author | Jeff Forcier <jeff@bitprophet.org> | 2021-12-13 15:55:36 -0500 |
---|---|---|
committer | Jeff Forcier <jeff@bitprophet.org> | 2021-12-23 00:31:01 -0500 |
commit | 363a28d94cada17f012c1604a3c99c71a2bda003 (patch) | |
tree | 6979a1d39ced84c3b29d366a0026db5fd9a62851 /paramiko/rsakey.py | |
parent | dfffaeaa0170c784307d1c89dad60528a59b6ff2 (diff) | |
Add support for RSA SHA2 host and public keys
Includes a handful of refactors and new semiprivate
attributes on Transport and AuthHandler for better
test visibility.
Diffstat (limited to 'paramiko/rsakey.py')
-rw-r--r-- | paramiko/rsakey.py | 28 |
1 files changed, 22 insertions, 6 deletions
diff --git a/paramiko/rsakey.py b/paramiko/rsakey.py
index 292d0ccc..26c5313c 100644
--- a/paramiko/rsakey.py
+++ b/paramiko/rsakey.py
@@ -37,6 +37,15 @@ class RSAKey(PKey):
 data.
 """
 
+ HASHES = {
+ "ssh-rsa": hashes.SHA1,
+ "ssh-rsa-cert-v01@openssh.com": hashes.SHA1,
+ "rsa-sha2-256": hashes.SHA256,
+ "rsa-sha2-256-cert-v01@openssh.com": hashes.SHA256,
+ "rsa-sha2-512": hashes.SHA512,
+ "rsa-sha2-512-cert-v01@openssh.com": hashes.SHA512,
+ }
+
 def __init__(
 self,
 msg=None,
@@ -61,6 +70,8 @@ class RSAKey(PKey):
 else:
 self._check_type_and_load_cert(
 msg=msg,
+ # NOTE: this does NOT change when using rsa2 signatures; it's
+ # purely about key loading, not exchange or verification
 key_type="ssh-rsa",
 cert_type="ssh-rsa-cert-v01@openssh.com",
 )
@@ -111,18 +122,20 @@ class RSAKey(PKey):
 def can_sign(self):
 return isinstance(self.key, rsa.RSAPrivateKey)
 
- def sign_ssh_data(self, data):
+ def sign_ssh_data(self, data, algorithm="ssh-rsa"):
 sig = self.key.sign(
- data, padding=padding.PKCS1v15(), algorithm=hashes.SHA1()
+ data,
+ padding=padding.PKCS1v15(),
+ algorithm=self.HASHES[algorithm](),
 )
-
 m = Message()
- m.add_string("ssh-rsa")
+ m.add_string(algorithm)
 m.add_string(sig)
 return m
 
 def verify_ssh_sig(self, data, msg):
- if msg.get_text() != "ssh-rsa":
+ sig_algorithm = msg.get_text()
+ if sig_algorithm not in self.HASHES:
 return False
 key = self.key
 if isinstance(key, rsa.RSAPrivateKey):
@@ -130,7 +143,10 @@ class RSAKey(PKey):
 
 try:
 key.verify(
- msg.get_binary(), data, padding.PKCS1v15(), hashes.SHA1()
+ msg.get_binary(),
+ data,
+ padding.PKCS1v15(),
+ self.HASHES[sig_algorithm](),
 )
 except InvalidSignature:
 return False |
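Review bot: The `HASHES` table added in the first hunk (`@@ -37,6 +37,15 @@`) has no comment, although later hunks use it both to select the digest and, in `verify_ssh_sig`, as the accept-list for the algorithm name read from the signature blob. That makes the three `-cert-v01@openssh.com` names acceptable as signature identifiers, even though they are public key algorithm names and RFC 8332 defines only `rsa-sha2-256` and `rsa-sha2-512` (next to legacy `ssh-rsa`) for the signature format. I would add a comment such as `# Maps key/cert algorithm names to the digest used for PKCS#1 v1.5 signatures; SHA-1 entries are kept for legacy peers only`, and check the blob identifier against a narrower set unless a caller outside this diff relies on the cert names. The class body continues outside the hunk.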
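Review bot: In the third hunk (`@@ -111,18 +122,20 @@`), `verify_ssh_sig` lets the sender of the signature choose the digest: `sig_algorithm` is read from `msg` and only tested for membership in `HASHES`, and the fourth hunk (`@@ -130,7 +143,10 @@`) then passes `self.HASHES[sig_algorithm]()` to `key.verify`. Nothing visible here ties that name to the algorithm that was negotiated, so a SHA-1 `ssh-rsa` signature still verifies after `rsa-sha2-256` or `rsa-sha2-512` was agreed, unless the callers in Transport and AuthHandler (not part of this file's diff) compare the two. At minimum the contract should be documented at the membership check, e.g. `# NOTE: sig_algorithm is peer-supplied; callers must check it against the negotiated algorithm`. In the same hunk, `sign_ssh_data` raises a bare `KeyError` for a name missing from `HASHES`. The body of `verify_ssh_sig` runs past the end of the last hunk.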