Add support for RSA SHA2 host and public keys

Includes a handful of refactors and new semiprivate attributes on Transport and AuthHandler for better test visibility.
author: Jeff Forcier <jeff@bitprophet.org> 2021-12-13 15:55:36 -0500
committer: Jeff Forcier <jeff@bitprophet.org> 2021-12-23 00:31:01 -0500
commit: 363a28d94cada17f012c1604a3c99c71a2bda003 (patch)
tree: 6979a1d39ced84c3b29d366a0026db5fd9a62851 /paramiko/rsakey.py
parent: dfffaeaa0170c784307d1c89dad60528a59b6ff2 (diff)
download: paramiko-363a28d94cada17f012c1604a3c99c71a2bda003.tar.gz
1 files changed, 22 insertions, 6 deletions
diff --git a/paramiko/rsakey.py b/paramiko/rsakey.py
index 292d0ccc..26c5313c 100644
--- a/paramiko/rsakey.py
+++ b/paramiko/rsakey.py
@@ -37,6 +37,15 @@ class RSAKey(PKey):
     data.
     """
 
+    HASHES = {
+        "ssh-rsa": hashes.SHA1,
+        "ssh-rsa-cert-v01@openssh.com": hashes.SHA1,
+        "rsa-sha2-256": hashes.SHA256,
+        "rsa-sha2-256-cert-v01@openssh.com": hashes.SHA256,
+        "rsa-sha2-512": hashes.SHA512,
+        "rsa-sha2-512-cert-v01@openssh.com": hashes.SHA512,
+    }
+
     def __init__(
         self,
         msg=None,
@@ -61,6 +70,8 @@ class RSAKey(PKey):
         else:
             self._check_type_and_load_cert(
                 msg=msg,
+                # NOTE: this does NOT change when using rsa2 signatures; it's
+                # purely about key loading, not exchange or verification
                 key_type="ssh-rsa",
                 cert_type="ssh-rsa-cert-v01@openssh.com",
             )
@@ -111,18 +122,20 @@ class RSAKey(PKey):
     def can_sign(self):
         return isinstance(self.key, rsa.RSAPrivateKey)
 
-    def sign_ssh_data(self, data):
+    def sign_ssh_data(self, data, algorithm="ssh-rsa"):
         sig = self.key.sign(
-            data, padding=padding.PKCS1v15(), algorithm=hashes.SHA1()
+            data,
+            padding=padding.PKCS1v15(),
+            algorithm=self.HASHES[algorithm](),
         )
-
         m = Message()
-        m.add_string("ssh-rsa")
+        m.add_string(algorithm)
         m.add_string(sig)
         return m
 
     def verify_ssh_sig(self, data, msg):
-        if msg.get_text() != "ssh-rsa":
+        sig_algorithm = msg.get_text()
+        if sig_algorithm not in self.HASHES:
             return False
         key = self.key
         if isinstance(key, rsa.RSAPrivateKey):
@@ -130,7 +143,10 @@ class RSAKey(PKey):
 
         try:
             key.verify(
-                msg.get_binary(), data, padding.PKCS1v15(), hashes.SHA1()
+                msg.get_binary(),
+                data,
+                padding.PKCS1v15(),
+                self.HASHES[sig_algorithm](),
             )
         except InvalidSignature:
             return False
author	Jeff Forcier <jeff@bitprophet.org>	2021-12-13 15:55:36 -0500
committer	Jeff Forcier <jeff@bitprophet.org>	2021-12-23 00:31:01 -0500
commit	363a28d94cada17f012c1604a3c99c71a2bda003 (patch)
tree	6979a1d39ced84c3b29d366a0026db5fd9a62851 /paramiko/rsakey.py
parent	dfffaeaa0170c784307d1c89dad60528a59b6ff2 (diff)
download	paramiko-363a28d94cada17f012c1604a3c99c71a2bda003.tar.gz