| // Copyright 2012 The Go Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style |
| // license that can be found in the LICENSE file. |
| |
| package ssh |
| |
| import ( |
| "bytes" |
| "errors" |
| "fmt" |
| "io" |
| "net" |
| "sort" |
| "time" |
| ) |
| |
| // Certificate algorithm names from [PROTOCOL.certkeys]. These values can appear |
| // in Certificate.Type, PublicKey.Type, and ClientConfig.HostKeyAlgorithms. |
| // Unlike key algorithm names, these are not passed to AlgorithmSigner and don't |
| // appear in the Signature.Format field. |
| const ( |
| CertAlgoRSAv01 = "ssh-rsa-cert-v01@openssh.com" |
| CertAlgoDSAv01 = "ssh-dss-cert-v01@openssh.com" |
| CertAlgoECDSA256v01 = "ecdsa-sha2-nistp256-cert-v01@openssh.com" |
| CertAlgoECDSA384v01 = "ecdsa-sha2-nistp384-cert-v01@openssh.com" |
| CertAlgoECDSA521v01 = "ecdsa-sha2-nistp521-cert-v01@openssh.com" |
| CertAlgoSKECDSA256v01 = "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com" |
| CertAlgoED25519v01 = "ssh-ed25519-cert-v01@openssh.com" |
| CertAlgoSKED25519v01 = "sk-ssh-ed25519-cert-v01@openssh.com" |
| |
| // CertAlgoRSASHA256v01 and CertAlgoRSASHA512v01 can't appear as a |
| // Certificate.Type (or PublicKey.Type), but only in |
| // ClientConfig.HostKeyAlgorithms. |
| CertAlgoRSASHA256v01 = "rsa-sha2-256-cert-v01@openssh.com" |
| CertAlgoRSASHA512v01 = "rsa-sha2-512-cert-v01@openssh.com" |
| ) |
| |
| const ( |
| // Deprecated: use CertAlgoRSAv01. |
| CertSigAlgoRSAv01 = CertAlgoRSAv01 |
| // Deprecated: use CertAlgoRSASHA256v01. |
| CertSigAlgoRSASHA2256v01 = CertAlgoRSASHA256v01 |
| // Deprecated: use CertAlgoRSASHA512v01. |
| CertSigAlgoRSASHA2512v01 = CertAlgoRSASHA512v01 |
| ) |
| |
| // Certificate types distinguish between host and user |
| // certificates. The values can be set in the CertType field of |
| // Certificate. |
| const ( |
| UserCert = 1 |
| HostCert = 2 |
| ) |
| |
| // Signature represents a cryptographic signature. |
| type Signature struct { |
| Format string |
| Blob []byte |
| Rest []byte `ssh:"rest"` |
| } |
| |
| // CertTimeInfinity can be used for OpenSSHCertV01.ValidBefore to indicate that |
| // a certificate does not expire. |
| const CertTimeInfinity = 1<<64 - 1 |
| |
| // An Certificate represents an OpenSSH certificate as defined in |
| // [PROTOCOL.certkeys]?rev=1.8. The Certificate type implements the |
| // PublicKey interface, so it can be unmarshaled using |
| // ParsePublicKey. |
| type Certificate struct { |
| Nonce []byte |
| Key PublicKey |
| Serial uint64 |
| CertType uint32 |
| KeyId string |
| ValidPrincipals []string |
| ValidAfter uint64 |
| ValidBefore uint64 |
| Permissions |
| Reserved []byte |
| SignatureKey PublicKey |
| Signature *Signature |
| } |
| |
| // genericCertData holds the key-independent part of the certificate data. |
| // Overall, certificates contain an nonce, public key fields and |
| // key-independent fields. |
| type genericCertData struct { |
| Serial uint64 |
| CertType uint32 |
| KeyId string |
| ValidPrincipals []byte |
| ValidAfter uint64 |
| ValidBefore uint64 |
| CriticalOptions []byte |
| Extensions []byte |
| Reserved []byte |
| SignatureKey []byte |
| Signature []byte |
| } |
| |
| func marshalStringList(namelist []string) []byte { |
| var to []byte |
| for _, name := range namelist { |
| s := struct{ N string }{name} |
| to = append(to, Marshal(&s)...) |
| } |
| return to |
| } |
| |
| type optionsTuple struct { |
| Key string |
| Value []byte |
| } |
| |
| type optionsTupleValue struct { |
| Value string |
| } |
| |
| // serialize a map of critical options or extensions |
| // issue #10569 - per [PROTOCOL.certkeys] and SSH implementation, |
| // we need two length prefixes for a non-empty string value |
