def vaildate_key(key: str): try: serialization.load_ssh_private_key(str.encode(key), password=None) return True except ValueError: pass try: serialization.load_pem_private_key(str.encode(key), password=None) return True except ValueError: pass return False
def load_ssh_auth_manager(private_key_path=_DEFAULT, authorized_key_path=_DEFAULT): user_dir = os.path.expanduser('~') authorized_keys = [] # Load the authorized keys first. if authorized_key_path is _DEFAULT: authorized_key_path = os.path.join(user_dir, '.ssh', 'authorized_keys') if not authorized_key_path: authorized_key_path = '' if os.path.exists(authorized_key_path): with open(authorized_key_path, 'rb') as stm: # Read each line as an authorized key. for line in stm: try: key = load_ssh_public_key(line) authorized_keys.append(key) except Exception as exc: logger.warning("Skipping key due to error: %s", exc) # Load the private key to use here. if private_key_path is _DEFAULT: private_key_path = os.path.join(user_dir, '.ssh', 'id_ecdsa') if not os.path.exists(private_key_path): private_key_path = os.path.join(user_dir, '.ssh', 'id_rsa') if not private_key_path: private_key_path = '' if os.path.exists(private_key_path): with open(private_key_path, 'rb') as stm: private_key = load_ssh_private_key(stm.read(), password=None) return SSHAuthManager(private_key, authorized_keys)
def sign_message(self, message: str) -> bytes: """Create a signature with use of secret key for message :param message: message of which the signature is created :return: signature for the message :rtype: bytes """ if self.__KEYS['private_key'] is None: raise ValueError private_key: bytes = bytes.fromhex(self.__KEYS['private_key']) key = serialization.load_ssh_private_key(private_key, password=None, backend=default_backend()) hashed_message = hashlib.sha256(message.encode('utf-8')).hexdigest() signature = key.sign( bytes(hashed_message.encode('ascii')), padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH), hashes.SHA256()) return base64.b64encode(signature)
def decode_message(self, message: str) -> bytes: """Decode message with asymmetric keys :param message: message to be decrypted :return: decrypted message :rtype: bytes """ if self.__KEYS['private_key'] is None: raise ValueError('Key is not set') ciphertext = base64.b64decode(message) private_key: bytes = bytes.fromhex(self.__KEYS['private_key']) key = serialization.load_ssh_private_key(private_key, backend=default_backend(), password=None) plaintext = key.decrypt( ciphertext, padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None)) return base64.b64decode(plaintext)
def PostMiddleware(request, session, spec): tyk.log("This is my post middleware", "info") customerID = request.get_header('CustomerID') #tyk.log("customerID: " + customerID, "info") payload = { "customerID": "1234", "userID": "*****@*****.**", "country": "NL", "scope": "device:read" } my_secret = 'my_super_secret' private_key = open('/opt/tyk-gateway/id_rsa', 'r').read() key = serialization.load_ssh_private_key(private_key.encode(), password=b'') #token = jwt.encode( # payload=payload, # key=my_secret #) token = jwt.encode(payload=payload, key=key, algorithm='RS256') tyk.log("jwt: " + token, "info") request.add_header("Authorization", token) return request, session
def from_openssh_key(cls, buffer: AnyStr, password: Optional[AnyStr] = None) -> PrivateKey: rsa_key = serialization.load_ssh_private_key( # type: ignore cls._bytes(buffer), cls._bytes(password) if password else b'', default_backend()) return PrivateKey(rsa_key)
