def test_load_ssh_public_key_ecdsa_nist_p256_missing_data(self, backend):
ssh_key = (
b"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAy"
b"NTYAAABBBGG2MfkHXp0UkxUyllDzWNBAImsvt5t7pFtTXegZK2WbGxml8zMrgWi5"
b"teIg1TO03/FD9hbpBFgBeix3NrCF= root@cloud-server-01"
)
with pytest.raises(ValueError):
load_ssh_public_key(ssh_key, backend)
def test_load_ssh_public_key_ecdsa_nist_p256_bad_curve_name(self, backend):
ssh_key = (
# The curve name in here is changed to be "nistp255".
b"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAy"
b"NTUAAABBBGG2MfkHXp0UkxUyllDzWNBAImsvt5t7pFtTXegZK2WbGxml8zMrgWi5"
b"teIg1TO03/FD9hbpBFgBeix3NrCFPls= root@cloud-server-01"
)
with pytest.raises(ValueError):
load_ssh_public_key(ssh_key, backend)
def test_load_ssh_public_key_ecdsa_nist_p256_compressed(self, backend):
# If we ever implement compressed points, note that this is not a valid
# one, it just has the compressed marker in the right place.
ssh_key = (
b"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAy"
b"NTYAAABBAWG2MfkHXp0UkxUyllDzWNBAImsvt5t7pFtTXegZK2WbGxml8zMrgWi5"
b"teIg1TO03/FD9hbpBFgBeix3NrCFPls= root@cloud-server-01"
)
with pytest.raises(NotImplementedError):
load_ssh_public_key(ssh_key, backend)
def test_load_ssh_public_key_truncated_int(self, backend):
ssh_key = b'ssh-rsa AAAAB3NzaC1yc2EAAAA='
with pytest.raises(ValueError):
load_ssh_public_key(ssh_key, backend)
ssh_key = b'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAACKr+IHXo'
with pytest.raises(ValueError):
load_ssh_public_key(ssh_key, backend)
def test_load_ssh_public_key_rsa_extra_data_after_modulo(self, backend):
ssh_key = (
b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDu/XRP1kyK6Cgt36gts9XAk"
b"FiiuJLW6RU0j3KKVZSs1I7Z3UmU9/9aVh/rZV43WQG8jaR6kkcP4stOR0DEtll"
b"PDA7ZRBnrfiHpSQYQ874AZaAoIjgkv7DBfsE6gcDQLub0PFjWyrYQUJhtOLQEK"
b"vY/G0vt2iRL3juawWmCFdTK3W3XvwAdgGk71i6lHt+deOPNEPN2H58E4odrZ2f"
b"sxn/adpDqfb2sM0kPwQs0aWvrrKGvUaustkivQE4XWiSFnB0oJB/lKK/CKVKuy"
b"///ImSCGHQRvhwariN2tvZ6CBNSLh3iQgeB0AkyJlng7MXB2qYq/Ci2FUOryCX"
b"2MzHvnbvAQ== testkey@localhost"
)
with pytest.raises(ValueError):
load_ssh_public_key(ssh_key, backend)
def test_load_ssh_public_key_rsa_different_string(self, backend):
ssh_key = (
# "AAAAB3NzA" the final A is capitalized here to cause the string
# ssh-rsa inside the base64 encoded blob to be incorrect. It should
# be a lower case 'a'.
b"ssh-rsa AAAAB3NzAC1yc2EAAAADAQABAAABAQDDu/XRP1kyK6Cgt36gts9XAk"
b"FiiuJLW6RU0j3KKVZSs1I7Z3UmU9/9aVh/rZV43WQG8jaR6kkcP4stOR0DEtll"
b"PDA7ZRBnrfiHpSQYQ874AZaAoIjgkv7DBfsE6gcDQLub0PFjWyrYQUJhtOLQEK"
b"vY/G0vt2iRL3juawWmCFdTK3W3XvwAdgGk71i6lHt+deOPNEPN2H58E4odrZ2f"
b"sxn/adpDqfb2sM0kPwQs0aWvrrKGvUaustkivQE4XWiSFnB0oJB/lKK/CKVKuy"
b"///ImSCGHQRvhwariN2tvZ6CBNSLh3iQgeB0AkyJlng7MXB2qYq/Ci2FUOryCX"
b"2MzHvnbvAQ== testkey@localhost"
)
with pytest.raises(ValueError):
load_ssh_public_key(ssh_key, backend)
def test_load_ssh_public_key_dss_comment_with_spaces(self, backend):
ssh_key = (
b"ssh-dss AAAAB3NzaC1kc3MAAACBALmwUtfwdjAUjU2Dixd5DvT0NDcjjr69UD"
b"LqSD/Xt5Al7D3GXr1WOrWGpjO0NE9qzRCvMTU7zykRH6XjuNXB6Hvv48Zfm4vm"
b"nHQHFmmMg2bI75JbnOwdzWnnPZJrVU4rS23dFFPqs5ug+EbhVVrcwzxahjcSjJ"
b"7WEQSkVQWnSPbbAAAAFQDXmpD3DIkGvLSBf1GdUF4PHKtUrQAAAIB/bJFwss+2"
b"fngmfG/Li5OyL7A9iVoGdkUaFaxEUROTp7wkm2z49fXFAir+/U31v50Tu98YLf"
b"WvKlxdHcdgQYV9Ww5LIrhWwwD4UKOwC6w5S3KHVbi3pWUi7vxJFXOWfeu1mC/J"
b"TWqMKR91j+rmOtdppWIZRyIVIqLcMdGO3m+2VgAAAIANFDz5KQH5NvoljpoRQi"
b"RgyPjxWXiE7vjLElKj4v8KrpanAywBzdhIW1y/tzpGuwRwj5ihi8iNTHgSsoTa"
b"j5AG5HPomJf5vJElxpu/2O9pHA52wcNObIQ7j+JA5uWusxNIbl+pF6sSiP8abr"
b"z53N7tPF/IhHTjBHb1Ol7IFu9p9A== testkey@localhost extra"
)
load_ssh_public_key(ssh_key, backend)
def __init__(self, ssh_public_key):
"""
Extracts the useful RSA Public Key information from an SSH Public Key file.
:param ssh_public_key: SSH Public Key file contents. (i.e. 'ssh-rsa AAAAB3NzaC1yc2E..').