| func marshalTuples(tups map[string]string) []byte { |
| keys := make([]string, 0, len(tups)) |
| for key := range tups { |
| keys = append(keys, key) |
| } |
| sort.Strings(keys) |
| |
| var ret []byte |
| for _, key := range keys { |
| s := optionsTuple{Key: key} |
| if value := tups[key]; len(value) > 0 { |
| s.Value = Marshal(&optionsTupleValue{value}) |
| } |
| ret = append(ret, Marshal(&s)...) |
| } |
| return ret |
| } |
| |
| // issue #10569 - per [PROTOCOL.certkeys] and SSH implementation, |
| // we need two length prefixes for a non-empty option value |
| func parseTuples(in []byte) (map[string]string, error) { |
| tups := map[string]string{} |
| var lastKey string |
| var haveLastKey bool |
| |
| for len(in) > 0 { |
| var key, val, extra []byte |
| var ok bool |
| |
| if key, in, ok = parseString(in); !ok { |
| return nil, errShortRead |
| } |
| keyStr := string(key) |
| // according to [PROTOCOL.certkeys], the names must be in |
| // lexical order. |
| if haveLastKey && keyStr <= lastKey { |
| return nil, fmt.Errorf("ssh: certificate options are not in lexical order") |
| } |
| lastKey, haveLastKey = keyStr, true |
| // the next field is a data field, which if non-empty has a string embedded |
| if val, in, ok = parseString(in); !ok { |
| return nil, errShortRead |
| } |
| if len(val) > 0 { |
| val, extra, ok = parseString(val) |
| if !ok { |
| return nil, errShortRead |
| } |
| if len(extra) > 0 { |
| return nil, fmt.Errorf("ssh: unexpected trailing data after certificate option value") |
| } |
| tups[keyStr] = string(val) |
| } else { |
| tups[keyStr] = "" |
| } |
| } |
| return tups, nil |
| } |
| |
| func parseCert(in []byte, privAlgo string) (*Certificate, error) { |
| nonce, rest, ok := parseString(in) |
| if !ok { |
| return nil, errShortRead |
| } |
| |
| key, rest, err := parsePubKey(rest, privAlgo) |
| if err != nil { |
| return nil, err |
| } |
| |
| var g genericCertData |
| if err := Unmarshal(rest, &g); err != nil { |
| return nil, err |
| } |
| |
| c := &Certificate{ |
| Nonce: nonce, |
| Key: key, |
| Serial: g.Serial, |
| CertType: g.CertType, |
| KeyId: g.KeyId, |
| ValidAfter: g.ValidAfter, |
| ValidBefore: g.ValidBefore, |
| } |
| |
| for principals := g.ValidPrincipals; len(principals) > 0; { |
| principal, rest, ok := parseString(principals) |
| if !ok { |
| return nil, errShortRead |
| } |
| c.ValidPrincipals = append(c.ValidPrincipals, string(principal)) |
| principals = rest |
| } |
| |
| c.CriticalOptions, err = parseTuples(g.CriticalOptions) |
| if err != nil { |
| return nil, err |
| } |
| c.Extensions, err = parseTuples(g.Extensions) |
| if err != nil { |
| return nil, err |
| } |
| c.Reserved = g.Reserved |
| k, err := ParsePublicKey(g.SignatureKey) |
| if err != nil { |
| return nil, err |
| } |
| |
| c.SignatureKey = k |
| c.Signature, rest, ok = parseSignatureBody(g.Signature) |
| if !ok || len(rest) > 0 { |
| return nil, errors.New("ssh: signature parse error") |
| } |
| |
| return c, nil |
| } |
| |
| type openSSHCertSigner struct { |
| pub *Certificate |
| signer Signer |
| } |
| |
| type algorithmOpenSSHCertSigner struct { |
| *openSSHCertSigner |
| algorithmSigner AlgorithmSigner |
| } |
| |
| // NewCertSigner returns a Signer that signs with the given Certificate, whose |
| // private key is held by signer. It returns an error if the public key in cert |
| // doesn't match the key used by signer. |
| func NewCertSigner(cert *Certificate, signer Signer) (Signer, error) { |
| if !bytes.Equal(cert.Key.Marshal(), signer.PublicKey().Marshal()) { |
| return nil, errors.New("ssh: signer and cert have different public key") |
| } |
| |
| if algorithmSigner, ok := signer.(AlgorithmSigner); ok { |