def cast_private_key(value: str, key_format: EncryptionKeyFormat, passphrase: Optional[str] = None) -> Optional[PrivateKey]: """ Parse a string into a valid cryptographic private key. the string can represent a file path in which the key exists, or the actual key contents. """ if value is None: return None if isinstance(value, PrivateKey.__args__): return value if passphrase is None: password = None else: password = passphrase.encode('utf-8') key_path = os.path.expanduser(value) if os.path.isfile(key_path): raw_key = open(key_path, "rb").read() else: raw_key = maybe_decode_multiline_key(value) if key_format == EncryptionKeyFormat.pem: return serialization.load_pem_private_key(raw_key, password=password, backend=default_backend()) if key_format == EncryptionKeyFormat.ssh: return serialization.load_ssh_private_key(raw_key, password=password, backend=default_backend()) if key_format == EncryptionKeyFormat.der: return serialization.load_der_private_key(raw_key, password=password, backend=default_backend())
def private_key_from_encoding(data, password=None): try: key = load_pem_private_key(data, password=password, backend=default_backend()) return key except ValueError: pass try: key = load_ssh_private_key(data, password=password, backend=default_backend()) return key except ValueError: pass try: key = load_der_private_key(data, password=password, backend=default_backend()) return key except ValueError: pass raise ValueError("Unsupported key format")
def importkey(self, phandle, pauth, objauth, privkey, objattrs=None, seal=None, alg=None, passin=None): if privkey and len(privkey) > 0: exists = os.path.isfile(privkey) if not exists: raise RuntimeError("File '%s' path is invalid or is missing" % privkey) else: sys.exit("Invalid file path") _, priv = mkstemp(prefix='', suffix='.priv', dir=self._tmp) _, pub = mkstemp(prefix='', suffix='.pub', dir=self._tmp) # If the key is an OpenSSH key, convert it to PEM format pem_priv_name = None with open(privkey, "rb") as f: privey_data = f.read() if privey_data.startswith(b'-----BEGIN OPENSSH PRIVATE KEY-----'): if passin: # Parse passin to extract the password if passin.startswith('env:'): password_bytes = os.getenvb(passin[4:].encode()) elif passin.startswith('file:'): with open(passin[5:], 'rb') as f: password_bytes = f.read() elif passin.startswith('pass:'******'ecc' elif isinstance(ssh_key, RSAPrivateKey): alg = 'rsa' else: raise NotImplementedError( "Unsupported SSH key type {}".format(type(ssh_key))) pem_key = ssh_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=enc_alg) pem_priv_fd, pem_priv_name = mkstemp(prefix='', suffix='.privpem', dir=self._tmp) os.write(pem_priv_fd, pem_key) os.close(pem_priv_fd) privkey = pem_priv_name elif alg is None: # Guess the key algorithm from the PEM header if privey_data.startswith(b'-----BEGIN EC PARAMETERS-----'): alg = 'ecc' elif privey_data.startswith(b'-----BEGIN EC PRIVATE KEY-----'): alg = 'ecc' elif privey_data.startswith(b'-----BEGIN RSA PRIVATE KEY-----'): alg = 'rsa' else: raise RuntimeError( "Unable to detect key type, use --algorithm to specify it") parent_path = str(phandle) cmd = [ 'tpm2_import', '-V', '-C', parent_path, '-i', privkey, '-u', pub, '-r', priv ] if pauth and len(pauth) > 0: cmd.extend(['-P', pauth]) if objauth and len(objauth) > 0: cmd.extend(['-p', objauth]) if objattrs != None: cmd.extend(['-a', objattrs]) if seal != None: cmd.extend(['-i', '-']) if alg != None: cmd.extend(['-G', alg]) if passin is not None: cmd.extend(['--passin', passin]) p = Popen(cmd, stdout=PIPE, stderr=PIPE, stdin=PIPE, env=os.environ) stdout, stderr = p.communicate(input=seal) rc = p.wait() if pem_priv_name is not None: os.remove(pem_priv_name) if (rc != 0): os.remove(pub) os.remove(priv) print("command: %s" % str(" ".join(cmd))) raise RuntimeError("Could not execute tpm2_import: %s" % stderr) return priv, pub, stdout
