[project @ Arch-1:robey@lag.net--2003-public%secsh--dev--1.0--patch-12]
fix dss key signing (expanded on a patch from fred gansevles) add a demo dss key for server mode, and fix some bugs that had caused the dss signing stuff to never work before. the demo_server is a bit more verbose now, too. both key types (RSAKey & DSSKey) now have a function to return the fingerprint of the key, and both versions of read_private_key_file() now raise exceptions on failure, instead of just silently setting "valid" to false.
This commit is contained in:
Robey Pointer
parent
e7715095b6
commit
02319afd5a
|
|
@ -0,0 +1,12 @@
|
||||||
|
-----BEGIN DSA PRIVATE KEY-----
|
||||||
|
MIIBuwIBAAKBgQDngaYDZ30c6/7cJgEEbtl8FgKdwhba1Z7oOrOn4MI/6C42G1bY
|
||||||
|
wMuqZf4dBCglsdq39SHrcjbE8Vq54gPSOh3g4+uV9Rcg5IOoPLbwp2jQfF6f1FIb
|
||||||
|
sx7hrDCIqUcQccPSxetPBKmXI9RN8rZLaFuQeTnI65BKM98Ruwvq6SI2LwIVAPDP
|
||||||
|
hSeawaJI27mKqOfe5PPBSmyHAoGBAJMXxXmPD9sGaQ419DIpmZecJKBUAy9uXD8x
|
||||||
|
gbgeDpwfDaFJP8owByCKREocPFfi86LjCuQkyUKOfjYMN6iHIf1oEZjB8uJAatUr
|
||||||
|
FzI0ArXtUqOhwTLwTyFuUojE5own2WYsOAGByvgfyWjsGhvckYNhI4ODpNdPlxQ8
|
||||||
|
ZamaPGPsAoGARmR7CCPjodxASvRbIyzaVpZoJ/Z6x7dAumV+ysrV1BVYd0lYukmn
|
||||||
|
jO1kKBWApqpH1ve9XDQYN8zgxM4b16L21kpoWQnZtXrY3GZ4/it9kUgyB7+NwacI
|
||||||
|
BlXa8cMDL7Q/69o0d54U0X/NeX5QxuYR6OMJlrkQB7oiW/P/1mwjQgECFGI9QPSc
|
||||||
|
h9pT9XHqn+1rZ4bK+QGA
|
||||||
|
-----END DSA PRIVATE KEY-----
|
||||||
|
|
@ -12,8 +12,12 @@ if len(l.handlers) == 0:
|
||||||
lh.setFormatter(logging.Formatter('%(levelname)-.3s [%(asctime)s] %(name)s: %(message)s', '%Y%m%d:%H%M%S'))
|
lh.setFormatter(logging.Formatter('%(levelname)-.3s [%(asctime)s] %(name)s: %(message)s', '%Y%m%d:%H%M%S'))
|
||||||
l.addHandler(lh)
|
l.addHandler(lh)
|
||||||
|
|
||||||
host_key = paramiko.RSAKey()
|
#host_key = paramiko.RSAKey()
|
||||||
host_key.read_private_key_file('demo_host_key')
|
#host_key.read_private_key_file('demo_host_key')
|
||||||
|
|
||||||
|
host_key = paramiko.DSSKey()
|
||||||
|
host_key.read_private_key_file('demo_dss_key')
|
||||||
|
print 'Read key: ' + paramiko.hexify(host_key.get_fingerprint())
|
||||||
|
|
||||||
|
|
||||||
class ServerTransport(paramiko.Transport):
|
class ServerTransport(paramiko.Transport):
|
||||||
|
|
@ -54,12 +58,15 @@ except Exception, e:
|
||||||
|
|
||||||
try:
|
try:
|
||||||
sock.listen(100)
|
sock.listen(100)
|
||||||
|
print 'Listening for connection ...'
|
||||||
client, addr = sock.accept()
|
client, addr = sock.accept()
|
||||||
except Exception, e:
|
except Exception, e:
|
||||||
print '*** Listen/accept failed: ' + str(e)
|
print '*** Listen/accept failed: ' + str(e)
|
||||||
traceback.print_exc()
|
traceback.print_exc()
|
||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
|
|
||||||
|
print 'Got a connection!'
