def validate(self):
"""
Verify that the contents of the certificate have been signed by the
signing key in the certificate. This only does the cryptographic
verification. Validation that the signing key is an accepted CA key
or verifying other information such as timestamps or principals is
not done here and is the responsibility of the application using the
certificate.
:return bool:
True if the certificate data was signed by the CA in the cert.
False if not.
"""
if self.signature is None or self.signature_key is None:
return False
# The signature_key is just a string containing the binary data of
# the key. This will create a message of that data, determine the key
# type from the first field, and then pass the message to the
# appropriate key class.
ca_key_msg = Message(self.signature_key)
ca_key_type = ca_key_msg.get_text()
ca_key_msg.rewind()
ca_key_class = Transport._key_info.get(ca_key_type)
if ca_key_class == None:
err = "Unknown signature key type"
raise SSHException(err)
ca_key = ca_key_class(msg=ca_key_msg)
# Create the certificate body if it hasn't been done already.
if self._body_bytes is None:
self._body_bytes = self.generate_body(ca_key, self.nonce)
return ca_key.verify_ssh_sig(self._body_bytes, Message(self.signature))
def sign_token(key_path, fingerprint, data):
# from agent
pkey = get_key_from_agent(fingerprint)
if not pkey:
# or from file (without passphrase)
# assuming '.pub' file extension
if not os.path.exists(key_path[:-4]):
raise SignatureException('WrongKeyPath')
try:
pkey = RSAKey.from_private_key_file(key_path[:-4])
except PasswordRequiredException:
raise SignatureException('EncryptedKey')
if not pkey:
raise SignatureException('KeyNotFound')
try:
# paramiko is inconsistent here in that the agent's key
# returns Message objects for 'sign_ssh_data' whereas RSAKey
# objects returns byte strings.
# Workaround: cast both return values to string and build a
# new Message object
s = str(pkey.sign_ssh_data(data))
m = Message(s)
m.rewind()
if not m.get_string() == 'ssh-rsa':
raise SignatureException('RSAKeyRequired')
return base64.b64encode(m.get_string())
except Exception:
raise SignatureException('SignatureCreateFailure')
def sign_token(key_path, fingerprint, data):
# from agent
pkey = get_key_from_agent(fingerprint)
if not pkey:
# or from file (without passphrase)
# assuming '.pub' file extension
if not os.path.exists(key_path[:-4]):
raise SignatureException('WrongKeyPath')
try:
pkey = RSAKey.from_private_key_file(key_path[:-4])
except PasswordRequiredException:
raise SignatureException('EncryptedKey')
if not pkey:
raise SignatureException('KeyNotFound')
try:
# paramiko is inconsistent here in that the agent's key
# returns Message objects for 'sign_ssh_data' whereas RSAKey
# objects returns byte strings.
# Workaround: cast both return values to string and build a
# new Message object
s = str(pkey.sign_ssh_data(data))
m = Message(s)
m.rewind()
if not m.get_string() == 'ssh-rsa':
raise SignatureException('RSAKeyRequired')
return base64.b64encode(m.get_string())
except Exception:
raise SignatureException('SignatureCreateFailure')
def _parse_ecdsa_key(msg):
# See comment for _parse_rsa_key
key_msg = Message()
curve = msg.get_text()
key_msg.add_string('ecdsa-sha2-{}'.format(curve))
key_msg.add_string(curve)
key_msg.add_string(msg.get_binary())
key_msg.rewind()
return ECDSAKey(msg=key_msg)
def test_4_misc(self):
msg = Message(self.__d)
self.assertEquals(msg.get_int(), 5)
self.assertEquals(msg.get_mpint(), 0x1122334455L)
self.assertEquals(msg.get_so_far(), self.__d[:13])
self.assertEquals(msg.get_remainder(), self.__d[13:])
msg.rewind()
self.assertEquals(msg.get_int(), 5)
self.assertEquals(msg.get_so_far(), self.__d[:4])
self.assertEquals(msg.get_remainder(), self.__d[4:])
def _parse_dsa_key(msg):
# See comment for _parse_rsa_key
key_msg = Message()
key_msg.add_string('ssh-dss')
key_msg.add_mpint(msg.get_mpint())
key_msg.add_mpint(msg.get_mpint())
key_msg.add_mpint(msg.get_mpint())
key_msg.add_mpint(msg.get_mpint())
key_msg.rewind()
return DSSKey(msg=key_msg)
def test_4_misc(self):
msg = Message(self.__d)
self.assertEquals(msg.get_int(), 5)
self.assertEquals(msg.get_mpint(), 0x1122334455)
self.assertEquals(msg.get_so_far(), self.__d[:13])
self.assertEquals(msg.get_remainder(), self.__d[13:])
msg.rewind()
self.assertEquals(msg.get_int(), 5)
self.assertEquals(msg.get_so_far(), self.__d[:4])
self.assertEquals(msg.get_remainder(), self.__d[4:])
def test_4_misc(self):
msg = Message(self.__d)
self.assertEqual(msg.get_adaptive_int(), 5)
self.assertEqual(msg.get_adaptive_int(), 0x1122334455)
self.assertEqual(msg.get_adaptive_int(), 0xf00000000000000000)
self.assertEqual(msg.get_so_far(), self.__d[:29])
self.assertEqual(msg.get_remainder(), self.__d[29:])
msg.rewind()
self.assertEqual(msg.get_adaptive_int(), 5)
self.assertEqual(msg.get_so_far(), self.__d[:4])
self.assertEqual(msg.get_remainder(), self.__d[4:])
def _parse_rsa_key(msg):
# This method avoids having to keep track of how paramiko handles keys
# or having to go into the cryptography.hazmat modules. It takes the
# parts of the key from the certificate then puts them in a Message that
# resembles a normally encoded keyh. That Message is then handed to the
# key constructor which should be able to handle the parsing.
key_msg = Message()
key_msg.add_string('ssh-rsa')
key_msg.add_mpint(msg.get_mpint())
key_msg.add_mpint(msg.get_mpint())
key_msg.rewind()
return RSAKey(msg=key_msg)
def _request_auth(self):
#if MSG_SERVICE_REQUEST already sent, do not send again
if hasattr(self.transport, '_SERVICE_REQUEST_SENT'):
#triger userauth manually
m = Message()
m.add_string('ssh-userauth')
m.rewind()
self._parse_service_accept(m)
return
m = Message()
m.add_byte(chr(MSG_SERVICE_REQUEST))
m.add_string('ssh-userauth')
self.transport._send_message(m)
self.transport._SERVICE_REQUEST_SENT = True
def __init__(self, session: 'ssh_proxy_server.session.Session', m: Message) -> None:
self.session = session
self.client_version = session.transport.remote_version
self.cookie = m.get_bytes(16) # cookie (random bytes)
self.kex_algorithms = m.get_list() # kex_algorithms
self.server_host_key_algorithms = m.get_list()
self.encryption_algorithms_client_to_server = m.get_list()
self.encryption_algorithms_server_to_client = m.get_list()
self.mac_algorithms_client_to_server = m.get_list()
self.mac_algorithms_server_to_client = m.get_list()
self.compression_algorithms_client_to_server = m.get_list()
self.compression_algorithms_server_to_client = m.get_list()
self.languages_client_to_server = m.get_list()
self.languages_server_to_client = m.get_list()
self.first_kex_packet_follows = m.get_boolean()
m.rewind()
