authorJeff Forcier <jeff@bitprophet.org>2021-12-23 15:13:54 -0500
committerJeff Forcier <jeff@bitprophet.org>2021-12-23 15:58:54 -0500
commit2b66625659e66858cb5f557325c5fdd9c35fd073 (patch)
tree7760ef34e6a5f1727741f31ef57c524f30a3a308 /paramiko/agent.py
parent363a28d94cada17f012c1604a3c99c71a2bda003 (diff)
Add agent RSA-SHA2 support, also tweak changelog w/ more ticketsrfc8832-sha2-key-algo
Diffstat (limited to 'paramiko/agent.py')
-rw-r--r--paramiko/agent.py14
1 files changed, 13 insertions, 1 deletions
diff --git a/paramiko/agent.py b/paramiko/agent.py
index 3a02c06c..f28bf128 100644
--- a/paramiko/agent.py
+++ b/paramiko/agent.py
@@ -42,6 +42,18 @@ SSH2_AGENT_IDENTITIES_ANSWER = 12
cSSH2_AGENTC_SIGN_REQUEST = byte_chr(13)
SSH2_AGENT_SIGN_RESPONSE = 14
+SSH_AGENT_RSA_SHA2_256 = 2
+SSH_AGENT_RSA_SHA2_512 = 4
+# NOTE: RFC mildly confusing; while these flags are OR'd together, OpenSSH at
+# least really treats them like "AND"s, in the sense that if it finds the
+# SHA256 flag set it won't continue looking at the SHA512 one; it
+# short-circuits right away.
+# Thus, we never want to eg submit 6 to say "either's good".
+ALGORITHM_FLAG_MAP = {
+ "rsa-sha2-256": SSH_AGENT_RSA_SHA2_256,
+ "rsa-sha2-512": SSH_AGENT_RSA_SHA2_512,
+}
+
class AgentSSH(object):
def __init__(self):
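Review bot: The NOTE above `ALGORITHM_FLAG_MAP` describes the flags as behaving like "AND"s, but what it goes on to explain is first-match precedence, and it never names the document it calls "RFC". I would reword it to say what a maintainer must not do, for example `# NOTE: send exactly one flag. OpenSSH checks SHA256 first and stops, so 2|4 (6) would always yield a SHA256 signature, never "either".`, and add a one-line reference to the agent protocol specification the two constants come from. The map itself decides which hash the agent is asked to use, so a comment stating that a key missing from it means "no flags" at the call site would help the next reader of this file.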
@@ -416,7 +428,7 @@ class AgentKey(PKey):
msg.add_byte(cSSH2_AGENTC_SIGN_REQUEST)
msg.add_string(self.blob)
msg.add_string(data)
- msg.add_int(0)
+ msg.add_int(ALGORITHM_FLAG_MAP.get(algorithm, 0))
ptype, result = self.agent._send_message(msg)
if ptype != SSH2_AGENT_SIGN_RESPONSE:
raise SSHException("key cannot be used for signing")
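Review bot: The `.get(algorithm, 0)` fallback on the added `msg.add_int` line sends an empty flag field whenever `algorithm` is None or any string other than the two map keys, so a caller asking for a SHA-2 variant under a name the map lacks would silently get the agent's default RSA signature instead of an error. That default is, as far as I know, the SHA-1 based `ssh-rsa`, so the silent path is a hash downgrade; at minimum document it with `# 0 = no flags: the agent chooses its default signature algorithm`, and consider logging at debug level when a non-None `algorithm` is not found in the map. The check that follows only compares `ptype`, so an agent that ignores the flags is not detected here. Comparing the algorithm name inside the returned signature with the requested one would have to happen in the part of the method outside this hunk, where `algorithm` is also defined.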