diff options
| -rwxr-xr-x | .travis/install.sh | 3 | ||||
| -rw-r--r-- | README.rst | 2 | ||||
| -rw-r--r-- | docs/hazmat/primitives/asymmetric/serialization.rst | 13 | ||||
| -rw-r--r-- | src/cryptography/hazmat/bindings/openssl/asn1.py | 5 | ||||
| -rw-r--r-- | src/cryptography/hazmat/bindings/openssl/cms.py | 61 | ||||
| -rw-r--r-- | src/cryptography/hazmat/bindings/openssl/evp.py | 7 | ||||
| -rw-r--r-- | src/cryptography/hazmat/bindings/openssl/nid.py | 11 | ||||
| -rw-r--r-- | src/cryptography/hazmat/bindings/openssl/x509.py | 4 | ||||
| -rw-r--r-- | src/cryptography/hazmat/bindings/openssl/x509name.py | 4 | ||||
| -rw-r--r-- | src/cryptography/hazmat/primitives/serialization.py | 47 | ||||
| -rw-r--r-- | tasks.py | 3 | ||||
| -rw-r--r-- | tests/hazmat/primitives/test_serialization.py | 140 |
12 files changed, 261 insertions, 39 deletions
diff --git a/.travis/install.sh b/.travis/install.sh index 6dd84f2c..1152556c 100755 --- a/.travis/install.sh +++ b/.travis/install.sh @@ -44,9 +44,6 @@ if [[ "$DARWIN" = true ]]; then pyenv install 3.4.2 pyenv global 3.4.2 ;; - py3pep8) - sudo apt-get install python3.3 python3.3-dev - ;; pypy) brew upgrade pyenv pyenv install pypy-2.4.0 @@ -12,7 +12,7 @@ Cryptography .. image:: https://travis-ci.org/pyca/cryptography.svg?branch=master :target: https://travis-ci.org/pyca/cryptography -.. image:: https://coveralls.io/repos/pyca/cryptography/badge.png?branch=master +.. image:: https://img.shields.io/coveralls/pyca/cryptography/master.svg :target: https://coveralls.io/r/pyca/cryptography?branch=master diff --git a/docs/hazmat/primitives/asymmetric/serialization.rst b/docs/hazmat/primitives/asymmetric/serialization.rst index a9392c7b..b523c342 100644 --- a/docs/hazmat/primitives/asymmetric/serialization.rst +++ b/docs/hazmat/primitives/asymmetric/serialization.rst @@ -201,8 +201,8 @@ OpenSSH Public Key The format used by OpenSSH to store public keys, as specified in :rfc:`4253`. -Currently, only RSA public keys are supported. Any other type of key will -result in an exception being thrown. +Currently, only RSA and DSA public keys are supported. Any other type of key +will result in an exception being thrown. An example RSA key in OpenSSH format (line breaks added for formatting purposes):: @@ -215,6 +215,9 @@ purposes):: ///ImSCGHQRvhwariN2tvZ6CBNSLh3iQgeB0AkyJlng7MXB2qYq/Ci2FUOryCX 2MzHvnbv testkey@localhost +DSA keys look almost identical but begin with ``ssh-dss`` rather than +``ssh-rsa``. + .. function:: load_ssh_public_key(data, backend) .. versionadded:: 0.7 @@ -224,8 +227,10 @@ purposes):: :param bytes data: The OpenSSH encoded key data. - :param backend: An - :class:`~cryptography.hazmat.backends.interfaces.RSABackend` provider. + :param backend: A backend providing + :class:`~cryptography.hazmat.backends.interfaces.RSABackend` or + :class:`~cryptography.hazmat.backends.interfaces.DSABackend` depending + on key type. :returns: A new instance of a public key type. diff --git a/src/cryptography/hazmat/bindings/openssl/asn1.py