def import_private_key(filename):
"""
Attempts to import a private key from file
Prompts for a password if needed
"""
sshkey = None
basename = os.path.basename(filename)
filename = os.path.expanduser(filename)
if not os.path.exists(filename):
log.error("No such key file {}".format(filename))
raise FileNotFoundError
with open(filename) as file:
data = file.read()
try:
sshkey = asyncssh.import_private_key(data)
except asyncssh.KeyImportError:
while True:
passphrase = getpass.getpass(
"Enter passphrase for key {} : ".format(basename))
if not passphrase:
log.info("Ignoring key {}".format(filename))
break
try:
sshkey = asyncssh.import_private_key(data, passphrase)
break
except asyncssh.KeyImportError:
log.error("Wrong passphrase")
return sshkey
def import_private_key(filename):
"""
Attempts to import a private key from file
Prompts for a password if needed
"""
sshkey = None
basename = os.path.basename(filename)
if not os.path.exists(filename):
print("No such key file {}".format(filename))
return
with open(filename) as file:
data = file.read()
try:
sshkey = asyncssh.import_private_key(data)
except asyncssh.KeyImportError:
while True:
passphrase = getpass("Enter passphrase for key {} : ".format(basename))
if not passphrase:
print("Ignoring key {}".format(filename))
break
try:
sshkey = asyncssh.import_private_key(data, passphrase)
break
except asyncssh.KeyImportError:
print("Wrong passphrase")
except Exception as e:
import traceback
traceback.print_exc()
return sshkey
def __call__(self, value):
value = force_text(value)
try:
asyncssh.import_private_key(value)
except asyncssh.public_key.KeyImportError:
logger.debug(f"Import of private key failed: {value}")
raise ValidationError(self.message, code=self.code)
def decorator(ctx, identity_file, batch_size, *args, **kwargs):
private_key = asyncssh.import_private_key(identity_file.read())
batch_size = batch_size if batch_size > 0 else None
identity_file.close()
ctx.obj["private_key"] = private_key
ctx.obj["batch_size"] = batch_size
ctx.obj["event_loop"] = asyncio.get_event_loop()
return func(*args, **kwargs)
def decorator(ctx, identity_file, batch_size, *args, **kwargs):
private_key = asyncssh.import_private_key(identity_file.read())
batch_size = batch_size if batch_size > 0 else None
identity_file.close()
ctx.obj["private_key"] = private_key
ctx.obj["batch_size"] = batch_size
ctx.obj["event_loop"] = asyncio.get_event_loop()
return func(*args, **kwargs)
def checkPassphrase(cls,filepath,passphrase):
try:
with open(filepath,"r") as f:
data = f.read()
key = asyncssh.import_private_key(data,passphrase)
except:
pass
else:
return True
return False
def initialize(self, *args, **kwargs):
self.load_config_file(self.config_file)
self.init_logging()
if self.host_key_path is None:
# We'll generate a temporary key in-memory key for this run only
self.ssh_host_key = asyncssh.generate_private_key('ssh-rsa')
self.log.warn('No --host-key-path provided, generating an ephemeral host key')
else:
with open(self.host_key_path) as f:
self.ssh_host_key = asyncssh.import_private_key(f.read())
self.log.info(f'Loaded host key from {self.host_key_path}')
def import_private_key(filename):
"""
This functions attempts to import a private key from its filename. It will
prompt for a password if needed.
