2016-02-19 08:40:39 +00:00
|
|
|
"""SSH format parsing and formatting tools."""
|
2015-06-15 15:13:10 +00:00
|
|
|
import base64
|
2016-01-09 14:06:47 +00:00
|
|
|
import hashlib
|
|
|
|
import io
|
2016-01-04 17:17:08 +00:00
|
|
|
import logging
|
2016-01-09 14:06:47 +00:00
|
|
|
|
2015-06-15 15:13:10 +00:00
|
|
|
import ecdsa
|
2015-10-23 09:45:32 +00:00
|
|
|
import ed25519
|
2015-06-15 15:13:10 +00:00
|
|
|
|
2015-06-16 07:20:11 +00:00
|
|
|
from . import util
|
|
|
|
|
2015-06-15 15:13:10 +00:00
|
|
|
log = logging.getLogger(__name__)
|
|
|
|
|
2016-10-14 19:20:28 +00:00
|
|
|
# Supported ECDSA curves (for SSH and GPG)
|
2016-05-05 19:28:06 +00:00
|
|
|
CURVE_NIST256 = 'nist256p1'
|
|
|
|
CURVE_ED25519 = 'ed25519'
|
2015-10-23 09:45:32 +00:00
|
|
|
SUPPORTED_CURVES = {CURVE_NIST256, CURVE_ED25519}
|
|
|
|
|
2016-10-14 19:20:28 +00:00
|
|
|
# Supported ECDH curves (for GPG)
|
|
|
|
ECDH_NIST256 = 'nist256p1'
|
|
|
|
ECDH_CURVE25519 = 'curve25519'
|
|
|
|
|
2015-10-23 09:45:32 +00:00
|
|
|
# SSH key types
|
|
|
|
SSH_NIST256_DER_OCTET = b'\x04'
|
|
|
|
SSH_NIST256_KEY_PREFIX = b'ecdsa-sha2-'
|
|
|
|
SSH_NIST256_CURVE_NAME = b'nistp256'
|
|
|
|
SSH_NIST256_KEY_TYPE = SSH_NIST256_KEY_PREFIX + SSH_NIST256_CURVE_NAME
|
|
|
|
SSH_ED25519_KEY_TYPE = b'ssh-ed25519'
|
|
|
|
SUPPORTED_KEY_TYPES = {SSH_NIST256_KEY_TYPE, SSH_ED25519_KEY_TYPE}
|
2015-06-15 15:13:10 +00:00
|
|
|
|
|
|
|
hashfunc = hashlib.sha256
|
|
|
|
|
2015-06-16 06:52:53 +00:00
|
|
|
|
|
|
|
def fingerprint(blob):
|
2016-02-19 08:40:39 +00:00
|
|
|
"""
|
|
|
|
Compute SSH fingerprint for specified blob.
|
|
|
|
|
|
|
|
See https://en.wikipedia.org/wiki/Public_key_fingerprint for details.
|
|
|
|
"""
|
2015-06-16 06:52:53 +00:00
|
|
|
digest = hashlib.md5(blob).digest()
|
|
|
|
return ':'.join('{:02x}'.format(c) for c in bytearray(digest))
|
|
|
|
|
|
|
|
|
2015-10-23 09:45:32 +00:00
|
|
|
def parse_pubkey(blob):
|
2016-02-19 08:40:39 +00:00
|
|
|
"""
|
|
|
|
Parse SSH public key from given blob.
|
|
|
|
|
2016-04-09 17:40:32 +00:00
|
|
|
Construct a verifier for ECDSA signatures.
|
2016-02-19 08:40:39 +00:00
|
|
|
The verifier returns the signatures in the required SSH format.
|
|
|
|
Currently, NIST256P1 and ED25519 elliptic curves are supported.