"""
super(RSAPublicKey, self).__init__()
self.type = SSHPublicKeyType.RSA
split_ssh_public_key = ssh_public_key.split(' ')
split_key_len = len(split_ssh_public_key)
# is there a key comment at the end?
if split_key_len > 2:
self.key_comment = ' '.join(split_ssh_public_key[2:])
else:
self.key_comment = ''
public_key = serialization.load_ssh_public_key(ssh_public_key.encode('ascii'), default_backend())
ca_pub_numbers = public_key.public_numbers()
if not isinstance(ca_pub_numbers, RSAPublicNumbers):
raise TypeError("Public Key is not the correct type or format")
self.key_size = public_key.key_size
self.e = ca_pub_numbers.e
self.n = ca_pub_numbers.n
key_bytes = base64.b64decode(split_ssh_public_key[1])
fingerprint = hashlib.md5(key_bytes).hexdigest()
self.fingerprint = 'RSA ' + ':'.join(
fingerprint[i:i + 2] for i in range(0, len(fingerprint), 2))
def test_load_ssh_public_key_rsa(self, backend):
ssh_key = (
b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDu/XRP1kyK6Cgt36gts9XAk"
b"FiiuJLW6RU0j3KKVZSs1I7Z3UmU9/9aVh/rZV43WQG8jaR6kkcP4stOR0DEtll"
b"PDA7ZRBnrfiHpSQYQ874AZaAoIjgkv7DBfsE6gcDQLub0PFjWyrYQUJhtOLQEK"
b"vY/G0vt2iRL3juawWmCFdTK3W3XvwAdgGk71i6lHt+deOPNEPN2H58E4odrZ2f"
b"sxn/adpDqfb2sM0kPwQs0aWvrrKGvUaustkivQE4XWiSFnB0oJB/lKK/CKVKuy"
b"///ImSCGHQRvhwariN2tvZ6CBNSLh3iQgeB0AkyJlng7MXB2qYq/Ci2FUOryCX"
b"2MzHvnbv testkey@localhost"
)
key = load_ssh_public_key(ssh_key, backend)
assert key is not None
assert isinstance(key, rsa.RSAPublicKey)
numbers = key.public_numbers()
expected_e = 0x10001
expected_n = int(
'00C3BBF5D13F59322BA0A0B77EA0B6CF570241628AE24B5BA454D'
'23DCA295652B3523B67752653DFFD69587FAD9578DD6406F23691'
'EA491C3F8B2D391D0312D9653C303B651067ADF887A5241843CEF'
'8019680A088E092FEC305FB04EA070340BB9BD0F1635B2AD84142'
'61B4E2D010ABD8FC6D2FB768912F78EE6B05A60857532B75B75EF'
'C007601A4EF58BA947B7E75E38F3443CDD87E7C138A1DAD9D9FB3'
'19FF69DA43A9F6F6B0CD243F042CD1A5AFAEB286BD46AEB2D922B'
'D01385D6892167074A0907F94A2BF08A54ABB2FFFFC89920861D0'
'46F8706AB88DDADBD9E8204D48B87789081E074024C8996783B31'
'7076A98ABF0A2D8550EAF2097D8CCC7BE76EF', 16)
expected = rsa.RSAPublicNumbers(expected_e, expected_n)
assert numbers == expected
def _get_publickey(path):
with open(path, 'rb') as kfile:
pk = serialization.load_ssh_public_key(
kfile.read(),
backend=default_backend()
)
return pk
def prepare_key(key_path, key_type=None):
if key_type is None:
key_type = 'pub'
try:
assert key_type.strip().lower() in PUB_TYPES + PRIV_TYPES
except:
raise ValueError("The type of key is not qualified. " + key_type)
if key_type in PUB_TYPES:
with open(key_path, 'rb') as pk_stream:
key = serialization.load_ssh_public_key(
data=pk_stream.read(),
backend=default_backend()
)
elif key_type in PRIV_TYPES:
with open(key_path, 'rb') as sk_stream:
key = serialization.load_pem_private_key(
data=sk_stream.read(),
password=None,
backend=default_backend()
)
else:
key = None
return key
def test_generate_key_pair_1024_bits(self):
bits = 1024
(private_key, public_key, fingerprint) = crypto.generate_key_pair(bits)
pub_bytes = public_key.encode('utf-8')
pkey = serialization.load_ssh_public_key(
pub_bytes, backends.default_backend())
self.assertEqual(bits, pkey.key_size)
def test_encode_decode_with_rsa_sha512(self):
# PEM-formatted RSA key
with open('tests/testkey_rsa', 'r') as rsa_priv_file:
priv_rsakey = load_pem_private_key(ensure_bytes(rsa_priv_file.read()),
password=None, backend=default_backend())
jwt_message = jwt.encode(self.payload, priv_rsakey,
algorithm='RS512')
with open('tests/testkey_rsa.pub', 'r') as rsa_pub_file:
pub_rsakey = load_ssh_public_key(ensure_bytes(rsa_pub_file.read()),
backend=default_backend())
assert jwt.decode(jwt_message, pub_rsakey)
load_output = jwt.load(jwt_message)
jwt.verify_signature(key=pub_rsakey, *load_output)
# string-formatted key
with open('tests/testkey_rsa', 'r') as rsa_priv_file:
priv_rsakey = rsa_priv_file.read()
jwt_message = jwt.encode(self.payload, priv_rsakey,
algorithm='RS512')
with open('tests/testkey_rsa.pub', 'r') as rsa_pub_file:
pub_rsakey = rsa_pub_file.read()
assert jwt.decode(jwt_message, pub_rsakey)
load_output = jwt.load(jwt_message)
jwt.verify_signature(key=pub_rsakey, *load_output)
def validate(self, request):
"""Validate uploaded test results."""
super(TestResultValidator, self).validate(request)
if request.headers.get('X-Signature') or \
request.headers.get('X-Public-Key'):
try:
sign = binascii.a2b_hex(request.headers.get('X-Signature', ''))
except (binascii.Error, TypeError) as e:
raise api_exc.ValidationError('Malformed signature', e)
try:
key = load_ssh_public_key(
request.headers.get('X-Public-Key', ''),
backend=backends.default_backend()
)
except (binascii.Error, ValueError) as e:
raise api_exc.ValidationError('Malformed public key', e)
verifier = key.verifier(sign, padding.PKCS1v15(), hashes.SHA256())
verifier.update(request.body)
try:
verifier.verify()
except InvalidSignature:
raise api_exc.ValidationError('Signature verification failed')
if self._is_empty_result(request):
raise api_exc.ValidationError('Uploaded results must contain at '
'least one passing test.')
def validate(self, request):
"""Validate uploaded test results."""
