1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219
|
require 'net/ssh/transport/openssl'
require 'net/ssh/prompt'
require 'net/ssh/authentication/ed25519_loader'
module Net
module SSH
# A factory class for returning new Key classes. It is used for obtaining
# OpenSSL key instances via their SSH names, and for loading both public and
# private keys. It used used primarily by Net::SSH itself, internally, and
# will rarely (if ever) be directly used by consumers of the library.
#
# klass = Net::SSH::KeyFactory.get("rsa")
# assert klass.is_a?(OpenSSL::PKey::RSA)
#
# key = Net::SSH::KeyFactory.load_public_key("~/.ssh/id_dsa.pub")
class KeyFactory
# Specifies the mapping of SSH names to OpenSSL key classes.
MAP = {
'dh' => OpenSSL::PKey::DH,
'rsa' => OpenSSL::PKey::RSA,
'dsa' => OpenSSL::PKey::DSA,
'ecdsa' => OpenSSL::PKey::EC
}
MAP["ed25519"] = Net::SSH::Authentication::ED25519::PrivKey if defined? Net::SSH::Authentication::ED25519
class <<self
# Fetch an OpenSSL key instance by its SSH name. It will be a new,
# empty key of the given type.
def get(name)
MAP.fetch(name).new
end
# Loads a private key from a file. It will correctly determine
# whether the file describes an RSA or DSA key, and will load it
# appropriately. The new key is returned. If the key itself is
# encrypted (requiring a passphrase to use), the user will be
# prompted to enter their password unless passphrase works.
def load_private_key(filename, passphrase=nil, ask_passphrase=true, prompt=Prompt.default)
data = File.read(File.expand_path(filename))
load_data_private_key(data, passphrase, ask_passphrase, filename, prompt)
end
# Loads a private key. It will correctly determine
# whether the file describes an RSA or DSA key, and will load it
# appropriately. The new key is returned. If the key itself is
# encrypted (requiring a passphrase to use), the user will be
# prompted to enter their password unless passphrase works.
def load_data_private_key(data, passphrase=nil, ask_passphrase=true, filename="", prompt=Prompt.default)
key_type = classify_key(data, filename)
encrypted_key = nil
tries = 0
prompter = nil
result =
begin
key_type.read(data, passphrase || 'invalid')
rescue *key_type.error_classes => e
encrypted_key = !!key_type.encrypted_key?(data, e) if encrypted_key.nil?
if encrypted_key && ask_passphrase
tries += 1
if tries <= 3
prompter ||= prompt.start(type: 'private_key', filename: filename, sha: Digest::SHA256.digest(data))
passphrase = prompter.ask("Enter passphrase for #{filename}:", false)
retry
else
raise
end
else
raise
end
end
prompter.success if prompter
result
end
# Loads a public key from a file. It will correctly determine whether
# the file describes an RSA or DSA key, and will load it
# appropriately. The new public key is returned.
def load_public_key(filename)
data = File.read(File.expand_path(filename))
load_data_public_key(data, filename)
end
# Loads a public key. It will correctly determine whether
# the file describes an RSA or DSA key, and will load it
# appropriately. The new public key is returned.
def load_data_public_key(data, filename="")
fields = data.split(/ /)
blob = nil
begin
blob = fields.shift
end while !blob.nil? && !/^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp\d+)(-cert-v01@openssh\.com)?$/.match(blob)
blob = fields.shift
raise Net::SSH::Exception, "public key at #{filename} is not valid" if blob.nil?
blob = blob.unpack("m*").first
reader = Net::SSH::Buffer.new(blob)
reader.read_key or raise OpenSSL::PKey::PKeyError, "not a public key #{filename.inspect}"
end
private
# rubocop:disable Style/Documentation, Lint/DuplicateMethods
class KeyType
def self.read(key_data, passphrase)
raise Exception, "TODO subclasses should implement read"
end
def self.error_classes
raise Exception, "TODO subclasses should implement read"
end
def self.encrypted_key?(data, error)
raise Exception, "TODO subclasses should implement is_encrypted_key"
end
end
class OpenSSHPrivateKeyType < KeyType
def self.read(key_data, passphrase)
Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader.read(key_data, passphrase)
end
def self.error_classes
[Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader::DecryptError]
end
def self.encrypted_key?(key_data, decode_error)
decode_error.is_a?(Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader::DecryptError) && decode_error.encrypted_key?
end
end
class OpenSSLKeyTypeBase < KeyType
def self.open_ssl_class
raise Exception, "TODO: subclasses should implement"
end
def self.read(key_data, passphrase)
open_ssl_class.new(key_data, passphrase)
end
def self.encrypted_key?(key_data, error)
key_data.match(/ENCRYPTED/)
end
end
class OpenSSLPKeyType < OpenSSLKeyTypeBase
def self.read(key_data, passphrase)
open_ssl_class.read(key_data, passphrase)
end
def self.open_ssl_class
OpenSSL::PKey
end
def self.error_classes
[ArgumentError, OpenSSL::PKey::PKeyError]
end
end
class OpenSSLDSAKeyType < OpenSSLKeyTypeBase
def self.open_ssl_class
OpenSSL::PKey::DSA
end
def self.error_classes
[OpenSSL::PKey::DSAError]
end
end
class OpenSSLRSAKeyType < OpenSSLKeyTypeBase
def self.open_ssl_class
OpenSSL::PKey::RSA
end
def self.error_classes
[OpenSSL::PKey::RSAError]
end
end
class OpenSSLECKeyType < OpenSSLKeyTypeBase
def self.open_ssl_class
OpenSSL::PKey::EC
end
def self.error_classes
[OpenSSL::PKey::ECError]
end
end
# rubocop:enable Style/Documentation, Lint/DuplicateMethods
# Determine whether the file describes an RSA or DSA key, and return how load it
# appropriately.
def classify_key(data, filename)
if data.match(/-----BEGIN OPENSSH PRIVATE KEY-----/)
Net::SSH::Authentication::ED25519Loader.raiseUnlessLoaded("OpenSSH keys only supported if ED25519 is available")
return OpenSSHPrivateKeyType
elsif OpenSSL::PKey.respond_to?(:read)
return OpenSSLPKeyType
elsif data.match(/-----BEGIN DSA PRIVATE KEY-----/)
return OpenSSLDSAKeyType
elsif data.match(/-----BEGIN RSA PRIVATE KEY-----/)
return OpenSSLRSAKeyType
elsif data.match(/-----BEGIN EC PRIVATE KEY-----/)
return OpenSSLECKeyType
elsif data.match(/-----BEGIN (.+) PRIVATE KEY-----/)
raise OpenSSL::PKey::PKeyError, "not a supported key type '#{$1}'"
else
raise OpenSSL::PKey::PKeyError, "not a private key (#{filename})"
end
end
end
end
end
end
|