| return &algorithmOpenSSHCertSigner{ |
| &openSSHCertSigner{cert, signer}, algorithmSigner}, nil |
| } else { |
| return &openSSHCertSigner{cert, signer}, nil |
| } |
| } |
| |
| func (s *openSSHCertSigner) Sign(rand io.Reader, data []byte) (*Signature, error) { |
| return s.signer.Sign(rand, data) |
| } |
| |
| func (s *openSSHCertSigner) PublicKey() PublicKey { |
| return s.pub |
| } |
| |
| func (s *algorithmOpenSSHCertSigner) SignWithAlgorithm(rand io.Reader, data []byte, algorithm string) (*Signature, error) { |
| return s.algorithmSigner.SignWithAlgorithm(rand, data, algorithm) |
| } |
| |
| const sourceAddressCriticalOption = "source-address" |
| |
| // CertChecker does the work of verifying a certificate. Its methods |
| // can be plugged into ClientConfig.HostKeyCallback and |
| // ServerConfig.PublicKeyCallback. For the CertChecker to work, |
| // minimally, the IsAuthority callback should be set. |
| type CertChecker struct { |
| // SupportedCriticalOptions lists the CriticalOptions that the |
| // server application layer understands. These are only used |
| // for user certificates. |
| SupportedCriticalOptions []string |
| |
| // IsUserAuthority should return true if the key is recognized as an |
| // authority for the given user certificate. This allows for |
| // certificates to be signed by other certificates. This must be set |
| // if this CertChecker will be checking user certificates. |
| IsUserAuthority func(auth PublicKey) bool |
| |
| // IsHostAuthority should report whether the key is recognized as |
| // an authority for this host. This allows for certificates to be |
| // signed by other keys, and for those other keys to only be valid |
| // signers for particular hostnames. This must be set if this |
| // CertChecker will be checking host certificates. |
| IsHostAuthority func(auth PublicKey, address string) bool |
| |
| // Clock is used for verifying time stamps. If nil, time.Now |
| // is used. |
| Clock func() time.Time |
| |
| // UserKeyFallback is called when CertChecker.Authenticate encounters a |
| // public key that is not a certificate. It must implement validation |
| // of user keys or else, if nil, all such keys are rejected. |
| UserKeyFallback func(conn ConnMetadata, key PublicKey) (*Permissions, error) |
| |
| // HostKeyFallback is called when CertChecker.CheckHostKey encounters a |
| // public key that is not a certificate. It must implement host key |
| // validation or else, if nil, all such keys are rejected. |
| HostKeyFallback HostKeyCallback |
| |
| // IsRevoked is called for each certificate so that revocation checking |
| // can be implemented. It should return true if the given certificate |
| // is revoked and false otherwise. If nil, no certificates are |
| // considered to have been revoked. |
| IsRevoked func(cert *Certificate) bool |
| } |
| |
| // CheckHostKey checks a host key certificate. This method can be |
| // plugged into ClientConfig.HostKeyCallback. |
| func (c *CertChecker) CheckHostKey(addr string, remote net.Addr, key PublicKey) error { |
| cert, ok := key.(*Certificate) |
| if !ok { |
| if c.HostKeyFallback != nil { |
| return c.HostKeyFallback(addr, remote, key) |
| } |
| return errors.New("ssh: non-certificate host key") |
| } |
| if cert.CertType != HostCert { |
| return fmt.Errorf("ssh: certificate presented as a host key has type %d", cert.CertType) |
| } |
| if !c.IsHostAuthority(cert.SignatureKey, addr) { |
| return fmt.Errorf("ssh: no authorities for hostname: %v", addr) |
| } |
| |
| hostname, _, err := net.SplitHostPort(addr) |
| if err != nil { |
| return err |
| } |
| |
| // Pass hostname only as principal for host certificates (consistent with OpenSSH) |