super(PubkeyValidator, self).validate(request)
body = json.loads(request.body.decode('utf-8'))
key_format = body['raw_key'].strip().split()[0]
if key_format not in ('ssh-dss', 'ssh-rsa',
'pgp-sign-rsa', 'pgp-sign-dss'):
raise api_exc.ValidationError('Public key has unsupported format')
try:
sign = binascii.a2b_hex(body['self_signature'])
except (binascii.Error, TypeError) as e:
raise api_exc.ValidationError('Malformed signature', e)
try:
key = load_ssh_public_key(body['raw_key'].encode('utf-8'),
backend=backends.default_backend())
except (binascii.Error, ValueError) as e:
raise api_exc.ValidationError('Malformed public key', e)
verifier = key.verifier(sign, padding.PKCS1v15(), hashes.SHA256())
verifier.update('signature'.encode('utf-8'))
try:
verifier.verify()
except InvalidSignature:
raise api_exc.ValidationError('Signature verification failed')
def test_load_ssh_public_key_ecdsa_nist_p521(self, backend):
_skip_curve_unsupported(backend, ec.SECP521R1())
ssh_key = (
b"ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1"
b"MjEAAACFBAGTrRhMSEgF6Ni+PXNz+5fjS4lw3ypUILVVQ0Av+0hQxOx+MyozELon"
b"I8NKbrbBjijEs1GuImsmkTmWsMXS1j2A7wB4Kseh7W9KA9IZJ1+TMrzWUEwvOOXi"
b"wT23pbaWWXG4NaM7vssWfZBnvz3S174TCXnJ+DSccvWBFnKP0KchzLKxbg== "
b"root@cloud-server-01"
)
key = load_ssh_public_key(ssh_key, backend)
expected_x = int(
"54124123120178189598842622575230904027376313369742467279346415219"
"77809037378785192537810367028427387173980786968395921877911964629"
"142163122798974160187785455", 10
)
expected_y = int(
"16111775122845033200938694062381820957441843014849125660011303579"
"15284560361402515564433711416776946492019498546572162801954089916"
"006665939539407104638103918", 10
)
assert key.public_numbers() == ec.EllipticCurvePublicNumbers(
expected_x, expected_y, ec.SECP521R1()
)
def test_load_ssh_public_key_dss_different_string(self, backend):
ssh_key = (
# "AAAAB3NzA" the final A is capitalized here to cause the string
# ssh-dss inside the base64 encoded blob to be incorrect. It should
# be a lower case 'a'.
b"ssh-dss AAAAB3NzAC1kc3MAAACBALmwUtfwdjAUjU2Dixd5DvT0NDcjjr69UD"
b"LqSD/Xt5Al7D3GXr1WOrWGpjO0NE9qzRCvMTU7zykRH6XjuNXB6Hvv48Zfm4vm"
b"nHQHFmmMg2bI75JbnOwdzWnnPZJrVU4rS23dFFPqs5ug+EbhVVrcwzxahjcSjJ"
b"7WEQSkVQWnSPbbAAAAFQDXmpD3DIkGvLSBf1GdUF4PHKtUrQAAAIB/bJFwss+2"
b"fngmfG/Li5OyL7A9iVoGdkUaFaxEUROTp7wkm2z49fXFAir+/U31v50Tu98YLf"
b"WvKlxdHcdgQYV9Ww5LIrhWwwD4UKOwC6w5S3KHVbi3pWUi7vxJFXOWfeu1mC/J"
b"TWqMKR91j+rmOtdppWIZRyIVIqLcMdGO3m+2VgAAAIANFDz5KQH5NvoljpoRQi"
b"RgyPjxWXiE7vjLElKj4v8KrpanAywBzdhIW1y/tzpGuwRwj5ihi8iNTHgSsoTa"
b"j5AG5HPomJf5vJElxpu/2O9pHA52wcNObIQ7j+JA5uWusxNIbl+pF6sSiP8abr"
b"z53N7tPF/IhHTjBHb1Ol7IFu9p9A== testkey@localhost"
)
with pytest.raises(ValueError):
load_ssh_public_key(ssh_key, backend)
def build_signature_verifier(cls, public_key_binary, signature):
public_key = crypto_serial.load_ssh_public_key(
public_key_binary, crypto_backend()
)
return public_key.verifier(
signature,
crypto_padding.PKCS1v15(),
crypto_hashes.SHA512()
)
def generate_fingerprint(public_key):
try:
pub_bytes = public_key.encode('utf-8')
# Test that the given public_key string is a proper ssh key. The
# returned object is unused since pyca/cryptography does not have a
# fingerprint method.
serialization.load_ssh_public_key(
pub_bytes, backends.default_backend())
pub_data = base64.b64decode(public_key.split(' ')[1])
digest = hashes.Hash(hashes.MD5(), backends.default_backend())
digest.update(pub_data)
md5hash = digest.finalize()
raw_fp = binascii.hexlify(md5hash)
if six.PY3:
raw_fp = raw_fp.decode('ascii')
return ':'.join(a + b for a, b in zip(raw_fp[::2], raw_fp[1::2]))
except Exception:
raise exception.InvalidKeypair(
reason=_('failed to generate fingerprint'))
def decode_token(request):
"""Validate request signature.
ValidationError rises if request is not valid.
"""
if not request.headers.get(const.JWT_TOKEN_HEADER):
return
try:
auth_schema, token = request.headers.get(
const.JWT_TOKEN_HEADER).split(' ', 1)
except ValueError:
raise api_exc.ValidationError("Token is not valid")
if auth_schema != 'Bearer':
raise api_exc.ValidationError(
"Authorization schema 'Bearer' should be used")
try:
token_data = jwt.decode(token, algorithms='RS256', verify=False)
except jwt.InvalidTokenError:
raise api_exc.ValidationError("Token is not valid")
openid = token_data.get(const.USER_OPENID)
if not openid:
raise api_exc.ValidationError("Token does not contain user's openid")
pubkeys = db.get_user_pubkeys(openid)
for pubkey in pubkeys:
try:
pubkey_string = '%s %s' % (pubkey['format'], pubkey['pubkey'])
pubkey_obj = serialization.load_ssh_public_key(
pubkey_string.encode('utf-8'),
backend=backends.default_backend()
)
pem_pubkey = pubkey_obj.public_bytes(
serialization.Encoding.PEM,
serialization.PublicFormat.SubjectPublicKeyInfo)
except (ValueError, IndexError, TypeError, binascii.Error):
pass
else:
try:
token_data = jwt.decode(
token, key=pem_pubkey,
options={'verify_signature': True,
'verify_exp': True,
'require_exp': True},
leeway=const.JWT_VALIDATION_LEEWAY)
# NOTE(sslipushenko) If at least one key is valid, let
# the validation pass
return token_data
except jwt.InvalidTokenError:
pass
# NOTE(sslipushenko) If all user's keys are not valid, the validation fails
raise api_exc.ValidationError("Token is not valid")
def ssh_encrypt_text(ssh_public_key, text):
"""Encrypt text with an ssh public key.
If text is a Unicode string, encode it to UTF-8.