|
|
|
|
"""
|
2015-10-23 09:45:32 +00:00
|
|
|
fp = fingerprint(blob)
|
2015-06-15 15:13:10 +00:00
|
|
|
s = io.BytesIO(blob)
|
|
|
|
key_type = util.read_frame(s)
|
|
|
|
log.debug('key type: %s', key_type)
|
2015-10-23 09:45:32 +00:00
|
|
|
assert key_type in SUPPORTED_KEY_TYPES, key_type
|
|
|
|
|
|
|
|
result = {'blob': blob, 'type': key_type, 'fingerprint': fp}
|
|
|
|
|
|
|
|
if key_type == SSH_NIST256_KEY_TYPE:
|
|
|
|
curve_name = util.read_frame(s)
|
|
|
|
log.debug('curve name: %s', curve_name)
|
|
|
|
point = util.read_frame(s)
|
|
|
|
assert s.read() == b''
|
|
|
|
_type, point = point[:1], point[1:]
|
|
|
|
assert _type == SSH_NIST256_DER_OCTET
|
|
|
|
size = len(point) // 2
|
|
|
|
assert len(point) == 2 * size
|
|
|
|
coords = (util.bytes2num(point[:size]), util.bytes2num(point[size:]))
|
|
|
|
|
|
|
|
curve = ecdsa.NIST256p
|
|
|
|
point = ecdsa.ellipticcurve.Point(curve.curve, *coords)
|
|
|
|
|
|
|
|
def ecdsa_verifier(sig, msg):
|
|
|
|
assert len(sig) == 2 * size
|
|
|
|
sig_decode = ecdsa.util.sigdecode_string
|
2016-01-04 17:17:08 +00:00
|
|
|
vk = ecdsa.VerifyingKey.from_public_point(point, curve, hashfunc)
|
2015-10-23 09:45:32 +00:00
|
|
|
vk.verify(signature=sig, data=msg, sigdecode=sig_decode)
|
|
|
|
parts = [sig[:size], sig[size:]]
|
|
|
|
return b''.join([util.frame(b'\x00' + p) for p in parts])
|
|
|
|
|
|
|
|
result.update(point=coords, curve=CURVE_NIST256,
|
|
|
|
verifier=ecdsa_verifier)
|
|
|
|
|
|
|
|
if key_type == SSH_ED25519_KEY_TYPE:
|
|
|
|
pubkey = util.read_frame(s)
|
|
|
|
assert s.read() == b''
|
|
|
|
|
|
|
|
def ed25519_verify(sig, msg):
|
|
|
|
assert len(sig) == 64
|
2016-01-04 17:17:08 +00:00
|
|
|
vk = ed25519.VerifyingKey(pubkey)
|
2015-10-23 09:45:32 +00:00
|
|
|
vk.verify(sig, msg)
|
|
|
|
return sig
|
|
|
|
|
|
|
|
result.update(curve=CURVE_ED25519, verifier=ed25519_verify)
|
2015-06-15 15:13:10 +00:00
|
|
|
|
|
|
|
return result
|
|
|
|
|
|
|
|
|
2015-12-18 14:03:50 +00:00
|
|
|
def _decompress_ed25519(pubkey):
|
2016-02-19 08:40:39 +00:00
|
|
|
"""Load public key from the serialized blob (stripping the prefix byte)."""
|
2015-12-18 14:03:50 +00:00
|
|
|
if pubkey[:1] == b'\x00':
|
2015-10-23 09:45:32 +00:00
|
|
|
# set by Trezor fsm_msgSignIdentity() and fsm_msgGetPublicKey()
|
2015-12-18 14:03:50 +00:00
|
|
|
return ed25519.VerifyingKey(pubkey[1:])
|
2015-10-23 09:45:32 +00:00
|
|
|
|
2015-12-18 14:03:50 +00:00
|
|
|
|
|
|
|
def _decompress_nist256(pubkey):
|
2016-02-19 08:40:39 +00:00
|
|
|
"""
|
|
|
|
Load public key from the serialized blob.
|
|
|
|
|
|
|
|
The leading byte least-significant bit is used to decide how to recreate
|
|
|
|
the y-coordinate from the specified x-coordinate. See bitcoin/main.py#L198
|
|
|
|
(from https://github.com/vbuterin/pybitcointools/) for details.
|
|
|
|
"""
|
2015-12-18 14:03:50 +00:00
|
|
|
if pubkey[:1] in {b'\x02', b'\x03'}: # set by ecdsa_get_public_key33()
|
2015-10-23 09:45:32 +00:00
|
|
|
curve = ecdsa.NIST256p
|
|
|
|
P = curve.curve.p()
|
|
|
|
A = curve.curve.a()
|
|
|
|
B = curve.curve.b()
|
2015-12-18 14:03:50 +00:00
|
|
|
x = util.bytes2num(pubkey[1:33])
|
2015-10-23 09:45:32 +00:00
|
|
|
beta = pow(int(x * x * x + A * x + B), int((P + 1) // 4), int(P))
|
2015-07-21 11:38:40 +00:00
|
|
|
|
2015-12-18 14:03:50 +00:00
|
|
|
p0 = util.bytes2num(pubkey[:1])
|
2015-10-23 09:45:32 +00:00
|
|
|
y = (P - beta) if ((beta + p0) % 2) else beta
|
2015-06-15 15:13:10 +00:00
|
|
|
|
2015-10-23 09:45:32 +00:00
|
|
|
point = ecdsa.ellipticcurve.Point(curve.curve, x, y)
|
|
|
|
return ecdsa.VerifyingKey.from_public_point(point, curve=curve,
|
|
|
|
hashfunc=hashfunc)
|
2015-12-18 14:03:50 +00:00
|
|
|
|
|
|
|
|
|
|
|
def decompress_pubkey(pubkey, curve_name):
|
2016-02-19 08:40:39 +00:00
|
|
|
"""
|
|
|
|
Load public key from the serialized blob.
|
|
|
|
|
|
|
|
Raise ValueError on parsing error.
