From bc6a789041a6d9ccaabeb7841be4781008cd5772 Mon Sep 17 00:00:00 2001 From: Pierce Lopez Date: Thu, 5 Dec 2019 16:54:20 -0500 Subject: test loading ECDSA key in new openssh private-key format --- tests/test_ecdsa_384_openssh.key | 11 +++++++++++ tests/test_pkey.py | 13 +++++++++++++ 2 files changed, 24 insertions(+) create mode 100644 tests/test_ecdsa_384_openssh.key diff --git a/tests/test_ecdsa_384_openssh.key b/tests/test_ecdsa_384_openssh.key new file mode 100644 index 00000000..8a160ce2 --- /dev/null +++ b/tests/test_ecdsa_384_openssh.key @@ -0,0 +1,11 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABDwIHkBEZ +75XuqQS6/7daAIAAAAEAAAAAEAAACIAAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlz +dHAzODQAAABhBIch5LXTq/L/TWsTGG6dIktxD8DIMh7EfvoRmWsks6CuNDTvFvbQNtY4QO +1mn5OXegHbS0M5DPIS++wpKGFP3suDEH08O35vZQasLNrL0tO2jyyEnzB2ZEx3PPYci811 +ygAAAOBKGxFl+JcMHjldOdTA9iwv88gxoelCwln/NATglUuyzHMLJwx53n8NLqrnHALvbz +RHjyTmjU4dbSM9o9Vjhcvq+1aipjAQg2qx825f7T4BMoKyhLBS/qTg7RfyW/h0Sbequ1wl +PhBfwhv0LUphRFsGdnOgrXWfZqWqxOP1WhJWIh1p+ja5va/Ii/+hD6RORQjvzbHTPJA53c +OguISImkx0vdqPuFTLyclaC3eO4Px68Ki0b8cdyivExbAWLkNOtBdIAgeO7Egbruu4O5Sn +I6bn1Kc+kZlWtO02IkwSA5DaKw== +-----END OPENSSH PRIVATE KEY----- diff --git a/tests/test_pkey.py b/tests/test_pkey.py index c949a676..086319ce 100644 --- a/tests/test_pkey.py +++ b/tests/test_pkey.py @@ -40,6 +40,7 @@ PUB_ECDSA_384 = "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHA PUB_ECDSA_521 = "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBACaOaFLZGuxa5AW16qj6VLypFbLrEWrt9AZUloCMefxO8bNLjK/O5g0rAVasar1TnyHE9qj4NwzANZASWjQNbc4MAG8vzqezFwLIn/kNyNTsXNfqEko9OgHZknlj2Z79dwTJcRAL4QLcT5aND0EHZLB2fAUDXiWIb2j4rg1mwPlBMiBXA==" # noqa PUB_RSA_2K_OPENSSH = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF+Dpr54DX0WdeTDpNAMdkCWEkl3OXtNgf58qlN1gX572OLBqLf0zT4bHstUEpU3piazph/rSWcUMuBoD46tZ6jiH7H9b9Pem2eYQWaELDDkM+v9BMbEy5rMbFRLol5OtEvPFqneyEAanPOgvd8t3yyhSev9QVusakzJ8j8LGgrA8huYZ+Srnw0shEWLG70KUKCh3rG0QIvA8nfhtUOisr2Gp+F0YxMGb5gwBlQYAYE5l6u1SjZ7hNjyNosjK+wRBFgFFBYVpkZKJgWoK9w4ijFyzMZTucnZMqKOKAjIJvHfKBf2/cEfYxSq1EndqTqjYsd9T7/s2vcn1OH5a0wkER" # noqa PUB_DSS_1K_OPENSSH = "ssh-dss AAAAB3NzaC1kc3MAAACBAL8XEx7F9xuwBNles+vWpNF+YcofrBhjX1r5QhpBe0eoYWLHRcroN6lxwCdGYRfgOoRjTncBiixQX/uUxAY96zDh3ir492s2BcJt4ihvNn/AY0I0OTuX/2IwGk9CGzafjaeZNVYxMa8lcVt0hSOTjkPQ7gVuk6bJzMInvie+VWKLAAAAFQDUgYdY+rhR0SkKbC09BS/SIHcB+wAAAIB44+4zpCNcd0CGvZlowH99zyPX8uxQtmTLQFuR2O8O0FgVVuCdDgD0D9W8CLOp32oatpM0jyyN89EdvSWzjHzZJ+L6H1FtZps7uhpDFWHdva1R25vyGecLMUuXjo5t/D7oCDih+HwHoSAxoi0QvsPd8/qqHQVznNJKtR6thUpXEwAAAIAG4DCBjbgTTgpBw0egRkJwBSz0oTt+1IcapNU2jA6N8urMSk9YXHEQHKN68BAF3YJ59q2Ujv3LOXmBqGd1T+kzwUszfMlgzq8MMu19Yfzse6AIK1Agn1Vj6F7YXLsXDN+T4KszX5+FJa7t/Zsp3nALWy6l0f4WKivEF5Y2QpEFcQ==" # noqa +PUB_EC_384_OPENSSH = "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIch5LXTq/L/TWsTGG6dIktxD8DIMh7EfvoRmWsks6CuNDTvFvbQNtY4QO1mn5OXegHbS0M5DPIS++wpKGFP3suDEH08O35vZQasLNrL0tO2jyyEnzB2ZEx3PPYci811yg==" # noqa FINGER_RSA = "1024 60:73:38:44:cb:51:86:65:7f:de:da:a2:2b:5a:57:d5" FINGER_DSS = "1024 44:78:f0:b9:a2:3c:c5:18:20:09:ff:75:5b:c1:d2:6c" @@ -49,6 +50,7 @@ FINGER_ECDSA_521 = "521 44:58:22:52:12:33:16:0e:ce:0e:be:2c:7c:7e:cc:1e" SIGNED_RSA = "20:d7:8a:31:21:cb:f7:92:12:f2:a4:89:37:f5:78:af:e6:16:b6:25:b9:97:3d:a2:cd:5f:ca:20:21:73:4c:ad:34:73:8f:20:77:28:e2:94:15:08:d8:91:40:7a:85:83:bf:18:37:95:dc:54:1a:9b:88:29:6c:73:ca:38:b4:04:f1:56:b9:f2:42:9d:52:1b:29:29:b4:4f:fd:c9:2d:af:47:d2:40:76:30:f3:63:45:0c:d9:1d:43:86:0f:1c:70:e2:93:12:34:f3:ac:c5:0a:2f:14:50:66:59:f1:88:ee:c1:4a:e9:d1:9c:4e:46:f0:0e:47:6f:38:74:f1:44:a8" # noqa FINGER_RSA_2K_OPENSSH = "2048 68:d1:72:01:bf:c0:0c:66:97:78:df:ce:75:74:46:d6" FINGER_DSS_1K_OPENSSH = "1024 cf:1d:eb:d7:61:d3:12:94:c6:c0:c6:54:35:35:b0:82" +FINGER_EC_384_OPENSSH = "384 72:14:df:c1:9a:c3:e6:0e:11:29:d6:32:18:7b:ea:9b" RSA_PRIVATE_OUT = """\ -----BEGIN RSA PRIVATE KEY----- @@ -463,6 +465,17 @@ class KeyTest(unittest.TestCase): my_rsa = hexlify(key.get_fingerprint()) self.assertEqual(exp_rsa, my_rsa) + def test_load_openssh_format_EC_key(self): + key = ECDSAKey.from_private_key_file( + _support('test_ecdsa_384_openssh.key'), b'television' + ) + self.assertEqual('ecdsa-sha2-nistp384', key.get_name()) + self.assertEqual(PUB_EC_384_OPENSSH.split()[1], key.get_base64()) + self.assertEqual(384, key.get_bits()) + exp_fp = b(FINGER_EC_384_OPENSSH.split()[1].replace(':', '')) + my_fp = hexlify(key.get_fingerprint()) + self.assertEqual(exp_fp, my_fp) + def test_salt_size(self): # Read an existing encrypted private key file_ = _support("test_rsa_password.key") -- cgit v1.2.1 From 59c1c9e2fca05609fc88ad14e3fa752b5651ef9f Mon Sep 17 00:00:00 2001 From: Pierce Lopez Date: Thu, 5 Dec 2019 17:19:35 -0500 Subject: fix loading ECDSA keys in new openssh private key format (also Blacken new ecdsa format key test) --- paramiko/ecdsakey.py | 17 ++++++++++++++--- tests/test_pkey.py | 6 +++--- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/paramiko/ecdsakey.py b/paramiko/ecdsakey.py index 28d1222b..3d3d09be 100644 --- a/paramiko/ecdsakey.py +++ b/paramiko/ecdsakey.py @@ -292,10 +292,21 @@ class ECDSAKey(PKey): except (ValueError, AssertionError) as e: raise SSHException(str(e)) elif pkformat == self._PRIVATE_KEY_FORMAT_OPENSSH: - curve, verkey, sigkey = self._uint32_cstruct_unpack(data, "sss") try: - key = ec.derive_private_key(sigkey, curve, default_backend()) - except (AttributeError, TypeError) as e: + msg = Message(data) + curve_name = msg.get_text() + verkey = msg.get_binary() # noqa: F841 + sigkey = msg.get_mpint() + name = "ecdsa-sha2-" + curve_name + curve = self._ECDSA_CURVES.get_by_key_format_identifier(name) + if not curve: + raise SSHException("Invalid key curve identifier") + key = ec.derive_private_key( + sigkey, curve.curve_class(), default_backend() + ) + except Exception as e: + # PKey._read_private_key_openssh() should check or return + # keytype - parsing could fail for any reason due to wrong type raise SSHException(str(e)) else: self._got_bad_key_format_id(pkformat) diff --git a/tests/test_pkey.py b/tests/test_pkey.py index 086319ce..17893ca2 100644 --- a/tests/test_pkey.py +++ b/tests/test_pkey.py @@ -467,12 +467,12 @@ class KeyTest(unittest.TestCase): def test_load_openssh_format_EC_key(self): key = ECDSAKey.from_private_key_file( - _support('test_ecdsa_384_openssh.key'), b'television' + _support("test_ecdsa_384_openssh.key"), b"television" ) - self.assertEqual('ecdsa-sha2-nistp384', key.get_name()) + self.assertEqual("ecdsa-sha2-nistp384", key.get_name()) self.assertEqual(PUB_EC_384_OPENSSH.split()[1], key.get_base64()) self.assertEqual(384, key.get_bits()) - exp_fp = b(FINGER_EC_384_OPENSSH.split()[1].replace(':', '')) + exp_fp = b(FINGER_EC_384_OPENSSH.split()[1].replace(":", "")) my_fp = hexlify(key.get_fingerprint()) self.assertEqual(exp_fp, my_fp) -- cgit v1.2.1 From 96edfd86391ce93dbe5527e39d5e82c65ae9a6fc Mon Sep 17 00:00:00 2001 From: Jeff Forcier Date: Mon, 9 Dec 2019 12:58:10 -0500 Subject: Changelog closes #1565 --- sites/www/changelog.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst index 0d68c26b..0a131887 100644 --- a/sites/www/changelog.rst +++ b/sites/www/changelog.rst @@ -2,6 +2,8 @@ Changelog ========= +- :bug:`1565` (via :issue:`1566`) Fix a bug in support for ECDSA keys under the + newly supported OpenSSH key format. Thanks to Pierce Lopez for the patch. - :release:`2.7.0 <2019-12-03>` - :feature:`602` (via :issue:`1343`, :issue:`1313`, :issue:`618`) Implement support for OpenSSH 6.5-style private key files (typically denoted as having -- cgit v1.2.1