def test_key(self): """Check key import and export""" for keytype in self.keytypes: with self.subTest(keytype=keytype): self.make_keypair('priv', 'pub', keytype) self.make_keypair('privca', 'pubca', keytype) run('chmod 600 priv privca') if self.base_format == 'openssh': run('cp -p pub sshpub') else: run('ssh-keygen -i -f pub -m %s > sshpub' % self.base_format) self.privkey = read_private_key('priv') self.pubkey = read_public_key('pub') self.privca = read_private_key('privca') self.pubca = read_public_key('pubca') self.check_encode_errors() self.check_decode_errors() self.check_sshkey_base_errors() self.check_sign_and_verify() if 'pkcs1' in self.private_formats: self.check_pkcs1_private() if 'pkcs1' in self.public_formats: self.check_pkcs1_public() if 'pkcs8' in self.private_formats: self.check_pkcs8_private() if 'pkcs8' in self.public_formats: self.check_pkcs8_public() if 'openssh' in self.private_formats: # pragma: no branch self.check_openssh_private() if 'openssh' in self.public_formats: # pragma: no branch self.check_openssh_public() if 'rfc4716' in self.public_formats: # pragma: no branch self.check_rfc4716_public() for cert_type in (CERT_TYPE_USER, CERT_TYPE_HOST): for version in self.cert_versions: for fmt in ('openssh', 'rfc4716'): with self.subTest(cert_type=cert_type, version=version, fmt=fmt): self.check_certificate(cert_type, version, fmt) self.check_certificate_errors(cert_type)
def test_key(self): """Check key import and export""" for keytype in self.keytypes: with self.subTest(keytype=keytype): self.make_keypair('priv', 'pub', keytype) self.make_keypair('privca', 'pubca', keytype) run('chmod 600 priv privca') if self.base_format == 'openssh': run('cp -p pub sshpub') else: run('ssh-keygen -i -f pub -m %s > sshpub' % self.base_format) self.privkey = read_private_key('priv') self.pubkey = read_public_key('pub') self.privca = read_private_key('privca') self.pubca = read_public_key('pubca') self.check_encode_errors() self.check_decode_errors() self.check_sshkey_base_errors() self.check_sign_and_verify() if 'pkcs1' in self.private_formats: self.check_pkcs1_private() if 'pkcs1' in self.public_formats and _pkcs1_public_supported: self.check_pkcs1_public() if 'pkcs8' in self.private_formats: self.check_pkcs8_private() if 'pkcs8' in self.public_formats: self.check_pkcs8_public() if 'openssh' in self.private_formats: # pragma: no branch self.check_openssh_private() if 'openssh' in self.public_formats: # pragma: no branch self.check_openssh_public() if 'rfc4716' in self.public_formats: # pragma: no branch self.check_rfc4716_public() for cert_type in (CERT_TYPE_USER, CERT_TYPE_HOST): for fmt in ('openssh', 'rfc4716'): with self.subTest(cert_type=cert_type, fmt=fmt): self.check_certificate(cert_type, fmt) self.check_certificate_errors(cert_type)
def export_pkcs1_public(self, fmt): """Check export of a PKCS#1 public key""" self.privkey.write_public_key('pubout', 'pkcs1-%s' % fmt) if self.keyclass == 'dsa': # OpenSSL no longer has support for PKCS#1 DSA, so we can # only test against ourselves. read_public_key('pubout').write_public_key('new', 'pkcs1-%s' % fmt) else: run('openssl %s -RSAPublicKey_in -in pubout -inform %s -out new ' '-outform pem' % (self.keyclass, fmt)) self.check_public()
def check_sign_and_verify(self): """Check key signing and verification""" with self.subTest('Sign/verify test'): pubkey = read_public_key('pub') data = os.urandom(8) sig = self.privkey.sign(data) with self.subTest('Good signature'): self.assertTrue(pubkey.verify(data, sig)) badsig = bytearray(sig) badsig[-1] ^= 0xff badsig = bytes(badsig) with self.subTest('Bad signature'): self.assertFalse(pubkey.verify(data, badsig)) with self.subTest('Empty signature'): self.assertFalse( pubkey.verify(data, String(pubkey.algorithm) + String(b''))) badalg = String('xxx') with self.subTest('Bad algorithm'): self.assertFalse(pubkey.verify(data, badalg)) with self.subTest('Sign with public key'): with self.assertRaises(ValueError): pubkey.sign(data)