Parameters:
filename: the local path to the private key
Returns:
a (asyncssh) SSHKey_ object if successful, or None
.. _SSHKey: http://asyncssh.readthedocs.io/en/latest/api.html#sshkey
"""
sshkey = None
path = Path(filename)
basename = path.name
if not path.exists():
# print("No such key file {}".format(filename))
return None
with path.open() as file:
data = file.read()
try:
sshkey = asyncssh.import_private_key(data)
except asyncssh.KeyImportError:
while True:
passphrase = getpass(
"Enter passphrase for key {} : ".format(basename))
if not passphrase:
print("Ignoring key {}".format(filename))
break
try:
sshkey = asyncssh.import_private_key(data, passphrase)
break
except asyncssh.KeyImportError:
print("Wrong passphrase")
except Exception: # pylint: disable=w0703
import traceback
traceback.print_exc()
return sshkey
def make_servers(self):
# This method is used by api_hour command line to bind each server on each socket
# Please don't touch if you don't understand how it works
ssh_server = SSHServerConnection(server_factory=InternalSSHServer, loop=self.loop,
server_host_keys=[import_private_key(self.config['servers']['ssh']['private_key'].encode('utf-8'),
self.config['servers']['ssh']['passphrase'])])
ssh_server.ah_container = self
return [self.servers['http'].make_handler(logger=self.worker.log,
debug=self.worker.cfg.debug,
keep_alive=self.worker.cfg.keepalive,
access_log=self.worker.log.access_log,
access_log_format=self.worker.cfg.access_log_format),
lambda: ssh_server]
def _get_key(self, args):
"""Sets either random or user-provided ssh-rsa key.
args:
args (dict): Dict that should contain 'key_file' key.
"""
if args.key_file is None:
key = asyncssh.generate_private_key('ssh-rsa',
'RandomKey',
key_size=1024)
else:
with open(args.key_file, 'rb') as f:
key = asyncssh.import_private_key(f.read())
self.ssh_key = key
def checkKeyfile(cls,filepath):
haspass = False
valid = False
try:
with open(filepath,"r") as f:
data = f.read()
key = asyncssh.import_private_key(data)
except asyncssh.public_key.KeyImportError as e:
if "Passphrase must be specified to import" in str(e):
valid = True
haspass = True
except:
pass
else:
valid = True
return valid,haspass
def make_servers(self):
# This method is used by api_hour command line
# to bind each server on each socket
# Please don't touch if you don't understand how it works
ssh_server = SSHServerConnection(
server_factory=InternalSSHServer, loop=self.loop,
server_host_keys=[import_private_key(
self.config['servers']['ssh']['private_key'].encode('utf-8'),
self.config['servers']['ssh']['passphrase'])])
ssh_server.ah_container = self
return [self.servers['http'].make_handler(
logger=self.worker.log,
debug=self.worker.cfg.debug,
keep_alive=self.worker.cfg.keepalive,
access_log=self.worker.log.access_log,
access_log_format=self.worker.cfg.access_log_format),
lambda: ssh_server]
async def deployed(
environment: Environment,
system: System,
force_rebuilt: Optional[Set[Any]],
build_args: BuildArgs,
) -> AsyncIterator[Setting]:
"""Yields a Setting (handle to populated environment).
This might require a few steps:
1. create a Packer image (if it's missing or forced)
2. `terraform apply`
3. connecting (SSH) to the deployed machines
4. performing additional setup (depending on the system)
The "if forced" bit is a little tricky. We keep a (mutable) set of the
configurations that have been rebuilt, since we want to rebuild at most once
per execution. If that argument is None, we don't force rebuilding.
"""
Halo(f"[infrastructure] {environment}").stop_and_persist(symbol="•")
with packer_and_tf(environment, system, force_rebuilt, build_args) as data:
ssh_key = asyncssh.import_private_key(data["private_key"])