|
|
|
|
"""
|
2015-12-18 14:03:50 +00:00
|
|
|
vk = None
|
|
|
|
if len(pubkey) == 33:
|
|
|
|
decompress = {
|
|
|
|
CURVE_NIST256: _decompress_nist256,
|
2016-10-14 19:20:28 +00:00
|
|
|
CURVE_ED25519: _decompress_ed25519,
|
|
|
|
ECDH_CURVE25519: _decompress_ed25519,
|
2015-12-18 14:03:50 +00:00
|
|
|
}[curve_name]
|
|
|
|
vk = decompress(pubkey)
|
|
|
|
|
|
|
|
if not vk:
|
|
|
|
msg = 'invalid {!s} public key: {!r}'.format(curve_name, pubkey)
|
|
|
|
raise ValueError(msg)
|
|
|
|
|
|
|
|
return vk
|
2015-07-22 10:47:53 +00:00
|
|
|
|
2015-08-11 17:46:13 +00:00
|
|
|
|
2015-07-22 10:47:53 +00:00
|
|
|
def serialize_verifying_key(vk):
|
2016-02-19 08:40:39 +00:00
|
|
|
"""
|
|
|
|
Serialize a public key into SSH format (for exporting to text format).
|
|
|
|
|
|
|
|
Currently, NIST256P1 and ED25519 elliptic curves are supported.
|
|
|
|
Raise TypeError on unsupported key format.
|
|
|
|
"""
|
2015-10-23 09:45:32 +00:00
|
|
|
if isinstance(vk, ed25519.keys.VerifyingKey):
|
|
|
|
pubkey = vk.to_bytes()
|
|
|
|
key_type = SSH_ED25519_KEY_TYPE
|
|
|
|
blob = util.frame(SSH_ED25519_KEY_TYPE) + util.frame(pubkey)
|
|
|
|
return key_type, blob
|
|
|
|
|
|
|
|
if isinstance(vk, ecdsa.keys.VerifyingKey):
|
|
|
|
curve_name = SSH_NIST256_CURVE_NAME
|
|
|
|
key_blob = SSH_NIST256_DER_OCTET + vk.to_string()
|
|
|
|
parts = [SSH_NIST256_KEY_TYPE, curve_name, key_blob]
|
|
|
|
key_type = SSH_NIST256_KEY_TYPE
|
|
|
|
blob = b''.join([util.frame(p) for p in parts])
|
|
|
|
return key_type, blob
|
|
|
|
|
|
|
|
raise TypeError('unsupported {!r}'.format(vk))
|
2015-07-20 14:21:46 +00:00
|
|
|
|
|
|
|
|
2015-12-18 14:03:50 +00:00
|
|
|
def export_public_key(vk, label):
|
2016-02-19 08:40:39 +00:00
|
|
|
"""
|
|
|
|
Export public key to text format.
|
|
|
|
|
|
|
|
The resulting string can be written into a .pub file or
|
|
|
|
appended to the ~/.ssh/authorized_keys file.
|
|
|
|
"""
|
2015-12-18 14:03:50 +00:00
|
|
|
key_type, blob = serialize_verifying_key(vk)
|
2015-07-20 13:39:50 +00:00
|
|
|
log.debug('fingerprint: %s', fingerprint(blob))
|
2015-07-21 11:38:40 +00:00
|
|
|
b64 = base64.b64encode(blob).decode('ascii')
|
2015-07-22 11:30:12 +00:00
|
|
|
return '{} {} {}\n'.format(key_type.decode('ascii'), b64, label)
|
2015-07-20 15:28:00 +00:00
|
|
|
|
|
|
|
|
|
|
|
def import_public_key(line):
|
2016-02-19 08:40:39 +00:00
|
|
|
"""Parse public key textual format, as saved at a .pub file."""
|
2015-10-23 09:45:32 +00:00
|
|
|
log.debug('loading SSH public key: %r', line)
|
2015-07-20 15:28:00 +00:00
|
|
|
file_type, base64blob, name = line.split()
|
|
|
|
blob = base64.b64decode(base64blob)
|
|
|
|
result = parse_pubkey(blob)
|
|
|
|
result['name'] = name.encode('ascii')
|
|
|
|
assert result['type'] == file_type.encode('ascii')
|
2015-10-23 09:45:32 +00:00
|
|
|
log.debug('loaded %s public key: %s', file_type, result['fingerprint'])
|
2015-07-20 15:28:00 +00:00
|
|
|
return result
|
2016-10-14 19:20:28 +00:00
|
|
|
|
|
|
|
|
|
|
|
def get_ecdh_curve_name(signature_curve_name):
|
|
|
|
"""Return appropriate curve for ECDH for specified signing curve."""
|
|
|
|
return {
|
|
|
|
CURVE_NIST256: ECDH_NIST256,
|
|
|
|
CURVE_ED25519: ECDH_CURVE25519,
|
2016-10-14 20:10:05 +00:00
|
|
|
ECDH_CURVE25519: ECDH_CURVE25519,
|
2016-10-14 19:20:28 +00:00
|
|
|
}[signature_curve_name]
|