You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

314 lines
7.8 KiB

  1. // Copyright 2015 Joyent, Inc.
  2. module.exports = Signature;
  3. var assert = require('assert-plus');
  4. var Buffer = require('safer-buffer').Buffer;
  5. var algs = require('./algs');
  6. var crypto = require('crypto');
  7. var errs = require('./errors');
  8. var utils = require('./utils');
  9. var asn1 = require('asn1');
  10. var SSHBuffer = require('./ssh-buffer');
  11. var InvalidAlgorithmError = errs.InvalidAlgorithmError;
  12. var SignatureParseError = errs.SignatureParseError;
  13. function Signature(opts) {
  14. assert.object(opts, 'options');
  15. assert.arrayOfObject(opts.parts, 'options.parts');
  16. assert.string(opts.type, 'options.type');
  17. var partLookup = {};
  18. for (var i = 0; i < opts.parts.length; ++i) {
  19. var part = opts.parts[i];
  20. partLookup[part.name] = part;
  21. }
  22. this.type = opts.type;
  23. this.hashAlgorithm = opts.hashAlgo;
  24. this.curve = opts.curve;
  25. this.parts = opts.parts;
  26. this.part = partLookup;
  27. }
  28. Signature.prototype.toBuffer = function (format) {
  29. if (format === undefined)
  30. format = 'asn1';
  31. assert.string(format, 'format');
  32. var buf;
  33. var stype = 'ssh-' + this.type;
  34. switch (this.type) {
  35. case 'rsa':
  36. switch (this.hashAlgorithm) {
  37. case 'sha256':
  38. stype = 'rsa-sha2-256';
  39. break;
  40. case 'sha512':
  41. stype = 'rsa-sha2-512';
  42. break;
  43. case 'sha1':
  44. case undefined:
  45. break;
  46. default:
  47. throw (new Error('SSH signature ' +
  48. 'format does not support hash ' +
  49. 'algorithm ' + this.hashAlgorithm));
  50. }
  51. if (format === 'ssh') {
  52. buf = new SSHBuffer({});
  53. buf.writeString(stype);
  54. buf.writePart(this.part.sig);
  55. return (buf.toBuffer());
  56. } else {
  57. return (this.part.sig.data);
  58. }
  59. break;
  60. case 'ed25519':
  61. if (format === 'ssh') {
  62. buf = new SSHBuffer({});
  63. buf.writeString(stype);
  64. buf.writePart(this.part.sig);
  65. return (buf.toBuffer());
  66. } else {
  67. return (this.part.sig.data);
  68. }
  69. break;
  70. case 'dsa':
  71. case 'ecdsa':
  72. var r, s;
  73. if (format === 'asn1') {
  74. var der = new asn1.BerWriter();
  75. der.startSequence();
  76. r = utils.mpNormalize(this.part.r.data);
  77. s = utils.mpNormalize(this.part.s.data);
  78. der.writeBuffer(r, asn1.Ber.Integer);
  79. der.writeBuffer(s, asn1.Ber.Integer);
  80. der.endSequence();
  81. return (der.buffer);
  82. } else if (format === 'ssh' && this.type === 'dsa') {
  83. buf = new SSHBuffer({});
  84. buf.writeString('ssh-dss');
  85. r = this.part.r.data;
  86. if (r.length > 20 && r[0] === 0x00)
  87. r = r.slice(1);
  88. s = this.part.s.data;
  89. if (s.length > 20 && s[0] === 0x00)
  90. s = s.slice(1);
  91. if ((this.hashAlgorithm &&
  92. this.hashAlgorithm !== 'sha1') ||
  93. r.length + s.length !== 40) {
  94. throw (new Error('OpenSSH only supports ' +
  95. 'DSA signatures with SHA1 hash'));
  96. }
  97. buf.writeBuffer(Buffer.concat([r, s]));
  98. return (buf.toBuffer());
  99. } else if (format === 'ssh' && this.type === 'ecdsa') {
  100. var inner = new SSHBuffer({});
  101. r = this.part.r.data;
  102. inner.writeBuffer(r);
  103. inner.writePart(this.part.s);
  104. buf = new SSHBuffer({});
  105. /* XXX: find a more proper way to do this? */
  106. var curve;
  107. if (r[0] === 0x00)
  108. r = r.slice(1);
  109. var sz = r.length * 8;
  110. if (sz === 256)
  111. curve = 'nistp256';
  112. else if (sz === 384)
  113. curve = 'nistp384';
  114. else if (sz === 528)
  115. curve = 'nistp521';
  116. buf.writeString('ecdsa-sha2-' + curve);
  117. buf.writeBuffer(inner.toBuffer());
  118. return (buf.toBuffer());
  119. }
  120. throw (new Error('Invalid signature format'));
  121. default:
  122. throw (new Error('Invalid signature data'));
  123. }
  124. };
  125. Signature.prototype.toString = function (format) {
  126. assert.optionalString(format, 'format');
  127. return (this.toBuffer(format).toString('base64'));
  128. };
  129. Signature.parse = function (data, type, format) {
  130. if (typeof (data) === 'string')
  131. data = Buffer.from(data, 'base64');
  132. assert.buffer(data, 'data');
  133. assert.string(format, 'format');
  134. assert.string(type, 'type');
  135. var opts = {};
  136. opts.type = type.toLowerCase();
  137. opts.parts = [];
  138. try {
  139. assert.ok(data.length > 0, 'signature must not be empty');
  140. switch (opts.type) {
  141. case 'rsa':
  142. return (parseOneNum(data, type, format, opts));