# The "stack" bit is so that we can have an async context manager that,
# on exit, closes all of our SSH connections.
async with contextlib.AsyncExitStack() as stack:
conn_ctxs = {}
for key, hostname in system.setting.to_machine_spec(data).items():
conn_ctxs[key] = stack.enter_async_context(
_connect_ssh(
Hostname(hostname),
known_hosts=None,
client_keys=[ssh_key],
username="******",
))
with Halo("[infrastructure] connecting (SSH) to all machines"
) as spinner:
conns = await gather_dict(conn_ctxs)
spinner.succeed("[infrastructure] connected (SSH)")
setting = system.setting.from_dict(conns)
await setting.additional_setup()
yield setting
print()
def get_remote_ssh_connection(config: SharedConfig,
loop=None) -> SSHClientConnection:
loop = loop or asyncio.get_event_loop()
if config.cert_path.endswith("pem"):
c = open(
os.path.abspath(
os.path.expanduser(config.cert_path)
),
"r").read()
cert = import_private_key(c)
else:
cert = ()
return connect(host=config.remote_host,
port=config.remote_port,
username=config.remote_user,
password=config.remote_password,
client_keys=cert,
loop=loop)
async def stats(server):
options = {
"username":
server.username,
"client_keys": [asyncssh.import_private_key(server.private_key)],
"known_hosts": [
[asyncssh.import_public_key(server.host_key)],
[],
[],
[],
[],
[],
[],
],
}
async with asyncssh.connect(f"{server.host.name}.medunigraz.at",
**options) as conn:
result = await conn.run(
f"df --output=file,size,used,avail -B1 {server.repository}",
check=True)
return result.stdout
async def dispatch_ssh_key(host_port, logintype, username, password_key, public_key):
host, port = host_port.split(":")
options = None
if logintype == "password":
options = asyncssh.SSHClientConnectionOptions(
known_hosts=None, username=username, password=password_key
)
elif logintype == "privatekey":
options = asyncssh.SSHClientConnectionOptions(
known_hosts=None,
client_username=username,
client_keys=[asyncssh.import_private_key(password_key)],
)
async with asyncssh.connect(host, int(port), options=options) as ssh_connection:
async with ssh_connection.start_sftp_client() as sftp_connection:
is_file_present = await sftp_connection.exists(".ssh/authorized_keys")
file_pointer = None
if is_file_present:
file_pointer = await sftp_connection.open(".ssh/authorized_keys", "a")
else:
file_pointer = await sftp_connection.open(".ssh/authorized_keys", "w")
await file_pointer.write(public_key)
await file_pointer.close()
def create(cls, username: str, password: str, private_key: Optional[str] = None) -> SSHConfig:
if private_key is not None:
private_key = asyncssh.import_private_key(private_key, passphrase=password)
return cls(username=username, password=password, private_key=private_key)
def check_decode_errors(self):
"""Check error code paths in key decoding"""
private_errors = [
('Non-ASCII', '\xff'), ('Incomplete ASN.1', b''),
('Invalid PKCS#1', der_encode(None)),
('Invalid PKCS#1 params',
der_encode((1, b'', TaggedDERObject(0, b'')))),
('Invalid PKCS#1 EC named curve OID',
der_encode((1, b'', TaggedDERObject(0,
ObjectIdentifier('1.1'))))),
('Invalid PKCS#8',
der_encode((0, (self.privkey.pkcs8_oid, ()), der_encode(None)))),
('Invalid PKCS#8 ASN.1',
der_encode((0, (self.privkey.pkcs8_oid, None), b''))),
('Invalid PKCS#8 params',
der_encode(
(1, (self.privkey.pkcs8_oid, b''), der_encode((1, b''))))),
('Invalid PEM header', b'-----BEGIN XXX-----\n'),
('Missing PEM footer', b'-----BEGIN PRIVATE KEY-----\n'),
('Invalid PEM key type', b'-----BEGIN XXX PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END XXX PRIVATE KEY-----'),
('Invalid PEM Base64', b'-----BEGIN PRIVATE KEY-----\n'
b'X\n'
b'-----END PRIVATE KEY-----'),
('Missing PKCS#1 passphrase', b'-----BEGIN DSA PRIVATE KEY-----\n'
b'Proc-Type: 4,ENCRYPTED\n'
b'-----END DSA PRIVATE KEY-----'),
('Incomplete PEM ASN.1', b'-----BEGIN PRIVATE KEY-----\n'
b'-----END PRIVATE KEY-----'),
('Missing PEM PKCS#8 passphrase',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#1 key', b'-----BEGIN DSA PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END DSA PRIVATE KEY-----'),
('Invalid PEM PKCS#8 key', b'-----BEGIN PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END PRIVATE KEY-----'),
('Unknown format OpenSSH key',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b'XXX') +
b'-----END OPENSSH PRIVATE KEY-----'),
('Incomplete OpenSSH key',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b'openssh-key-v1\0') +
