trezor-agent/trezor_agent/client.py

"""
Connection to hardware authentication device.

It is used for getting SSH public keys and ECDSA signing of server requests.
"""
import binascii
import io
import logging

from . import factory, formats, util

log = logging.getLogger(__name__)


class Client(object):
    """Client wrapper for SSH authentication device."""

    def __init__(self, loader=factory.load, curve=formats.CURVE_NIST256):
        """Connect to hardware device."""
        client_wrapper = loader()
        self.client = client_wrapper.connection
        self.identity_type = client_wrapper.identity_type
        self.device_name = client_wrapper.device_name
        self.call_exception = client_wrapper.call_exception
        self.curve = curve

    def __enter__(self):
        """Start a session, and test connection."""
        msg = 'Hello World!'
        assert self.client.ping(msg) == msg
        return self

    def __exit__(self, *args):
        """Keep the session open (doesn't forget PIN)."""
        log.info('disconnected from %s', self.device_name)
        self.client.close()

    def get_identity(self, label, index=0):
        """Parse label string into Identity protobuf."""
        identity = util.string_to_identity(label, self.identity_type)
        identity.proto = 'ssh'
        identity.index = index
        return identity

    def get_public_key(self, label):
        """Get SSH public key corresponding to specified by label."""
        identity = self.get_identity(label=label)
        label = util.identity_to_string(identity)  # canonize key label
        log.info('getting "%s" public key (%s) from %s...',
                 label, self.curve, self.device_name)
        addr = util.get_bip32_address(identity)
        node = self.client.get_public_node(n=addr,
                                           ecdsa_curve_name=self.curve)

        pubkey = node.node.public_key
        vk = formats.decompress_pubkey(pubkey=pubkey, curve_name=self.curve)
        return formats.export_public_key(vk=vk, label=label)

    def sign_ssh_challenge(self, label, blob):
        """Sign given blob using a private key, specified by the label."""
        identity = self.get_identity(label=label)
        msg = _parse_ssh_blob(blob)
        log.debug('%s: user %r via %r (%r)',
                  msg['conn'], msg['user'], msg['auth'], msg['key_type'])
        log.debug('nonce: %s', binascii.hexlify(msg['nonce']))
        log.debug('fingerprint: %s', msg['public_key']['fingerprint'])
        log.debug('hidden challenge size: %d bytes', len(blob))

        log.info('please confirm user "%s" login to "%s" using %s...',
                 msg['user'].decode('ascii'), label, self.device_name)

        try:
            result = self.client.sign_identity(identity=identity,
                                               challenge_hidden=blob,
                                               challenge_visual='',
                                               ecdsa_curve_name=self.curve)
        except self.call_exception as e:
            code, msg = e.args
            log.warning('%s error #%s: %s', self.device_name, code, msg)
            raise IOError(msg)  # close current connection, keep server open

        verifying_key = formats.decompress_pubkey(pubkey=result.public_key,
                                                  curve_name=self.curve)
        key_type, blob = formats.serialize_verifying_key(verifying_key)
        assert blob == msg['public_key']['blob']
        assert key_type == msg['key_type']
        assert len(result.signature) == 65
        assert result.signature[:1] == bytearray([0])

        return result.signature[1:]


def _parse_ssh_blob(data):
    res = {}
    i = io.BytesIO(data)
    res['nonce'] = util.read_frame(i)
    i.read(1)  # SSH2_MSG_USERAUTH_REQUEST == 50 (from ssh2.h, line 108)
    res['user'] = util.read_frame(i)
    res['conn'] = util.read_frame(i)
    res['auth'] = util.read_frame(i)
    i.read(1)  # have_sig == 1 (from sshconnect2.c, line 1056)
    res['key_type'] = util.read_frame(i)
    public_key = util.read_frame(i)
    res['public_key'] = formats.parse_pubkey(public_key)
    assert not i.read()
    return res
client: add docstrings 8 years ago			`"""`
			`Connection to hardware authentication device.`

			`It is used for getting SSH public keys and ECDSA signing of server requests.`
			`"""`
sort imports using isort tool 9 years ago			`import binascii`
trezor: __init__ should be short 9 years ago			`import io`
sort imports using isort tool 9 years ago			`import logging`
trezor: __init__ should be short 9 years ago
fixup imports order isort -rc trezor_agent 9 years ago			`from . import factory, formats, util`
trezor: __init__ should be short 9 years ago
			`log = logging.getLogger(__name__)`


			`class Client(object):`
client: add docstrings 8 years ago			`"""Client wrapper for SSH authentication device."""`
trezor: __init__ should be short 9 years ago
Merge Trezor and KeepKey functionality 9 years ago			`def __init__(self, loader=factory.load, curve=formats.CURVE_NIST256):`
client: add docstrings 8 years ago			`"""Connect to hardware device."""`
Merge Trezor and KeepKey functionality 9 years ago			`client_wrapper = loader()`
			`self.client = client_wrapper.connection`
			`self.identity_type = client_wrapper.identity_type`
			`self.device_name = client_wrapper.device_name`
client: catch CallException for cancellation handling 8 years ago			`self.call_exception = client_wrapper.call_exception`
trezor: add support for Ed25519 SSH keys 9 years ago			`self.curve = curve`
trezor: __init__ should be short 9 years ago
			`def __enter__(self):`
client: add docstrings 8 years ago			`"""Start a session, and test connection."""`
trezor: add ping for self-test 9 years ago			`msg = 'Hello World!'`
			`assert self.client.ping(msg) == msg`
trezor: __init__ should be short 9 years ago			`return self`