| return c.CheckCert(hostname, cert) |
| } |
| |
| // Authenticate checks a user certificate. Authenticate can be used as |
| // a value for ServerConfig.PublicKeyCallback. |
| func (c *CertChecker) Authenticate(conn ConnMetadata, pubKey PublicKey) (*Permissions, error) { |
| cert, ok := pubKey.(*Certificate) |
| if !ok { |
| if c.UserKeyFallback != nil { |
| return c.UserKeyFallback(conn, pubKey) |
| } |
| return nil, errors.New("ssh: normal key pairs not accepted") |
| } |
| |
| if cert.CertType != UserCert { |
| return nil, fmt.Errorf("ssh: cert has type %d", cert.CertType) |
| } |
| if !c.IsUserAuthority(cert.SignatureKey) { |
| return nil, fmt.Errorf("ssh: certificate signed by unrecognized authority") |
| } |
| |
| if err := c.CheckCert(conn.User(), cert); err != nil { |
| return nil, err |
| } |
| |
| return &cert.Permissions, nil |
| } |
| |
| // CheckCert checks CriticalOptions, ValidPrincipals, revocation, timestamp and |
| // the signature of the certificate. |
| func (c *CertChecker) CheckCert(principal string, cert *Certificate) error { |
| if c.IsRevoked != nil && c.IsRevoked(cert) { |
| return fmt.Errorf("ssh: certificate serial %d revoked", cert.Serial) |
| } |
| |
| for opt := range cert.CriticalOptions { |
| // sourceAddressCriticalOption will be enforced by |
| // serverAuthenticate |
| if opt == sourceAddressCriticalOption { |
| continue |
| } |
| |
| found := false |
| for _, supp := range c.SupportedCriticalOptions { |
| if supp == opt { |
| found = true |
| break |
| } |
| } |
| if !found { |
| return fmt.Errorf("ssh: unsupported critical option %q in certificate", opt) |
| } |
| } |
| |
| if len(cert.ValidPrincipals) > 0 { |
| // By default, certs are valid for all users/hosts. |
| found := false |
| for _, p := range cert.ValidPrincipals { |
| if p == principal { |
| found = true |
| break |
| } |
| } |
| if !found { |
| return fmt.Errorf("ssh: principal %q not in the set of valid principals for given certificate: %q", principal, cert.ValidPrincipals) |
| } |
| } |
| |
| clock := c.Clock |
| if clock == nil { |
| clock = time.Now |
| } |
| |
| unixNow := clock().Unix() |
| if after := int64(cert.ValidAfter); after < 0 || unixNow < int64(cert.ValidAfter) { |
| return fmt.Errorf("ssh: cert is not yet valid") |
| } |
| if before := int64(cert.ValidBefore); cert.ValidBefore != uint64(CertTimeInfinity) && (unixNow >= before || before < 0) { |
| return fmt.Errorf("ssh: cert has expired") |
| } |
| if err := cert.SignatureKey.Verify(cert.bytesForSigning(), cert.Signature); err != nil { |
| return fmt.Errorf("ssh: certificate signature does not verify") |
| } |
| |
| return nil |
| } |
| |
| // SignCert signs the certificate with an authority, setting the Nonce, |
| // SignatureKey, and Signature fields. |
| func (c *Certificate) SignCert(rand io.Reader, authority Signer) error { |
| c.Nonce = make([]byte, 32) |
| if _, err := io.ReadFull(rand, c.Nonce); err != nil { |
| return err |
| } |
| c.SignatureKey = authority.PublicKey() |
| |
| // Default to KeyAlgoRSASHA512 for ssh-rsa signers. |
| if v, ok := authority.(AlgorithmSigner); ok && v.PublicKey().Type() == KeyAlgoRSA { |
| sig, err := v.SignWithAlgorithm(rand, c.bytesForSigning(), KeyAlgoRSASHA512) |
| if err != nil { |
| return err |
| } |
| c.Signature = sig |
| return nil |
| } |
| |
| sig, err := authority.Sign(rand, c.bytesForSigning()) |
| if err != nil { |
| return err |
| } |
| c.Signature = sig |
| return nil |
| } |
| |
| // certKeyAlgoNames is a mapping from known certificate algorithm names to the |
| // corresponding public key signature algorithm. |
| // |
| // This map must be kept in sync with the one in agent/client.go. |