b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH nkeys',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String(''), String(''), String(''),
UInt32(2), String(''), String('')))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Missing OpenSSH passphrase',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('xxx'), String(''), String(''),
UInt32(1), String(''), String('')))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Mismatched OpenSSH check bytes',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('none'), String(''), String(''),
UInt32(1), String(''),
String(b''.join((UInt32(1), UInt32(2))))))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH algorithm',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('none'), String(''), String(''),
UInt32(1), String(''),
String(b''.join((UInt32(1), UInt32(1), String('xxx'))))))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH pad', b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('none'), String(''), String(''),
UInt32(1), String(''),
String(b''.join(
(UInt32(1), UInt32(1), String('ssh-dss'), 5 * MPInt(0),
String(''), b'\0')))))) +
b'-----END OPENSSH PRIVATE KEY-----')
]
decrypt_errors = [
('Invalid PKCS#1', der_encode(None)),
('Invalid PKCS#8',
der_encode((0, (self.privkey.pkcs8_oid, ()), der_encode(None)))),
('Invalid PEM params', b'-----BEGIN DSA PRIVATE KEY-----\n'
b'Proc-Type: 4,ENCRYPTED\n'
b'DEK-Info: XXX\n'
b'-----END DSA PRIVATE KEY-----'),
('Invalid PEM cipher', b'-----BEGIN DSA PRIVATE KEY-----\n'
b'Proc-Type: 4,ENCRYPTED\n'
b'DEK-Info: XXX,00\n'
b'-----END DSA PRIVATE KEY-----'),
('Invalid PEM IV', b'-----BEGIN DSA PRIVATE KEY-----\n'
b'Proc-Type: 4,ENCRYPTED\n'
b'DEK-Info: AES-256-CBC,XXX\n'
b'-----END DSA PRIVATE KEY-----'),
('Invalid PEM PKCS#8 encrypted data',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 encrypted header',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(
(None, None))) + b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 encryption algorithm',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(((None, None), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES1 encryption parameters',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(((_ES1_SHA1_DES, None), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES1 PKCS#12 encryption parameters',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(((_P12_RC4_40, None), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES1 PKCS#12 salt',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(
((_P12_RC4_40,
(b'', 0)), b''))) + b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES1 PKCS#12 iteration count',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(((_P12_RC4_40, (b'x', 0)), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 encryption parameters',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(((_ES2, None), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 KDF algorithm',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' + binascii.b2a_base64(
der_encode(((_ES2, ((None, None), (None, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 encryption algorithm',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' + binascii.b2a_base64(
der_encode(
((_ES2, ((_ES2_PBKDF2, None), (None, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 PBKDF2 parameters',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' + binascii.b2a_base64(
der_encode(((_ES2, ((_ES2_PBKDF2, None),
(_ES2_AES128, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 PBKDF2 salt',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' + binascii.b2a_base64(
der_encode(((_ES2, ((_ES2_PBKDF2, (None, None)),
(_ES2_AES128, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 PBKDF2 iteration count',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' + binascii.b2a_base64(
der_encode(((_ES2, ((_ES2_PBKDF2, (b'', None)),
(_ES2_AES128, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 PBKDF2 PRF',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' + binascii.b2a_base64(
der_encode(((_ES2, ((_ES2_PBKDF2, (b'', 0, None)),
(_ES2_AES128, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Unknown PEM PKCS#8 PBES2 PBKDF2 PRF',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' + binascii.b2a_base64(
der_encode(
((_ES2, ((_ES2_PBKDF2, (b'', 0,
(ObjectIdentifier('1.1'), None))),
(_ES2_AES128, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 encryption parameters',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' + binascii.b2a_base64(