|
||||||
|
|
||||||
try:
|
try:
|
||||||
event = threading.Event()
|
event = threading.Event()
|
||||||
t = ServerTransport(client)
|
t = ServerTransport(client)
|
||||||
|
|
|
||||||
29
dsskey.py
29
dsskey.py
|
|
@ -1,11 +1,12 @@
|
||||||
#!/usr/bin/python
|
#!/usr/bin/python
|
||||||
|
|
||||||
import base64
|
import base64
|
||||||
|
from paramiko import SSHException
|
||||||
from message import Message
|
from message import Message
|
||||||
from transport import MSG_USERAUTH_REQUEST
|
from transport import MSG_USERAUTH_REQUEST
|
||||||
from util import inflate_long, deflate_long
|
from util import inflate_long, deflate_long
|
||||||
from Crypto.PublicKey import DSA
|
from Crypto.PublicKey import DSA
|
||||||
from Crypto.Hash import SHA
|
from Crypto.Hash import SHA, MD5
|
||||||
from ber import BER
|
from ber import BER
|
||||||
|
|
||||||
from util import format_binary
|
from util import format_binary
|
||||||
|
|
@ -38,6 +39,9 @@ class DSSKey(object):
|
||||||
def get_name(self):
|
def get_name(self):
|
||||||
return 'ssh-dss'
|
return 'ssh-dss'
|
||||||
|
|
||||||
|
def get_fingerprint(self):
|
||||||
|
return MD5.new(str(self)).digest()
|
||||||
|
|
||||||
def verify_ssh_sig(self, data, msg):
|
def verify_ssh_sig(self, data, msg):
|
||||||
if not self.valid:
|
if not self.valid:
|
||||||
return 0
|
return 0
|
||||||
|
|
@ -58,7 +62,7 @@ class DSSKey(object):
|
||||||
dss = DSA.construct((long(self.y), long(self.g), long(self.p), long(self.q)))
|
dss = DSA.construct((long(self.y), long(self.g), long(self.p), long(self.q)))
|
||||||
return dss.verify(sigM, (sigR, sigS))
|
return dss.verify(sigM, (sigR, sigS))
|
||||||
|
|
||||||
def sign_ssh_data(self, data):
|
def sign_ssh_data(self, randpool, data):
|
||||||
hash = SHA.new(data).digest()
|
hash = SHA.new(data).digest()
|
||||||
dss = DSA.construct((long(self.y), long(self.g), long(self.p), long(self.q), long(self.x)))
|
dss = DSA.construct((long(self.y), long(self.g), long(self.p), long(self.q), long(self.x)))
|
||||||
# generate a suitable k
|
# generate a suitable k
|
||||||
|
|
@ -74,24 +78,19 @@ class DSSKey(object):
|
||||||
return str(m)
|
return str(m)
|
||||||
|
|
||||||
def read_private_key_file(self, filename):
|
def read_private_key_file(self, filename):
|
||||||
|
"throws a file exception, or SSHException (on invalid key, or base64 decoding exception"
|
||||||
# private key file contains:
|
# private key file contains:
|
||||||
# DSAPrivateKey = { version = 0, p, q, g, y, x }
|
# DSAPrivateKey = { version = 0, p, q, g, y, x }
|
||||||
self.valid = 0
|
self.valid = 0
|
||||||
try:
|
f = open(filename, 'r')
|
||||||
f = open(filename, 'r')
|
lines = f.readlines()
|
||||||
lines = f.readlines()
|
f.close()
|
||||||
f.close()
|
|
||||||
except:
|
|
||||||
return
|
|
||||||
if lines[0].strip() != '-----BEGIN DSA PRIVATE KEY-----':
|
if lines[0].strip() != '-----BEGIN DSA PRIVATE KEY-----':
|
||||||
return
|
raise SSHException('not a valid DSA private key file')
|
||||||
try:
|
data = base64.decodestring(''.join(lines[1:-1]))
|
||||||
data = base64.decodestring(''.join(lines[1:-1]))
|
|
