diff options
| author | Myles Borins <mylesborins@github.com> | 2020-10-02 17:52:19 -0400 |
|---|---|---|
| committer | Myles Borins <mylesborins@github.com> | 2020-10-07 09:59:49 -0400 |
| commit | 2e545249557c265f7d5f338cc3a382985211603c (patch) | |
| tree | a18ca49252a58cc5a80cd438a020a99bf48a8d23 /deps/npm/node_modules/sshpk/lib | |
| parent | 14699846452e627f97dedb85991eea67d932a79d (diff) | |
| download | node-new-2e545249557c265f7d5f338cc3a382985211603c.tar.gz | |
deps: update npm to 7.0.0-rc.3
PR-URL: https://github.com/nodejs/node/pull/35474
Reviewed-By: Ruy Adorno <ruyadorno@github.com>
Reviewed-By: Ujjwal Sharma <ryzokuken@disroot.org>
Reviewed-By: Ben Coe <bencoe@gmail.com>
Reviewed-By: Geoffrey Booth <webmaster@geoffreybooth.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Shelley Vohr <codebytere@gmail.com>
Reviewed-By: Guy Bedford <guybedford@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Diffstat (limited to 'deps/npm/node_modules/sshpk/lib')
| -rw-r--r-- | deps/npm/node_modules/sshpk/lib/certificate.js | 34 | ||||
| -rw-r--r-- | deps/npm/node_modules/sshpk/lib/dhe.js | 25 | ||||
| -rw-r--r-- | deps/npm/node_modules/sshpk/lib/ed-compat.js | 8 | ||||
| -rw-r--r-- | deps/npm/node_modules/sshpk/lib/fingerprint.js | 80 | ||||
| -rw-r--r-- | deps/npm/node_modules/sshpk/lib/formats/auto.js | 19 | ||||
| -rw-r--r-- | deps/npm/node_modules/sshpk/lib/formats/openssh-cert.js | 45 | ||||
| -rw-r--r-- | deps/npm/node_modules/sshpk/lib/formats/pem.js | 116 | ||||
| -rw-r--r-- | deps/npm/node_modules/sshpk/lib/formats/pkcs8.js | 27 | ||||
| -rw-r--r-- | deps/npm/node_modules/sshpk/lib/formats/putty.js | 99 | ||||
| -rw-r--r-- | deps/npm/node_modules/sshpk/lib/formats/x509-pem.js | 18 | ||||
| -rw-r--r-- | deps/npm/node_modules/sshpk/lib/formats/x509.js | 33 | ||||
| -rw-r--r-- | deps/npm/node_modules/sshpk/lib/identity.js | 90 | ||||
| -rw-r--r-- | deps/npm/node_modules/sshpk/lib/index.js | 1 | ||||
| -rw-r--r-- | deps/npm/node_modules/sshpk/lib/key.js | 41 | ||||
| -rw-r--r-- | deps/npm/node_modules/sshpk/lib/private-key.js | 27 | ||||
| -rw-r--r-- | deps/npm/node_modules/sshpk/lib/utils.js | 81 |
16 files changed, 609 insertions, 135 deletions
diff --git a/deps/npm/node_modules/sshpk/lib/certificate.js b/deps/npm/node_modules/sshpk/lib/certificate.js index f08d66ac55..6932357073 100644 --- a/deps/npm/node_modules/sshpk/lib/certificate.js +++ b/deps/npm/node_modules/sshpk/lib/certificate.js @@ -120,6 +120,37 @@ Certificate.prototype.isSignedBy = function (issuerCert) { return (this.isSignedByKey(issuerCert.subjectKey)); }; +Certificate.prototype.getExtension = function (keyOrOid) { + assert.string(keyOrOid, 'keyOrOid'); + var ext = this.getExtensions().filter(function (maybeExt) { + if (maybeExt.format === 'x509') + return (maybeExt.oid === keyOrOid); + if (maybeExt.format === 'openssh') + return (maybeExt.name === keyOrOid); + return (false); + })[0]; + return (ext); +}; + +Certificate.prototype.getExtensions = function () { + var exts = []; + var x509 = this.signatures.x509; + if (x509 && x509.extras && x509.extras.exts) { + x509.extras.exts.forEach(function (ext) { + ext.format = 'x509'; + exts.push(ext); + }); + } + var openssh = this.signatures.openssh; + if (openssh && openssh.exts) { + openssh.exts.forEach(function (ext) { + ext.format = 'openssh'; + exts.push(ext); + }); + } + return (exts); +}; + Certificate.prototype.isSignedByKey = function (issuerKey) { utils.assertCompatible(issuerKey, Key, [1, 2], 'issuerKey'); @@ -370,8 +401,9 @@ Certificate.isCertificate = function (obj, ver) { /* * API versions for Certificate: * [1,0] -- initial ver + * [1,1] -- openssh format now unpacks extensions */ -Certificate.prototype._sshpkApiVersion = [1, 0]; +Certificate.prototype._sshpkApiVersion = [1, 1]; Certificate._oldVersionDetect = function (obj) { return ([1, 0]); diff --git a/deps/npm/node_modules/sshpk/lib/dhe.js b/deps/npm/node_modules/sshpk/lib/dhe.js index de0a10a72c..a3c8032cf1 100644 --- a/deps/npm/node_modules/sshpk/lib/dhe.js +++ b/deps/npm/node_modules/sshpk/lib/dhe.js @@ -11,14 +11,16 @@ var crypto = require('crypto'); var Buffer = require('safer-buffer').Buffer; var algs = require('./algs'); var utils = require('./utils'); -var nacl; +var nacl = require('tweetnacl'); var Key = require('./key'); var PrivateKey = require('./private-key'); var CRYPTO_HAVE_ECDH = (crypto.createECDH !