def add_ssh_key(private_key, passphrase, key_name): # type: (str, str, str) -> Optional[Callable] ssh_socket_path = os.environ.get('SSH_AUTH_SOCK') header, _, _ = private_key.partition('\n') if 'BEGIN OPENSSH PRIVATE KEY' in header: private_key = serialization.load_ssh_private_key( private_key.encode(), password=passphrase.encode() if passphrase else None) else: private_key = serialization.load_pem_private_key( private_key.encode(), password=passphrase.encode() if passphrase else None) if isinstance(private_key, rsa.RSAPrivateKey): private_numbers = private_key.private_numbers() public_numbers = private_key.public_key().public_numbers() store_payload = SSH2_AGENTC_ADD_IDENTITY.to_bytes(1, byteorder='big') store_payload += ssh_agent_encode_str('ssh-rsa') store_payload += ssh_agent_encode_long(public_numbers.n) store_payload += ssh_agent_encode_long(public_numbers.e) store_payload += ssh_agent_encode_long(private_numbers.d) store_payload += ssh_agent_encode_long(private_numbers.iqmp) store_payload += ssh_agent_encode_long(private_numbers.p) store_payload += ssh_agent_encode_long(private_numbers.q) store_payload += ssh_agent_encode_str(key_name) # windows ssh implementation does not support constrained identity # store_payload += SSH_AGENT_CONSTRAIN_LIFETIME.to_bytes(1, byteorder='big') # store_payload += int(10).to_bytes(4, byteorder='big') remove_payload = ssh_agent_encode_str('ssh-rsa') remove_payload += ssh_agent_encode_long(public_numbers.e) remove_payload += ssh_agent_encode_long(public_numbers.n) remove_payload = SSH2_AGENTC_REMOVE_IDENTITY.to_bytes( 1, byteorder='big') + ssh_agent_encode_bytes(remove_payload) elif isinstance(private_key, ec.EllipticCurvePrivateKey): private_numbers = private_key.private_numbers() curve_name = 'nistp256' store_payload = SSH2_AGENTC_ADD_IDENTITY.to_bytes(1, byteorder='big') store_payload += ssh_agent_encode_str(f'ecdsa-sha2-{curve_name}') store_payload += ssh_agent_encode_str(curve_name) public_key_bytes = private_key.public_key().public_bytes( encoding=serialization.Encoding.X962, format=serialization.PublicFormat.UncompressedPoint) store_payload += ssh_agent_encode_bytes(public_key_bytes) store_payload += ssh_agent_encode_long(private_numbers.private_value) store_payload += ssh_agent_encode_str(key_name) remove_payload = ssh_agent_encode_str(f'ecdsa-sha2-{curve_name}') remove_payload += ssh_agent_encode_str(curve_name) remove_payload += ssh_agent_encode_bytes(public_key_bytes) remove_payload = SSH2_AGENTC_REMOVE_IDENTITY.to_bytes( 1, byteorder='big') + ssh_agent_encode_bytes(remove_payload) elif isinstance(private_key, ed25519.Ed25519PrivateKey): public_key_bytes = private_key.public_key().public_bytes( encoding=serialization.Encoding.Raw, format=serialization.PublicFormat.Raw) private_key_bytes = private_key.private_bytes( encoding=serialization.Encoding.Raw, format=serialization.PrivateFormat.Raw, encryption_algorithm=serialization.NoEncryption()) store_payload = SSH2_AGENTC_ADD_IDENTITY.to_bytes(1, byteorder='big') store_payload += ssh_agent_encode_str('ssh-ed25519') store_payload += ssh_agent_encode_bytes(public_key_bytes) store_payload += ssh_agent_encode_bytes(private_key_bytes + public_key_bytes) store_payload += ssh_agent_encode_str(key_name) remove_payload = ssh_agent_encode_str('ssh-ed25519') remove_payload += ssh_agent_encode_bytes(public_key_bytes) remove_payload = SSH2_AGENTC_REMOVE_IDENTITY.to_bytes( 1, byteorder='big') + ssh_agent_encode_bytes(remove_payload) else: if private_key: key_type = type(private_key) raise Exception( f'Add ssh-key. Key type \"{key_type.__name__}\" is not supported yet.' ) else: raise Exception('Cannot load SSH private key.') if store_payload: with ConnectSshAgent(ssh_socket_path) as fd: recv_payload = fd.send(store_payload) if recv_payload and recv_payload[0] == SSH_AGENT_FAILURE: raise Exception( f'Add ssh-key. Failed to add ssh key \"{key_name}\" to ssh-agent' ) if remove_payload: def remove_key(): delete_ssh_key(remove_payload) return remove_key
def __setstate__(self, state): self.__dict__.update(state) self._private_key = serialization.load_ssh_private_key( self._private_key, password=None)