| var certKeyAlgoNames = map[string]string{ |
| CertAlgoRSAv01: KeyAlgoRSA, |
| CertAlgoRSASHA256v01: KeyAlgoRSASHA256, |
| CertAlgoRSASHA512v01: KeyAlgoRSASHA512, |
| CertAlgoDSAv01: KeyAlgoDSA, |
| CertAlgoECDSA256v01: KeyAlgoECDSA256, |
| CertAlgoECDSA384v01: KeyAlgoECDSA384, |
| CertAlgoECDSA521v01: KeyAlgoECDSA521, |
| CertAlgoSKECDSA256v01: KeyAlgoSKECDSA256, |
| CertAlgoED25519v01: KeyAlgoED25519, |
| CertAlgoSKED25519v01: KeyAlgoSKED25519, |
| } |
| |
| // underlyingAlgo returns the signature algorithm associated with algo (which is |
| // an advertised or negotiated public key or host key algorithm). These are |
| // usually the same, except for certificate algorithms. |
| func underlyingAlgo(algo string) string { |
| if a, ok := certKeyAlgoNames[algo]; ok { |
| return a |
| } |
| return algo |
| } |
| |
| // certificateAlgo returns the certificate algorithms that uses the provided |
| // underlying signature algorithm. |
| func certificateAlgo(algo string) (certAlgo string, ok bool) { |
| for certName, algoName := range certKeyAlgoNames { |
| if algoName == algo { |
| return certName, true |
| } |
| } |
| return "", false |
| } |
| |
| func (cert *Certificate) bytesForSigning() []byte { |
| c2 := *cert |
| c2.Signature = nil |
| out := c2.Marshal() |
| // Drop trailing signature length. |
| return out[:len(out)-4] |
| } |
| |
| // Marshal serializes c into OpenSSH's wire format. It is part of the |
| // PublicKey interface. |
| func (c *Certificate) Marshal() []byte { |
| generic := genericCertData{ |
| Serial: c.Serial, |
| CertType: c.CertType, |
| KeyId: c.KeyId, |
| ValidPrincipals: marshalStringList(c.ValidPrincipals), |
| ValidAfter: uint64(c.ValidAfter), |
| ValidBefore: uint64(c.ValidBefore), |
| CriticalOptions: marshalTuples(c.CriticalOptions), |
| Extensions: marshalTuples(c.Extensions), |
| Reserved: c.Reserved, |
| SignatureKey: c.SignatureKey.Marshal(), |
| } |
| if c.Signature != nil { |
| generic.Signature = Marshal(c.Signature) |
| } |
| genericBytes := Marshal(&generic) |
| keyBytes := c.Key.Marshal() |
| _, keyBytes, _ = parseString(keyBytes) |
| prefix := Marshal(&struct { |
| Name string |
| Nonce []byte |
| Key []byte `ssh:"rest"` |
| }{c.Type(), c.Nonce, keyBytes}) |
| |
| result := make([]byte, 0, len(prefix)+len(genericBytes)) |
| result = append(result, prefix...) |
| result = append(result, genericBytes...) |
| return result |
| } |
| |
| // Type returns the certificate algorithm name. It is part of the PublicKey interface. |
| func (c *Certificate) Type() string { |
| certName, ok := certificateAlgo(c.Key.Type()) |
| if !ok { |
| panic("unknown certificate type for key type " + c.Key.Type()) |
| } |
| return certName |
| } |
| |
| // Verify verifies a signature against the certificate's public |
| // key. It is part of the PublicKey interface. |
| func (c *Certificate) Verify(data []byte, sig *Signature) error { |
| return c.Key.Verify(data, sig) |
| } |
| |
| func parseSignatureBody(in []byte) (out *Signature, rest []byte, ok bool) { |
| format, in, ok := parseString(in) |
| if !ok { |
| return |
| } |
| |
| out = &Signature{ |
| Format: string(format), |
| } |
| |
| if out.Blob, in, ok = parseString(in); !ok { |
| return |
| } |
| |
| switch out.Format { |
| case KeyAlgoSKECDSA256, CertAlgoSKECDSA256v01, KeyAlgoSKED25519, CertAlgoSKED25519v01: |
| out.Rest = in |
| return out, nil, ok |
| } |
| |
| return out, in, ok |
| } |
| |
| func parseSignature(in []byte) (out *Signature, rest []byte, ok bool) { |
| sigBytes, rest, ok := parseString(in) |
| if !ok { |
| return |
| } |
| |
| out, trailing, ok := parseSignatureBody(sigBytes) |
| if !ok || len(trailing) > 0 { |
| return nil, nil, false |
| } |
| return |
| } |