b/src/cryptography/hazmat/bindings/openssl/asn1.py index 5b1a56f2..d8b8331e 100644 --- a/src/cryptography/hazmat/bindings/openssl/asn1.py +++ b/src/cryptography/hazmat/bindings/openssl/asn1.py @@ -99,7 +99,10 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *, ASN1_GENERALIZEDTIME **); /* ASN1 UTCTIME */ +ASN1_UTCTIME *ASN1_UTCTIME_new(void); +void ASN1_UTCTIME_free(ASN1_UTCTIME *); int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *, time_t); +ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *, time_t); /* ASN1 GENERALIZEDTIME */ int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *, const char *); @@ -124,6 +127,7 @@ int ASN1_TIME_print(BIO *, ASN1_TIME *); int ASN1_STRING_length(ASN1_STRING *); ASN1_STRING *ASN1_STRING_dup(ASN1_STRING *); int ASN1_STRING_cmp(ASN1_STRING *, ASN1_STRING *); +int ASN1_UTCTIME_print(BIO *, ASN1_UTCTIME *); ASN1_OCTET_STRING *ASN1_OCTET_STRING_dup(ASN1_OCTET_STRING *); int ASN1_OCTET_STRING_cmp(ASN1_OCTET_STRING *, ASN1_OCTET_STRING *); @@ -137,6 +141,7 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(BIGNUM *, ASN1_INTEGER *); /* These isn't a macro the arg is const on openssl 1.0.2+ */ int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *); +int ASN1_UTCTIME_check(ASN1_UTCTIME *); /* Not a macro, const on openssl 1.0 */ int ASN1_STRING_set_default_mask_asc(char *); diff --git a/src/cryptography/hazmat/bindings/openssl/cms.py b/src/cryptography/hazmat/bindings/openssl/cms.py index 7cbedf44..a43df5d9 100644 --- a/src/cryptography/hazmat/bindings/openssl/cms.py +++ b/src/cryptography/hazmat/bindings/openssl/cms.py @@ -25,6 +25,27 @@ typedef ... CMS_RevocationInfoChoice; typedef ... CMS_RecipientInfo; typedef ... CMS_ReceiptRequest; typedef ... CMS_Receipt; + +static const int CMS_TEXT; +static const int CMS_NOCERTS; +static const int CMS_NO_CONTENT_VERIFY; +static const int CMS_NO_ATTR_VERIFY; +static const int CMS_NOSIGS; +static const int CMS_NOINTERN; +static const int CMS_NO_SIGNER_CERT_VERIFY; +static const int CMS_NOVERIFY; +static const int CMS_DETACHED; +static const int CMS_BINARY; +static const int CMS_NOATTR; +static const int CMS_NOSMIMECAP; +static const int CMS_NOOLDMIMETYPE; +static const int CMS_CRLFEOL; +static const int CMS_STREAM; +static const int CMS_NOCRL; +static const int CMS_PARTIAL; +static const int CMS_REUSE_DIGEST; +static const int CMS_USE_KEYID; +static const int CMS_DEBUG_DECRYPT; """ FUNCTIONS = """ @@ -59,6 +80,26 @@ typedef void CMS_RevocationInfoChoice; typedef void CMS_RecipientInfo; typedef void CMS_ReceiptRequest; typedef void CMS_Receipt; +const long CMS_TEXT = 0; +const long CMS_NOCERTS = 0; +const long CMS_NO_CONTENT_VERIFY = 0; +const long CMS_NO_ATTR_VERIFY = 0; +const long CMS_NOSIGS = 0; +const long CMS_NOINTERN = 0; +const long CMS_NO_SIGNER_CERT_VERIFY = 0; +const long CMS_NOVERIFY = 0; +const long CMS_DETACHED = 0; +const long CMS_BINARY = 0; +const long CMS_NOATTR = 0; +const long CMS_NOSMIMECAP = 0; +const long CMS_NOOLDMIMETYPE = 0; +const long CMS_CRLFEOL = 0; +const long