def __call__(self, value):
value = force_text(value)
try:
asyncssh.import_public_key(value)
except asyncssh.public_key.KeyImportError:
logger.debug(f"Import of public key failed: {value}")
raise ValidationError(self.message, code=self.code)
def setUpClass(cls):
"""Create public keys needed for test"""
super().setUpClass()
for _ in range(3):
run('ssh-keygen -t rsa -N "" -f key')
with open('key.pub', 'r') as f:
k = f.read()
cls.keylist.append(k)
cls.imported_keylist.append(import_public_key(k))
run('rm key key.pub')
def setUpClass(cls):
"""Create public keys needed for test"""
super().setUpClass()
for _ in range(3):
run('ssh-keygen -t rsa -N "" -f key')
with open('key.pub', 'r') as f:
k = f.read()
cls.keylist.append(k)
cls.imported_keylist.append(import_public_key(k))
run('rm key key.pub')
async def stats(server):
options = {
"username":
server.username,
"client_keys": [asyncssh.import_private_key(server.private_key)],
"known_hosts": [
[asyncssh.import_public_key(server.host_key)],
[],
[],
[],
[],
[],
[],
],
}
async with asyncssh.connect(f"{server.host.name}.medunigraz.at",
**options) as conn:
result = await conn.run(
f"df --output=file,size,used,avail -B1 {server.repository}",
check=True)
return result.stdout
def check_decode_errors(self):
"""Check error code paths in key decoding"""
private_errors = [
('Non-ASCII', '\xff'), ('Incomplete ASN.1', b''),
('Invalid PKCS#1', der_encode(None)),
('Invalid PKCS#1 params',
der_encode((1, b'', TaggedDERObject(0, b'')))),
('Invalid PKCS#1 EC named curve OID',
der_encode((1, b'', TaggedDERObject(0,
ObjectIdentifier('1.1'))))),
('Invalid PKCS#8',
der_encode((0, (self.privkey.pkcs8_oid, ()), der_encode(None)))),
('Invalid PKCS#8 ASN.1',
der_encode((0, (self.privkey.pkcs8_oid, None), b''))),
('Invalid PKCS#8 params',
der_encode(
(1, (self.privkey.pkcs8_oid, b''), der_encode((1, b''))))),
('Invalid PEM header', b'-----BEGIN XXX-----\n'),
('Missing PEM footer', b'-----BEGIN PRIVATE KEY-----\n'),
('Invalid PEM key type', b'-----BEGIN XXX PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END XXX PRIVATE KEY-----'),
('Invalid PEM Base64', b'-----BEGIN PRIVATE KEY-----\n'
b'X\n'
b'-----END PRIVATE KEY-----'),
('Missing PKCS#1 passphrase', b'-----BEGIN DSA PRIVATE KEY-----\n'
b'Proc-Type: 4,ENCRYPTED\n'
b'-----END DSA PRIVATE KEY-----'),
('Incomplete PEM ASN.1', b'-----BEGIN PRIVATE KEY-----\n'
b'-----END PRIVATE KEY-----'),
('Missing PEM PKCS#8 passphrase',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#1 key', b'-----BEGIN DSA PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END DSA PRIVATE KEY-----'),
('Invalid PEM PKCS#8 key', b'-----BEGIN PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END PRIVATE KEY-----'),
('Unknown format OpenSSH key',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b'XXX') +
b'-----END OPENSSH PRIVATE KEY-----'),
('Incomplete OpenSSH key',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b'openssh-key-v1\0') +
b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH nkeys',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String(''), String(''), String(''),
UInt32(2), String(''), String('')))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Missing OpenSSH passphrase',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('xxx'), String(''), String(''),
UInt32(1), String(''), String('')))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Mismatched OpenSSH check bytes',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('none'), String(''), String(''),
UInt32(1), String(''),
String(b''.join((UInt32(1), UInt32(2))))))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH algorithm',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('none'), String(''), String(''),
UInt32(1), String(''),
String(b''.join((UInt32(1), UInt32(1), String('xxx'))))))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH pad', b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('none'), String(''), String(''),
UInt32(1), String(''),
String(b''.join(