== undefined); -var ecdh, ec, jsbn; +var ecdh = require('ecc-jsbn'); +var ec = require('ecc-jsbn/lib/ec'); +var jsbn = require('jsbn').BigInteger; function DiffieHellman(key) { utils.assertCompatible(key, Key, [1, 4], 'key'); @@ -43,13 +45,6 @@ function DiffieHellman(key) { } else if (key.type === 'ecdsa') { if (!CRYPTO_HAVE_ECDH) { - if (ecdh === undefined) - ecdh = require('ecc-jsbn'); - if (ec === undefined) - ec = require('ecc-jsbn/lib/ec'); - if (jsbn === undefined) - jsbn = require('jsbn').BigInteger; - this._ecParams = new X9ECParameters(this._curve); if (this._isPriv) { @@ -76,9 +71,6 @@ function DiffieHellman(key) { this._dh.setPublicKey(key.part.Q.data); } else if (key.type === 'curve25519') { - if (nacl === undefined) - nacl = require('tweetnacl'); - if (this._isPriv) { utils.assertCompatible(key, PrivateKey, [1, 5], 'key'); this._priv = key.part.k.data; @@ -321,9 +313,6 @@ ECPrivate.prototype.deriveSharedSecret = function (pubKey) { }; function generateED25519() { - if (nacl === undefined) - nacl = require('tweetnacl'); - var pair = nacl.sign.keyPair(); var priv = Buffer.from(pair.secretKey); var pub = Buffer.from(pair.publicKey); @@ -374,12 +363,6 @@ function generateECDSA(curve) { }); return (key); } else { - if (ecdh === undefined) - ecdh = require('ecc-jsbn'); - if (ec === undefined) - ec = require('ecc-jsbn/lib/ec'); - if (jsbn === undefined) - jsbn = require('jsbn').BigInteger; var ecParams = new X9ECParameters(curve); diff --git a/deps/npm/node_modules/sshpk/lib/ed-compat.js b/deps/npm/node_modules/sshpk/lib/ed-compat.js index 129c2fc307..70732e1f70 100644 --- a/deps/npm/node_modules/sshpk/lib/ed-compat.js +++ b/deps/npm/node_modules/sshpk/lib/ed-compat.js @@ -5,7 +5,7 @@ module.exports = { Signer: Signer }; -var nacl; +var nacl = require('tweetnacl'); var stream = require('stream'); var util = require('util'); var assert = require('assert-plus'); @@ -13,9 +13,6 @@ var Buffer = require('safer-buffer').Buffer; var Signature = require('./signature'); function Verifier(key, hashAlgo) { - if (nacl === undefined) - nacl = require('tweetnacl'); - if (hashAlgo.toLowerCase() !== 'sha512') throw (new Error('ED25519 only supports the use of ' + 'SHA-512 hashes')); @@ -61,9 +58,6 @@ Verifier.prototype.verify = function (signature, fmt) { }; function Signer(key, hashAlgo) { - if (nacl === undefined) - nacl = require('tweetnacl'); - if (hashAlgo.toLowerCase() !== 'sha512') throw (new Error('ED25519 only supports the use of ' + 'SHA-512 hashes')); diff --git a/deps/npm/node_modules/sshpk/lib/fingerprint.js b/deps/npm/node_modules/sshpk/lib/fingerprint.js index 4e75e6667f..0004b376ec 100644 --- a/deps/npm/node_modules/sshpk/lib/fingerprint.js +++ b/deps/npm/node_modules/sshpk/lib/fingerprint.js @@ -1,4 +1,4 @@ -// Copyright 2015 Joyent, Inc. +// Copyright 2018 Joyent, Inc. module.exports = Fingerprint; @@ -8,6 +8,7 @@ var algs = require('./algs'); var crypto = require('crypto'); var errs = require('./errors'); var Key = require('./key'); +var PrivateKey = require('./private-key'); var Certificate = require('./certificate'); var utils = require('./utils'); @@ -26,11 +27,12 @@ function Fingerprint(opts) { this.hash = opts.hash; this.type = opts.type; + this.hashType = opts.hashType; } Fingerprint.prototype.toString = function (format) { if (format === undefined) { - if (this.algorithm === 'md5') + if (this.algorithm === 'md5' || this.hashType === 'spki') format = 'hex'; else format = 'base64'; @@ -39,8 +41,12 @@ Fingerprint.prototype.toString = function (format) { switch (format) { case 'hex': + if (this.hashType === 'spki') + return (this.hash.toString('hex')); return (addColons(this.hash.toString('hex'))); case 'base64': + if (this.hashType === 'spki') + return (this.hash.toString('base64')); return (sshBase64Format(this.algorithm, this.hash.toString('base64'))); default: @@ -50,14 +56,20 @@ Fingerprint.prototype.toString = function (format) { Fingerprint.prototype.matches = function (other) { assert.object(other, 'key or certificate'); - if (this.type === 'key') { + if (this.type === 'key' && this.hashType !== 'ssh') { + utils.assertCompatible(other, Key, [1, 7], 'key with spki'); + if (PrivateKey.isPrivateKey(other)) { + utils.assertCompatible(other, PrivateKey, [1, 6], + 'privatekey with spki support'); + } + } else if (this.type === 'key') { utils.assertCompatible(other, Key, [1, 0], 'key'); } else { utils.assertCompatible(other, Certificate, [1, 0], 'certificate'); } - var theirHash = other.hash(this.algorithm); + var theirHash = other.hash(this.algorithm, this.hashType); var theirHash2 = crypto.createHash(this.algorithm). update(theirHash).digest('base64'); @@ -68,6 +80,11 @@ Fingerprint.prototype.matches = function (other) { return (this.hash2 === theirHash2); }; +/*JSSTYLED*/ +var base64RE = /^[A-Za-z0-9+\/=]+$/; +/*JSSTYLED*/ +var hexRE = /^[a-fA-F0-9]+$/; + Fingerprint.parse = function (fp, options) { assert.string(fp, 'fingerprint'); @@ -81,13 +98,18 @@ Fingerprint.parse = function (fp, options) { options = {}; if (options.enAlgs !== undefined) enAlgs = options.enAlgs; + if (options.algorithms !== undefined) + enAlgs = options.algorithms; assert.optionalArrayOfString(enAlgs, 'algorithms'); + var hashType = 'ssh'; + if (options.hashType !