CMS_STREAM = 0; +const long CMS_NOCRL = 0; +const long CMS_PARTIAL = 0; +const long CMS_REUSE_DIGEST = 0; +const long CMS_USE_KEYID = 0; +const long CMS_DEBUG_DECRYPT = 0; BIO *(*BIO_new_CMS)(BIO *, CMS_ContentInfo *) = NULL; int (*i2d_CMS_bio_stream)(BIO *, CMS_ContentInfo *, BIO *, int) = NULL; int (*PEM_write_bio_CMS_stream)(BIO *, CMS_ContentInfo *, BIO *, int) = NULL; @@ -87,5 +128,25 @@ CONDITIONAL_NAMES = { "CMS_encrypt", "CMS_decrypt", "CMS_add1_signer", + "CMS_TEXT", + "CMS_NOCERTS", + "CMS_NO_CONTENT_VERIFY", + "CMS_NO_ATTR_VERIFY", + "CMS_NOSIGS", + "CMS_NOINTERN", + "CMS_NO_SIGNER_CERT_VERIFY", + "CMS_NOVERIFY", + "CMS_DETACHED", + "CMS_BINARY", + "CMS_NOATTR", + "CMS_NOSMIMECAP", + "CMS_NOOLDMIMETYPE", + "CMS_CRLFEOL", + "CMS_STREAM", + "CMS_NOCRL", + "CMS_PARTIAL", + "CMS_REUSE_DIGEST", + "CMS_USE_KEYID", + "CMS_DEBUG_DECRYPT", ] } diff --git a/src/cryptography/hazmat/bindings/openssl/evp.py b/src/cryptography/hazmat/bindings/openssl/evp.py index 29590579..f00c2f0d 100644 --- a/src/cryptography/hazmat/bindings/openssl/evp.py +++ b/src/cryptography/hazmat/bindings/openssl/evp.py @@ -91,6 +91,12 @@ int EVP_VerifyFinal(EVP_MD_CTX *, const unsigned char *, unsigned int, EVP_PKEY *); const EVP_MD *EVP_md5(void); +const EVP_MD *EVP_sha1(void); +const EVP_MD *EVP_ripemd160(void); +const EVP_MD *EVP_sha224(void); +const EVP_MD *EVP_sha256(void); +const EVP_MD *EVP_sha384(void); +const EVP_MD *EVP_sha512(void); int PKCS5_PBKDF2_HMAC_SHA1(const char *, int, const unsigned char *, int, int, int, unsigned char *); @@ -219,7 +225,6 @@ int (*EVP_PKEY_assign_EC_KEY)(EVP_PKEY *, EC_KEY *) = NULL; EC_KEY *(*EVP_PKEY_get1_EC_KEY)(EVP_PKEY *) = NULL; int (*EVP_PKEY_set1_EC_KEY)(EVP_PKEY *, EC_KEY *) = NULL; #endif - """ CONDITIONAL_NAMES = { diff --git a/src/cryptography/hazmat/bindings/openssl/nid.py b/src/cryptography/hazmat/bindings/openssl/nid.py index 8d83c1e1..a025d3b4 100644 --- a/src/cryptography/hazmat/bindings/openssl/nid.py +++ b/src/cryptography/hazmat/bindings/openssl/nid.py @@ -201,6 +201,17 @@ static const int NID_any_policy; static const int NID_policy_mappings; static const int NID_target_information; static const int NID_no_rev_avail; + +static const int NID_commonName; +static const int NID_countryName; +static const int NID_localityName; +static const int NID_stateOrProvinceName; +static const int NID_organizationName; +static const int NID_organizationalUnitName; +static const int NID_serialNumber; +static const int NID_surname; +static const int NID_givenName; +static const int NID_pkcs9_emailAddress; """ FUNCTIONS = """ diff --git a/src/cryptography/hazmat/bindings/openssl/x509.py b/src/cryptography/hazmat/bindings/openssl/x509.py index a6e1cb63..f51b0e59 100644 --- a/src/cryptography/hazmat/bindings/openssl/x509.py +++ b/src/cryptography/hazmat/bindings/openssl/x509.py @@ -140,6 +140,8 @@ int X509_EXTENSION_get_critical(X509_EXTENSION *); ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *); void X509_EXTENSION_free(X509_EXTENSION *); +int i2d_X509(X509 *, unsigned char **); + int X509_REQ_set_version(X509_REQ *, long); X509_REQ *X509_REQ_new(void); void X509_REQ_free(X509_REQ *); @@ -257,6 +259,8 @@ int i2d_DSAPrivateKey(DSA *, unsigned char **); /* These aren't macros these arguments are all const X on openssl > 1.0.x */ int X509_CRL_set_lastUpdate(X509_CRL *, ASN1_TIME *); int X509_CRL_set_nextUpdate(X509_CRL *, ASN1_TIME *); +int X509_set_notBefore(X509 *, ASN1_UTCTIME *); +int X509_set_notAfter(X509 *, ASN1_UTCTIME *); /* These use STACK_OF(X509_EXTENSION) in 0.9.8e. Once we drop support for RHEL/CentOS 5 we should move these back to FUNCTIONS. */ diff --git a/src/cryptography/hazmat/bindings/openssl/x509name.py b/src/cryptography/hazmat/bindings/openssl/x509name.py index 9863c195..bda92eb7 100644 --- a/src/cryptography/hazmat/bindings/openssl/x509name.py +++ b/src/cryptography/hazmat/bindings/openssl/x509name.py @@ -20,6 +20,9 @@ typedef ... Cryptography_STACK_OF_X509_NAME; """ FUNCTIONS = """ +X509_NAME *X509_NAME_new(void); +void X509_NAME_free(X509_NAME *); + int X509_NAME_entry_count(X509_NAME *); X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *, int); ASN1_OBJECT *X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *); @@ -37,7 +40,6 @@ int X509_NAME_get_index_by_NID(X509_NAME *, int, int); int X509_NAME_cmp(const X509_NAME *, const X509_NAME *); char *X509_NAME_oneline(X509_NAME *, char *, int); X509_NAME *X509_NAME_dup(X509_NAME *); -void X509_NAME_free(X509_NAME *); """ MACROS = """ diff --git a/src/cryptography/hazmat/primitives/serialization.py b/src/cryptography/hazmat/primitives/serialization.py index 0dbbc85c..9d384fc7 100644 --- a/src/cryptography/hazmat/primitives/serialization.py +++ b/src/cryptography/hazmat/primitives/serialization.py @@ -10,6 +10,9 @@ import warnings from cryptography import utils from cryptography.exceptions import UnsupportedAlgorithm +from cryptography.hazmat.primitives.asymmetric.dsa import ( + DSAParameterNumbers, DSAPublicNumbers +) from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicNumbers @@ -55,19 +58,23 @@ def load_ssh_public_key(data, backend): key_type = key_parts[0] key_body = key_parts[1] - if not key_type.startswith(b'ssh-'): - raise ValueError('SSH-formatted keys must begin with \'ssh-\'.') + try: + decoded_data = base64.b64decode(key_body) + except TypeError: + raise ValueError('Key is not in the proper format.') - if not key_type.startswith(b'ssh-rsa'): - raise UnsupportedAlgorithm('Only RSA keys are currently supported.') + if key_type == b'ssh-rsa': + return _load_ssh_rsa_public_key(decoded_data, backend) + elif key_type == b'ssh-dss': + return _load_ssh_dss_public_key(decoded_data, backend) + else: + raise UnsupportedAlgorithm( + 'Only RSA and DSA keys are currently supported.' + ) - return _load_ssh_rsa_public_key(key_body, backend) - -def _load_ssh_rsa_public_key(key_body, backend): - data = base64.b64decode(key_body) - - key_type, rest = _read_next_string(data) +def _load_ssh_rsa_public_key(decoded_data, backend): + key_type, rest = _read_next_string(decoded_data) e, rest = _read_next_mpint(rest) n, rest = _read_next_mpint(rest) @@ -81,6 +88,26 @@ def _load_ssh_rsa_public_key(key_body, backend): return backend.load_rsa_public_numbers(RSAPublicNumbers(e, n)) +def _load_ssh_dss_public_key(decoded_data, backend): + key_type, rest = _read_next_string(decoded_data) + p, rest = _read_next_mpint(rest) + q, rest = _read_next_mpint(rest) + g, rest = _read_next_mpint(rest) + y, rest = _read_next_mpint(rest) + + if key_type != b'ssh-dss': + raise ValueError( + 'Key header and key body contain different key type values.') + + if rest: + raise ValueError('Key body contains extra bytes.') + + parameter_numbers = DSAParameterNumbers(p, q, g) + public_numbers = DSAPublicNumbers(y, parameter_numbers) + + return backend.load_dsa_public_numbers(public_numbers) + + def _read_next_string(data): """Retrieves the next RFC 4251 string value from the data.""" str_len, = struct.unpack('>I', data[:4]) @@ -17,6 +17,9 @@ JENKINS_URL = "https://jenkins.cryptography.io/job/cryptography-wheel-builder" def wait_for_build_completed(session): + # Wait 3 seconds before actually checking if the build is complete, to + # ensure that it had time to really start. + time.sleep(3) while True: response = session.get( "{0}/lastBuild/api/json/".format(JENKINS_URL), diff --git a/tests/hazmat/primitives/test_serialization.py b/tests/hazmat/primitives/test_serialization.py index abb55751..91db318c 100644 --- a/tests/hazmat/primitives/test_serialization.py +++ b/tests/hazmat/primitives/test_serialization.py @@ -11,11 +11,15 @@ import pytest from cryptography.exceptions import UnsupportedAlgorithm, _Reasons from cryptography.hazmat.backends.interfaces import ( - EllipticCurveBackend, PEMSerializationBackend, PKCS8SerializationBackend, - RSABackend, TraditionalOpenSSLSerializationBackend + DSABackend, EllipticCurveBackend, PEMSerializationBackend, + PKCS8SerializationBackend, RSABackend, + TraditionalOpenSSLSerializationBackend ) from cryptography.hazmat.primitives import interfaces from cryptography.hazmat.primitives.asymmetric import ec +from cryptography.hazmat.primitives.asymmetric.dsa import ( + DSAParameterNumbers, DSAPublicNumbers +) from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicNumbers from cryptography.hazmat.primitives.serialization import ( load_pem_pkcs8_private_key, load_pem_private_key, load_pem_public_key, @@ -684,15 +688,15 @@ class TestPKCS8Serialization(object): @pytest.mark.requires_backend_interface(interface=RSABackend) -class TestSSHSerialization(object): +class TestRSASSHSerialization(object): def test_load_ssh_public_key_unsupported(self, backend): - ssh_key = b'ssh-dss AAAAB3NzaC1kc3MAAACBAO7q0a7VsQZcdRTCqFentQt...' + ssh_key = b'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY=' with pytest.raises(UnsupportedAlgorithm): load_ssh_public_key(ssh_key, backend) def test_load_ssh_public_key_bad_format(self, backend): - ssh_key = b'not-a-real-key text' + ssh_key = b'ssh-rsa not-a-real-key' with