"""
if isinstance(text, six.text_type):
text = text.encode('utf-8')
try:
pub_bytes = ssh_public_key.encode('utf-8')
pub_key = serialization.load_ssh_public_key(
pub_bytes, backends.default_backend())
return pub_key.encrypt(text, padding.PKCS1v15())
except Exception as exc:
raise exception.EncryptionFailure(reason=six.text_type(exc))
def __init__(self,
public=None,
private=None,
sep=':',
salt=None,
max_delta=60):
assert public or private, "Must provide either a public key or a private key, or both."
self.private_key = None if not private else serialization.load_der_private_key(
private, None, default_backend())
self.public_key = None if not public else serialization.load_ssh_public_key(
public, default_backend())
self.sep = sep
self.salt = salt or 'ca.clsi.cmcf'
self.max_delta = max_delta
def ssh_encrypt_text(ssh_public_key, text):
"""Encrypt text with an ssh public key.
If text is a Unicode string, encode it to UTF-8.
"""
if isinstance(text, six.text_type):
text = text.encode('utf-8')
try:
pub_bytes = ssh_public_key.encode('utf-8')
pub_key = serialization.load_ssh_public_key(
pub_bytes, backends.default_backend())
return pub_key.encrypt(text, padding.PKCS1v15())
except Exception as exc:
raise exception.EncryptionFailure(reason=six.text_type(exc))
def test_load_ssh_public_key_dss(self, backend):
ssh_key = (
b"ssh-dss AAAAB3NzaC1kc3MAAACBALmwUtfwdjAUjU2Dixd5DvT0NDcjjr69UD"
b"LqSD/Xt5Al7D3GXr1WOrWGpjO0NE9qzRCvMTU7zykRH6XjuNXB6Hvv48Zfm4vm"
b"nHQHFmmMg2bI75JbnOwdzWnnPZJrVU4rS23dFFPqs5ug+EbhVVrcwzxahjcSjJ"
b"7WEQSkVQWnSPbbAAAAFQDXmpD3DIkGvLSBf1GdUF4PHKtUrQAAAIB/bJFwss+2"
b"fngmfG/Li5OyL7A9iVoGdkUaFaxEUROTp7wkm2z49fXFAir+/U31v50Tu98YLf"
b"WvKlxdHcdgQYV9Ww5LIrhWwwD4UKOwC6w5S3KHVbi3pWUi7vxJFXOWfeu1mC/J"
b"TWqMKR91j+rmOtdppWIZRyIVIqLcMdGO3m+2VgAAAIANFDz5KQH5NvoljpoRQi"
b"RgyPjxWXiE7vjLElKj4v8KrpanAywBzdhIW1y/tzpGuwRwj5ihi8iNTHgSsoTa"
b"j5AG5HPomJf5vJElxpu/2O9pHA52wcNObIQ7j+JA5uWusxNIbl+pF6sSiP8abr"
b"z53N7tPF/IhHTjBHb1Ol7IFu9p9A== testkey@localhost"
)
key = load_ssh_public_key(ssh_key, backend)
assert key is not None
assert isinstance(key, dsa.DSAPublicKey)
numbers = key.public_numbers()
expected_y = int(
"d143cf92901f936fa258e9a11422460c8f8f1597884eef8cb1252a3e2ff0aae"
"96a7032c01cdd8485b5cbfb73a46bb04708f98a18bc88d4c7812b284da8f900"
"6e473e89897f9bc9125c69bbfd8ef691c0e76c1c34e6c843b8fe240e6e5aeb3"
"13486e5fa917ab1288ff1a6ebcf9dcdeed3c5fc88474e30476f53a5ec816ef6"
"9f4", 16
)
expected_p = int(
"b9b052d7f07630148d4d838b17790ef4f43437238ebebd5032ea483fd7b7902"
"5ec3dc65ebd563ab586a633b4344f6acd10af31353bcf29111fa5e3b8d5c1e8"
"7befe3c65f9b8be69c740716698c8366c8ef925b9cec1dcd69e73d926b554e2"
"b4b6ddd1453eab39ba0f846e1555adcc33c5a8637128c9ed61104a45505a748"
"f6db", 16
)
expected_q = 1230879958723280233885494314531920096931919647917
expected_g = int(
"7f6c9170b2cfb67e78267c6fcb8b93b22fb03d895a0676451a15ac44511393a"
"7bc249b6cf8f5f5c5022afefd4df5bf9d13bbdf182df5af2a5c5d1dc7604185"
"7d5b0e4b22b856c300f850a3b00bac394b728755b8b7a56522eefc491573967"
"debb5982fc94d6a8c291f758feae63ad769a5621947221522a2dc31d18ede6f"
"b656", 16
)
expected = dsa.DSAPublicNumbers(
expected_y,
dsa.DSAParameterNumbers(expected_p, expected_q, expected_g)
)
assert numbers == expected
def test_load_ssh_public_key_dss(self, backend):
ssh_key = (
b"ssh-dss AAAAB3NzaC1kc3MAAACBALmwUtfwdjAUjU2Dixd5DvT0NDcjjr69UD"
b"LqSD/Xt5Al7D3GXr1WOrWGpjO0NE9qzRCvMTU7zykRH6XjuNXB6Hvv48Zfm4vm"
b"nHQHFmmMg2bI75JbnOwdzWnnPZJrVU4rS23dFFPqs5ug+EbhVVrcwzxahjcSjJ"
b"7WEQSkVQWnSPbbAAAAFQDXmpD3DIkGvLSBf1GdUF4PHKtUrQAAAIB/bJFwss+2"
b"fngmfG/Li5OyL7A9iVoGdkUaFaxEUROTp7wkm2z49fXFAir+/U31v50Tu98YLf"
b"WvKlxdHcdgQYV9Ww5LIrhWwwD4UKOwC6w5S3KHVbi3pWUi7vxJFXOWfeu1mC/J"
b"TWqMKR91j+rmOtdppWIZRyIVIqLcMdGO3m+2VgAAAIANFDz5KQH5NvoljpoRQi"
b"RgyPjxWXiE7vjLElKj4v8KrpanAywBzdhIW1y/tzpGuwRwj5ihi8iNTHgSsoTa"
b"j5AG5HPomJf5vJElxpu/2O9pHA52wcNObIQ7j+JA5uWusxNIbl+pF6sSiP8abr"
b"z53N7tPF/IhHTjBHb1Ol7IFu9p9A== testkey@localhost"
)
key = load_ssh_public_key(ssh_key, backend)
assert key is not None
assert isinstance(key, dsa.DSAPublicKey)
numbers = key.public_numbers()
expected_y = int(
"d143cf92901f936fa258e9a11422460c8f8f1597884eef8cb1252a3e2ff0aae"
"96a7032c01cdd8485b5cbfb73a46bb04708f98a18bc88d4c7812b284da8f900"
"6e473e89897f9bc9125c69bbfd8ef691c0e76c1c34e6c843b8fe240e6e5aeb3"
"13486e5fa917ab1288ff1a6ebcf9dcdeed3c5fc88474e30476f53a5ec816ef6"
"9f4", 16
)
expected_p = int(
"b9b052d7f07630148d4d838b17790ef4f43437238ebebd5032ea483fd7b7902"
"5ec3dc65ebd563ab586a633b4344f6acd10af31353bcf29111fa5e3b8d5c1e8"
"7befe3c65f9b8be69c740716698c8366c8ef925b9cec1dcd69e73d926b554e2"
"b4b6ddd1453eab39ba0f846e1555adcc33c5a8637128c9ed61104a45505a748"
"f6db", 16
)
expected_q = 1230879958723280233885494314531920096931919647917
expected_g = int(
"7f6c9170b2cfb67e78267c6fcb8b93b22fb03d895a0676451a15ac44511393a"
"7bc249b6cf8f5f5c5022afefd4df5bf9d13bbdf182df5af2a5c5d1dc7604185"
"7d5b0e4b22b856c300f850a3b00bac394b728755b8b7a56522eefc491573967"
"debb5982fc94d6a8c291f758feae63ad769a5621947221522a2dc31d18ede6f"
"b656", 16
)
expected = dsa.DSAPublicNumbers(
expected_y,
dsa.DSAParameterNumbers(expected_p, expected_q, expected_g)
)
assert numbers == expected
def load_public_key_from_disc(openssh_file: str) -> rsa.RSAPublicKey:
"""
Loads a pem file into a RSAPublicKey Object.
