Merge pull request #72 from MathisRosenhauer/sk-keys

sk- key types

Author: ojarva

sshpubkeys/keys.py

@@ -19,6 +19,7 @@
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric.dsa import DSAParameterNumbers, DSAPublicNumbers
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicNumbers
+from urllib.parse import urlparse
 
 import base64
 import binascii
@@ -204,7 +205,7 @@ def _parse_long(cls, data):
     def _split_key(self, data):
         options_raw = None
         # Terribly inefficient way to remove options, but hey, it works.
-        if not data.startswith("ssh-") and not data.startswith("ecdsa-"):
+        if not data.startswith("ssh-") and not data.startswith("ecdsa-") and not data.startswith("sk-"):
             quote_open = False
             for i, character in enumerate(data):
                 if character == '"':  # only double quotes are allowed, no need to care about single quotes
@@ -388,6 +389,32 @@ def _process_ed25516(self, data):
             raise InvalidKeyLengthError("ed25519 keys must be 256 bits (was %s bits)" % self.bits)
         return current_position
 
+    def _validate_application_string(self, application):
+        """Validates Application string.
+
+        Has to be an URL starting with "ssh:". See ssh-keygen(1)."""
+
+        try:
+            parsed_url = urlparse(application)
+        except ValueError as error:
+            raise InvalidKeyError("Application string: %s" % error)
+        if parsed_url.scheme != b"ssh":
+            raise InvalidKeyError('Application string must begin with "ssh:"')
+
+    def _process_sk_ecdsa_sha(self, data):
+        """Parses sk_ecdsa-sha public keys."""
+        current_position = self._process_ecdsa_sha(data)
+        current_position, application = self._unpack_by_int(data, current_position)
+        self._validate_application_string(application)
+        return current_position
+
+    def _process_sk_ed25519(self, data):
+        """Parses sk_ed25519 public keys."""
+        current_position = self._process_ed25516(data)
+        current_position, application = self._unpack_by_int(data, current_position)
+        self._validate_application_string(application)
+        return current_position
+
     def _process_key(self, data):
         if self.key_type == b"ssh-rsa":
             return self._process_ssh_rsa(data)
@@ -397,6 +424,10 @@ def _process_key(self, data):
             return self._process_ecdsa_sha(data)
         if self.key_type == b"ssh-ed25519":
             return self._process_ed25516(data)
+        if self.key_type.strip().startswith(b"sk-ecdsa-sha"):
+            return self._process_sk_ecdsa_sha(data)
+        if self.key_type.strip().startswith(b"sk-ssh-ed25519"):
+            return self._process_sk_ed25519(data)
         raise NotImplementedError("Invalid key type: %s" % self.key_type.decode())
 
     def parse(self, keydata=None):

tests/invalid_keys.py

@@ -82,4 +82,12 @@
         'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAYQbdtLTII+vP98NSDlK2LXxVARELRYO0NODFYQ0imYxsmBMB7BrfljFppLJyjU6cziOT6YFj6rVd8MmCogdCR32u63EV11uT6RCFfJMQJtIi+B1JJipTxLzURsiUOOgAHJc= ojarva@ojar-laptop.local',
         TooShortKeyError, "rsa_771", ["strict"]
     ],
+    [
+        'sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJ+CG2daFaeUC2GMvxGe5bTXRxforrL3MNOcsxbMbQeHAAAABGludjo=',
+        InvalidKeyError, 'invalid_appid_sk-ssh-ed25519', ["loose", "strict"]
+    ],
+    [
+        'sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHIoT5FA++PiJ4g4cORu3DBK4HWBO8mMjbp1Jtp4twl4AAAAB3NzaDovL1s=',
+        InvalidKeyError, 'invalid_url_sk-ssh-ed25519', ["loose", "strict"]
+    ],
 ]

tests/valid_keys.py

@@ -218,4 +218,12 @@
     'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5x8+1ucT6+AKQIW8u5W/FOuBvWx2fCQlSLkUakry89', 256,
     'MD5:0c:4e:13:0f:f3:ab:20:58:85:2e:79:9b:0f:2b:43:c8', 'SHA256:2ao9ds3IIkmXiLPRMs/47HIkHIV/qxzEHKW8p9lhRYA', "ed25516_2",
     ["strict", "loose"]
+], [
+    'sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBGdtNJ7nNTVW3kXvrWpvTENCfetzI2yUb8m5WLB2kcOVqF+3orTmloZsQEt1K386hlaqNzm7MVB+xcAiNoqhiI4AAAAEc3NoOg==',
+    256, 'MD5:ea:34:1c:a3:8b:8e:fe:07:0c:b0:36:fa:db:ce:b4:58', 'SHA256:HGA+EGN7vROCadhXckS5/hwCluETf1cPA92A9+RTgxw',
+    'sk-ecdsa-sha2-nistp256_1', ["strict", "loose"]
+], [
+    'sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAID92A9iaZ6WS0dcc4qsxuUfMgwFuFeh48faLjYlaYXswAAAABHNzaDo=',
+    256, 'MD5:0b:87:18:2a:09:e7:a9:77:73:cd:3d:83:83:77:ea:83', 'SHA256:Uz5X82+UKm4CiOdqnfAtV/5JfnysqPHt1Is0iGnD70g',
+    'sk-ssh-ed25519_1', ["strict", "loose"]
 ]]