Exemplo n.º 1
0
    def validate(self):
        """
        Verify that the contents of the certificate have been signed by the
        signing key in the certificate. This only does the cryptographic
        verification. Validation that the signing key is an accepted CA key
        or verifying other information such as timestamps or principals is
        not done here and is the responsibility of the application using the
        certificate.

        :return bool:
            True if the certificate data was signed by the CA in the cert.
            False if not.
        """
        if self.signature is None or self.signature_key is None:
            return False

        # The signature_key is just a string containing the binary data of
        # the key. This will create a message of that data, determine the key
        # type from the first field, and then pass the message to the
        # appropriate key class.
        ca_key_msg = Message(self.signature_key)
        ca_key_type = ca_key_msg.get_text()
        ca_key_msg.rewind()
        ca_key_class = Transport._key_info.get(ca_key_type)
        if ca_key_class == None:
            err = "Unknown signature key type"
            raise SSHException(err)
        ca_key = ca_key_class(msg=ca_key_msg)

        # Create the certificate body if it hasn't been done already.
        if self._body_bytes is None:
            self._body_bytes = self.generate_body(ca_key, self.nonce)

        return ca_key.verify_ssh_sig(self._body_bytes, Message(self.signature))
Exemplo n.º 2
0
def sign_token(key_path, fingerprint, data):
    # from agent
    pkey = get_key_from_agent(fingerprint)
    if not pkey:
        # or from file (without passphrase)
        # assuming '.pub' file extension
        if not os.path.exists(key_path[:-4]):
            raise SignatureException('WrongKeyPath')
        try:
            pkey = RSAKey.from_private_key_file(key_path[:-4])
        except PasswordRequiredException:
            raise SignatureException('EncryptedKey')

    if not pkey:
        raise SignatureException('KeyNotFound')

    try:
        # paramiko is inconsistent here in that the agent's key
        # returns Message objects for 'sign_ssh_data' whereas RSAKey
        # objects returns byte strings.
        # Workaround: cast both return values to string and build a
        # new Message object
        s = str(pkey.sign_ssh_data(data))
        m = Message(s)
        m.rewind()
        if not m.get_string() == 'ssh-rsa':
            raise SignatureException('RSAKeyRequired')
        return base64.b64encode(m.get_string())
    except Exception:
        raise SignatureException('SignatureCreateFailure')
Exemplo n.º 3
0
def sign_token(key_path, fingerprint, data):
    # from agent
    pkey = get_key_from_agent(fingerprint)
    if not pkey:
        # or from file (without passphrase)
        # assuming '.pub' file extension
        if not os.path.exists(key_path[:-4]):
            raise SignatureException('WrongKeyPath')
        try:
            pkey = RSAKey.from_private_key_file(key_path[:-4])
        except PasswordRequiredException:
            raise SignatureException('EncryptedKey')

    if not pkey:
        raise SignatureException('KeyNotFound')