:param openssh_file: The file containing the public RSA key
:return: RSAPublicKey Object.
"""
try:
with open(openssh_file, "rb") as key_file:
public_key = serialization.load_ssh_public_key(
key_file.read(), backend=default_backend())
return public_key
except:
print("Error reading the pem file.")
return None
def rsa_encrypt(data, rsa_pub_key_bytes):
"""
`rsa_pub_key_bytes` is a byte sequence with the public key
"""
if isinstance(data, text_type):
data = data.encode('utf-8')
if isinstance(rsa_pub_key_bytes, text_type):
rsa_pub_key_bytes = rsa_pub_key_bytes.encode('utf-8')
if rsa_pub_key_bytes.startswith(b'-----'):
key = serialization.load_pem_public_key(rsa_pub_key_bytes, backend=default_backend())
elif rsa_pub_key_bytes.startswith(b'ssh-rsa '):
key = serialization.load_ssh_public_key(rsa_pub_key_bytes, backend=default_backend())
else:
key = serialization.load_der_public_key(rsa_pub_key_bytes, backend=default_backend())
return key.encrypt(data, OAEP(MGF1(SHA1()), SHA1(), label=None))
def rsa_encrypt(data, rsa_pub_key_bytes):
"""
`rsa_pub_key_bytes` is a byte sequence with the public key
"""
if isinstance(data, text_type):
data = data.encode('utf-8')
if isinstance(rsa_pub_key_bytes, text_type):
rsa_pub_key_bytes = rsa_pub_key_bytes.encode('utf-8')
if rsa_pub_key_bytes.startswith(b'-----'):
key = serialization.load_pem_public_key(rsa_pub_key_bytes, backend=default_backend())
elif rsa_pub_key_bytes.startswith(b'ssh-rsa '):
key = serialization.load_ssh_public_key(rsa_pub_key_bytes, backend=default_backend())
else:
key = serialization.load_der_public_key(rsa_pub_key_bytes, backend=default_backend())
return key.encrypt(data, OAEP(MGF1(SHA1()), SHA1(), label=None))
def _load_key(key, ssh_type):
key = to_bytes(key)
if key.startswith(ssh_type):
return load_ssh_public_key(key, backend=default_backend())
if b'PUBLIC' in key:
return load_pem_public_key(key, backend=default_backend())
if b'PRIVATE' in key:
return load_pem_private_key(key, password=None, backend=default_backend())
try:
return load_pem_private_key(key, password=None, backend=default_backend())
except ValueError:
return load_pem_public_key(key, backend=default_backend())
def load_public_key(pubkey_file):
'''
Loads the public key stored in the file indicated by the pubkey_file
parameter and returns it
The `pubkey_file` parameter indicates the absolute path to the file
storing the public key.
The key returned is a RSAPublicKey instance.
'''
with open(pubkey_file, "rb") as key_file:
pubkey = serialization.load_ssh_public_key(
key_file.read(),
backend=default_backend()
)
return pubkey
def encryptMessage(self, publicKeyPem, outputPath, message):
# Load public ssh key
with open(publicKeyPem, "rb") as key_file:
public_key = serialization.load_ssh_public_key(
key_file.read(), backend=default_backend())
# Create cipher text (byte type) with public key and from variable message which is byte encoded
ciphertext = public_key.encrypt(
message.encode(),
padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA1()),
algorithm=hashes.SHA1(),
label=None))
# Write byte encoded text to file path from variable ciphertext
f = open(outputPath, "wb")
f.write(ciphertext)
f.close()
def key_from_encoding(data, password=None):
try:
cert = load_pem_x509_certificate(data, backend=default_backend())
key = cert.public_key()
return key
except ValueError:
pass
try:
key = load_pem_public_key(data, backend=default_backend())
return key
except ValueError:
pass
try:
pkey = load_pem_private_key(data,
password=password,
backend=default_backend())
key = pkey.public_key()
return key
except ValueError:
pass
try:
key = load_ssh_public_key(data, backend=default_backend())
return key
except (ValueError, UnsupportedAlgorithm):
pass
try:
cert = load_der_x509_certificate(data, backend=default_backend())
key = cert.public_key()
return key
except ValueError:
pass
try:
key = load_der_public_key(data, backend=default_backend())
return key
except ValueError:
pass
try:
pkey = load_der_private_key(data,
password=password,
backend=default_backend())
key = pkey.public_key()
return key
except ValueError:
pass
raise ValueError("Unsupported key format")
def prepare_key(self, key):
if isinstance(key, (RSAPrivateKey, RSAPublicKey)):
return key
if not isinstance(key, (bytes, str)):
raise TypeError("Expecting a PEM-formatted key.")