||||||
except:
|
|
||||||
return
|
|
||||||
keylist = BER(data).decode()
|
keylist = BER(data).decode()
|
||||||
if (type(keylist) != type([])) or (len(keylist) < 6) or (keylist[0] != 0):
|
if (type(keylist) != type([])) or (len(keylist) < 6) or (keylist[0] != 0):
|
||||||
return
|
raise SSHException('not a valid DSA private key file (bad ber encoding)')
|
||||||
self.p = keylist[1]
|
self.p = keylist[1]
|
||||||
self.q = keylist[2]
|
self.q = keylist[2]
|
||||||
self.g = keylist[3]
|
self.g = keylist[3]
|
||||||
|
|
@ -110,4 +109,4 @@ class DSSKey(object):
|
||||||
m.add_boolean(1)
|
m.add_boolean(1)
|
||||||
m.add_string('ssh-dss')
|
m.add_string('ssh-dss')
|
||||||
m.add_string(str(self))
|
m.add_string(str(self))
|
||||||
return self.sign_ssh_data(str(m))
|
return self.sign_ssh_data(randpool, str(m))
|
||||||
|
|
|
||||||
|
|
@ -138,7 +138,7 @@ class KexGex(object):
|
||||||
H = SHA.new(str(hm)).digest()
|
H = SHA.new(str(hm)).digest()
|
||||||
self.transport.set_K_H(K, H)
|
self.transport.set_K_H(K, H)
|
||||||
# sign it
|
# sign it
|
||||||
sig = self.transport.get_server_key().sign_ssh_data(H)
|
sig = self.transport.get_server_key().sign_ssh_data(self.transport.randpool, H)
|
||||||
# send reply
|
# send reply
|
||||||
m = Message()
|
m = Message()
|
||||||
m.add_byte(chr(MSG_KEXDH_GEX_REPLY))
|
m.add_byte(chr(MSG_KEXDH_GEX_REPLY))
|
||||||
|
|
|
||||||
|
|
@ -92,7 +92,7 @@ class KexGroup1(object):
|
||||||
H = SHA.new(str(hm)).digest()
|
H = SHA.new(str(hm)).digest()
|
||||||
self.transport.set_K_H(K, H)
|
self.transport.set_K_H(K, H)
|
||||||
# sign it
|
# sign it
|
||||||
sig = self.transport.get_server_key().sign_ssh_data(H)
|
sig = self.transport.get_server_key().sign_ssh_data(self.transport.randpool, H)
|
||||||
# send reply
|
# send reply
|
||||||
m = Message()
|
m = Message()
|
||||||
m.add_byte(chr(MSG_KEXDH_REPLY))
|
m.add_byte(chr(MSG_KEXDH_REPLY))
|
||||||
|
|
|
||||||
|
|
@ -14,6 +14,8 @@ from channel import Channel
|
||||||
from rsakey import RSAKey
|
from rsakey import RSAKey
|
||||||
from dsskey import DSSKey
|
from dsskey import DSSKey
|
||||||
|
|
||||||
|
from util import hexify
|
||||||
|
|
||||||
|
|
||||||
__author__ = "Robey Pointer <robey@lag.net>"
|
__author__ = "Robey Pointer <robey@lag.net>"
|
||||||
__date__ = "10 Nov 2003"
|
__date__ = "10 Nov 2003"
|
||||||
|
|
|
||||||
26
rsakey.py
26
rsakey.py
|
|
@ -31,6 +31,9 @@ class RSAKey(object):
|
||||||
def get_name(self):
|
def get_name(self):
|
||||||
return 'ssh-rsa'
|
return 'ssh-rsa'
|
||||||
|
|
||||||
|
def get_fingerprint(self):
|
||||||
|
return MD5.new(str(self)).digest()
|
||||||
|
|
||||||
def pkcs1imify(self, data):
|
def pkcs1imify(self, data):
|
||||||
"""
|
"""
|
||||||
turn a 20-byte SHA1 hash into a blob of data as large as the key's N,
|
turn a 20-byte SHA1 hash into a blob of data as large as the key's N,
|
||||||
|
|
@ -51,7 +54,7 @@ class RSAKey(object):
|
||||||
rsa = RSA.construct((long(self.n), long(self.e)))
|
rsa = RSA.construct((long(self.n), long(self.e)))
|
||||||
return rsa.verify(hash, (sig,))
|
return rsa.verify(hash, (sig,))
|
||||||
|
|
||||||
