def test_key(self):
"""Check key import and export"""
for keytype in self.keytypes:
with self.subTest(keytype=keytype):
self.make_keypair('priv', 'pub', keytype)
self.make_keypair('privca', 'pubca', keytype)
run('chmod 600 priv privca')
if self.base_format == 'openssh':
run('cp -p pub sshpub')
else:
run('ssh-keygen -i -f pub -m %s > sshpub' %
self.base_format)
self.privkey = read_private_key('priv')
self.pubkey = read_public_key('pub')
self.privca = read_private_key('privca')
self.pubca = read_public_key('pubca')
self.check_encode_errors()
self.check_decode_errors()
self.check_sshkey_base_errors()
self.check_sign_and_verify()
if 'pkcs1' in self.private_formats:
self.check_pkcs1_private()
if 'pkcs1' in self.public_formats:
self.check_pkcs1_public()
if 'pkcs8' in self.private_formats:
self.check_pkcs8_private()
if 'pkcs8' in self.public_formats:
self.check_pkcs8_public()
if 'openssh' in self.private_formats: # pragma: no branch
self.check_openssh_private()
if 'openssh' in self.public_formats: # pragma: no branch
self.check_openssh_public()
if 'rfc4716' in self.public_formats: # pragma: no branch
self.check_rfc4716_public()
for cert_type in (CERT_TYPE_USER, CERT_TYPE_HOST):
for version in self.cert_versions:
for fmt in ('openssh', 'rfc4716'):
with self.subTest(cert_type=cert_type,
version=version, fmt=fmt):
self.check_certificate(cert_type, version, fmt)
self.check_certificate_errors(cert_type)
def test_key(self):
"""Check key import and export"""
for keytype in self.keytypes:
with self.subTest(keytype=keytype):
self.make_keypair('priv', 'pub', keytype)
self.make_keypair('privca', 'pubca', keytype)
run('chmod 600 priv privca')
if self.base_format == 'openssh':
run('cp -p pub sshpub')
else:
run('ssh-keygen -i -f pub -m %s > sshpub' %
self.base_format)
self.privkey = read_private_key('priv')
self.pubkey = read_public_key('pub')
self.privca = read_private_key('privca')
self.pubca = read_public_key('pubca')
self.check_encode_errors()
self.check_decode_errors()
self.check_sshkey_base_errors()
self.check_sign_and_verify()
if 'pkcs1' in self.private_formats:
self.check_pkcs1_private()
if 'pkcs1' in self.public_formats and _pkcs1_public_supported:
self.check_pkcs1_public()
if 'pkcs8' in self.private_formats:
self.check_pkcs8_private()
if 'pkcs8' in self.public_formats:
self.check_pkcs8_public()
if 'openssh' in self.private_formats: # pragma: no branch
self.check_openssh_private()
if 'openssh' in self.public_formats: # pragma: no branch
self.check_openssh_public()
if 'rfc4716' in self.public_formats: # pragma: no branch
self.check_rfc4716_public()
for cert_type in (CERT_TYPE_USER, CERT_TYPE_HOST):
for fmt in ('openssh', 'rfc4716'):
with self.subTest(cert_type=cert_type, fmt=fmt):
self.check_certificate(cert_type, fmt)
self.check_certificate_errors(cert_type)
def export_pkcs1_public(self, fmt):
"""Check export of a PKCS#1 public key"""
self.privkey.write_public_key('pubout', 'pkcs1-%s' % fmt)
if self.keyclass == 'dsa':
# OpenSSL no longer has support for PKCS#1 DSA, so we can
# only test against ourselves.
read_public_key('pubout').write_public_key('new', 'pkcs1-%s' % fmt)
else:
run('openssl %s -RSAPublicKey_in -in pubout -inform %s -out new '
'-outform pem' % (self.keyclass, fmt))
self.check_public()
def export_pkcs1_public(self, fmt):
"""Check export of a PKCS#1 public key"""
self.privkey.write_public_key('pubout', 'pkcs1-%s' % fmt)
if self.keyclass == 'dsa':