der_encode(((_ES2, ((_ES2_PBKDF2, (b'', 0)),
(_ES2_AES128, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid length PEM PKCS#8 PBES2 IV',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' + binascii.b2a_base64(
der_encode(((_ES2, ((_ES2_PBKDF2, (b'', 0)),
(_ES2_AES128, b''))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid OpenSSH cipher',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('xxx'), String(''), String(''),
UInt32(1), String(''), String('')))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH kdf', b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('aes256-cbc'), String('xxx'),
String(''), UInt32(1), String(''), String('')))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH kdf data',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('aes256-cbc'), String('bcrypt'),
String(''), UInt32(1), String(''), String('')))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH salt', b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('aes256-cbc'), String('bcrypt'),
String(b''.join(
(String(b''), UInt32(1)))), UInt32(1), String(''),
String('')))) + b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH encrypted data',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('aes256-cbc'), String('bcrypt'),
String(b''.join(
(String(16 * b'\0'), UInt32(1)))), UInt32(1), String(''),
String('')))) + b'-----END OPENSSH PRIVATE KEY-----'),
('Unexpected OpenSSH trailing data',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('aes256-cbc'), String('bcrypt'),
String(b''.join((String(16 * b'\0'), UInt32(1)))), UInt32(1),
String(''), String(''), String('xxx')))) +
b'-----END OPENSSH PRIVATE KEY-----')
]
public_errors = [
('Non-ASCII', '\xff'), ('Incomplete ASN.1', b''),
('Invalid ASN.1', b'\x30'), ('Invalid PKCS#1', der_encode(None)),
('Invalid PKCS#8',
der_encode(
((self.pubkey.pkcs8_oid, ()), BitString(der_encode(None))))),
('Invalid PKCS#8 ASN.1',
der_encode(((self.pubkey.pkcs8_oid, None), BitString(b'')))),
('Invalid PEM header', b'-----BEGIN XXX-----\n'),
('Missing PEM footer', b'-----BEGIN PUBLIC KEY-----\n'),
('Invalid PEM key type', b'-----BEGIN XXX PUBLIC KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END XXX PUBLIC KEY-----'),
('Invalid PEM Base64', b'-----BEGIN PUBLIC KEY-----\n'
b'X\n'
b'-----END PUBLIC KEY-----'),
('Incomplete PEM ASN.1', b'-----BEGIN PUBLIC KEY-----\n'
b'-----END PUBLIC KEY-----'),
('Invalid PKCS#1 key data', b'-----BEGIN DSA PUBLIC KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END DSA PUBLIC KEY-----'),
('Invalid PKCS#8 key data', b'-----BEGIN PUBLIC KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END PUBLIC KEY-----'), ('Invalid OpenSSH', b'xxx'),
('Invalid OpenSSH Base64', b'ssh-dss X'),
('Unknown OpenSSH algorithm',
b'ssh-dss ' + binascii.b2a_base64(String('xxx'))),
('Invalid OpenSSH body',
b'ssh-dss ' + binascii.b2a_base64(String('ssh-dss'))),
('Invalid RFC4716 header', b'---- XXX ----\n'),
('Missing RFC4716 footer', b'---- BEGIN SSH2 PUBLIC KEY ----\n'),
('Invalid RFC4716 header', b'---- BEGIN SSH2 PUBLIC KEY ----\n'
b'XXX:\\\n'
b'---- END SSH2 PUBLIC KEY ----\n'),
('Invalid RFC4716 Base64', b'---- BEGIN SSH2 PUBLIC KEY ----\n'
b'X\n'
b'---- END SSH2 PUBLIC KEY ----\n')
]
for fmt, data in private_errors:
with self.subTest('Decode private (%s)' % fmt):
with self.assertRaises(KeyImportError):
import_private_key(data)
for fmt, data in decrypt_errors:
with self.subTest('Decrypt private (%s)' % fmt):
with self.assertRaises((KeyImportError, KeyEncryptionError)):
import_private_key(data, 'x')
for fmt, data in public_errors:
with self.subTest('Decode public (%s)' % fmt):
with self.assertRaises(KeyImportError):
import_public_key(data)
def check_decode_errors(self):
"""Check error code paths in key decoding"""
private_errors = [
('Non-ASCII', '\xff'),
('Incomplete ASN.1', b''),
('Invalid PKCS#1', der_encode(None)),
('Invalid PKCS#1 params',
der_encode((1, b'', TaggedDERObject(0, b'')))),
('Invalid PKCS#1 EC named curve OID',
der_encode((1, b'',
TaggedDERObject(0, ObjectIdentifier('1.1'))))),
('Invalid PKCS#8',
der_encode((0, (self.privkey.pkcs8_oid, ()), der_encode(None)))),
('Invalid PKCS#8 ASN.1',
der_encode((0, (self.privkey.pkcs8_oid, None), b''))),
('Invalid PKCS#8 params',
der_encode((1, (self.privkey.pkcs8_oid, b''),
der_encode((1, b''))))),
('Invalid PEM header', b'-----BEGIN XXX-----\n'),