			`def __exit__(self, *args):`
client: keep the session open (doesn't forget PIN) 8 years ago			`"""Keep the session open (doesn't forget PIN)."""`
Merge Trezor and KeepKey functionality 9 years ago			`log.info('disconnected from %s', self.device_name)`
trezor: __init__ should be short 9 years ago			`self.client.close()`

client: pass index as default argument 9 years ago			`def get_identity(self, label, index=0):`
client: add docstrings 8 years ago			`"""Parse label string into Identity protobuf."""`
util: move BIP32 address related functions 8 years ago			`identity = util.string_to_identity(label, self.identity_type)`
trezor: simplify client API 9 years ago			`identity.proto = 'ssh'`
client: pass index as default argument 9 years ago			`identity.index = index`
trezor: __init__ should be short 9 years ago			`return identity`

trezor: add support for Ed25519 SSH keys 9 years ago			`def get_public_key(self, label):`
client: add docstrings 8 years ago			`"""Get SSH public key corresponding to specified by label."""`
trezor: add support for Ed25519 SSH keys 9 years ago			`identity = self.get_identity(label=label)`
util: move BIP32 address related functions 8 years ago			`label = util.identity_to_string(identity) # canonize key label`
Merge Trezor and KeepKey functionality 9 years ago			`log.info('getting "%s" public key (%s) from %s...',`
			`label, self.curve, self.device_name)`
util: move BIP32 address related functions 8 years ago			`addr = util.get_bip32_address(identity)`
trezor: set NIST256P1 curve when needed 9 years ago			`node = self.client.get_public_node(n=addr,`
trezor: add support for Ed25519 SSH keys 9 years ago			`ecdsa_curve_name=self.curve)`
trezor: __init__ should be short 9 years ago
			`pubkey = node.node.public_key`
formats: verify public key according to requested ECDSA curve 9 years ago			`vk = formats.decompress_pubkey(pubkey=pubkey, curve_name=self.curve)`
			`return formats.export_public_key(vk=vk, label=label)`
trezor: __init__ should be short 9 years ago
client: not visual challength for SSH 8 years ago			`def sign_ssh_challenge(self, label, blob):`
client: add docstrings 8 years ago			`"""Sign given blob using a private key, specified by the label."""`
trezor: add support for Ed25519 SSH keys 9 years ago			`identity = self.get_identity(label=label)`
trezor: __init__ should be short 9 years ago			`msg = _parse_ssh_blob(blob)`
client: move logging from parsing code 9 years ago			`log.debug('%s: user %r via %r (%r)',`
			`msg['conn'], msg['user'], msg['auth'], msg['key_type'])`
			`log.debug('nonce: %s', binascii.hexlify(msg['nonce']))`
			`log.debug('fingerprint: %s', msg['public_key']['fingerprint'])`
client: add logging for challenge sizes 8 years ago			`log.debug('hidden challenge size: %d bytes', len(blob))`
trezor: __init__ should be short 9 years ago
Merge Trezor and KeepKey functionality 9 years ago			`log.info('please confirm user "%s" login to "%s" using %s...',`
ssh: pretty-print user name 8 years ago			`msg['user'].decode('ascii'), label, self.device_name)`
trezor: __init__ should be short 9 years ago
client: catch CallException for cancellation handling 8 years ago			`try:`
			`result = self.client.sign_identity(identity=identity,`
			`challenge_hidden=blob,`
client: not visual challength for SSH 8 years ago			`challenge_visual='',`
client: catch CallException for cancellation handling 8 years ago			`ecdsa_curve_name=self.curve)`
			`except self.call_exception as e:`
			`code, msg = e.args`
			`log.warning('%s error #%s: %s', self.device_name, code, msg)`
protocol: fail gracefully on cancellation 8 years ago			`raise IOError(msg) # close current connection, keep server open`
trezor: add support for Ed25519 SSH keys 9 years ago
formats: verify public key according to requested ECDSA curve 9 years ago			`verifying_key = formats.decompress_pubkey(pubkey=result.public_key,`
			`curve_name=self.curve)`
trezor: add support for Ed25519 SSH keys 9 years ago			`key_type, blob = formats.serialize_verifying_key(verifying_key)`
			`assert blob == msg['public_key']['blob']`
			`assert key_type == msg['key_type']`
trezor: __init__ should be short 9 years ago			`assert len(result.signature) == 65`
trezor: fix Python 3 bytes issue 9 years ago			`assert result.signature[:1] == bytearray([0])`
trezor: __init__ should be short 9 years ago
trezor: add support for Ed25519 SSH keys 9 years ago			`return result.signature[1:]`
trezor: refactor common code 9 years ago

trezor: __init__ should be short 9 years ago			`def _parse_ssh_blob(data):`
			`res = {}`
client: remove unneeded 'if' 9 years ago			`i = io.BytesIO(data)`
			`res['nonce'] = util.read_frame(i)`
client: elaborate SSH blob parsing 9 years ago			`i.read(1) # SSH2_MSG_USERAUTH_REQUEST == 50 (from ssh2.h, line 108)`
client: remove unneeded 'if' 9 years ago			`res['user'] = util.read_frame(i)`
			`res['conn'] = util.read_frame(i)`
			`res['auth'] = util.read_frame(i)`
client: elaborate SSH blob parsing 9 years ago			`i.read(1) # have_sig == 1 (from sshconnect2.c, line 1056)`
client: remove unneeded 'if' 9 years ago			`res['key_type'] = util.read_frame(i)`
			`public_key = util.read_frame(i)`
			`res['public_key'] = formats.parse_pubkey(public_key)`
			`assert not i.read()`
trezor: __init__ should be short 9 years ago			`return res`