# OpenSSL no longer has support for PKCS#1 DSA, so we can
# only test against ourselves.
read_public_key('pubout').write_public_key('new', 'pkcs1-%s' % fmt)
else:
run('openssl %s -RSAPublicKey_in -in pubout -inform %s -out new '
'-outform pem' % (self.keyclass, fmt))
self.check_public()
def check_sign_and_verify(self):
"""Check key signing and verification"""
with self.subTest('Sign/verify test'):
pubkey = read_public_key('pub')
data = os.urandom(8)
sig = self.privkey.sign(data)
with self.subTest('Good signature'):
self.assertTrue(pubkey.verify(data, sig))
badsig = bytearray(sig)
badsig[-1] ^= 0xff
badsig = bytes(badsig)
with self.subTest('Bad signature'):
self.assertFalse(pubkey.verify(data, badsig))
with self.subTest('Empty signature'):
self.assertFalse(
pubkey.verify(data,
String(pubkey.algorithm) + String(b'')))
badalg = String('xxx')
with self.subTest('Bad algorithm'):
self.assertFalse(pubkey.verify(data, badalg))
with self.subTest('Sign with public key'):
with self.assertRaises(ValueError):
pubkey.sign(data)
def check_sign_and_verify(self):
"""Check key signing and verification"""
with self.subTest('Sign/verify test'):
pubkey = read_public_key('pub')
data = os.urandom(8)
sig = self.privkey.sign(data)
with self.subTest('Good signature'):
self.assertTrue(pubkey.verify(data, sig))
badsig = bytearray(sig)
badsig[-1] ^= 0xff
badsig = bytes(badsig)
with self.subTest('Bad signature'):
self.assertFalse(pubkey.verify(data, badsig))
with self.subTest('Empty signature'):
self.assertFalse(pubkey.verify(data, String(pubkey.algorithm) +
String(b'')))
badalg = String('xxx')
with self.subTest('Bad algorithm'):
self.assertFalse(pubkey.verify(data, badalg))
with self.subTest('Sign with public key'):
with self.assertRaises(ValueError):
pubkey.sign(data)
def begin_auth(self, username):
"""Handle client authentication request"""
if self._set_keys:
self._conn.set_authorized_keys('authorized_keys')
else:
self._client_key = asyncssh.read_public_key('ckey.pub')
return True
def check_public(self):
"""Check for a public key match"""
newkey = read_public_key('new')
self.assertEqual(newkey, self.pubkey)
self.assertEqual(hash(newkey), hash(self.pubkey))
run('cat new new > list')
keylist = read_public_key_list('list')
self.assertEqual(keylist[0], newkey)
self.assertEqual(keylist[1], newkey)
def check_public(self):
"""Check for a public key match"""
newkey = read_public_key('new')
self.assertEqual(newkey, self.pubkey)
self.assertEqual(hash(newkey), hash(self.pubkey))
run('cat new new > list')
keylist = read_public_key_list('list')
self.assertEqual(keylist[0], newkey)
self.assertEqual(keylist[1], newkey)
def asyncSetUpClass(cls):
"""Set up keys and an SSH server for the tests to use"""
run('ssh-keygen -q -b 2048 -t rsa -N "" -f ckey')
output = run('ssh-agent -a agent')
cls._agent_pid = int(output.splitlines()[2].split()[3][:-1])
os.environ['SSH_AUTH_SOCK'] = 'agent'
run('ssh-add ckey')
cls._public_key = asyncssh.read_public_key('ckey.pub')
def asyncSetUpClass(cls):
"""Set up keys and an SSH server for the tests to use"""
run('ssh-keygen -q -b 2048 -t rsa -N "" -f ckey')
output = run('ssh-agent -a agent')
cls._agent_pid = int(output.splitlines()[2].split()[3][:-1])
os.environ['SSH_AUTH_SOCK'] = 'agent'
run('ssh-add ckey')
cls._public_key = asyncssh.read_public_key('ckey.pub')
def generate_user_cert(role, hostname, username, cfg):
"""Generate a Signed user cert"""
user_key = asyncssh.read_public_key(get_user_pubkey(username))
if cfg.get('require_host', True):
principal = '%s@%s' % (role, hostname)
comment = '%s-%s@%s' % (role, username, hostname)
else:
principal = role
comment = '%s-%s' % (role, username)
valid_before = cfg.get('valid_before', '2h')
cert = ca.generate_user_certificate(user_key,
username,
principals=[principal],
valid_before=valid_before,
serial=int(time.time()),
comment=comment,
**permissions)
return cert
def generate_user_cert(role, hostname, username):
"""Generate a Signed user cert
KeyID: username
Serial: Current Unix Time
Principals: role@hostname or role
"""
try:
cfg = config['roles'][role]
except KeyError:
raise CertError(101, "Invalid role")
if hostname and not hostname.isalnum():
raise CertError(104, "Invalid hostname")
if cfg.get('require_host', True) and not hostname:
raise CertError(102, "Require hostname")
if username not in cfg['users']:
raise CertError(103, "Permission denied")
user_key = asyncssh.read_public_key(get_user_pubkey(username))
if cfg.get('require_host', True):
principal = '%s@%s' % (role, hostname)
comment = '%s-%s@%s' % (role, username, hostname)
else:
principal = role
comment = '%s-%s' % (role, username)
valid_before = cfg.get('valid_before', '2h')
cert = ca.generate_user_certificate(user_key,
username,
principals=[principal],
valid_before=valid_before,
serial=int(time.time()),
comment=comment,
**permissions)
return cert
def check_public(self):
newkey = read_public_key('new')
self.assertEqual(newkey.encode_ssh_public(), self.sshpub)
def check_public(self):
newkey = read_public_key('new')
self.assertEqual(newkey.encode_ssh_public(), self.sshpub)