def test_ed25519(self):
key1 = Ed25519Key.from_private_key_file(test_path('test_ed25519.key'))
key2 = Ed25519Key.from_private_key_file(
test_path('test_ed25519_password.key'), b'abc123'
)
self.assertNotEqual(key1.asbytes(), key2.asbytes())
def test_ed25519_public(self):
pub_bytes = base64.b64decode(PUB_ED25519.split()[1])
key1 = Ed25519Key(data=pub_bytes)
key2 = Ed25519Key(msg=Message(pub_bytes))
self.assertEqual(key1.asbytes(), key2.asbytes())
self.assertFalse(key1.can_sign())
self.assertFalse(key2.can_sign())
def test_ed25519_nonbytes_password(self):
# https://github.com/paramiko/paramiko/issues/1039
Ed25519Key.from_private_key_file(
_support("test_ed25519_password.key"),
# NOTE: not a bytes. Amusingly, the test above for same key DOES
# explicitly cast to bytes...code smell!
"abc123",
)
def test_ed25519_compare(self):
# verify that the private & public keys compare equal
key = Ed25519Key.from_private_key_file(_support("test_ed25519.key"))
self.assertEqual(key, key)
pub = Ed25519Key(data=key.asbytes())
self.assertTrue(key.can_sign())
self.assertTrue(not pub.can_sign())
self.assertEqual(key, pub)
def test_ed25519(self):
key1 = Ed25519Key.from_private_key_file(_support('test_ed25519.key'))
self.assert_key_values(key1, 'ssh-ed25519', 256, PUB_ED25519,
FINGER_ED25519, FINGER_SHA256_ED25519)
key2 = Ed25519Key.from_private_key_file(
_support('test_ed25519_password.key'), b'abc123')
self.assertNotEqual(key1.asbytes(), key2.asbytes())
self.assertTrue(key1.can_sign())
self.assertTrue(key2.can_sign())
def test_sign_ed25519(self):
private = Ed25519Key.from_private_key_file(
_support("test_ed25519.key"))
msg = private.sign_ssh_data(b"ice weasels")
msg.rewind()
self.assertEqual(msg.get_text(), "ssh-ed25519")
self.assertEqual(msg.get_binary(), base64.b64decode(SIGNED_ED25519))
msg.rewind()
pub = Ed25519Key(data=base64.b64decode(PUB_ED25519.split()[1]))
self.assertTrue(pub.verify_ssh_sig(b"ice weasels", msg))
def test_verify_ed25519_invalid(self):
signature = Message()
signature.add_string("ssh-ed25519")
signature.add_string(b'bad/signature')
pub = Ed25519Key(data=base64.b64decode(PUB_ED25519.split()[1]))
self.assertFalse(pub.verify_ssh_sig(b"ice weasels", signature))
def test_certificates(self):
# NOTE: we also test 'live' use of cert auth for all key types in
# test_client.py; this and nearby cert tests are more about the gritty
# details.
# PKey.load_certificate
key_path = _support(os.path.join('cert_support', 'test_rsa.key'))
key = RSAKey.from_private_key_file(key_path)
self.assertTrue(key.public_blob is None)
cert_path = _support(
os.path.join('cert_support', 'test_rsa.key-cert.pub')
)
key.load_certificate(cert_path)
self.assertTrue(key.public_blob is not None)
self.assertEqual(key.public_blob.key_type, '*****@*****.**')
self.assertEqual(key.public_blob.comment, 'test_rsa.key.pub')
# Delve into blob contents, for test purposes
msg = Message(key.public_blob.key_blob)
self.assertEqual(msg.get_text(), '*****@*****.**')
nonce = msg.get_string()
e = msg.get_mpint()
n = msg.get_mpint()
self.assertEqual(e, key.public_numbers.e)
self.assertEqual(n, key.public_numbers.n)
# Serial number
self.assertEqual(msg.get_int64(), 1234)
# Prevented from loading certificate that doesn't match
key_path = _support(os.path.join('cert_support', 'test_ed25519.key'))
key1 = Ed25519Key.from_private_key_file(key_path)
self.assertRaises(
ValueError,
key1.load_certificate,
_support('test_rsa.key-cert.pub'),
)
def test_certificates(self):