(UInt32(1), UInt32(1), String('ssh-dss'), 5 * MPInt(0),
String(''), b'\0')))))) +
b'-----END OPENSSH PRIVATE KEY-----')
]
decrypt_errors = [
('Invalid PKCS#1', der_encode(None)),
('Invalid PKCS#8',
der_encode((0, (self.privkey.pkcs8_oid, ()), der_encode(None)))),
('Invalid PEM params', b'-----BEGIN DSA PRIVATE KEY-----\n'
b'Proc-Type: 4,ENCRYPTED\n'
b'DEK-Info: XXX\n'
b'-----END DSA PRIVATE KEY-----'),
('Invalid PEM cipher', b'-----BEGIN DSA PRIVATE KEY-----\n'
b'Proc-Type: 4,ENCRYPTED\n'
b'DEK-Info: XXX,00\n'
b'-----END DSA PRIVATE KEY-----'),
('Invalid PEM IV', b'-----BEGIN DSA PRIVATE KEY-----\n'
b'Proc-Type: 4,ENCRYPTED\n'
b'DEK-Info: AES-256-CBC,XXX\n'
b'-----END DSA PRIVATE KEY-----'),
('Invalid PEM PKCS#8 encrypted data',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 encrypted header',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(
(None, None))) + b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 encryption algorithm',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(((None, None), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES1 encryption parameters',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(((_ES1_SHA1_DES, None), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES1 PKCS#12 encryption parameters',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(((_P12_RC4_40, None), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES1 PKCS#12 salt',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(
((_P12_RC4_40,
(b'', 0)), b''))) + b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES1 PKCS#12 iteration count',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(((_P12_RC4_40, (b'x', 0)), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 encryption parameters',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(((_ES2, None), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 KDF algorithm',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' + binascii.b2a_base64(
der_encode(((_ES2, ((None, None), (None, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 encryption algorithm',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' + binascii.b2a_base64(
der_encode(
((_ES2, ((_ES2_PBKDF2, None), (None, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 PBKDF2 parameters',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' + binascii.b2a_base64(
der_encode(((_ES2, ((_ES2_PBKDF2, None),
(_ES2_AES128, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 PBKDF2 salt',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' + binascii.b2a_base64(
der_encode(((_ES2, ((_ES2_PBKDF2, (None, None)),
(_ES2_AES128, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 PBKDF2 iteration count',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' + binascii.b2a_base64(
der_encode(((_ES2, ((_ES2_PBKDF2, (b'', None)),
(_ES2_AES128, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 PBKDF2 PRF',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' + binascii.b2a_base64(
der_encode(((_ES2, ((_ES2_PBKDF2, (b'', 0, None)),
(_ES2_AES128, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Unknown PEM PKCS#8 PBES2 PBKDF2 PRF',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' + binascii.b2a_base64(
der_encode(
((_ES2, ((_ES2_PBKDF2, (b'', 0,
(ObjectIdentifier('1.1'), None))),
(_ES2_AES128, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 encryption parameters',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' + binascii.b2a_base64(
der_encode(((_ES2, ((_ES2_PBKDF2, (b'', 0)),
(_ES2_AES128, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid length PEM PKCS#8 PBES2 IV',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' + binascii.b2a_base64(
der_encode(((_ES2, ((_ES2_PBKDF2, (b'', 0)),
(_ES2_AES128, b''))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid OpenSSH cipher',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('xxx'), String(''), String(''),
UInt32(1), String(''), String('')))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH kdf', b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('aes256-cbc'), String('xxx'),