pytest.raises(ValueError): load_ssh_public_key(ssh_key, backend) @@ -703,20 +707,6 @@ class TestSSHSerialization(object): with pytest.raises(ValueError): load_ssh_public_key(ssh_key, backend) - def test_load_ssh_public_key_rsa_key_types_dont_match(self, backend): - ssh_key = ( - b"ssh-bad AAAAB3NzaC1yc2EAAAADAQABAAABAQDDu/XRP1kyK6Cgt36gts9XAk" - b"FiiuJLW6RU0j3KKVZSs1I7Z3UmU9/9aVh/rZV43WQG8jaR6kkcP4stOR0DEtll" - b"PDA7ZRBnrfiHpSQYQ874AZaAoIjgkv7DBfsE6gcDQLub0PFjWyrYQUJhtOLQEK" - b"vY/G0vt2iRL3juawWmCFdTK3W3XvwAdgGk71i6lHt+deOPNEPN2H58E4odrZ2f" - b"sxn/adpDqfb2sM0kPwQs0aWvrrKGvUaustkivQE4XWiSFnB0oJB/lKK/CKVKuy" - b"///ImSCGHQRvhwariN2tvZ6CBNSLh3iQgeB0AkyJlng7MXB2qYq/Ci2FUOryCX" - b"2MzHvnbv testkey@localhost extra" - ) - - with pytest.raises(ValueError): - load_ssh_public_key(ssh_key, backend) - def test_load_ssh_public_key_rsa_extra_string_after_comment(self, backend): ssh_key = ( b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDu/XRP1kyK6Cgt36gts9XAk" @@ -796,3 +786,115 @@ class TestSSHSerialization(object): expected = RSAPublicNumbers(expected_e, expected_n) assert numbers == expected + + +@pytest.mark.requires_backend_interface(interface=DSABackend) +class TestDSSSSHSerialization(object): + def test_load_ssh_public_key_dss_too_short(self, backend): + ssh_key = b'ssh-dss' + + with pytest.raises(ValueError): + load_ssh_public_key(ssh_key, backend) + + def test_load_ssh_public_key_dss_extra_string_after_comment(self, backend): + ssh_key = ( + b"ssh-dss AAAAB3NzaC1kc3MAAACBALmwUtfwdjAUjU2Dixd5DvT0NDcjjr69UD" + b"LqSD/Xt5Al7D3GXr1WOrWGpjO0NE9qzRCvMTU7zykRH6XjuNXB6Hvv48Zfm4vm" + b"nHQHFmmMg2bI75JbnOwdzWnnPZJrVU4rS23dFFPqs5ug+EbhVVrcwzxahjcSjJ" + b"7WEQSkVQWnSPbbAAAAFQDXmpD3DIkGvLSBf1GdUF4PHKtUrQAAAIB/bJFwss+2" + b"fngmfG/Li5OyL7A9iVoGdkUaFaxEUROTp7wkm2z49fXFAir+/U31v50Tu98YLf" + b"WvKlxdHcdgQYV9Ww5LIrhWwwD4UKOwC6w5S3KHVbi3pWUi7vxJFXOWfeu1mC/J" + b"TWqMKR91j+rmOtdppWIZRyIVIqLcMdGO3m+2VgAAAIANFDz5KQH5NvoljpoRQi" + b"RgyPjxWXiE7vjLElKj4v8KrpanAywBzdhIW1y/tzpGuwRwj5ihi8iNTHgSsoTa" + b"j5AG5HPomJf5vJElxpu/2O9pHA52wcNObIQ7j+JA5uWusxNIbl+pF6sSiP8abr" + b"z53N7tPF/IhHTjBHb1Ol7IFu9p9A== testkey@localhost extra" + ) + + with pytest.raises(ValueError): + load_ssh_public_key(ssh_key, backend) + + def test_load_ssh_public_key_dss_extra_data_after_modulo(self, backend): + ssh_key = ( + b"ssh-dss AAAAB3NzaC1kc3MAAACBALmwUtfwdjAUjU2Dixd5DvT0NDcjjr69UD" + b"LqSD/Xt5Al7D3GXr1WOrWGpjO0NE9qzRCvMTU7zykRH6XjuNXB6Hvv48Zfm4vm" + b"nHQHFmmMg2bI75JbnOwdzWnnPZJrVU4rS23dFFPqs5ug+EbhVVrcwzxahjcSjJ" + b"7WEQSkVQWnSPbbAAAAFQDXmpD3DIkGvLSBf1GdUF4PHKtUrQAAAIB/bJFwss+2" + b"fngmfG/Li5OyL7A9iVoGdkUaFaxEUROTp7wkm2z49fXFAir+/U31v50Tu98YLf" + b"WvKlxdHcdgQYV9Ww5LIrhWwwD4UKOwC6w5S3KHVbi3pWUi7vxJFXOWfeu1mC/J" + b"TWqMKR91j+rmOtdppWIZRyIVIqLcMdGO3m+2VgAAAIANFDz5KQH5NvoljpoRQi" + b"RgyPjxWXiE7vjLElKj4v8KrpanAywBzdhIW1y/tzpGuwRwj5ihi8iNTHgSsoTa" + b"j5AG5HPomJf5vJElxpu/2O9pHA52wcNObIQ7j+JA5uWusxNIbl+pF6sSiP8abr" + b"z53N7tPF/IhHTjBHb1Ol7IFu9p9AAwMD== testkey@localhost" + ) + + with pytest.raises(ValueError): + load_ssh_public_key(ssh_key, backend) + + def