key = force_bytes(key)
try:
if key.startswith(b"ssh-rsa"):
key = load_ssh_public_key(key)
else:
key = load_pem_private_key(key, password=None)
except ValueError:
key = load_pem_public_key(key)
return key
def encrypt_ssh(prefix, blob, user_key):
# See: https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/
user_key_value = user_key.value
if not user_key_value.startswith(prefix):
user_key_value = prefix + " " + user_key_value
if not isinstance(user_key_value, six.binary_type):
user_key_value = user_key_value.encode("utf8")
pub_key = serialization.load_ssh_public_key(user_key_value,
openssl_backend)
if not isinstance(blob, six.binary_type):
blob = blob.encode("utf8")
raw = pub_key.encrypt(
blob,
padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
algorithm=hashes.SHA256(),
label=None))
return base64.b64encode(raw)
def test_create_keypair(self):
resp = self.app.post('/compute/v2.0/os-keypairs',
params=json.dumps(create_keypair_req(keypair1)),
status=200)
jresp = json.loads(resp.body)
fingerprint = jresp['keypair']['fingerprint']
public_key = str(jresp['keypair']['public_key'])
private_key = str(jresp['keypair']['private_key'])
self.assertEqual(jresp, create_keypair_resp(keypair1,
fingerprint=fingerprint,
public_key=public_key,
private_key=private_key))
# Encrypt a test message using the returned public key
message = b'!!! test message'
encrypted = crypto_serialization.load_ssh_public_key(
public_key,
backend=crypto_default_backend()
).encrypt(
message,
crypto_padding.OAEP(
mgf=crypto_padding.MGF1(algorithm=crypto_hashes.SHA1()),
algorithm=crypto_hashes.SHA1(),
label=None
)
)
# Decrypt the (encrypted) test message using the returned private key
decrypted = crypto_serialization.load_pem_private_key(
private_key,
password=None,
backend=crypto_default_backend()
).decrypt(
encrypted,
crypto_padding.OAEP(
mgf=crypto_padding.MGF1(algorithm=crypto_hashes.SHA1()),
algorithm=crypto_hashes.SHA1(),
label=None
)
)
# Verify the decrypted message
self.assertEqual(decrypted, message)
def __init__(self, data: _STR_TYPE):
"""
Creates a new ``PublicKey`` representing the given public bytes.
Changing the produced object will NOT change the underlying
bytes. The new object must first be exported.
:param data: The public key byte-data.
:raises ValueError: If the given key data bytes cannot be loaded,
and thus may not represent a valid private key.
"""
if isinstance(data, str):
data = data.encode()
if not isinstance(data, bytes):
raise TypeError("Value of 'data' must be bytes")
args = (data, default_backend())
# (1) Try loading public key as DER
try:
super().__init__(key=serialization.load_der_public_key(*args))
self.encoding = EncodingType.DER
return
except ValueError:
pass
# (2) Try loading public key as PEM
try:
super().__init__(key=serialization.load_pem_public_key(*args))
self.encoding = EncodingType.PEM
return
except ValueError:
pass
# (3) Try loading public key as OpenSSH
try:
super().__init__(key=serialization.load_ssh_public_key(*args))
self.encoding = EncodingType.OpenSSH
return
except (ValueError, serialization.UnsupportedAlgorithm):
pass
raise ValueError("Could not find a suitable encoding for 'data' "
"bytes, the data may not be a valid public key")
def test_load_ssh_public_key_ecdsa_nist_p384(self, backend):
_skip_curve_unsupported(backend, ec.SECP384R1())
ssh_key = (
b"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAz"
b"ODQAAABhBMzucOm9wbwg4iMr5QL0ya0XNQGXpw4wM5f12E3tWhdcrzyGHyel71t1"
b"4bvF9JZ2/WIuSxUr33XDl8jYo+lMQ5N7Vanc7f7i3AR1YydatL3wQfZStQ1I3rBa"
b"qQtRSEU8Tg== root@cloud-server-01")
key = load_ssh_public_key(ssh_key, backend)
expected_x = int(
"31541830871345183397582554827482786756220448716666815789487537666"
"592636882822352575507883817901562613492450642523901", 10)
expected_y = int(
"15111413269431823234030344298767984698884955023183354737123929430"
"995703524272335782455051101616329050844273733614670", 10)
assert key.public_numbers() == ec.EllipticCurvePublicNumbers(
expected_x, expected_y, ec.SECP384R1())
def get_signing_pubkey(client, secret_url):
"""
Gets a PEM file from the vault, and returns one of RSAPublicKey, DSAPublicKey, or
EllipticCurvePublicKey depending on the contents of the secret.
"""
try:
raw_pubkey = client.get_secret(secret_url).value
return load_ssh_public_key(str(raw_pubkey), default_backend())
except KeyVaultErrorException as err:
raise RuntimeError(
"could not get signing key public numbers from vault: {}".format(
err))
except ValueError as err:
raise RuntimeError(
"could not load public key from vault: {}".format(err))
except cryptography_exceptions.UnsupportedAlgorithm as err:
raise RuntimeError(
"key in vault is not a supported type: {}".format(err))
def prepare_key(self, key):
if isinstance(key, (Ed25519PrivateKey, Ed25519PublicKey)):
return key
if isinstance(key, (bytes, str)):
if isinstance(key, str):
key = key.encode("utf-8")
str_key = key.decode("utf-8")
if "-----BEGIN PUBLIC" in str_key:
return load_pem_public_key(key)
if "-----BEGIN PRIVATE" in str_key:
return load_pem_private_key(key, password=None)
if str_key[0:4] == "ssh-":
return load_ssh_public_key(key)
raise TypeError("Expecting a PEM-formatted or OpenSSH key.")
def test_encode_decode_rsa_related_algorithms(self, jws, payload, algo):
# PEM-formatted RSA key
with open(key_path("testkey_rsa.priv"), "rb") as rsa_priv_file:
priv_rsakey = load_pem_private_key(rsa_priv_file.read(),
password=None)
jws_message = jws.encode(payload, priv_rsakey, algorithm=algo)
with open(key_path("testkey_rsa.pub"), "rb") as rsa_pub_file:
pub_rsakey = load_ssh_public_key(rsa_pub_file.read())
jws.decode(jws_message, pub_rsakey, algorithms=[algo])
# string-formatted key
with open(key_path("testkey_rsa.priv")) as rsa_priv_file:
priv_rsakey = rsa_priv_file.read()
jws_message = jws.encode(payload, priv_rsakey, algorithm=algo)
with open(key_path("testkey_rsa.pub")) as rsa_pub_file:
pub_rsakey = rsa_pub_file.read()
jws.decode(jws_message, pub_rsakey, algorithms=[algo])
def test_load_ssh_public_key_ecdsa_nist_p256(self, backend):
_skip_curve_unsupported(backend, ec.SECP256R1())
ssh_key = (
b"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAy"
b"NTYAAABBBGG2MfkHXp0UkxUyllDzWNBAImsvt5t7pFtTXegZK2WbGxml8zMrgWi5"
b"teIg1TO03/FD9hbpBFgBeix3NrCFPls= root@cloud-server-01")
key = load_ssh_public_key(ssh_key, backend)
assert isinstance(key, ec.EllipticCurvePublicKey)
expected_x = int(
"44196257377740326295529888716212621920056478823906609851236662550"
"785814128027", 10)
expected_y = int(
"12257763433170736656417248739355923610241609728032203358057767672"
"925775019611", 10)
assert key.public_numbers() == ec.EllipticCurvePublicNumbers(
expected_x, expected_y, ec.SECP256R1())
def prepare_key(self, key):
if isinstance(key, RSAPrivateKey) or \
isinstance(key, RSAPublicKey):
return key
if isinstance(key, string_types):
key = force_bytes(key)
try:
if key.startswith(b'ssh-rsa'):
key = load_ssh_public_key(key, backend=default_backend())
else:
key = load_pem_private_key(key, password=None, backend=default_backend())
except ValueError:
key = load_pem_public_key(key, backend=default_backend())
else:
raise TypeError('Expecting a PEM-formatted key.')
return key
def _fromString_PUBLIC_OPENSSH(cls, data):
"""
Return a public key object corresponding to this OpenSSH public key
string. The format of an OpenSSH public key string is::
<key type> <base64-encoded public key blob>
@type data: L{bytes}
@param data: The key data.