# NOTE: we also test 'live' use of cert auth for all key types in
# test_client.py; this and nearby cert tests are more about the gritty
# details.
# PKey.load_certificate
key_path = _support(os.path.join("cert_support", "test_rsa.key"))
key = RSAKey.from_private_key_file(key_path)
self.assertTrue(key.public_blob is None)
cert_path = _support(
os.path.join("cert_support", "test_rsa.key-cert.pub"))
key.load_certificate(cert_path)
self.assertTrue(key.public_blob is not None)
self.assertEqual(key.public_blob.key_type,
"*****@*****.**")
self.assertEqual(key.public_blob.comment, "test_rsa.key.pub")
# Delve into blob contents, for test purposes
msg = Message(key.public_blob.key_blob)
self.assertEqual(msg.get_text(), "*****@*****.**")
msg.get_string()
e = msg.get_mpint()
n = msg.get_mpint()
self.assertEqual(e, key.public_numbers.e)
self.assertEqual(n, key.public_numbers.n)
# Serial number
self.assertEqual(msg.get_int64(), 1234)
# Prevented from loading certificate that doesn't match
key_path = _support(os.path.join("cert_support", "test_ed25519.key"))
key1 = Ed25519Key.from_private_key_file(key_path)
self.assertRaises(
ValueError,
key1.load_certificate,
_support("test_rsa.key-cert.pub"),
)
def test_certificates(self):
# PKey.load_certificate
key = RSAKey.from_private_key_file(test_path('test_rsa.key'))
self.assertTrue(key.public_blob is None)
key.load_certificate(test_path('test_rsa.key-cert.pub'))
self.assertTrue(key.public_blob is not None)
self.assertEqual(key.public_blob.key_type, '*****@*****.**')
self.assertEqual(key.public_blob.comment, 'test_rsa.key.pub')
# Delve into blob contents, for test purposes
msg = Message(key.public_blob.key_blob)
self.assertEqual(msg.get_text(), '*****@*****.**')
nonce = msg.get_string()
e = msg.get_mpint()
n = msg.get_mpint()
self.assertEqual(e, key.public_numbers.e)
self.assertEqual(n, key.public_numbers.n)
# Serial number
self.assertEqual(msg.get_int64(), 1234)
# Prevented from loading certificate that doesn't match
key1 = Ed25519Key.from_private_key_file(test_path('test_ed25519.key'))
self.assertRaises(
ValueError,
key1.load_certificate,
test_path('test_rsa.key-cert.pub'),
)
def test_ed25519_compare(self):
# verify that the private & public keys compare equal
key = Ed25519Key.from_private_key_file(test_path('test_ed25519.key'))
self.assertEqual(key, key)
pub = Ed25519Key(data=key.asbytes())
self.assertTrue(key.can_sign())
self.assertTrue(not pub.can_sign())
self.assertEqual(key, pub)
def test_verify_ed25519_valid(self):
signature = Message()
signature.add_string("ssh-ed25519")
signature.add_string(base64.b64decode(SIGNED_ED25519))
signature.rewind()
pub = Ed25519Key(data=base64.b64decode(PUB_ED25519.split()[1]))
self.assertTrue(pub.verify_ssh_sig(b"ice weasels", signature))
def test_ed25519_nonbytes_password(self):
# https://github.com/paramiko/paramiko/issues/1039
key = Ed25519Key.from_private_key_file(
_support("test_ed25519_password.key"),
# NOTE: not a bytes. Amusingly, the test above for same key DOES
# explicitly cast to bytes...code smell!
"abc123",
)
def test_certs_allowed_as_key_filename_values(self):
# NOTE: giving cert path here, not key path. (Key path test is below.
# They're similar except for which path is given; the expected auth and
# server-side behavior is 100% identical.)
# NOTE: only bothered whipping up one cert per overall class/family.
for type_ in ('rsa', 'dss', 'ecdsa_256', 'ed25519'):
if type_ == 'ed25519' and not Ed25519Key.is_supported():
continue
cert_name = 'test_{}.key-cert.pub'.format(type_)
cert_path = _support(os.path.join('cert_support', cert_name))
self._test_connection(
key_filename=cert_path,
public_blob=PublicBlob.from_file(cert_path),
)
def get_private_key(self):
"""Returns the private key.
If the key doesn't exist, None is returned.
Returns:
object -- The key.
"""
if self.private_key_exists:
if platform == "linux" or platform == "linux2" or platform == "darwin":
return RSAKey.from_private_key_file(Paths.private_key_file)
elif platform == "win32":
return Ed25519Key.from_private_key_file(Paths.private_key_file)
else:
return None
def test_certs_implicitly_loaded_alongside_key_filename_keys(self):
# NOTE: a regular test_connection() w/ test_rsa.key would incidentally
# test this (because test_xxx.key-cert.pub exists) but incidental tests
# stink, so NullServer and friends were updated to allow assertions
# about the server-side key object's public blob. Thus, we can prove
# that a specific cert was found, along with regular authorization
# succeeding proving that the overall flow works.
for type_ in ('rsa', 'dss', 'ecdsa_256', 'ed25519'):
if type_ == 'ed25519' and not Ed25519Key.is_supported():
continue
key_name = 'test_{}.key'.format(type_)
key_path = _support(os.path.join('cert_support', key_name))
self._test_connection(
key_filename=key_path,
public_blob=PublicBlob.from_file(
'{}-cert.pub'.format(key_path)),
)
def shell(self, cmd: str):
if self.accessible == False:
print("No access info...")