('Missing PEM footer', b'-----BEGIN PRIVATE KEY-----\n'),
('Invalid PEM key type',
b'-----BEGIN XXX PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END XXX PRIVATE KEY-----'),
('Invalid PEM Base64',
b'-----BEGIN PRIVATE KEY-----\n'
b'X\n'
b'-----END PRIVATE KEY-----'),
('Missing PKCS#1 passphrase',
b'-----BEGIN DSA PRIVATE KEY-----\n'
b'Proc-Type: 4,ENCRYPTED\n'
b'-----END DSA PRIVATE KEY-----'),
('Incomplete PEM ASN.1',
b'-----BEGIN PRIVATE KEY-----\n'
b'-----END PRIVATE KEY-----'),
('Missing PEM PKCS#8 passphrase',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#1 key',
b'-----BEGIN DSA PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END DSA PRIVATE KEY-----'),
('Invalid PEM PKCS#8 key',
b'-----BEGIN PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END PRIVATE KEY-----'),
('Unknown format OpenSSH key',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b'XXX') +
b'-----END OPENSSH PRIVATE KEY-----'),
('Incomplete OpenSSH key',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b'openssh-key-v1\0') +
b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH nkeys',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String(''), String(''), String(''),
UInt32(2), String(''), String('')))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Missing OpenSSH passphrase',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('xxx'), String(''), String(''),
UInt32(1), String(''), String('')))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Mismatched OpenSSH check bytes',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('none'), String(''), String(''),
UInt32(1), String(''), String(b''.join((UInt32(1),
UInt32(2))))))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH algorithm',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('none'), String(''), String(''),
UInt32(1), String(''), String(b''.join((UInt32(1), UInt32(1),
String('xxx'))))))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH pad',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('none'), String(''), String(''),
UInt32(1), String(''), String(b''.join((UInt32(1), UInt32(1),
String('ssh-dss'),
5*MPInt(0),
String(''),
b'\0')))))) +
b'-----END OPENSSH PRIVATE KEY-----')
]
decrypt_errors = [
('Invalid PKCS#1', der_encode(None)),
('Invalid PKCS#8', der_encode((0, (self.privkey.pkcs8_oid, ()),
der_encode(None)))),
('Invalid PEM params', b'-----BEGIN DSA PRIVATE KEY-----\n'
b'Proc-Type: 4,ENCRYPTED\n'
b'DEK-Info: XXX\n'
b'-----END DSA PRIVATE KEY-----'),
('Invalid PEM cipher', b'-----BEGIN DSA PRIVATE KEY-----\n'
b'Proc-Type: 4,ENCRYPTED\n'
b'DEK-Info: XXX,00\n'
b'-----END DSA PRIVATE KEY-----'),
('Invalid PEM IV', b'-----BEGIN DSA PRIVATE KEY-----\n'
b'Proc-Type: 4,ENCRYPTED\n'
b'DEK-Info: AES-256-CBC,XXX\n'
b'-----END DSA PRIVATE KEY-----'),
('Invalid PEM PKCS#8 encrypted data',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 encrypted header',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode((None, None))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 encryption algorithm',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(((None, None), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES1 encryption parameters',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(((_ES1_SHA1_DES, None), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES1 PKCS#12 encryption parameters',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(((_P12_RC4_40, None), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES1 PKCS#12 salt',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(((_P12_RC4_40, (b'', 0)), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES1 PKCS#12 iteration count',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(((_P12_RC4_40, (b'x', 0)), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 encryption parameters',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(((_ES2, None), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 KDF algorithm',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(
((_ES2, ((None, None), (None, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 encryption algorithm',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(
((_ES2, ((_ES2_PBKDF2, None), (None, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 PBKDF2 parameters',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(
((_ES2, ((_ES2_PBKDF2, None), (_ES2_AES128, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 PBKDF2 salt',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(