    try:
        # paramiko is inconsistent here in that the agent's key
        # returns Message objects for 'sign_ssh_data' whereas RSAKey
        # objects returns byte strings.
        # Workaround: cast both return values to string and build a
        # new Message object
        s = str(pkey.sign_ssh_data(data))
        m = Message(s)
        m.rewind()
        if not m.get_string() == 'ssh-rsa':
            raise SignatureException('RSAKeyRequired')
        return base64.b64encode(m.get_string())
    except Exception:
        raise SignatureException('SignatureCreateFailure')
Exemplo n.º 4
0
def _parse_ecdsa_key(msg):
    # See comment for _parse_rsa_key
    key_msg = Message()
    curve = msg.get_text()
    key_msg.add_string('ecdsa-sha2-{}'.format(curve))
    key_msg.add_string(curve)
    key_msg.add_string(msg.get_binary())
    key_msg.rewind()
    return ECDSAKey(msg=key_msg)
Exemplo n.º 5
0
 def test_4_misc(self):
     msg = Message(self.__d)
     self.assertEquals(msg.get_int(), 5)
     self.assertEquals(msg.get_mpint(), 0x1122334455L)
     self.assertEquals(msg.get_so_far(), self.__d[:13])
     self.assertEquals(msg.get_remainder(), self.__d[13:])
     msg.rewind()
     self.assertEquals(msg.get_int(), 5)
     self.assertEquals(msg.get_so_far(), self.__d[:4])
     self.assertEquals(msg.get_remainder(), self.__d[4:])
Exemplo n.º 6
0
def _parse_dsa_key(msg):
    # See comment for _parse_rsa_key
    key_msg = Message()
    key_msg.add_string('ssh-dss')
    key_msg.add_mpint(msg.get_mpint())
    key_msg.add_mpint(msg.get_mpint())
    key_msg.add_mpint(msg.get_mpint())
    key_msg.add_mpint(msg.get_mpint())
    key_msg.rewind()
    return DSSKey(msg=key_msg)
Exemplo n.º 7
0
 def test_4_misc(self):
     msg = Message(self.__d)
     self.assertEquals(msg.get_int(), 5)
     self.assertEquals(msg.get_mpint(), 0x1122334455)
     self.assertEquals(msg.get_so_far(), self.__d[:13])
     self.assertEquals(msg.get_remainder(), self.__d[13:])
     msg.rewind()
     self.assertEquals(msg.get_int(), 5)
     self.assertEquals(msg.get_so_far(), self.__d[:4])
     self.assertEquals(msg.get_remainder(), self.__d[4:])
Exemplo n.º 8
0
 def test_4_misc(self):
     msg = Message(self.__d)
     self.assertEqual(msg.get_adaptive_int(), 5)
     self.assertEqual(msg.get_adaptive_int(), 0x1122334455)
     self.assertEqual(msg.get_adaptive_int(), 0xf00000000000000000)
     self.assertEqual(msg.get_so_far(), self.__d[:29])
     self.assertEqual(msg.get_remainder(), self.__d[29:])
     msg.rewind()
     self.assertEqual(msg.get_adaptive_int(), 5)
     self.assertEqual(msg.get_so_far(), self.__d[:4])
     self.assertEqual(msg.get_remainder(), self.__d[4:])
Exemplo n.º 9
0
def _parse_rsa_key(msg):
    # This method avoids having to keep track of how paramiko handles keys
    # or having to go into the cryptography.hazmat modules. It takes the
    # parts of the key from the certificate then puts them in a Message that
    # resembles a normally encoded keyh. That Message is then handed to the
    # key constructor which should be able to handle the parsing.
    key_msg = Message()
    key_msg.add_string('ssh-rsa')
    key_msg.add_mpint(msg.get_mpint())
    key_msg.add_mpint(msg.get_mpint())
    key_msg.rewind()
    return RSAKey(msg=key_msg)
Exemplo n.º 10
0
 def _request_auth(self):
     #if MSG_SERVICE_REQUEST already sent, do not send again
     if hasattr(self.transport, '_SERVICE_REQUEST_SENT'):
         #triger userauth manually
         m = Message()
         m.add_string('ssh-userauth')
         m.rewind()
         self._parse_service_accept(m)
         return
     m = Message()
     m.add_byte(chr(MSG_SERVICE_REQUEST))
     m.add_string('ssh-userauth')
     self.transport._send_message(m)
     self.transport._SERVICE_REQUEST_SENT = True
Exemplo n.º 11
0
 def __init__(self, session: 'ssh_proxy_server.session.Session', m: Message) -> None:
     self.session = session
     self.client_version = session.transport.remote_version
     self.cookie = m.get_bytes(16)  # cookie (random bytes)
     self.kex_algorithms = m.get_list()  # kex_algorithms
     self.server_host_key_algorithms = m.get_list()
     self.encryption_algorithms_client_to_server = m.get_list()
     self.encryption_algorithms_server_to_client = m.get_list()
     self.mac_algorithms_client_to_server = m.get_list()
     self.mac_algorithms_server_to_client = m.get_list()
     self.compression_algorithms_client_to_server = m.get_list()
     self.compression_algorithms_server_to_client = m.get_list()
     self.languages_client_to_server = m.get_list()
     self.languages_server_to_client = m.get_list()
     self.first_kex_packet_follows = m.get_boolean()
     m.rewind()