Handle EdDSA & DSA SSH signatures separately in SshSignatureConverter
This commit is contained in:
Christian Hagau
@@ -195,16 +195,18 @@ public class SshAuthenticationService extends Service {
|
|||||||
byte[] sshSignature;
|
byte[] sshSignature;
|
||||||
try {
|
try {
|
||||||
switch (authSubKeyAlgorithm) {
|
switch (authSubKeyAlgorithm) {
|
||||||
case PublicKeyAlgorithmTags.ECDSA:
|
case PublicKeyAlgorithmTags.EDDSA:
|
||||||
sshSignature = SshSignatureConverter.getSshSignatureEcDsa(rawSignature, authSubKeyCurveOid);
|
sshSignature = SshSignatureConverter.getSshSignatureEdDsa(rawSignature);
|
||||||
break;
|
break;
|
||||||
case PublicKeyAlgorithmTags.RSA_SIGN:
|
case PublicKeyAlgorithmTags.RSA_SIGN:
|
||||||
case PublicKeyAlgorithmTags.RSA_GENERAL:
|
case PublicKeyAlgorithmTags.RSA_GENERAL:
|
||||||
sshSignature = SshSignatureConverter.getSshSignatureRsa(rawSignature, hashAlgorithmTag);
|
sshSignature = SshSignatureConverter.getSshSignatureRsa(rawSignature, hashAlgorithmTag);
|
||||||
break;
|
break;
|
||||||
|
case PublicKeyAlgorithmTags.ECDSA:
|
||||||
|
sshSignature = SshSignatureConverter.getSshSignatureEcDsa(rawSignature, authSubKeyCurveOid);
|
||||||
|
break;
|
||||||
case PublicKeyAlgorithmTags.DSA:
|
case PublicKeyAlgorithmTags.DSA:
|
||||||
case PublicKeyAlgorithmTags.EDDSA:
|
sshSignature = SshSignatureConverter.getSshSignatureDsa(rawSignature);
|
||||||
sshSignature = SshSignatureConverter.getSshSignature(rawSignature, authSubKeyAlgorithm);
|
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
throw new NoSuchAlgorithmException("Unknown algorithm");
|
throw new NoSuchAlgorithmException("Unknown algorithm");
|
||||||
|
|||||||
@@ -21,7 +21,6 @@ import org.bouncycastle.asn1.ASN1Integer;
|
|||||||
import org.bouncycastle.asn1.ASN1Primitive;
|
import org.bouncycastle.asn1.ASN1Primitive;
|
||||||
import org.bouncycastle.asn1.ASN1Sequence;
|
import org.bouncycastle.asn1.ASN1Sequence;
|
||||||
import org.bouncycastle.bcpg.HashAlgorithmTags;
|
import org.bouncycastle.bcpg.HashAlgorithmTags;
|
||||||
import org.bouncycastle.bcpg.PublicKeyAlgorithmTags;
|
|
||||||
import org.bouncycastle.util.BigIntegers;
|
import org.bouncycastle.util.BigIntegers;
|
||||||
import org.sufficientlysecure.keychain.ssh.key.SshEncodedData;
|
import org.sufficientlysecure.keychain.ssh.key.SshEncodedData;
|
||||||
import org.sufficientlysecure.keychain.ssh.utils.SshUtils;
|
import org.sufficientlysecure.keychain.ssh.utils.SshUtils;
|
||||||
@@ -49,32 +48,6 @@ public class SshSignatureConverter {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private static String getSignatureFormatId(int algorithm) throws NoSuchAlgorithmException {
|
|
||||||
switch (algorithm) {
|
|
||||||
case PublicKeyAlgorithmTags.EDDSA:
|
|
||||||
return "ssh-ed25519";
|
|
||||||
|
|
||||||
case PublicKeyAlgorithmTags.DSA:
|
|
||||||
return "ssh-dss";
|
|
||||||
|
|
||||||
default:
|
|
||||||
throw new NoSuchAlgorithmException("Unknown algorithm");
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
private static byte[] getSignatureBlob(byte[] rawSignature, int algorithm) throws NoSuchAlgorithmException {
|
|
||||||
switch (algorithm) {
|
|
||||||
case PublicKeyAlgorithmTags.EDDSA:
|
|
||||||
return rawSignature;
|
|
||||||
|
|
||||||
case PublicKeyAlgorithmTags.DSA:
|
|
||||||
return getDsaSignatureBlob(rawSignature);
|
|
||||||
|
|
||||||
default:
|
|
||||||
throw new NoSuchAlgorithmException("Unknown algorithm");
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
private static byte[] getEcDsaSignatureBlob(byte[] rawSignature) {
|
private static byte[] getEcDsaSignatureBlob(byte[] rawSignature) {
|
||||||
BigInteger r = getR(rawSignature);
|
BigInteger r = getR(rawSignature);
|
||||||
BigInteger s = getS(rawSignature);
|
BigInteger s = getS(rawSignature);
|
||||||
@@ -130,10 +103,18 @@ public class SshSignatureConverter {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public static byte[] getSshSignature(byte[] rawSignature, int algorithm) throws NoSuchAlgorithmException {
|
public static byte[] getSshSignatureEdDsa(byte[] rawSignature) {
|
||||||
SshEncodedData signature = new SshEncodedData();
|
SshEncodedData signature = new SshEncodedData();
|
||||||
signature.putString(getSignatureFormatId(algorithm));
|
signature.putString("ssh-ed25519");
|
||||||
signature.putString(getSignatureBlob(rawSignature, algorithm));
|
signature.putString(rawSignature);
|
||||||
|
|
||||||
|
return signature.getBytes();
|
||||||
|
}
|
||||||
|
|
||||||
|
public static byte[] getSshSignatureDsa(byte[] rawSignature) {
|
||||||
|
SshEncodedData signature = new SshEncodedData();
|
||||||
|
signature.putString("ssh-dss");
|
||||||
|
signature.putString(getDsaSignatureBlob(rawSignature));
|
||||||
|
|
||||||
return signature.getBytes();
|
return signature.getBytes();
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -242,14 +242,14 @@ public class SshSignatureConverterTest {
|
|||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testEdDsa() throws Exception {
|
public void testEdDsa() throws Exception {
|
||||||
byte[] out = SshSignatureConverter.getSshSignature(RAW_EDDSA_SIGNATURE, PublicKeyAlgorithmTags.EDDSA);
|
byte[] out = SshSignatureConverter.getSshSignatureEdDsa(RAW_EDDSA_SIGNATURE);
|
||||||
|
|
||||||
Assert.assertArrayEquals(SSH_EDDSA_SIGNATURE, out);
|
Assert.assertArrayEquals(SSH_EDDSA_SIGNATURE, out);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testDsa() throws Exception {
|
public void testDsa() throws Exception {
|
||||||
byte[] out = SshSignatureConverter.getSshSignature(RAW_DSA_SIGNATURE, PublicKeyAlgorithmTags.DSA);
|
byte[] out = SshSignatureConverter.getSshSignatureDsa(RAW_DSA_SIGNATURE);
|
||||||
|
|
||||||
Assert.assertArrayEquals(SSH_DSA_SIGNATURE, out);
|
Assert.assertArrayEquals(SSH_DSA_SIGNATURE, out);
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user