test_load_ssh_public_key_dss_different_string(self, backend): + ssh_key = ( + # "AAAAB3NzA" the final A is capitalized here to cause the string + # ssh-dss inside the base64 encoded blob to be incorrect. It should + # be a lower case 'a'. + b"ssh-dss AAAAB3NzAC1kc3MAAACBALmwUtfwdjAUjU2Dixd5DvT0NDcjjr69UD" + b"LqSD/Xt5Al7D3GXr1WOrWGpjO0NE9qzRCvMTU7zykRH6XjuNXB6Hvv48Zfm4vm" + b"nHQHFmmMg2bI75JbnOwdzWnnPZJrVU4rS23dFFPqs5ug+EbhVVrcwzxahjcSjJ" + b"7WEQSkVQWnSPbbAAAAFQDXmpD3DIkGvLSBf1GdUF4PHKtUrQAAAIB/bJFwss+2" + b"fngmfG/Li5OyL7A9iVoGdkUaFaxEUROTp7wkm2z49fXFAir+/U31v50Tu98YLf" + b"WvKlxdHcdgQYV9Ww5LIrhWwwD4UKOwC6w5S3KHVbi3pWUi7vxJFXOWfeu1mC/J" + b"TWqMKR91j+rmOtdppWIZRyIVIqLcMdGO3m+2VgAAAIANFDz5KQH5NvoljpoRQi" + b"RgyPjxWXiE7vjLElKj4v8KrpanAywBzdhIW1y/tzpGuwRwj5ihi8iNTHgSsoTa" + b"j5AG5HPomJf5vJElxpu/2O9pHA52wcNObIQ7j+JA5uWusxNIbl+pF6sSiP8abr" + b"z53N7tPF/IhHTjBHb1Ol7IFu9p9A== testkey@localhost" + ) + with pytest.raises(ValueError): + load_ssh_public_key(ssh_key, backend) + + def test_load_ssh_public_key_dss(self, backend): + ssh_key = ( + b"ssh-dss AAAAB3NzaC1kc3MAAACBALmwUtfwdjAUjU2Dixd5DvT0NDcjjr69UD" + b"LqSD/Xt5Al7D3GXr1WOrWGpjO0NE9qzRCvMTU7zykRH6XjuNXB6Hvv48Zfm4vm" + b"nHQHFmmMg2bI75JbnOwdzWnnPZJrVU4rS23dFFPqs5ug+EbhVVrcwzxahjcSjJ" + b"7WEQSkVQWnSPbbAAAAFQDXmpD3DIkGvLSBf1GdUF4PHKtUrQAAAIB/bJFwss+2" + b"fngmfG/Li5OyL7A9iVoGdkUaFaxEUROTp7wkm2z49fXFAir+/U31v50Tu98YLf" + b"WvKlxdHcdgQYV9Ww5LIrhWwwD4UKOwC6w5S3KHVbi3pWUi7vxJFXOWfeu1mC/J" + b"TWqMKR91j+rmOtdppWIZRyIVIqLcMdGO3m+2VgAAAIANFDz5KQH5NvoljpoRQi" + b"RgyPjxWXiE7vjLElKj4v8KrpanAywBzdhIW1y/tzpGuwRwj5ihi8iNTHgSsoTa" + b"j5AG5HPomJf5vJElxpu/2O9pHA52wcNObIQ7j+JA5uWusxNIbl+pF6sSiP8abr" + b"z53N7tPF/IhHTjBHb1Ol7IFu9p9A== testkey@localhost" + ) + + key = load_ssh_public_key(ssh_key, backend) + + assert key is not None + assert isinstance(key, interfaces.DSAPublicKey) + + numbers = key.public_numbers() + + expected_y = int( + "d143cf92901f936fa258e9a11422460c8f8f1597884eef8cb1252a3e2ff0aae" + "96a7032c01cdd8485b5cbfb73a46bb04708f98a18bc88d4c7812b284da8f900" + "6e473e89897f9bc9125c69bbfd8ef691c0e76c1c34e6c843b8fe240e6e5aeb3" + "13486e5fa917ab1288ff1a6ebcf9dcdeed3c5fc88474e30476f53a5ec816ef6" + "9f4", 16 + ) + expected_p = int( + "b9b052d7f07630148d4d838b17790ef4f43437238ebebd5032ea483fd7b7902" + "5ec3dc65ebd563ab586a633b4344f6acd10af31353bcf29111fa5e3b8d5c1e8" + "7befe3c65f9b8be69c740716698c8366c8ef925b9cec1dcd69e73d926b554e2" + "b4b6ddd1453eab39ba0f846e1555adcc33c5a8637128c9ed61104a45505a748" + "f6db", 16 + ) + expected_q = 1230879958723280233885494314531920096931919647917 + expected_g = int( + "7f6c9170b2cfb67e78267c6fcb8b93b22fb03d895a0676451a15ac44511393a" + "7bc249b6cf8f5f5c5022afefd4df5bf9d13bbdf182df5af2a5c5d1dc7604185" + "7d5b0e4b22b856c300f850a3b00bac394b728755b8b7a56522eefc491573967" + "debb5982fc94d6a8c291f758feae63ad769a5621947221522a2dc31d18ede6f" + "b656", 16 + ) + expected = DSAPublicNumbers( + expected_y, + DSAParameterNumbers(expected_p, expected_q, expected_g) + ) + + assert numbers == expected |