return False
pkey_file = self.pkey.open()
client = SSHClient()
client.set_missing_host_key_policy(AutoAddPolicy())
client.connect(hostname=self.host,
pkey=Ed25519Key.from_private_key(
pkey_file, self.passphrase),
passphrase=self.passphrase,
username=self.user)
_, _, stderr = client.exec_command(cmd)
for line in stderr:
print(line, file=sys.stderr)
client.close()
def ping(self):
if self.accessible == False:
print("No access info...")
return False
pkey_file = self.pkey.open()
client = SSHClient()
client.set_missing_host_key_policy(AutoAddPolicy())
try:
client.connect(hostname=self.host,
pkey=Ed25519Key.from_private_key(
pkey_file, self.passphrase),
passphrase=self.passphrase,
username=self.user)
print(f"{self.name} is started.", flush=True)
client.close()
return True
except NoValidConnectionsError as e:
print(e, flush=True)
return False
def load(self):
"""Try to load the public key
We support RSA, ECDSA and Ed25519 keys and return instances of:
* paramiko.rsakey.RSAKey
* paramiko.ecdsakey.ECDSAKey
* paramiko.ed25519key.Ed25519Key (requires paramiko >= 2.2)
"""
# I don't think there is a key type independent way of doing this
public_key_blob = b64decode(self.key_base64)
if self.key_algorithm.startswith('ssh-ed25519'):
try:
return Ed25519Key(data=public_key_blob)
except NameError:
raise ValidationError('Paramiko too old to load ed25519 keys')
elif self.key_algorithm.startswith('ecdsa-'):
return ECDSAKey(data=public_key_blob)
elif self.key_algorithm.startswith('ssh-rsa'):
return RSAKey(data=public_key_blob)
raise SSHException('Key is not RSA, ECDSA or Ed25519')
def _get_server(self, platform_ssh: bool):
"""Method for getting and starting ssh server."""
if platform_ssh:
return None
try:
pkey = RSAKey.from_private_key(
StringIO(self.tunnel["privateKey"]),
password=self.tunnel.get("password"))
except SSHException:
pkey = Ed25519Key.from_private_key(
StringIO(self.tunnel["privateKey"]),
password=self.tunnel.get("password"))
server = SSHTunnelForwarder(ssh_address_or_host=(self.tunnel["host"],
self.tunnel["port"]),
ssh_username=self.tunnel["username"],
ssh_password=self.tunnel.get("password"),
ssh_pkey=pkey,
remote_bind_address=(self.host, self.port))
server.start()
return server
def test_ed25519_load_from_file_obj(self):
with open(_support("test_ed25519.key")) as pkey_fileobj:
key = Ed25519Key.from_private_key(pkey_fileobj)
self.assertEqual(key, key)
self.assertTrue(key.can_sign())
def test_ed25519(self):
key1 = Ed25519Key.from_private_key_file(_support("test_ed25519.key"))
key2 = Ed25519Key.from_private_key_file(
_support("test_ed25519_password.key"), b"abc123"
)
self.assertNotEqual(key1.asbytes(), key2.asbytes())
def test_ed25519_funky_padding_with_passphrase(self):
# Proves #1306 by just not exploding with 'Invalid key'.
Ed25519Key.from_private_key_file(
_support("test_ed25519-funky-padding_password.key"), b"asdf")
def test_ed25519_funky_padding(self):
# Proves #1306 by just not exploding with 'Invalid key'.
Ed25519Key.from_private_key_file(
_support("test_ed25519-funky-padding.key"))
def test_ed25519(self):
key1 = Ed25519Key.from_private_key_file(test_path('test_ed25519.key'))
key2 = Ed25519Key.from_private_key_file(
test_path('test_ed25519_password.key'), b'abc123')
self.assertNotEqual(key1.asbytes(), key2.asbytes())
def test_ed25519(self):
key1 = Ed25519Key.from_private_key_file(_support("test_ed25519.key"))
key2 = Ed25519Key.from_private_key_file(
_support("test_ed25519_password.key"), b"abc123"
)
self.assertNotEqual(key1.asbytes(), key2.asbytes())
def test_ed25519_nopad(self):
Ed25519Key.from_private_key_file(_support("test_ed25519_nopad.key"))
def test_ed25519_nopad(self):
key = Ed25519Key.from_private_key_file(
_support("test_ed25519_nopad.key"))
self.assert_key_values(key, 'ssh-ed25519', 256, None,
FINGER_ED25519_NOPAD,
FINGER_SHA256_ED25519_NOPAD)
def test_ed25519_nonbytes_password(self):
key = Ed25519Key.from_private_key_file(
_support('test_ed25519_password.key'), 'abc123')
self.assert_key_values(key, 'ssh-ed25519', 256, None,
FINGER_ED25519_PASS, FINGER_SHA256_ED25519_PASS)
def test_ed25519_load_from_file_obj(self):
with open(test_path('test_ed25519.key')) as pkey_fileobj:
key = Ed25519Key.from_private_key(pkey_fileobj)
self.assertEqual(key, key)
self.assertTrue(key.can_sign())