cthrace/open-keychain
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Use correct signature format identifier when creating SSH signatures for

Browse Source 
RSA with SHA256 & SHA512
This commit is contained in:
Christian Hagau
2018-04-25 00:00:00 +00:00
parent 4c251d57a1
commit 6b0ac338ca
3 changed files with 141 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/SshAuthenticationService.java
View File

@@ -194,10 +194,20 @@ public class SshAuthenticationService extends Service {
byte[] rawSignature = authResult.getSignature();
byte[] sshSignature;
try {
if (authSubKeyAlgorithm == PublicKeyAlgorithmTags.ECDSA) {
sshSignature = SshSignatureConverter.getSshSignatureEcDsa(rawSignature, authSubKeyCurveOid);
} else {
sshSignature = SshSignatureConverter.getSshSignature(rawSignature, authSubKeyAlgorithm);
switch (authSubKeyAlgorithm) {
case PublicKeyAlgorithmTags.ECDSA:
sshSignature = SshSignatureConverter.getSshSignatureEcDsa(rawSignature, authSubKeyCurveOid);
break;
case PublicKeyAlgorithmTags.RSA_SIGN:
case PublicKeyAlgorithmTags.RSA_GENERAL:
sshSignature = SshSignatureConverter.getSshSignatureRsa(rawSignature, hashAlgorithmTag);
break;
case PublicKeyAlgorithmTags.DSA:
case PublicKeyAlgorithmTags.EDDSA:
sshSignature = SshSignatureConverter.getSshSignature(rawSignature, authSubKeyAlgorithm);
break;
default:
throw new NoSuchAlgorithmException("Unknown algorithm");
}
} catch (NoSuchAlgorithmException e) {
return createExceptionErrorResult(SshAuthenticationApiError.INTERNAL_ERROR,

36
OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ssh/signature/SshSignatureConverter.java
View File

@@ -20,6 +20,7 @@ package org.sufficientlysecure.keychain.ssh.signature;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.bcpg.HashAlgorithmTags;
import org.bouncycastle.bcpg.PublicKeyAlgorithmTags;
import org.bouncycastle.util.BigIntegers;
import org.sufficientlysecure.keychain.ssh.key.SshEncodedData;
@@ -31,12 +32,25 @@ import java.security.NoSuchAlgorithmException;
public class SshSignatureConverter {
private static String getSignatureType(int algorithm) throws NoSuchAlgorithmException {
switch (algorithm) {
case PublicKeyAlgorithmTags.RSA_SIGN:
case PublicKeyAlgorithmTags.RSA_GENERAL:
private static String getRsaSignatureFormatId(int hashAlgorithm) throws NoSuchAlgorithmException {
// https://tools.ietf.org/html/rfc8332
switch (hashAlgorithm) {
case HashAlgorithmTags.SHA512:
return "rsa-sha2-512";
case HashAlgorithmTags.SHA256:
return "rsa-sha2-256";
case HashAlgorithmTags.SHA1:
return "ssh-rsa";
default:
throw new NoSuchAlgorithmException("Unknown hash algorithm");
}
}
private static String getSignatureFormatId(int algorithm) throws NoSuchAlgorithmException {
switch (algorithm) {
case PublicKeyAlgorithmTags.EDDSA:
return "ssh-ed25519";
@@ -50,10 +64,6 @@ public class SshSignatureConverter {
private static byte[] getSignatureBlob(byte[] rawSignature, int algorithm) throws NoSuchAlgorithmException {
switch (algorithm) {
case PublicKeyAlgorithmTags.RSA_SIGN:
case PublicKeyAlgorithmTags.RSA_GENERAL:
return rawSignature;
case PublicKeyAlgorithmTags.EDDSA:
return rawSignature;
@@ -122,12 +132,20 @@ public class SshSignatureConverter {
public static byte[] getSshSignature(byte[] rawSignature, int algorithm) throws NoSuchAlgorithmException {
SshEncodedData signature = new SshEncodedData();
signature.putString(getSignatureType(algorithm));
signature.putString(getSignatureFormatId(algorithm));
signature.putString(getSignatureBlob(rawSignature, algorithm));
return signature.getBytes();
}
public static byte[] getSshSignatureRsa(byte[] rawSignature, int hashAlgorithm) throws NoSuchAlgorithmException {
SshEncodedData signature = new SshEncodedData();
signature.putString(getRsaSignatureFormatId(hashAlgorithm));
signature.putString(rawSignature);
return signature.getBytes();
}
public static byte[] getSshSignatureEcDsa(byte[] rawSignature, String curveOid) throws NoSuchAlgorithmException {
SshEncodedData signature = new SshEncodedData();
signature.putString("ecdsa-sha2-" + SshUtils.getCurveName(curveOid));