def check_sign_and_verify(self): """Check key signing and verification""" with self.subTest('Sign/verify test'): pubkey = read_public_key('pub') data = os.urandom(8) sig = self.privkey.sign(data) with self.subTest('Good signature'): self.assertTrue(pubkey.verify(data, sig)) badsig = bytearray(sig) badsig[-1] ^= 0xff badsig = bytes(badsig) with self.subTest('Bad signature'): self.assertFalse(pubkey.verify(data, badsig)) with self.subTest('Empty signature'): self.assertFalse(pubkey.verify(data, String(pubkey.algorithm) + String(b''))) badalg = String('xxx') with self.subTest('Bad algorithm'): self.assertFalse(pubkey.verify(data, badalg)) with self.subTest('Sign with public key'): with self.assertRaises(ValueError): pubkey.sign(data)
def begin_auth(self, username): """Handle client authentication request""" if self._set_keys: self._conn.set_authorized_keys('authorized_keys') else: self._client_key = asyncssh.read_public_key('ckey.pub') return True
def check_public(self): """Check for a public key match""" newkey = read_public_key('new') self.assertEqual(newkey, self.pubkey) self.assertEqual(hash(newkey), hash(self.pubkey)) run('cat new new > list') keylist = read_public_key_list('list') self.assertEqual(keylist[0], newkey) self.assertEqual(keylist[1], newkey)
def asyncSetUpClass(cls): """Set up keys and an SSH server for the tests to use""" run('ssh-keygen -q -b 2048 -t rsa -N "" -f ckey') output = run('ssh-agent -a agent') cls._agent_pid = int(output.splitlines()[2].split()[3][:-1]) os.environ['SSH_AUTH_SOCK'] = 'agent' run('ssh-add ckey') cls._public_key = asyncssh.read_public_key('ckey.pub')
def generate_user_cert(role, hostname, username, cfg): """Generate a Signed user cert""" user_key = asyncssh.read_public_key(get_user_pubkey(username)) if cfg.get('require_host', True): principal = '%s@%s' % (role, hostname) comment = '%s-%s@%s' % (role, username, hostname) else: principal = role comment = '%s-%s' % (role, username) valid_before = cfg.get('valid_before', '2h') cert = ca.generate_user_certificate(user_key, username, principals=[principal], valid_before=valid_before, serial=int(time.time()), comment=comment, **permissions) return cert
def generate_user_cert(role, hostname, username): """Generate a Signed user cert KeyID: username Serial: Current Unix Time Principals: role@hostname or role """ try: cfg = config['roles'][role] except KeyError: raise CertError(101, "Invalid role") if hostname and not hostname.isalnum(): raise CertError(104, "Invalid hostname") if cfg.get('require_host', True) and not hostname: raise CertError(102, "Require hostname") if username not in cfg['users']: raise CertError(103, "Permission denied") user_key = asyncssh.read_public_key(get_user_pubkey(username)) if cfg.get('require_host', True): principal = '%s@%s' % (role, hostname) comment = '%s-%s@%s' % (role, username, hostname) else: principal = role comment = '%s-%s' % (role, username) valid_before = cfg.get('valid_before', '2h') cert = ca.generate_user_certificate(user_key, username, principals=[principal], valid_before=valid_before, serial=int(time.time()), comment=comment, **permissions) return cert
def check_public(self): newkey = read_public_key('new') self.assertEqual(newkey.encode_ssh_public(), self.sshpub)