@return: A new key.
@rtype: L{twisted.conch.ssh.keys.Key}
@raises BadKeyError: if the blob type is unknown.
"""
# ECDSA keys don't need base64 decoding which is required
# for RSA or DSA key.
if data.startswith(b'ecdsa-sha2'):
return cls(load_ssh_public_key(data, default_backend()))
blob = decodebytes(data.split()[1])
return cls._fromString_BLOB(blob)
def prepare_key(self, key):
if isinstance(key, RSAPrivateKey) or \
isinstance(key, RSAPublicKey):
return key
if isinstance(key, string_types):
key = force_bytes(key)
try:
if key.startswith(b'ssh-rsa'):
key = load_ssh_public_key(key, backend=default_backend())
else:
key = load_pem_private_key(key, password=None, backend=default_backend())
except ValueError:
key = load_pem_public_key(key, backend=default_backend())
else:
raise TypeError('Expecting a PEM-formatted key.')
return key
def process_ssh_line(self, data, name, idx):
"""
Processes single SSH key
:param data:
:param name:
:param idx:
:return:
"""
data = data.strip()
if 'ssh-rsa' not in data:
return
# strip ssh params / adjustments
try:
data = data[data.find('ssh-rsa'):]
except:
pass
from cryptography.hazmat.primitives.serialization import load_ssh_public_key
from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
try:
key_obj = load_ssh_public_key(data, self.get_backend())
self.num_ssh += 1
if not isinstance(key_obj, RSAPublicKey):
return
self.num_rsa += 1
numbers = key_obj.public_numbers()
if self.has_fingerprint(numbers.n):
logger.warning('Fingerprint found in the SSH key %s idx %s ' % (name, idx))
js = collections.OrderedDict()
js['type'] = 'ssh-rsa'
js['fname'] = name
js['idx'] = idx
js['mod'] = numbers.n
js['ssh'] = data
print(json.dumps(js))
except Exception as e:
logger.debug('Exception in processing SSH public key %s idx %s : %s' % (name, idx, e))
self.trace_logger.log(e)
def encrypt_file(self, file_name, client_pub_key):
if not os.path.isfile(file_name):
return
#calculate the MAX_SIZE in GB
file_size = os.path.getsize(file_name) * 0.000000001
if file_size > Config.MAX_SIZE_LIMIT:
return
public_key = serialization.load_ssh_public_key(
bytes(client_pub_key, 'utf-8'),
backend=default_backend()
)
#write the AES encryption key into a seperate file
keyb64 = base64.b64encode(self.key)
ivb64 = base64.b64encode(self.iv)
t = bytes(keyb64.decode(self.encoding) + ";" + ivb64.decode(self.encoding), self.encoding)
cipher = public_key.encrypt(
t,
padding.OAEP(
mgf=padding.MGF1(algorithm=hashes.SHA256()),
algorithm=hashes.SHA1(),
label=None
)
)
cipher = base64.b64encode(cipher)
with open(file_name, 'rb') as fo:
plaintext = fo.read()
enc = self.encrypt(plaintext, self.key)
with open(file_name + ".supergirl", 'wb') as fo:
fo.write(enc)
with open(file_name + ".kryptonian", 'wb') as info:
info.write(cipher)
os.remove(file_name)
def encrypt_handshake(session_key):
# TODO: Implement this function
# Open public key file
with open("id_rsa.pem", "rb") as file:
# Loading public key
public_key = serialization.load_ssh_public_key(
file.read(),
backend=default_backend()
)
# Encrypting session key and initialization vector to send to server
encrypted = public_key.encrypt(
s_key + b"\x20" + iv,
padding.OAEP(
mgf=padding.MGF1(algorithm=hashes.SHA256()),
algorithm=hashes.SHA256(),
label=None
)
)
return encrypted
pass
def __init__(self, setup):
self.backend = cryptography.hazmat.backends.default_backend()
self.oaep = padding.OAEP(
mgf=padding.MGF1(algorithm=hashes.SHA1()),
algorithm=hashes.SHA1(),
label=None
)
if setup.keydata.startswith(b'ssh-rsa'):
self.private_key = None
self.public_key = load_ssh_public_key(setup.keydata, self.backend)
else:
try:
self.private_key = load_pem_private_key(setup.keydata, password=setup.default_passphrase, backend=self.backend)
except TypeError:
if setup.default_passphrase:
# No need to interactively prompt - we failed
raise
passphrase = user_password('Enter passphrase for [%s]: ' % setup.keyfile)
self.private_key = load_pem_private_key(setup.keydata, password=passphrase, backend=self.backend)
self.public_key = self.private_key.public_key()
def MyRSAEncrypt(filepath, rsa_pub_path):
ciphertext, tag, iv, key, file_extension = MyfileEncrypt(filepath)
# Written in collaboration with @ChrisMeyer7088
with open(rsa_pub_path, 'rb') as pub_file:
pub = serialization.load_ssh_public_key(
pub_file.read(),
backend=default_backend()
)
pub_file.close()
key_encby_rsa = pub.encrypt(
key,
padding.OAEP(
mgf=padding.MGF1(algorithm=hashes.SHA1()),
algorithm=hashes.SHA1(),
label=None
)
)
return (ciphertext, tag, iv, key_encby_rsa, file_extension)
def test_encode_decode_with_rsa_sha512(self, jws, payload):
# PEM-formatted RSA key
with open('tests/keys/testkey_rsa', 'r') as rsa_priv_file:
priv_rsakey = load_pem_private_key(ensure_bytes(rsa_priv_file.read()),
password=None, backend=default_backend())
jws_message = jws.encode(payload, priv_rsakey, algorithm='RS512')
with open('tests/keys/testkey_rsa.pub', 'r') as rsa_pub_file:
pub_rsakey = load_ssh_public_key(ensure_bytes(rsa_pub_file.read()),
backend=default_backend())
jws.decode(jws_message, pub_rsakey)
# string-formatted key
with open('tests/keys/testkey_rsa', 'r') as rsa_priv_file:
priv_rsakey = rsa_priv_file.read()
jws_message = jws.encode(payload, priv_rsakey, algorithm='RS512')
with open('tests/keys/testkey_rsa.pub', 'r') as rsa_pub_file:
pub_rsakey = rsa_pub_file.read()
jws.decode(jws_message, pub_rsakey)
def __init__(self, setup):
self.backend = cryptography.hazmat.backends.default_backend()
self.oaep = padding.OAEP(
mgf=padding.MGF1(algorithm=hashes.SHA1()),
algorithm=hashes.SHA1(),
label=None
)
if setup.keydata.startswith(b'ssh-rsa'):
self.private_key = None
self.public_key = load_ssh_public_key(setup.keydata, self.backend)
else:
try:
self.private_key = load_pem_private_key(setup.keydata, password=setup.default_passphrase, backend=self.backend)
except TypeError:
if setup.default_passphrase:
# No need to interactively prompt - we failed
raise
passphrase = user_password('Enter passphrase for [%s]: ' % setup.keyfile)
self.private_key = load_pem_private_key(setup.keydata, password=passphrase, backend=self.backend)
self.public_key = self.private_key.public_key()
def prepare_key(self, key):
if isinstance(key, (Ed25519PrivateKey, Ed25519PublicKey)):
return key
if isinstance(key, string_types):
if isinstance(key, text_type):
key = key.encode("utf-8")
str_key = key.decode('utf-8')
if '-----BEGIN PUBLIC' in str_key:
return load_pem_public_key(key, backend=default_backend())
if '-----BEGIN PRIVATE' in str_key:
return load_pem_private_key(key,
password=None,
backend=default_backend())
if str_key[0:4] == 'ssh-':
return load_ssh_public_key(key, backend=default_backend())
raise TypeError("Expecting a PEM-formatted or OpenSSH key.")
def _from_string(self, key, passphrase=None):
key_bytes = key.encode('utf-8')
if key.startswith('ssh-rsa'):
self._public = serialization.load_ssh_public_key(
key_bytes,
backend=default_backend(),
)
elif 'PUBLIC' in key: # Is there a better test? pro detection for sure
self._public = serialization.load_pem_public_key(
key_bytes,
backend=default_backend(),
)
else:
if passphrase:
passphrase = passphrase.encode('utf-8')
self._private = serialization.load_pem_private_key(
key_bytes,
password=passphrase,
backend=default_backend(),
)
def prepare_RS_key(key):
if isinstance(key, interfaces.RSAPrivateKey) or \
isinstance(key, interfaces.RSAPublicKey):
return key
if isinstance(key, basestring):
if isinstance(key, unicode):
key = key.encode('utf-8')
try:
if key.startswith(b'ssh-rsa'):
key = load_ssh_public_key(key, backend=default_backend())
else:
key = load_pem_private_key(key, password=None, backend=default_backend())
except ValueError:
key = load_pem_public_key(key, backend=default_backend())
else:
raise TypeError('Expecting a PEM-formatted key.')
return key
def _check_privatekey():
if self.privatekey_content is None and not os.path.exists(
self.privatekey_path):
return False
try:
with open(self.path, 'rb') as public_key_fh:
publickey_content = public_key_fh.read()
self.diff_before = self.diff_after = self._get_info(
publickey_content)
if self.return_content:
self.publickey_bytes = publickey_content
if self.backend == 'cryptography':
if self.format == 'OpenSSH':
# Read and dump public key. Makes sure that the comment is stripped off.
current_publickey = crypto_serialization.load_ssh_public_key(
publickey_content, backend=default_backend())
publickey_content = current_publickey.public_bytes(
crypto_serialization.Encoding.OpenSSH,
crypto_serialization.PublicFormat.OpenSSH)
else:
current_publickey = crypto_serialization.load_pem_public_key(
publickey_content, backend=default_backend())
publickey_content = current_publickey.public_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PublicFormat.
SubjectPublicKeyInfo)
else:
publickey_content = crypto.dump_publickey(
crypto.FILETYPE_PEM,
crypto.load_publickey(crypto.FILETYPE_PEM,
publickey_content))
except Exception as dummy:
return False
try:
desired_publickey = self._create_publickey(module)
except OpenSSLBadPassphraseError as exc:
raise PublicKeyError(exc)
return publickey_content == desired_publickey
def prepare_key(self, key):
if isinstance(key, RSAPrivateKey) or isinstance(key, RSAPublicKey):
return key
if is_string_type(key):
if not isinstance(key, binary_type):
key = key.encode("utf-8")
try:
if key.startswith(b"ssh-rsa"):
key = load_ssh_public_key(key, backend=default_backend())
else:
key = load_pem_private_key(
key, password=None, backend=default_backend()
)
except ValueError:
key = load_pem_public_key(key, backend=default_backend())
else:
raise TypeError("Expecting a PEM-formatted key.")
return key
def test_encode_decode_with_rsa_sha512(self, jws, payload):
# PEM-formatted RSA key
with open("tests/keys/testkey_rsa.priv", "r") as rsa_priv_file:
priv_rsakey = load_pem_private_key(
force_bytes(rsa_priv_file.read()),
password=None,
)
jws_message = jws.encode(payload, priv_rsakey, algorithm="RS512")
with open("tests/keys/testkey_rsa.pub", "r") as rsa_pub_file:
pub_rsakey = load_ssh_public_key(force_bytes(rsa_pub_file.read()))
jws.decode(jws_message, pub_rsakey, algorithms=["RS512"])
# string-formatted key
with open("tests/keys/testkey_rsa.priv", "r") as rsa_priv_file:
priv_rsakey = rsa_priv_file.read()
jws_message = jws.encode(payload, priv_rsakey, algorithm="RS512")
with open("tests/keys/testkey_rsa.pub", "r") as rsa_pub_file:
pub_rsakey = rsa_pub_file.read()
jws.decode(jws_message, pub_rsakey, algorithms=["RS512"])
def test_load_ssh_public_key_ecdsa_nist_p384(self, backend):
_skip_curve_unsupported(backend, ec.SECP384R1())
ssh_key = (
b"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAz"
b"ODQAAABhBMzucOm9wbwg4iMr5QL0ya0XNQGXpw4wM5f12E3tWhdcrzyGHyel71t1"
b"4bvF9JZ2/WIuSxUr33XDl8jYo+lMQ5N7Vanc7f7i3AR1YydatL3wQfZStQ1I3rBa"
b"qQtRSEU8Tg== root@cloud-server-01"
)
key = load_ssh_public_key(ssh_key, backend)
expected_x = int(
"31541830871345183397582554827482786756220448716666815789487537666"
"592636882822352575507883817901562613492450642523901", 10
)
expected_y = int(
"15111413269431823234030344298767984698884955023183354737123929430"
"995703524272335782455051101616329050844273733614670", 10
)
assert key.public_numbers() == ec.EllipticCurvePublicNumbers(
expected_x, expected_y, ec.SECP384R1()
)