  143. case 'ed25519':
  144. return (parseOneNum(data, type, format, opts));
  145. case 'dsa':
  146. case 'ecdsa':
  147. if (format === 'asn1')
  148. return (parseDSAasn1(data, type, format, opts));
  149. else if (opts.type === 'dsa')
  150. return (parseDSA(data, type, format, opts));
  151. else
  152. return (parseECDSA(data, type, format, opts));
  153. default:
  154. throw (new InvalidAlgorithmError(type));
  155. }
  156. } catch (e) {
  157. if (e instanceof InvalidAlgorithmError)
  158. throw (e);
  159. throw (new SignatureParseError(type, format, e));
  160. }
  161. };
  162. function parseOneNum(data, type, format, opts) {
  163. if (format === 'ssh') {
  164. try {
  165. var buf = new SSHBuffer({buffer: data});
  166. var head = buf.readString();
  167. } catch (e) {
  168. /* fall through */
  169. }
  170. if (buf !== undefined) {
  171. var msg = 'SSH signature does not match expected ' +
  172. 'type (expected ' + type + ', got ' + head + ')';
  173. switch (head) {
  174. case 'ssh-rsa':
  175. assert.strictEqual(type, 'rsa', msg);
  176. opts.hashAlgo = 'sha1';
  177. break;
  178. case 'rsa-sha2-256':
  179. assert.strictEqual(type, 'rsa', msg);
  180. opts.hashAlgo = 'sha256';
  181. break;
  182. case 'rsa-sha2-512':
  183. assert.strictEqual(type, 'rsa', msg);
  184. opts.hashAlgo = 'sha512';
  185. break;
  186. case 'ssh-ed25519':
  187. assert.strictEqual(type, 'ed25519', msg);
  188. opts.hashAlgo = 'sha512';
  189. break;
  190. default:
  191. throw (new Error('Unknown SSH signature ' +
  192. 'type: ' + head));
  193. }
  194. var sig = buf.readPart();
  195. assert.ok(buf.atEnd(), 'extra trailing bytes');
  196. sig.name = 'sig';
  197. opts.parts.push(sig);
  198. return (new Signature(opts));
  199. }
  200. }
  201. opts.parts.push({name: 'sig', data: data});
  202. return (new Signature(opts));
  203. }
  204. function parseDSAasn1(data, type, format, opts) {
  205. var der = new asn1.BerReader(data);
  206. der.readSequence();
  207. var r = der.readString(asn1.Ber.Integer, true);
  208. var s = der.readString(asn1.Ber.Integer, true);
  209. opts.parts.push({name: 'r', data: utils.mpNormalize(r)});
  210. opts.parts.push({name: 's', data: utils.mpNormalize(s)});
  211. return (new Signature(opts));
  212. }
  213. function parseDSA(data, type, format, opts) {
  214. if (data.length != 40) {
  215. var buf = new SSHBuffer({buffer: data});
  216. var d = buf.readBuffer();
  217. if (d.toString('ascii') === 'ssh-dss')
  218. d = buf.readBuffer();
  219. assert.ok(buf.atEnd(), 'extra trailing bytes');
  220. assert.strictEqual(d.length, 40, 'invalid inner length');
  221. data = d;
  222. }
  223. opts.parts.push({name: 'r', data: data.slice(0, 20)});
  224. opts.parts.push({name: 's', data: data.slice(20, 40)});
  225. return (new Signature(opts));
  226. }
  227. function parseECDSA(data, type, format, opts) {
  228. var buf = new SSHBuffer({buffer: data});
  229. var r, s;
  230. var inner = buf.readBuffer();
  231. var stype = inner.toString('ascii');
  232. if (stype.slice(0, 6) === 'ecdsa-') {
  233. var parts = stype.split('-');
  234. assert.strictEqual(parts[0], 'ecdsa');
  235. assert.strictEqual(parts[1], 'sha2');
  236. opts.curve = parts[2];
  237. switch (opts.curve) {
  238. case 'nistp256':
  239. opts.hashAlgo = 'sha256';
  240. break;
  241. case 'nistp384':
  242. opts.hashAlgo = 'sha384';
  243. break;
  244. case 'nistp521':
  245. opts.hashAlgo = 'sha512';
  246. break;
  247. default:
  248. throw (new Error('Unsupported ECDSA curve: ' +
  249. opts.curve));
  250. }
  251. inner = buf.readBuffer();
  252. assert.ok(buf.atEnd(), 'extra trailing bytes on outer');
  253. buf = new SSHBuffer({buffer: inner});
  254. r = buf.readPart();
  255. } else {
  256. r = {data: inner};
  257. }
  258. s = buf.readPart();
  259. assert.ok(buf.atEnd(), 'extra trailing bytes');
  260. r.name = 'r';
  261. s.name = 's';
  262. opts.parts.push(r);
  263. opts.parts.push(s);
  264. return (new Signature(opts));
  265. }
  266. Signature.isSignature = function (obj, ver) {
  267. return (utils.isCompatible(obj, Signature, ver));
  268. };
  269. /*
  270. * API versions for Signature:
  271. * [1,0] -- initial ver
  272. * [2,0] -- support for rsa in full ssh format, compat with sshpk-agent
  273. * hashAlgorithm property
  274. * [2,1] -- first tagged version
  275. */
  276. Signature.prototype._sshpkApiVersion = [2, 1];
  277. Signature._oldVersionDetect = function (obj) {
  278. assert.func(obj.toBuffer);
  279. if (obj.hasOwnProperty('hashAlgorithm'))
  280. return ([2, 0]);
  281. return ([1, 0]);
  282. };