== undefined) + hashType = options.hashType; + assert.string(hashType, 'options.hashType'); + var parts = fp.split(':'); if (parts.length == 2) { alg = parts[0].toLowerCase(); - /*JSSTYLED*/ - var base64RE = /^[A-Za-z0-9+\/=]+$/; if (!base64RE.test(parts[1])) throw (new FingerprintFormatError(fp)); try { @@ -99,16 +121,50 @@ Fingerprint.parse = function (fp, options) { alg = 'md5'; if (parts[0].toLowerCase() === 'md5') parts = parts.slice(1); + parts = parts.map(function (p) { + while (p.length < 2) + p = '0' + p; + if (p.length > 2) + throw (new FingerprintFormatError(fp)); + return (p); + }); parts = parts.join(''); - /*JSSTYLED*/ - var md5RE = /^[a-fA-F0-9]+$/; - if (!md5RE.test(parts)) + if (!hexRE.test(parts) || parts.length % 2 !== 0) throw (new FingerprintFormatError(fp)); try { hash = Buffer.from(parts, 'hex'); } catch (e) { throw (new FingerprintFormatError(fp)); } + } else { + if (hexRE.test(fp)) { + hash = Buffer.from(fp, 'hex'); + } else if (base64RE.test(fp)) { + hash = Buffer.from(fp, 'base64'); + } else { + throw (new FingerprintFormatError(fp)); + } + + switch (hash.length) { + case 32: + alg = 'sha256'; + break; + case 16: + alg = 'md5'; + break; + case 20: + alg = 'sha1'; + break; + case 64: + alg = 'sha512'; + break; + default: + throw (new FingerprintFormatError(fp)); + } + + /* Plain hex/base64: guess it's probably SPKI unless told. */ + if (options.hashType === undefined) + hashType = 'spki'; } if (alg === undefined) @@ -126,7 +182,8 @@ Fingerprint.parse = function (fp, options) { return (new Fingerprint({ algorithm: alg, hash: hash, - type: options.type || 'key' + type: options.type || 'key', + hashType: hashType })); }; @@ -152,8 +209,9 @@ Fingerprint.isFingerprint = function (obj, ver) { * API versions for Fingerprint: * [1,0] -- initial ver * [1,1] -- first tagged ver + * [1,2] -- hashType and spki support */ -Fingerprint.prototype._sshpkApiVersion = [1, 1]; +Fingerprint.prototype._sshpkApiVersion = [1, 2]; Fingerprint._oldVersionDetect = function (obj) { assert.func(obj.toString); diff --git a/deps/npm/node_modules/sshpk/lib/formats/auto.js b/deps/npm/node_modules/sshpk/lib/formats/auto.js index 56e430d5a7..f32cd9648b 100644 --- a/deps/npm/node_modules/sshpk/lib/formats/auto.js +++ b/deps/npm/node_modules/sshpk/lib/formats/auto.js @@ -1,4 +1,4 @@ -// Copyright 2015 Joyent, Inc. +// Copyright 2018 Joyent, Inc. module.exports = { read: read, @@ -15,6 +15,7 @@ var pem = require('./pem'); var ssh = require('./ssh'); var rfc4253 = require('./rfc4253'); var dnssec = require('./dnssec'); +var putty = require('./putty'); var DNSSEC_PRIVKEY_HEADER_PREFIX = 'Private-key-format: v1'; @@ -26,6 +27,8 @@ function read(buf, options) { return (ssh.read(buf, options)); if (buf.match(/^\s*ecdsa-/)) return (ssh.read(buf, options)); + if (buf.match(/^putty-user-key-file-2:/i)) + return (putty.read(buf, options)); if (findDNSSECHeader(buf)) return (dnssec.read(buf, options)); buf = Buffer.from(buf, 'binary'); @@ -35,6 +38,8 @@ function read(buf, options) { return (pem.read(buf, options)); if (findSSHHeader(buf)) return (ssh.read(buf, options)); + if (findPuTTYHeader(buf)) + return (putty.read(buf, options)); if (findDNSSECHeader(buf)) return (dnssec.read(buf, options)); } @@ -43,6 +48,18 @@ function read(buf, options) { throw (new Error('Failed to auto-detect format of key')); } +function findPuTTYHeader(buf) { + var offset = 0; + while (offset < buf.length && + (buf[offset] === 32 || buf[offset] === 10 || buf[offset] === 9)) + ++offset; + if (offset + 22 <= buf.length && + buf.slice(offset, offset + 22).toString('ascii').toLowerCase() === + 'putty-user-key-file-2:') + return (true); + return (false); +} + function findSSHHeader(buf) { var offset = 0; while (offset < buf.length && diff --git a/deps/npm/node_modules/sshpk/lib/formats/openssh-cert.js b/deps/npm/node_modules/sshpk/lib/formats/openssh-cert.js index 0b95e89049..766f3d39cb 100644 --- a/deps/npm/node_modules/sshpk/lib/formats/openssh-cert.js +++ b/deps/npm/node_modules/sshpk/lib/formats/openssh-cert.js @@ -122,8 +122,23 @@ function fromBuffer(data, algo, partial) { cert.validFrom = int64ToDate(sshbuf.readInt64()); cert.validUntil = int64ToDate(sshbuf.readInt64()); - cert.signatures.openssh.critical = sshbuf.readBuffer(); - cert.signatures.openssh.exts = sshbuf.readBuffer(); + var exts = []; + var extbuf = new SSHBuffer({ buffer: sshbuf.readBuffer() }); + var ext; + while (!extbuf.atEnd()) { + ext = { critical: true }; + ext.name = extbuf.readString(); + ext.data = extbuf.readBuffer(); + exts.push(ext); + } + extbuf = new SSHBuffer({ buffer: sshbuf.readBuffer() }); + while (!extbuf.atEnd()) { + ext = { critical: false }; + ext.name = extbuf.readString(); + ext.data = extbuf.readBuffer(); + exts.push(ext); + } + cert.signatures.openssh.exts = exts; /* reserved */ sshbuf.readBuffer(); @@ -278,13 +293,27 @@ function toBuffer(cert, noSig) { buf.writeInt64(dateToInt64(cert.validFrom)); buf.writeInt64(dateToInt64(cert.validUntil)); - if (sig.critical === undefined) - sig.critical = Buffer.alloc(0); - buf.writeBuffer(sig.critical); + var exts = sig.exts; + if (exts === undefined) + exts = []; - if (sig.exts === undefined) - sig.exts = Buffer.alloc(0); - buf.writeBuffer(sig.exts); + var extbuf = new SSHBuffer({}); + exts.forEach(function (ext) { + if (ext.critical !