Beispiel #1
0
    def test_key(self):
        """Check key import and export"""

        for keytype in self.keytypes:
            with self.subTest(keytype=keytype):
                self.make_keypair('priv', 'pub', keytype)
                self.make_keypair('privca', 'pubca', keytype)

                run('chmod 600 priv privca')

                if self.base_format == 'openssh':
                    run('cp -p pub sshpub')
                else:
                    run('ssh-keygen -i -f pub -m %s > sshpub' %
                        self.base_format)

                self.privkey = read_private_key('priv')
                self.pubkey = read_public_key('pub')
                self.privca = read_private_key('privca')
                self.pubca = read_public_key('pubca')

                self.check_encode_errors()
                self.check_decode_errors()
                self.check_sshkey_base_errors()
                self.check_sign_and_verify()

                if 'pkcs1' in self.private_formats:
                    self.check_pkcs1_private()

                if 'pkcs1' in self.public_formats:
                    self.check_pkcs1_public()

                if 'pkcs8' in self.private_formats:
                    self.check_pkcs8_private()

                if 'pkcs8' in self.public_formats:
                    self.check_pkcs8_public()

                if 'openssh' in self.private_formats: # pragma: no branch
                    self.check_openssh_private()

                if 'openssh' in self.public_formats: # pragma: no branch
                    self.check_openssh_public()

                if 'rfc4716' in self.public_formats: # pragma: no branch
                    self.check_rfc4716_public()

                for cert_type in (CERT_TYPE_USER, CERT_TYPE_HOST):
                    for version in self.cert_versions:
                        for fmt in ('openssh', 'rfc4716'):
                            with self.subTest(cert_type=cert_type,
                                              version=version, fmt=fmt):
                                self.check_certificate(cert_type, version, fmt)

                    self.check_certificate_errors(cert_type)
Beispiel #2
0
    def test_key(self):
        """Check key import and export"""

        for keytype in self.keytypes:
            with self.subTest(keytype=keytype):
                self.make_keypair('priv', 'pub', keytype)
                self.make_keypair('privca', 'pubca', keytype)

                run('chmod 600 priv privca')

                if self.base_format == 'openssh':
                    run('cp -p pub sshpub')
                else:
                    run('ssh-keygen -i -f pub -m %s > sshpub' %
                        self.base_format)

                self.privkey = read_private_key('priv')
                self.pubkey = read_public_key('pub')
                self.privca = read_private_key('privca')
                self.pubca = read_public_key('pubca')

                self.check_encode_errors()
                self.check_decode_errors()
                self.check_sshkey_base_errors()
                self.check_sign_and_verify()

                if 'pkcs1' in self.private_formats:
                    self.check_pkcs1_private()

                if 'pkcs1' in self.public_formats and _pkcs1_public_supported:
                    self.check_pkcs1_public()

                if 'pkcs8' in self.private_formats:
                    self.check_pkcs8_private()

                if 'pkcs8' in self.public_formats:
                    self.check_pkcs8_public()

                if 'openssh' in self.private_formats:  # pragma: no branch
                    self.check_openssh_private()

                if 'openssh' in self.public_formats:  # pragma: no branch
                    self.check_openssh_public()

                if 'rfc4716' in self.public_formats:  # pragma: no branch
                    self.check_rfc4716_public()

                for cert_type in (CERT_TYPE_USER, CERT_TYPE_HOST):
                    for fmt in ('openssh', 'rfc4716'):
                        with self.subTest(cert_type=cert_type, fmt=fmt):
                            self.check_certificate(cert_type, fmt)

                    self.check_certificate_errors(cert_type)
Beispiel #3
0
    def export_pkcs1_public(self, fmt):
        """Check export of a PKCS#1 public key"""

        self.privkey.write_public_key('pubout', 'pkcs1-%s' % fmt)

        if self.keyclass == 'dsa':
            # OpenSSL no longer has support for PKCS#1 DSA, so we can
            # only test against ourselves.
            read_public_key('pubout').write_public_key('new', 'pkcs1-%s' % fmt)
        else:
            run('openssl %s -RSAPublicKey_in -in pubout -inform %s -out new '
                '-outform pem' % (self.keyclass, fmt))

        self.check_public()
Beispiel #4
0
    def export_pkcs1_public(self, fmt):
        """Check export of a PKCS#1 public key"""

        self.privkey.write_public_key('pubout', 'pkcs1-%s' % fmt)

        if self.keyclass == 'dsa':
            # OpenSSL no longer has support for PKCS#1 DSA, so we can
            # only test against ourselves.
            read_public_key('pubout').write_public_key('new', 'pkcs1-%s' % fmt)
        else:
            run('openssl %s -RSAPublicKey_in -in pubout -inform %s -out new '
                '-outform pem' % (self.keyclass, fmt))

        self.check_public()
Beispiel #5
0
    def check_sign_and_verify(self):
        """Check key signing and verification"""

        with self.subTest('Sign/verify test'):
            pubkey = read_public_key('pub')
            data = os.urandom(8)

            sig = self.privkey.sign(data)
            with self.subTest('Good signature'):
                self.assertTrue(pubkey.verify(data, sig))

            badsig = bytearray(sig)
            badsig[-1] ^= 0xff
            badsig = bytes(badsig)
            with self.subTest('Bad signature'):
                self.assertFalse(pubkey.verify(data, badsig))

            with self.subTest('Empty signature'):
                self.assertFalse(
                    pubkey.verify(data,
                                  String(pubkey.algorithm) + String(b'')))

            badalg = String('xxx')
            with self.subTest('Bad algorithm'):
                self.assertFalse(pubkey.verify(data, badalg))

            with self.subTest('Sign with public key'):
                with self.assertRaises(ValueError):
                    pubkey.sign(data)
Beispiel #6
0
    def check_sign_and_verify(self):
        """Check key signing and verification"""

        with self.subTest('Sign/verify test'):
            pubkey = read_public_key('pub')
            data = os.urandom(8)

            sig = self.privkey.sign(data)
            with self.subTest('Good signature'):
                self.assertTrue(pubkey.verify(data, sig))

            badsig = bytearray(sig)
            badsig[-1] ^= 0xff
            badsig = bytes(badsig)
            with self.subTest('Bad signature'):
                self.assertFalse(pubkey.verify(data, badsig))

            with self.subTest('Empty signature'):
                self.assertFalse(pubkey.verify(data, String(pubkey.algorithm) +
                                               String(b'')))

            badalg = String('xxx')
            with self.subTest('Bad algorithm'):
                self.assertFalse(pubkey.verify(data, badalg))

            with self.subTest('Sign with public key'):
                with self.assertRaises(ValueError):
                    pubkey.sign(data)
Beispiel #7
0
    def begin_auth(self, username):
        """Handle client authentication request"""

        if self._set_keys:
            self._conn.set_authorized_keys('authorized_keys')
        else:
            self._client_key = asyncssh.read_public_key('ckey.pub')

        return True
Beispiel #8
0
    def check_public(self):
        """Check for a public key match"""

        newkey = read_public_key('new')
        self.assertEqual(newkey, self.pubkey)
        self.assertEqual(hash(newkey), hash(self.pubkey))

        run('cat new new > list')
        keylist = read_public_key_list('list')
        self.assertEqual(keylist[0], newkey)
        self.assertEqual(keylist[1], newkey)
Beispiel #9
0
    def check_public(self):
        """Check for a public key match"""

        newkey = read_public_key('new')
        self.assertEqual(newkey, self.pubkey)
        self.assertEqual(hash(newkey), hash(self.pubkey))

        run('cat new new > list')
        keylist = read_public_key_list('list')
        self.assertEqual(keylist[0], newkey)
        self.assertEqual(keylist[1], newkey)
Beispiel #10
0
    def asyncSetUpClass(cls):
        """Set up keys and an SSH server for the tests to use"""

        run('ssh-keygen -q -b 2048 -t rsa -N "" -f ckey')

        output = run('ssh-agent -a agent')
        cls._agent_pid = int(output.splitlines()[2].split()[3][:-1])

        os.environ['SSH_AUTH_SOCK'] = 'agent'
        run('ssh-add ckey')

        cls._public_key = asyncssh.read_public_key('ckey.pub')
Beispiel #11
0
    def asyncSetUpClass(cls):
        """Set up keys and an SSH server for the tests to use"""

        run('ssh-keygen -q -b 2048 -t rsa -N "" -f ckey')

        output = run('ssh-agent -a agent')
        cls._agent_pid = int(output.splitlines()[2].split()[3][:-1])

        os.environ['SSH_AUTH_SOCK'] = 'agent'
        run('ssh-add ckey')

        cls._public_key = asyncssh.read_public_key('ckey.pub')
Beispiel #12
0
def generate_user_cert(role, hostname, username, cfg):
    """Generate a Signed user cert"""
    user_key = asyncssh.read_public_key(get_user_pubkey(username))

    if cfg.get('require_host', True):
        principal = '%s@%s' % (role, hostname)
        comment = '%s-%s@%s' % (role, username, hostname)
    else:
        principal = role
        comment = '%s-%s' % (role, username)

    valid_before = cfg.get('valid_before', '2h')

    cert = ca.generate_user_certificate(user_key,
                                        username,
                                        principals=[principal],
                                        valid_before=valid_before,
                                        serial=int(time.time()),
                                        comment=comment,
                                        **permissions)
    return cert
Beispiel #13
0
def generate_user_cert(role, hostname, username):
    """Generate a Signed user cert
    KeyID: username
    Serial: Current Unix Time
    Principals: role@hostname or role
    """
    try:
        cfg = config['roles'][role]
    except KeyError:
        raise CertError(101, "Invalid role")

    if hostname and not hostname.isalnum():
        raise CertError(104, "Invalid hostname")

    if cfg.get('require_host', True) and not hostname:
        raise CertError(102, "Require hostname")

    if username not in cfg['users']:
        raise CertError(103, "Permission denied")

    user_key = asyncssh.read_public_key(get_user_pubkey(username))

    if cfg.get('require_host', True):
        principal = '%s@%s' % (role, hostname)
        comment = '%s-%s@%s' % (role, username, hostname)
    else:
        principal = role
        comment = '%s-%s' % (role, username)

    valid_before = cfg.get('valid_before', '2h')

    cert = ca.generate_user_certificate(user_key,
                                        username,
                                        principals=[principal],
                                        valid_before=valid_before,
                                        serial=int(time.time()),
                                        comment=comment,
                                        **permissions)
    return cert
Beispiel #14
0
 def check_public(self):
     newkey = read_public_key('new')
     self.assertEqual(newkey.encode_ssh_public(), self.sshpub)
Beispiel #15
0
 def check_public(self):
     newkey = read_public_key('new')
     self.assertEqual(newkey.encode_ssh_public(), self.sshpub)