((_ES2, ((_ES2_PBKDF2, (None, None)),
(_ES2_AES128, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 PBKDF2 iteration count',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(
((_ES2, ((_ES2_PBKDF2, (b'', None)),
(_ES2_AES128, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 PBKDF2 PRF',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(
((_ES2, ((_ES2_PBKDF2, (b'', 0, None)),
(_ES2_AES128, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Unknown PEM PKCS#8 PBES2 PBKDF2 PRF',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(
((_ES2, ((_ES2_PBKDF2, (b'', 0,
(ObjectIdentifier('1.1'), None))),
(_ES2_AES128, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 encryption parameters',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(
((_ES2, ((_ES2_PBKDF2, (b'', 0)),
(_ES2_AES128, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid length PEM PKCS#8 PBES2 IV',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(
((_ES2, ((_ES2_PBKDF2, (b'', 0)),
(_ES2_AES128, b''))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid OpenSSH cipher',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('xxx'), String(''), String(''),
UInt32(1), String(''), String('')))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH kdf',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('aes256-cbc'), String('xxx'),
String(''), UInt32(1), String(''), String('')))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH kdf data',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('aes256-cbc'), String('bcrypt'),
String(''), UInt32(1), String(''), String('')))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH salt',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('aes256-cbc'), String('bcrypt'),
String(b''.join((String(b''), UInt32(1)))), UInt32(1),
String(''), String('')))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH encrypted data',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('aes256-cbc'), String('bcrypt'),
String(b''.join((String(16*b'\0'), UInt32(1)))), UInt32(1),
String(''), String('')))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Unexpected OpenSSH trailing data',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('aes256-cbc'), String('bcrypt'),
String(b''.join((String(16*b'\0'), UInt32(1)))), UInt32(1),
String(''), String(''), String('xxx')))) +
b'-----END OPENSSH PRIVATE KEY-----')
]
public_errors = [
('Non-ASCII', '\xff'),
('Incomplete ASN.1', b''),
('Invalid ASN.1', b'\x30'),
('Invalid PKCS#1', der_encode(None)),
('Invalid PKCS#8', der_encode(((self.pubkey.pkcs8_oid, ()),
BitString(der_encode(None))))),
('Invalid PKCS#8 ASN.1', der_encode(((self.pubkey.pkcs8_oid,
None), BitString(b'')))),
('Invalid PEM header', b'-----BEGIN XXX-----\n'),
('Missing PEM footer', b'-----BEGIN PUBLIC KEY-----\n'),
('Invalid PEM key type',
b'-----BEGIN XXX PUBLIC KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END XXX PUBLIC KEY-----'),
('Invalid PEM Base64',
b'-----BEGIN PUBLIC KEY-----\n'
b'X\n'
b'-----END PUBLIC KEY-----'),
('Incomplete PEM ASN.1',
b'-----BEGIN PUBLIC KEY-----\n'
b'-----END PUBLIC KEY-----'),
('Invalid PKCS#1 key data',
b'-----BEGIN DSA PUBLIC KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END DSA PUBLIC KEY-----'),
('Invalid PKCS#8 key data',
b'-----BEGIN PUBLIC KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END PUBLIC KEY-----'),
('Invalid OpenSSH', b'xxx'),
('Invalid OpenSSH Base64', b'ssh-dss X'),
('Unknown OpenSSH algorithm',
b'ssh-dss ' + binascii.b2a_base64(String('xxx'))),
('Invalid OpenSSH body',
b'ssh-dss ' + binascii.b2a_base64(String('ssh-dss'))),
('Invalid RFC4716 header', b'---- XXX ----\n'),
('Missing RFC4716 footer', b'---- BEGIN SSH2 PUBLIC KEY ----\n'),
('Invalid RFC4716 header',
b'---- BEGIN SSH2 PUBLIC KEY ----\n'
b'XXX:\\\n'
b'---- END SSH2 PUBLIC KEY ----\n'),
('Invalid RFC4716 Base64',
b'---- BEGIN SSH2 PUBLIC KEY ----\n'
b'X\n'
b'---- END SSH2 PUBLIC KEY ----\n')
]
for fmt, data in private_errors:
with self.subTest('Decode private (%s)' % fmt):
with self.assertRaises(KeyImportError):
import_private_key(data)
for fmt, data in decrypt_errors:
with self.subTest('Decrypt private (%s)' % fmt):
with self.assertRaises((KeyImportError, KeyEncryptionError)):
import_private_key(data, 'x')
for fmt, data in public_errors:
with self.subTest('Decode public (%s)' % fmt):
with self.assertRaises(KeyImportError):
import_public_key(data)