def sign_ssh_data(self, data):
|
def sign_ssh_data(self, randpool, data):
|
||||||
hash = SHA.new(data).digest()
|
hash = SHA.new(data).digest()
|
||||||
rsa = RSA.construct((long(self.n), long(self.e), long(self.d)))
|
rsa = RSA.construct((long(self.n), long(self.e), long(self.d)))
|
||||||
sig = deflate_long(rsa.sign(self.pkcs1imify(hash), '')[0], 0)
|
sig = deflate_long(rsa.sign(self.pkcs1imify(hash), '')[0], 0)
|
||||||
|
|
@ -61,24 +64,19 @@ class RSAKey(object):
|
||||||
return str(m)
|
return str(m)
|
||||||
|
|
||||||
def read_private_key_file(self, filename):
|
def read_private_key_file(self, filename):
|
||||||
|
"throws a file exception, or SSHException (on invalid key), or base64 decoding exception"
|
||||||
# private key file contains:
|
# private key file contains:
|
||||||
# RSAPrivateKey = { version = 0, n, e, d, p, q, d mod p-1, d mod q-1, q**-1 mod p }
|
# RSAPrivateKey = { version = 0, n, e, d, p, q, d mod p-1, d mod q-1, q**-1 mod p }
|
||||||
self.valid = 0
|
self.valid = 0
|
||||||
try:
|
f = open(filename, 'r')
|
||||||
f = open(filename, 'r')
|
lines = f.readlines()
|
||||||
lines = f.readlines()
|
f.close()
|
||||||
f.close()
|
|
||||||
except:
|
|
||||||
return
|
|
||||||
if lines[0].strip() != '-----BEGIN RSA PRIVATE KEY-----':
|
if lines[0].strip() != '-----BEGIN RSA PRIVATE KEY-----':
|
||||||
return
|
raise SSHException('not a valid DSA private key file')
|
||||||
try:
|
data = base64.decodestring(''.join(lines[1:-1]))
|
||||||
data = base64.decodestring(''.join(lines[1:-1]))
|
|
||||||
except:
|
|
||||||
return
|
|
||||||
keylist = BER(data).decode()
|
keylist = BER(data).decode()
|
||||||
if (type(keylist) != type([])) or (len(keylist) < 4) or (keylist[0] != 0):
|
if (type(keylist) != type([])) or (len(keylist) < 4) or (keylist[0] != 0):
|
||||||
return
|
raise SSHException('not a valid DSA private key file (bad ber encoding)')
|
||||||
self.n = keylist[1]
|
self.n = keylist[1]
|
||||||
self.e = keylist[2]
|
self.e = keylist[2]
|
||||||
self.d = keylist[3]
|
self.d = keylist[3]
|
||||||
|
|
@ -98,5 +96,5 @@ class RSAKey(object):
|
||||||
m.add_boolean(1)
|
m.add_boolean(1)
|
||||||
m.add_string('ssh-rsa')
|
m.add_string('ssh-rsa')
|
||||||
m.add_string(str(self))
|
m.add_string(str(self))
|
||||||
return self.sign_ssh_data(str(m))
|
return self.sign_ssh_data(randpool, str(m))
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -532,7 +532,7 @@ class BaseTransport(threading.Thread):
|
||||||
m.add_byte(chr(MSG_KEXINIT))
|
m.add_byte(chr(MSG_KEXINIT))
|
||||||
m.add_bytes(randpool.get_bytes(16))
|
m.add_bytes(randpool.get_bytes(16))
|
||||||
m.add(','.join(self.preferred_kex))
|
m.add(','.join(self.preferred_kex))
|
||||||
m.add(','.join(self.available_server_keys))
|
m.add(','.join(available_server_keys))
|
||||||
m.add(','.join(self.preferred_ciphers))
|
m.add(','.join(self.preferred_ciphers))
|
||||||
m.add(','.join(self.preferred_ciphers))
|
m.add(','.join(self.preferred_ciphers))
|
||||||
m.add(','.join(self.preferred_macs))
|
m.add(','.join(self.preferred_macs))
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue