytes, in, ok = parseString(in); !ok {
+ return
+ }
+
+ key.X, key.Y = elliptic.Unmarshal(key.Curve, keyBytes)
+ if key.X == nil || key.Y == nil {
+ ok = false
+ return
+ }
+ return NewECDSAPublicKey(key), in, ok
+}
+
+func (key *ecdsaPublicKey) Marshal() []byte {
+ // See RFC 5656, section 3.1.
+ keyBytes := elliptic.Marshal(key.Curve, key.X, key.Y)
+
+ ID := key.nistID()
+ length := stringLength(len(ID))
+ length += stringLength(len(keyBytes))
+
+ ret := make([]byte, length)
+ r := marshalString(ret, []byte(ID))
+ r = marshalString(r, keyBytes)
+ return ret
+}
+
+func (key *ecdsaPublicKey) Verify(data []byte, sigBlob []byte) bool {
+ h := key.hash().New()
+ h.Write(data)
+ digest := h.Sum(nil)
+
+ // Per RFC 5656, section 3.1.2,
+ // The ecdsa_signature_blob value has the following specific encoding:
+ // mpint r
+ // mpint s
+ r, rest, ok := parseInt(sigBlob)
+ if !ok {
+ return false
+ }
+ s, rest, ok := parseInt(rest)
+ if !ok || len(rest) > 0 {
+ return false
+ }
+ return ecdsa.Verify((*ecdsa.PublicKey)(key), digest, r, s)
}
