aboutsummaryrefslogtreecommitdiff
path: root/pkg/signatures/ssh/ssh.go
blob: 3588a8e70969b99243b29e35576001d9a196e995 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107

package ssh

import (
	"fmt"
	"io"
	"io/ioutil"
	"encoding/pem"

	sshLib "golang.org/x/crypto/ssh"
	"git.sigsum.org/sigsum-go/pkg/types"
)

type Parser struct{}

const (
	BLOB_PREAMBLE = "SSHSIG"
	SIG_VERSION    = 0x01
	HASH_ALGO     = "sha256"
)

type sshBlob struct {
	MagicPreamble [6]byte
	SigVersion    uint32
	PublicKey     string
	Namespace     string
	Reserved      string
	HashAlgorithm string
	Signature     string
}

type sshKeypart struct {
	Type string
	Key string
}

func (p *Parser) SignatureSuffix() string {
	return ".sig"
}

func (p *Parser) PublicKey(r io.Reader) (*types.PublicKey, error) {
	b, err := ioutil.ReadAll(r)
	if err != nil {
		return nil, fmt.Errorf("ssh: read failed: %v", err)
	}
	var pub types.PublicKey
	if err := parsePub(pub[:], b); err != nil {
		return nil, fmt.Errorf("ssh: %v", err)
	}
	return &pub, nil
}

func (p *Parser) Signature(r io.Reader) (*types.Signature, error) {
	b, err := ioutil.ReadAll(r)
	if err != nil {
		return nil, fmt.Errorf("ssh: signature read failed: %v", err)
	}

	block, rest := pem.Decode(b)
	if len(rest) > 0 {
		return nil, fmt.Errorf("ssh: invalid signature rest: %v", rest)
	}
	if block == nil {
		return nil, fmt.Errorf("ssh: invalid signature PEM format")
	}
	if  block.Type != "SSH SIGNATURE" {
		return nil, fmt.Errorf("ssh: invalid signature PEM type: %v", block.Type)
	}

	var blob sshBlob
	if err := sshLib.Unmarshal(block.Bytes, &blob); err != nil {
		return nil, fmt.Errorf("ssh: invalid signature format: %v", err)
	}
	if string(blob.MagicPreamble[:]) != BLOB_PREAMBLE {
		return nil, fmt.Errorf("ssh: invalid signature magic: %s", string(blob.MagicPreamble[:]))
	}
	if blob.SigVersion != SIG_VERSION {
		return nil, fmt.Errorf("ssh: invalid signature version: %d", blob.SigVersion)
	}
	if blob.HashAlgorithm != HASH_ALGO {
		return nil, fmt.Errorf("ssh: invalid signature hash algorithm: %s", blob.HashAlgorithm)
	}

	var sshSig sshLib.Signature
	if err := sshLib.Unmarshal([]byte(blob.Signature), &sshSig); err != nil {
		return nil, fmt.Errorf("ssh: invalid signature blob: %v", err)
	}

	var sig types.Signature
	copy(sig[:], sshSig.Blob)

	return &sig, nil
}

func parsePub(dst, data []byte) error {
	pubkey, _, _, _, err := sshLib.ParseAuthorizedKey(data)
	if err != nil {
		return fmt.Errorf("ssh.ParseAuthorizedKey: %s", err)
	}

	var keyPart sshKeypart
	if err := sshLib.Unmarshal(pubkey.Marshal(), &keyPart); err != nil {
		return fmt.Errorf("ssh: invalid pubkey: %v", err)
	}

	copy(dst[:], keyPart.Key)
	return nil
}
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-15 02:08:41 +0000