== true) + return; + extbuf.writeString(ext.name); + extbuf.writeBuffer(ext.data); + }); + buf.writeBuffer(extbuf.toBuffer()); + + extbuf = new SSHBuffer({}); + exts.forEach(function (ext) { + if (ext.critical === true) + return; + extbuf.writeString(ext.name); + extbuf.writeBuffer(ext.data); + }); + buf.writeBuffer(extbuf.toBuffer()); /* reserved */ buf.writeBuffer(Buffer.alloc(0)); diff --git a/deps/npm/node_modules/sshpk/lib/formats/pem.js b/deps/npm/node_modules/sshpk/lib/formats/pem.js index 859cfa13fc..bbe78fcb56 100644 --- a/deps/npm/node_modules/sshpk/lib/formats/pem.js +++ b/deps/npm/node_modules/sshpk/lib/formats/pem.js @@ -1,4 +1,4 @@ -// Copyright 2015 Joyent, Inc. +// Copyright 2018 Joyent, Inc. module.exports = { read: read, @@ -21,6 +21,29 @@ var rfc4253 = require('./rfc4253'); var errors = require('../errors'); +var OID_PBES2 = '1.2.840.113549.1.5.13'; +var OID_PBKDF2 = '1.2.840.113549.1.5.12'; + +var OID_TO_CIPHER = { + '1.2.840.113549.3.7': '3des-cbc', + '2.16.840.1.101.3.4.1.2': 'aes128-cbc', + '2.16.840.1.101.3.4.1.42': 'aes256-cbc' +}; +var CIPHER_TO_OID = {}; +Object.keys(OID_TO_CIPHER).forEach(function (k) { + CIPHER_TO_OID[OID_TO_CIPHER[k]] = k; +}); + +var OID_TO_HASH = { + '1.2.840.113549.2.7': 'sha1', + '1.2.840.113549.2.9': 'sha256', + '1.2.840.113549.2.11': 'sha512' +}; +var HASH_TO_OID = {}; +Object.keys(OID_TO_HASH).forEach(function (k) { + HASH_TO_OID[OID_TO_HASH[k]] = k; +}); + /* * For reading we support both PKCS#1 and PKCS#8. If we find a private key, * we just take the public component of it and use that. @@ -32,14 +55,22 @@ function read(buf, options, forceType) { buf = buf.toString('ascii'); } - var lines = buf.trim().split('\n'); + var lines = buf.trim().split(/[\r\n]+/g); - var m = lines[0].match(/*JSSTYLED*/ - /[-]+[ ]*BEGIN ([A-Z0-9][A-Za-z0-9]+ )?(PUBLIC|PRIVATE) KEY[ ]*[-]+/); + var m; + var si = -1; + while (!m && si < lines.length) { + m = lines[++si].match(/*JSSTYLED*/ + /[-]+[ ]*BEGIN ([A-Z0-9][A-Za-z0-9]+ )?(PUBLIC|PRIVATE) KEY[ ]*[-]+/); + } assert.ok(m, 'invalid PEM header'); - var m2 = lines[lines.length - 1].match(/*JSSTYLED*/ - /[-]+[ ]*END ([A-Z0-9][A-Za-z0-9]+ )?(PUBLIC|PRIVATE) KEY[ ]*[-]+/); + var m2; + var ei = lines.length; + while (!m2 && ei > 0) { + m2 = lines[--ei].match(/*JSSTYLED*/ + /[-]+[ ]*END ([A-Z0-9][A-Za-z0-9]+ )?(PUBLIC|PRIVATE) KEY[ ]*[-]+/); + } assert.ok(m2, 'invalid PEM footer'); /* Begin and end banners must match key type */ @@ -53,6 +84,8 @@ function read(buf, options, forceType) { alg = m[1].trim(); } + lines = lines.slice(si, ei + 1); + var headers = {}; while (true) { lines = lines.slice(1); @@ -63,6 +96,10 @@ function read(buf, options, forceType) { headers[m[1].toLowerCase()] = m[2]; } + /* Chop off the first and last lines */ + lines = lines.slice(0, -1).join(''); + buf = Buffer.from(lines, 'base64'); + var cipher, key, iv; if (headers['proc-type']) { var parts = headers['proc-type'].split(','); @@ -85,9 +122,70 @@ function read(buf, options, forceType) { } } - /* Chop off the first and last lines */ - lines = lines.slice(0, -1).join(''); - buf = Buffer.from(lines, 'base64'); + if (alg && alg.toLowerCase() === 'encrypted') { + var eder = new asn1.BerReader(buf); + var pbesEnd; + eder.readSequence(); + + eder.readSequence(); + pbesEnd = eder.offset + eder.length; + + var method = eder.readOID(); + if (method !== OID_PBES2) { + throw (new Error('Unsupported PEM/PKCS8 encryption ' + + 'scheme: ' + method)); + } + + eder.readSequence(); /* PBES2-params */ + + eder.readSequence(); /* keyDerivationFunc */ + var kdfEnd = eder.offset + eder.length; + var kdfOid = eder.readOID(); + if (kdfOid !== OID_PBKDF2) + throw (new Error('Unsupported PBES2 KDF: ' + kdfOid)); + eder.readSequence(); + var salt = eder.readString(asn1.Ber.OctetString, true); + var iterations = eder.readInt(); + var hashAlg = 'sha1'; + if (eder.offset < kdfEnd) { + eder.readSequence(); + var hashAlgOid = eder.readOID(); + hashAlg = OID_TO_HASH[hashAlgOid]; + if (hashAlg === undefined) { + throw (new Error('Unsupported PBKDF2 hash: ' + + hashAlgOid)); + } + } + eder._offset = kdfEnd; + + eder.readSequence(); /* encryptionScheme */ + var cipherOid = eder.readOID(); + cipher = OID_TO_CIPHER[cipherOid]; + if (cipher === undefined) { + throw (new Error('Unsupported PBES2 cipher: ' + + cipherOid)); + } + iv = eder.readString(asn1.Ber.OctetString, true); + + eder._offset = pbesEnd; + buf = eder.readString(asn1.Ber.OctetString, true); + + if (typeof (options.passphrase) === 'string') { + options.passphrase = Buffer.from( + options.passphrase, 'utf-8'); + } + if (!Buffer.isBuffer(options.passphrase)) { + throw (new errors.KeyEncryptedError( + options.filename, 'PEM')); + } + + var cinfo = utils.opensshCipherInfo(cipher); + + cipher = cinfo.opensslName; + key = utils.pbkdf2(hashAlg, salt, iterations, cinfo.keySize, + options.passphrase); + alg = undefined; + } if (cipher && key && iv) { var cipherStream = crypto.createDecipheriv(cipher, key, iv); diff --git a/deps/npm/node_modules/sshpk/lib/formats/pkcs8.js b/deps/npm/node_modules/sshpk/lib/formats/pkcs8.js index aa27427c17..2ca3ca7a26 100644 --- a/deps/npm/node_modules/sshpk/lib/formats/pkcs8.js +++ b/deps/npm/node_modules/sshpk/lib/formats/pkcs8.js @@ -1,10 +1,11 @@ -// Copyright 2015 Joyent, Inc. +// Copyright 2018 Joyent, Inc. module.exports = { read: read, readPkcs8: readPkcs8, write: write, writePkcs8: writePkcs8, + pkcs8ToBuffer: pkcs8ToBuffer, readECDSACurve: readECDSACurve, writeECDSACurve: writeECDSACurve @@ -300,10 +301,22 @@ function readPkcs8ECDSAPrivate(der) { assert.equal(version[0], 1, 'unknown version of ECDSA key'); var d = der.readString(asn1.Ber.OctetString, true); - der.readSequence(0xa1); + var Q; - var Q = der.readString(asn1.Ber.BitString, true); - Q = utils.ecNormalize(Q); + if (der.peek() == 0xa0) { + der.readSequence(0xa0); + der._offset += der.length; + } + if (der.peek() == 0xa1) { + der.readSequence(0xa1); + Q = der.readString(asn1.Ber.BitString, true); + Q = utils.ecNormalize(Q); + } + + if (Q === undefined) { + var pub = utils.publicFromPrivateECDSA(curveName, d); + Q = pub.part.Q.data; + } var key = { type: 'ecdsa', @@ -412,6 +425,12 @@ function readPkcs8X25519Private(der) { return (new PrivateKey(key)); } +function pkcs8ToBuffer(key) { + var der = new asn1.BerWriter(); + writePkcs8(der, key); + return (der.buffer); +} + function writePkcs8(der, key) { der.startSequence(); diff --git a/deps/npm/node_modules/sshpk/lib/formats/putty.js b/deps/npm/node_modules/sshpk/lib/formats/putty.js new file mode 100644 index 0000000000..344419f980 --- /dev/null +++ b/deps/npm/node_modules/sshpk/lib/formats/putty.js @@ -0,0 +1,99 @@ +// Copyright 2018 Joyent, Inc. + +module.exports = { + read: read, + write: write +}; + +var assert = require('assert-plus'); +var Buffer = require('safer-buffer').Buffer; +var rfc4253 = require('./rfc4253'); +var Key = require('../key'); + +var errors = require('../errors'); + +function read(buf, options) { + var lines = buf.toString('ascii').split(/[\r\n]+/); + var found = false; + var parts; + var si = 0; + while (si < lines.length) { + parts = splitHeader(lines[si++]); + if (parts && + parts[0].toLowerCase() === 'putty-user-key-file-2') { + found = true; + break; + } + } + if (!found) { + throw (new Error('No PuTTY format first line found')); + } + var alg = parts[1]; + + parts = splitHeader(lines[si++]); + assert.equal(parts[0].toLowerCase(), 'encryption'); + + parts = splitHeader(lines[si++]); + assert.equal(parts[0].toLowerCase(), 'comment'); + var comment = parts[1]; + + parts = splitHeader(lines[si++]); + assert.equal(parts[0].toLowerCase(), 'public-lines'); + var publicLines = parseInt(parts[1], 10); + if (!isFinite(publicLines) || publicLines < 0 || + publicLines > lines.length) { + throw (new Error('Invalid public-lines count')); + } + + var publicBuf = Buffer.from( + lines.slice(si, si + publicLines).join(''), 'base64'); + var keyType = rfc4253.algToKeyType(alg); + var key = rfc4253.read(publicBuf); + if (key.type !== keyType) { + throw (new Error('Outer key algorithm mismatch')); + } + key.comment = comment; + return (key); +} + +function splitHeader(line) { + var idx = line.indexOf(':'); + if (idx === -1) + return (null); + var header = line.slice(0, idx); + ++idx; + while (line[idx] === ' ') + ++idx; + var rest = line.slice(idx); + return ([header, rest]); +} + +function write(key, options) { + assert.object(key); + if (!Key.isKey(key)) + throw (new Error('Must be a public key')); + + var alg = rfc4253.keyTypeToAlg(key); + var buf = rfc4253.write(key); + var comment = key.comment || ''; + + var b64 = buf.toString('base64'); + var lines = wrap(b64, 64); + + lines.unshift('Public-Lines: ' + lines.length); + lines.unshift('Comment: ' + comment); + lines.unshift('Encryption: none'); + lines.unshift('PuTTY-User-Key-File-2: ' + alg); + + return (Buffer.from(lines.join('\n') + '\n')); +} + +function wrap(txt, len) { + var lines = []; + var pos = 0; + while (pos < txt.length) { + lines.push(txt.slice(pos, pos + 64)); + pos += 64; + } + return (lines); +} diff --git a/deps/npm/node_modules/sshpk/lib/formats/x509-pem.js b/deps/npm/node_modules/sshpk/lib/formats/x509-pem.js index 56d78eb583..3155ef0b3a 100644 --- a/deps/npm/node_modules/sshpk/lib/formats/x509-pem.js +++ b/deps/npm/node_modules/sshpk/lib/formats/x509-pem.js @@ -29,14 +29,24 @@ function read(buf, options) { var lines = buf.trim().split(/[\r\n]+/g); - var m = lines[0].match(/*JSSTYLED*/ - /[-]+[ ]*BEGIN CERTIFICATE[ ]*[-]+/); + var m; + var si = -1; + while (!m && si < lines.length) { + m = lines[++si].match(/*JSSTYLED*/ + /[-]+[ ]*BEGIN CERTIFICATE[ ]*[-]+/); + } assert.ok(m, 'invalid PEM header'); - var m2 = lines[lines.length - 1].match(/*JSSTYLED*/ - /[-]+[ ]*END CERTIFICATE[ ]*[-]+/); + var m2; + var ei = lines.length; + while (!m2 && ei > 0) { + m2 = lines[--ei].match(/*JSSTYLED*/ + /[-]+[ ]*END CERTIFICATE[ ]*[-]+/); + } assert.ok(m2, 'invalid PEM footer'); + lines = lines.slice(si, ei + 1); + var headers = {}; while (true) { lines = lines.slice(1); diff --git a/deps/npm/node_modules/sshpk/lib/formats/x509.js b/deps/npm/node_modules/sshpk/lib/formats/x509.js index 219953c4e0..0144c44491 100644 --- a/deps/npm/node_modules/sshpk/lib/formats/x509.js +++ b/deps/npm/node_modules/sshpk/lib/formats/x509.js @@ -203,6 +203,14 @@ function readDate(der) { } } +function writeDate(der, date) { + if (date.getUTCFullYear() >= 2050 || date.getUTCFullYear() < 1950) { + der.writeString(dateToGTime(date), asn1.Ber.GeneralizedTime); + } else { + der.writeString(dateToUTCTime(date), asn1.Ber.UTCTime); + } +} + /* RFC5280, section 4.2.1.6 (GeneralName type) */ var ALTNAME = { OtherName: Local(0), @@ -242,7 +250,8 @@ function readExtension(cert, buf, der) { var extId = der.readOID(); var id; var sig = cert.signatures.x509; - sig.extras.exts = []; + if (!sig.extras.exts) + sig.extras.exts = []; var critical; if (der.peek() === asn1.Ber.Boolean) @@ -414,9 +423,11 @@ function gTimeToDate(t) { return (d); } -function zeroPad(n) { +function zeroPad(n, m) { + if (m === undefined) + m = 2; var s = '' + n; - while (s.length < 2) + while (s.length < m) s = '0' + s; return (s); } @@ -433,6 +444,18 @@ function dateToUTCTime(d) { return (s); } +function dateToGTime(d) { + var s = ''; + s += zeroPad(d.getUTCFullYear(), 4); + s += zeroPad(d.getUTCMonth() + 1); + s += zeroPad(d.getUTCDate()); + s += zeroPad(d.getUTCHours()); + s += zeroPad(d.getUTCMinutes()); + s += zeroPad(d.getUTCSeconds()); + s += 'Z'; + return (s); +} + function sign(cert, key) { if (cert.signatures.x509 === undefined) cert.signatures.x509 = {}; @@ -531,8 +554,8 @@ function writeTBSCert(cert, der) { cert.issuer.toAsn1(der); der.startSequence(); - der.writeString(dateToUTCTime(cert.validFrom), asn1.Ber.UTCTime); - der.writeString(dateToUTCTime(cert.validUntil), asn1.Ber.UTCTime); + writeDate(der, cert.validFrom); + writeDate(der, cert.validUntil); der.endSequence(); var subject = cert.subjects[0]; diff --git a/deps/npm/node_modules/sshpk/lib/identity.js b/deps/npm/node_modules/sshpk/lib/identity.js index 495b83a6cf..7d75b6671b 100644 --- a/deps/npm/node_modules/sshpk/lib/identity.js +++ b/deps/npm/node_modules/sshpk/lib/identity.js @@ -24,9 +24,21 @@ oids.l = '2.5.4.7'; oids.s = '2.5.4.8'; oids.c = '2.5.4.6'; oids.sn = '2.5.4.4'; +oids.postalCode = '2.5.4.17'; +oids.serialNumber = '2.5.4.5'; +oids.street = '2.5.4.9'; +oids.x500UniqueIdentifier = '2.5.4.45'; +oids.role = '2.5.4.72'; +oids.telephoneNumber = '2.5.4.20'; +oids.description = '2.5.4.13'; oids.dc = '0.9.2342.19200300.100.1.25'; oids.uid = '0.9.2342.19200300.100.1.1'; oids.mail = '0.9.2342.19200300.100.1.3'; +oids.title = '2.5.4.12'; +oids.gn = '2.5.4.42'; +oids.initials = '2.5.4.43'; +oids.pseudonym = '2.5.4.65'; +oids.emailAddress = '1.2.840.113549.1.9.1'; var unoids = {}; Object.keys(oids).forEach(function (k) { @@ -113,10 +125,39 @@ function Identity(opts) { Identity.prototype.toString = function () { return (this.components.map(function (c) { - return (c.name.toUpperCase() + '=' + c.value); + var n = c.name.toUpperCase(); + /*JSSTYLED*/ + n = n.replace(/=/g, '\\='); + var v = c.value; + /*JSSTYLED*/ + v = v.replace(/,/g, '\\,'); + return (n + '=' + v); }).join(', ')); }; +Identity.prototype.get = function (name, asArray) { + assert.string(name, 'name'); + var arr = this.componentLookup[name]; + if (arr === undefined || arr.length === 0) + return (undefined); + if (!asArray && arr.length > 1) + throw (new Error('Multiple values for attribute ' + name)); + if (!asArray) + return (arr[0].value); + return (arr.map(function (c) { + return (c.value); + })); +}; + +Identity.prototype.toArray = function (idx) { + return (this.components.map(function (c) { + return ({ + name: c.name, + value: c.value + }); + })); +}; + /* * These are from X.680 -- PrintableString allowed chars are in section 37.4 * table 8. Spec for IA5Strings is "1,6 + SPACE + DEL" where 1 refers to @@ -224,17 +265,60 @@ Identity.forEmail = function (email) { Identity.parseDN = function (dn) { assert.string(dn, 'dn'); - var parts = dn.split(','); + var parts = ['']; + var idx = 0; + var rem = dn; + while (rem.length > 0) { + var m; + /*JSSTYLED*/ + if ((m = /^,/.exec(rem)) !== null) { + parts[++idx] = ''; + rem = rem.slice(m[0].length); + /*JSSTYLED*/ + } else if ((m = /^\\,/.exec(rem)) !== null) { + parts[idx] += ','; + rem = rem.slice(m[0].length); + /*JSSTYLED*/ + } else if ((m = /^\\./.exec(rem)) !== null) { + parts[idx] += m[0]; + rem = rem.slice(m[0].length); + /*JSSTYLED*/ + } else if ((m = /^[^\\,]+/.exec(rem)) !== null) { + parts[idx] += m[0]; + rem = rem.slice(m[0].length); + } else { + throw (new Error('Failed to parse DN')); + } + } var cmps = parts.map(function (c) { c = c.trim(); var eqPos = c.indexOf('='); - var name = c.slice(0, eqPos).toLowerCase(); + while (eqPos > 0 && c.charAt(eqPos - 1) === '\\') + eqPos = c.indexOf('=', eqPos + 1); + if (eqPos === -1) { + throw (new Error('Failed to parse DN')); + } + /*JSSTYLED*/ + var name = c.slice(0, eqPos).toLowerCase().replace(/\\=/g, '='); var value = c.slice(eqPos + 1); return ({ name: name, value: value }); }); return (new Identity({ components: cmps })); }; +Identity.fromArray = function (components) { + assert.arrayOfObject(components, 'components'); + components.forEach(function (cmp) { + assert.object(cmp, 'component'); + assert.string(cmp.name, 'component.name'); + if (!Buffer.isBuffer(cmp.value) && + !(typeof (cmp.value) === 'string')) { + throw (new Error('Invalid component value')); + } + }); + return (new Identity({ components: components })); +}; + Identity.parseAsn1 = function (der, top) { var components = []; der.readSequence(top); diff --git a/deps/npm/node_modules/sshpk/lib/index.js b/deps/npm/node_modules/sshpk/lib/index.js index cb8cd1a1b8..f76db7918d 100644 --- a/deps/npm/node_modules/sshpk/lib/index.js +++ b/deps/npm/node_modules/sshpk/lib/index.js @@ -28,6 +28,7 @@ module.exports = { identityForHost: Identity.forHost, identityForUser: Identity.forUser, identityForEmail: Identity.forEmail, + identityFromArray: Identity.fromArray, /* errors */ FingerprintFormatError: errs.FingerprintFormatError, diff --git a/deps/npm/node_modules/sshpk/lib/key.js b/deps/npm/node_modules/sshpk/lib/key.js index f8ef22dc71..706f83400d 100644 --- a/deps/npm/node_modules/sshpk/lib/key.js +++ b/deps/npm/node_modules/sshpk/lib/key.js @@ -1,4 +1,4 @@ -// Copyright 2017 Joyent, Inc. +// Copyright 2018 Joyent, Inc. module.exports = Key; @@ -32,6 +32,8 @@ formats['ssh'] = require('./formats/ssh'); formats['ssh-private'] = require('./formats/ssh-private'); formats['openssh'] = formats['ssh-private']; formats['dnssec'] = require('./formats/dnssec'); +formats['putty'] = require('./formats/putty'); +formats['ppk'] = formats['putty']; function Key(opts) { assert.object(opts, 'options'); @@ -98,28 +100,44 @@ Key.prototype.toString = function (format, options) { return (this.toBuffer(format, options).toString()); }; -Key.prototype.hash = function (algo) { +Key.prototype.hash = function (algo, type) { assert.string(algo, 'algorithm'); + assert.optionalString(type, 'type'); + if (type === undefined) + type = 'ssh'; algo = algo.toLowerCase(); if (algs.hashAlgs[algo] === undefined) throw (new InvalidAlgorithmError(algo)); - if (this._hashCache[algo]) - return (this._hashCache[algo]); - var hash = crypto.createHash(algo). - update(this.toBuffer('rfc4253')).digest(); - this._hashCache[algo] = hash; + var cacheKey = algo + '||' + type; + if (this._hashCache[cacheKey]) + return (this._hashCache[cacheKey]); + + var buf; + if (type === 'ssh') { + buf = this.toBuffer('rfc4253'); + } else if (type === 'spki') { + buf = formats.pkcs8.pkcs8ToBuffer(this); + } else { + throw (new Error('Hash type ' + type + ' not supported')); + } + var hash = crypto.createHash(algo).update(buf).digest(); + this._hashCache[cacheKey] = hash; return (hash); }; -Key.prototype.fingerprint = function (algo) { +Key.prototype.fingerprint = function (algo, type) { if (algo === undefined) algo = 'sha256'; + if (type === undefined) + type = 'ssh'; assert.string(algo, 'algorithm'); + assert.string(type, 'type'); var opts = { type: 'key', - hash: this.hash(algo), - algorithm: algo + hash: this.hash(algo, type), + algorithm: algo, + hashType: type }; return (new Fingerprint(opts)); }; @@ -257,8 +275,9 @@ Key.isKey = function (obj, ver) { * [1,4] -- added ed support, createDH * [1,5] -- first explicitly tagged version * [1,6] -- changed ed25519 part names + * [1,7] -- spki hash types */ -Key.prototype._sshpkApiVersion = [1, 6]; +Key.prototype._sshpkApiVersion = [1, 7]; Key._oldVersionDetect = function (obj) { assert.func(obj.toBuffer); diff --git a/deps/npm/node_modules/sshpk/lib/private-key.js b/deps/npm/node_modules/sshpk/lib/private-key.js index 77f667cd2a..560083801e 100644 --- a/deps/npm/node_modules/sshpk/lib/private-key.js +++ b/deps/npm/node_modules/sshpk/lib/private-key.js @@ -14,14 +14,8 @@ var utils = require('./utils'); var dhe = require('./dhe'); var generateECDSA = dhe.generateECDSA; var generateED25519 = dhe.generateED25519; -var edCompat; -var nacl; - -try { - edCompat = require('./ed-compat'); -} catch (e) { - /* Just continue through, and bail out if we try to use it. */ -} +var edCompat = require('./ed-compat'); +var nacl = require('tweetnacl'); var Key = require('./key'); @@ -60,8 +54,12 @@ PrivateKey.prototype.toBuffer = function (format, options) { return (formats[format].write(this, options)); }; -PrivateKey.prototype.hash = function (algo) { - return (this.toPublic().hash(algo)); +PrivateKey.prototype.hash = function (algo, type) { + return (this.toPublic().hash(algo, type)); +}; + +PrivateKey.prototype.fingerprint = function (algo, type) { + return (this.toPublic().fingerprint(algo, type)); }; PrivateKey.prototype.toPublic = function () { @@ -90,9 +88,6 @@ PrivateKey.prototype.derive = function (newType) { var priv, pub, pair; if (this.type === 'ed25519' && newType === 'curve25519') { - if (nacl === undefined) - nacl = require('tweetnacl'); - priv = this.part.k.data; if (priv[0] === 0x00) priv = priv.slice(1); @@ -108,9 +103,6 @@ PrivateKey.prototype.derive = function (newType) { ] })); } else if (this.type === 'curve25519' && newType === 'ed25519') { - if (nacl === undefined) - nacl = require('tweetnacl'); - priv = this.part.k.data; if (priv[0] === 0x00) priv = priv.slice(1); @@ -237,8 +229,9 @@ PrivateKey.generate = function (type, options) { * [1,3] -- added derive, ed, createDH * [1,4] -- first tagged version * [1,5] -- changed ed25519 part names and format + * [1,6] -- type arguments for hash() and fingerprint() */ -PrivateKey.prototype._sshpkApiVersion = [1, 5]; +PrivateKey.prototype._sshpkApiVersion = [1, 6]; PrivateKey._oldVersionDetect = function (obj) { assert.func(obj.toPublic); diff --git a/deps/npm/node_modules/sshpk/lib/utils.js b/deps/npm/node_modules/sshpk/lib/utils.js index 4dcaf9c7a9..6b83a322d1 100644 --- a/deps/npm/node_modules/sshpk/lib/utils.js +++ b/deps/npm/node_modules/sshpk/lib/utils.js @@ -17,7 +17,8 @@ module.exports = { publicFromPrivateECDSA: publicFromPrivateECDSA, zeroPadToLength: zeroPadToLength, writeBitString: writeBitString, - readBitString: readBitString + readBitString: readBitString, + pbkdf2: pbkdf2 }; var assert = require('assert-plus'); @@ -28,8 +29,9 @@ var crypto = require('crypto'); var algs = require('./algs'); var asn1 = require('asn1'); -var ec, jsbn; -var nacl; +var ec = require('ecc-jsbn/lib/ec'); +var jsbn = require('jsbn').BigInteger; +var nacl = require('tweetnacl'); var MAX_CLASS_DEPTH = 3; @@ -86,8 +88,9 @@ function assertCompatible(obj, klass, needVer, name) { } var CIPHER_LEN = { - 'des-ede3-cbc': { key: 7, iv: 8 }, - 'aes-128-cbc': { key: 16, iv: 16 } + 'des-ede3-cbc': { key: 24, iv: 8 }, + 'aes-128-cbc': { key: 16, iv: 16 }, + 'aes-256-cbc': { key: 32, iv: 16 } }; var PKCS5_SALT_LEN = 8; @@ -122,6 +125,40 @@ function opensslKeyDeriv(cipher, salt, passphrase, count) { }); } +/* See: RFC2898 */ +function pbkdf2(hashAlg, salt, iterations, size, passphrase) { + var hkey = Buffer.alloc(salt.length + 4); + salt.copy(hkey); + + var gen = 0, ts = []; + var i = 1; + while (gen < size) { + var t = T(i++); + gen += t.length; + ts.push(t); + } + return (Buffer.concat(ts).slice(0, size)); + + function T(I) { + hkey.writeUInt32BE(I, hkey.length - 4); + + var hmac = crypto.createHmac(hashAlg, passphrase); + hmac.update(hkey); + + var Ti = hmac.digest(); + var Uc = Ti; + var c = 1; + while (c++ < iterations) { + hmac = crypto.createHmac(hashAlg, passphrase); + hmac.update(Uc); + Uc = hmac.digest(); + for (var x = 0; x < Ti.length; ++x) + Ti[x] ^= Uc[x]; + } + return (Ti); + } +} + /* Count leading zero bits on a buffer */ function countZeros(buf) { var o = 0, obit = 8; @@ -256,15 +293,9 @@ function calculateDSAPublic(g, p, x) { assert.buffer(g); assert.buffer(p); assert.buffer(x); - try { - var bigInt = require('jsbn').BigInteger; - } catch (e) { - throw (new Error('To load a PKCS#8 format DSA private key, ' + - 'the node jsbn library is required.')); - } - g = new bigInt(g); - p = new bigInt(p); - x = new bigInt(x); + g = new jsbn(g); + p = new jsbn(p); + x = new jsbn(x); var y = g.modPow(x, p); var ybuf = bigintToMpBuf(y); return (ybuf); @@ -273,9 +304,6 @@ function calculateDSAPublic(g, p, x) { function calculateED25519Public(k) { assert.buffer(k); - if (nacl === undefined) - nacl = require('tweetnacl'); - var kp = nacl.sign.keyPair.fromSeed(new Uint8Array(k)); return (Buffer.from(kp.publicKey)); } @@ -283,9 +311,6 @@ function calculateED25519Public(k) { function calculateX25519Public(k) { assert.buffer(k); - if (nacl === undefined) - nacl = require('tweetnacl'); - var kp = nacl.box.keyPair.fromSeed(new Uint8Array(k)); return (Buffer.from(kp.publicKey)); } @@ -293,18 +318,12 @@ function calculateX25519Public(k) { function addRSAMissing(key) { assert.object(key); assertCompatible(key, PrivateKey, [1, 1]); - try { - var bigInt = require('jsbn').BigInteger; - } catch (e) { - throw (new Error('To write a PEM private key from ' + - 'this source, the node jsbn lib is required.')); - } - var d = new bigInt(key.part.d.data); + var d = new jsbn(key.part.d.data); var buf; if (!key.part.dmodp) { - var p = new bigInt(key.part.p.data); + var p = new jsbn(key.part.p.data); var dmodp = d.mod(p.subtract(1)); buf = bigintToMpBuf(dmodp); @@ -312,7 +331,7 @@ function addRSAMissing(key) { key.parts.push(key.part.dmodp); } if (!key.part.dmodq) { - var q = new bigInt(key.part.q.data); + var q = new jsbn(key.part.q.data); var dmodq = d.mod(q.subtract(1)); buf = bigintToMpBuf(dmodq); @@ -324,10 +343,6 @@ function addRSAMissing(key) { function publicFromPrivateECDSA(curveName, priv) { assert.string(curveName, 'curveName'); assert.buffer(priv); - if (ec === undefined) - ec = require('ecc-jsbn/lib/ec'); - if (jsbn === undefined) - jsbn = require('jsbn').BigInteger; var params = algs.curves[curveName]; var p = new jsbn(params.p); var a = new jsbn(params.a); |