String(''), UInt32(1), String(''), String('')))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH kdf data',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('aes256-cbc'), String('bcrypt'),
String(''), UInt32(1), String(''), String('')))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH salt', b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('aes256-cbc'), String('bcrypt'),
String(b''.join(
(String(b''), UInt32(1)))), UInt32(1), String(''),
String('')))) + b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH encrypted data',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('aes256-cbc'), String('bcrypt'),
String(b''.join(
(String(16 * b'\0'), UInt32(1)))), UInt32(1), String(''),
String('')))) + b'-----END OPENSSH PRIVATE KEY-----'),
('Unexpected OpenSSH trailing data',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('aes256-cbc'), String('bcrypt'),
String(b''.join((String(16 * b'\0'), UInt32(1)))), UInt32(1),
String(''), String(''), String('xxx')))) +
b'-----END OPENSSH PRIVATE KEY-----')
]
public_errors = [
('Non-ASCII', '\xff'), ('Incomplete ASN.1', b''),
('Invalid ASN.1', b'\x30'), ('Invalid PKCS#1', der_encode(None)),
('Invalid PKCS#8',
der_encode(
((self.pubkey.pkcs8_oid, ()), BitString(der_encode(None))))),
('Invalid PKCS#8 ASN.1',
der_encode(((self.pubkey.pkcs8_oid, None), BitString(b'')))),
('Invalid PEM header', b'-----BEGIN XXX-----\n'),
('Missing PEM footer', b'-----BEGIN PUBLIC KEY-----\n'),
('Invalid PEM key type', b'-----BEGIN XXX PUBLIC KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END XXX PUBLIC KEY-----'),
('Invalid PEM Base64', b'-----BEGIN PUBLIC KEY-----\n'
b'X\n'
b'-----END PUBLIC KEY-----'),
('Incomplete PEM ASN.1', b'-----BEGIN PUBLIC KEY-----\n'
b'-----END PUBLIC KEY-----'),
('Invalid PKCS#1 key data', b'-----BEGIN DSA PUBLIC KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END DSA PUBLIC KEY-----'),
('Invalid PKCS#8 key data', b'-----BEGIN PUBLIC KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END PUBLIC KEY-----'), ('Invalid OpenSSH', b'xxx'),
('Invalid OpenSSH Base64', b'ssh-dss X'),
('Unknown OpenSSH algorithm',
b'ssh-dss ' + binascii.b2a_base64(String('xxx'))),
('Invalid OpenSSH body',
b'ssh-dss ' + binascii.b2a_base64(String('ssh-dss'))),
('Invalid RFC4716 header', b'---- XXX ----\n'),
('Missing RFC4716 footer', b'---- BEGIN SSH2 PUBLIC KEY ----\n'),
('Invalid RFC4716 header', b'---- BEGIN SSH2 PUBLIC KEY ----\n'
b'XXX:\\\n'
b'---- END SSH2 PUBLIC KEY ----\n'),
('Invalid RFC4716 Base64', b'---- BEGIN SSH2 PUBLIC KEY ----\n'
b'X\n'
b'---- END SSH2 PUBLIC KEY ----\n')
]
for fmt, data in private_errors:
with self.subTest('Decode private (%s)' % fmt):
with self.assertRaises(KeyImportError):
import_private_key(data)
for fmt, data in decrypt_errors:
with self.subTest('Decrypt private (%s)' % fmt):
with self.assertRaises((KeyImportError, KeyEncryptionError)):
import_private_key(data, 'x')
for fmt, data in public_errors:
with self.subTest('Decode public (%s)' % fmt):
with self.assertRaises(KeyImportError):
import_public_key(data)
async def run_client(inst, cmd, sshAgent=None, scpSrcFilePath=None, dlDirPath='.',
dlFileName=None, knownHostsOnly=False ):
#logger.info( 'inst %s', inst)
sshSpecs = inst['ssh']
#logger.info( 'iid %s, ssh: %s', inst['instanceId'], inst['ssh'])
host = sshSpecs['host']
port = sshSpecs['port']
user = sshSpecs['user']
iid = inst['instanceId']
iidAbbrev = iid[0:16]
# implement pasword-passing if present in ssh args
password = sshSpecs.get('password', None )
try:
if knownHostsOnly:
known_hosts = os.path.expanduser( '~/.ssh/known_hosts' )
else:
known_hosts = None
if False: # 'returnedPubKey' in inst:
keyStr = inst['returnedPubKey']
logger.info( 'importing %s', keyStr)
key = asyncssh.import_public_key( keyStr )
logger.info( 'imported %s', key.export_public_key() )
#known_hosts = key # nope
known_hosts = asyncssh.import_known_hosts(keyStr)
logResult( 'operation', ['connect', host, port], iid )
#sshAgent = os.getenv( 'SSH_AUTH_SOCK' )
#async with asyncssh.connect(host, port=port, username=user, password=password, known_hosts=None) as conn:
async with asyncssh.connect(host, port=port, username=user,
keepalive_interval=15, keepalive_count_max=4,
known_hosts=known_hosts, agent_path=sshAgent ) as conn:
serverHostKey = conn.get_server_host_key()
#logger.info( 'got serverHostKey (%s) %s', type(serverHostKey), serverHostKey )
serverPubKey = serverHostKey.export_public_key(format_name='openssh')
#logger.info( 'serverPubKey (%s) %s', type(serverPubKey), serverPubKey )
serverPubKeyStr = str(serverPubKey,'utf8')
#logger.info( 'serverPubKeyStr %s', serverPubKeyStr )
inst['returnedPubKey'] = serverPubKeyStr
if scpSrcFilePath:
logger.info( 'uploading %s to %s', scpSrcFilePath, iidAbbrev )
await asyncssh.scp( scpSrcFilePath, conn, preserve=True, recurse=True )
#logger.info( 'uploaded %s to %s', scpSrcFilePath, iidAbbrev )
logResult( 'operation', ['upload', scpSrcFilePath], iid )
proc = None
# execute cmd on remote, if non-null cmd given
if cmd:
# substitute actual instanceId for '<<instanceId>>' in cmd
cmd = cmd.replace( '<<instanceId>>', iid )
logResult( 'operation', ['command', cmd], iid )
async with conn.create_process(cmd) as proc:
async for line in proc.stdout:
logger.info('stdout[%s] %s', iidAbbrev, line.strip() )
logResult( 'stdout', line.rstrip(), iid )
async for line in proc.stderr:
logger.info('stderr[%s] %s', iidAbbrev, line.strip() )
logResult( 'stderr', line.rstrip(), iid )
await proc.wait_closed()
logResult( 'returncode', proc.returncode, iid )
if proc.returncode is None:
logger.warning( 'returncode[%s] NONE', iidAbbrev )
#elif proc.returncode:
# logger.warning( 'returncode %s for %s', proc.returncode, iidAbbrev )
if dlFileName:
destDirPath = '%s/%s' % (dlDirPath, iid)
logger.info( 'downloading %s from %s to %s',
dlFileName, iidAbbrev, destDirPath )
await asyncssh.scp( (conn, dlFileName), destDirPath, preserve=True, recurse=True )
#logger.info( 'downloaded from %s to %s', iidAbbrev, destDirPath )
logResult( 'operation', ['download', dlFileName], iid )
if proc:
return proc.returncode
else:
return 0
except Exception as exc:
logger.warning( 'got exception (%s) %s', type(exc), exc, exc_info=False )
logResult( 'exception', {'type': type(exc).__name__, 'msg': str(exc) }, iid )
return exc
return 'did we not connect?'
def check_decode_errors(self):
"""Check error code paths in key decoding"""
private_errors = [
('Non-ASCII', '\xff'),
('Incomplete ASN.1', b''),
('Invalid PKCS#1', der_encode(None)),
('Invalid PKCS#1 params',
der_encode((1, b'', TaggedDERObject(0, b'')))),
('Invalid PKCS#1 EC named curve OID',
der_encode((1, b'',
TaggedDERObject(0, ObjectIdentifier('1.1'))))),
('Invalid PKCS#8',
der_encode((0, (self.privkey.pkcs8_oid, ()), der_encode(None)))),
('Invalid PKCS#8 ASN.1',
der_encode((0, (self.privkey.pkcs8_oid, None), b''))),
('Invalid PKCS#8 params',
der_encode((1, (self.privkey.pkcs8_oid, b''),
der_encode((1, b''))))),
('Invalid PEM header', b'-----BEGIN XXX-----\n'),
('Missing PEM footer', b'-----BEGIN PRIVATE KEY-----\n'),
('Invalid PEM key type',
b'-----BEGIN XXX PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END XXX PRIVATE KEY-----'),
('Invalid PEM Base64',
b'-----BEGIN PRIVATE KEY-----\n'
b'X\n'
b'-----END PRIVATE KEY-----'),
('Missing PKCS#1 passphrase',
b'-----BEGIN DSA PRIVATE KEY-----\n'
b'Proc-Type: 4,ENCRYPTED\n'
b'-----END DSA PRIVATE KEY-----'),
('Incomplete PEM ASN.1',
b'-----BEGIN PRIVATE KEY-----\n'
b'-----END PRIVATE KEY-----'),
('Missing PEM PKCS#8 passphrase',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#1 key',
b'-----BEGIN DSA PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END DSA PRIVATE KEY-----'),
('Invalid PEM PKCS#8 key',
b'-----BEGIN PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END PRIVATE KEY-----'),
('Unknown format OpenSSH key',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b'XXX') +
b'-----END OPENSSH PRIVATE KEY-----'),
('Incomplete OpenSSH key',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b'openssh-key-v1\0') +
b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH nkeys',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String(''), String(''), String(''),
UInt32(2), String(''), String('')))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Missing OpenSSH passphrase',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('xxx'), String(''), String(''),
UInt32(1), String(''), String('')))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Mismatched OpenSSH check bytes',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('none'), String(''), String(''),
UInt32(1), String(''), String(b''.join((UInt32(1),
UInt32(2))))))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH algorithm',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('none'), String(''), String(''),
UInt32(1), String(''), String(b''.join((UInt32(1), UInt32(1),
String('xxx'))))))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH pad',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('none'), String(''), String(''),
UInt32(1), String(''), String(b''.join((UInt32(1), UInt32(1),
String('ssh-dss'),
5*MPInt(0),
String(''),
b'\0')))))) +
b'-----END OPENSSH PRIVATE KEY-----')
]
decrypt_errors = [
('Invalid PKCS#1', der_encode(None)),
('Invalid PKCS#8', der_encode((0, (self.privkey.pkcs8_oid, ()),
der_encode(None)))),
('Invalid PEM params', b'-----BEGIN DSA PRIVATE KEY-----\n'
b'Proc-Type: 4,ENCRYPTED\n'
b'DEK-Info: XXX\n'
b'-----END DSA PRIVATE KEY-----'),
('Invalid PEM cipher', b'-----BEGIN DSA PRIVATE KEY-----\n'
b'Proc-Type: 4,ENCRYPTED\n'
b'DEK-Info: XXX,00\n'
b'-----END DSA PRIVATE KEY-----'),
('Invalid PEM IV', b'-----BEGIN DSA PRIVATE KEY-----\n'
b'Proc-Type: 4,ENCRYPTED\n'
b'DEK-Info: AES-256-CBC,XXX\n'
b'-----END DSA PRIVATE KEY-----'),
('Invalid PEM PKCS#8 encrypted data',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 encrypted header',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode((None, None))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 encryption algorithm',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(((None, None), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES1 encryption parameters',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(((_ES1_SHA1_DES, None), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES1 PKCS#12 encryption parameters',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(((_P12_RC4_40, None), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES1 PKCS#12 salt',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(((_P12_RC4_40, (b'', 0)), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES1 PKCS#12 iteration count',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(((_P12_RC4_40, (b'x', 0)), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 encryption parameters',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(((_ES2, None), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 KDF algorithm',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(
((_ES2, ((None, None), (None, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 encryption algorithm',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(
((_ES2, ((_ES2_PBKDF2, None), (None, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 PBKDF2 parameters',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(
((_ES2, ((_ES2_PBKDF2, None), (_ES2_AES128, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 PBKDF2 salt',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(
((_ES2, ((_ES2_PBKDF2, (None, None)),
(_ES2_AES128, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 PBKDF2 iteration count',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(
((_ES2, ((_ES2_PBKDF2, (b'', None)),
(_ES2_AES128, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 PBKDF2 PRF',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(
((_ES2, ((_ES2_PBKDF2, (b'', 0, None)),
(_ES2_AES128, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Unknown PEM PKCS#8 PBES2 PBKDF2 PRF',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(
((_ES2, ((_ES2_PBKDF2, (b'', 0,
(ObjectIdentifier('1.1'), None))),
(_ES2_AES128, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid PEM PKCS#8 PBES2 encryption parameters',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(
((_ES2, ((_ES2_PBKDF2, (b'', 0)),
(_ES2_AES128, None))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid length PEM PKCS#8 PBES2 IV',
b'-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +
binascii.b2a_base64(der_encode(
((_ES2, ((_ES2_PBKDF2, (b'', 0)),
(_ES2_AES128, b''))), b''))) +
b'-----END ENCRYPTED PRIVATE KEY-----'),
('Invalid OpenSSH cipher',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('xxx'), String(''), String(''),
UInt32(1), String(''), String('')))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH kdf',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('aes256-cbc'), String('xxx'),
String(''), UInt32(1), String(''), String('')))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH kdf data',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('aes256-cbc'), String('bcrypt'),
String(''), UInt32(1), String(''), String('')))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH salt',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('aes256-cbc'), String('bcrypt'),
String(b''.join((String(b''), UInt32(1)))), UInt32(1),
String(''), String('')))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Invalid OpenSSH encrypted data',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('aes256-cbc'), String('bcrypt'),
String(b''.join((String(16*b'\0'), UInt32(1)))), UInt32(1),
String(''), String('')))) +
b'-----END OPENSSH PRIVATE KEY-----'),
('Unexpected OpenSSH trailing data',
b'-----BEGIN OPENSSH PRIVATE KEY-----\n' +
binascii.b2a_base64(b''.join(
(b'openssh-key-v1\0', String('aes256-cbc'), String('bcrypt'),
String(b''.join((String(16*b'\0'), UInt32(1)))), UInt32(1),
String(''), String(''), String('xxx')))) +
b'-----END OPENSSH PRIVATE KEY-----')
]
public_errors = [
('Non-ASCII', '\xff'),
('Incomplete ASN.1', b''),
('Invalid ASN.1', b'\x30'),
('Invalid PKCS#1', der_encode(None)),
('Invalid PKCS#8', der_encode(((self.pubkey.pkcs8_oid, ()),
BitString(der_encode(None))))),
('Invalid PKCS#8 ASN.1', der_encode(((self.pubkey.pkcs8_oid,
None), BitString(b'')))),
('Invalid PEM header', b'-----BEGIN XXX-----\n'),
('Missing PEM footer', b'-----BEGIN PUBLIC KEY-----\n'),
('Invalid PEM key type',
b'-----BEGIN XXX PUBLIC KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END XXX PUBLIC KEY-----'),
('Invalid PEM Base64',
b'-----BEGIN PUBLIC KEY-----\n'
b'X\n'
b'-----END PUBLIC KEY-----'),
('Incomplete PEM ASN.1',
b'-----BEGIN PUBLIC KEY-----\n'
b'-----END PUBLIC KEY-----'),
('Invalid PKCS#1 key data',
b'-----BEGIN DSA PUBLIC KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END DSA PUBLIC KEY-----'),
('Invalid PKCS#8 key data',
b'-----BEGIN PUBLIC KEY-----\n' +
binascii.b2a_base64(der_encode(None)) +
b'-----END PUBLIC KEY-----'),
('Invalid OpenSSH', b'xxx'),
('Invalid OpenSSH Base64', b'ssh-dss X'),
('Unknown OpenSSH algorithm',
b'ssh-dss ' + binascii.b2a_base64(String('xxx'))),
('Invalid OpenSSH body',
b'ssh-dss ' + binascii.b2a_base64(String('ssh-dss'))),
('Invalid RFC4716 header', b'---- XXX ----\n'),
('Missing RFC4716 footer', b'---- BEGIN SSH2 PUBLIC KEY ----\n'),
('Invalid RFC4716 header',
b'---- BEGIN SSH2 PUBLIC KEY ----\n'
b'XXX:\\\n'
b'---- END SSH2 PUBLIC KEY ----\n'),
('Invalid RFC4716 Base64',
b'---- BEGIN SSH2 PUBLIC KEY ----\n'
b'X\n'
b'---- END SSH2 PUBLIC KEY ----\n')
]
for fmt, data in private_errors:
with self.subTest('Decode private (%s)' % fmt):
with self.assertRaises(KeyImportError):
import_private_key(data)
for fmt, data in decrypt_errors:
with self.subTest('Decrypt private (%s)' % fmt):
with self.assertRaises((KeyImportError, KeyEncryptionError)):
import_private_key(data, 'x')
for fmt, data in public_errors:
with self.subTest('Decode public (%s)' % fmt):
with self.assertRaises(KeyImportError):
import_public_key(data)
