Merge pull request #31 from github/full-sig-support

Support SSHSIG and SK verification

Author: vcsjones

.editorconfig

@@ -0,0 +1,8 @@
+root = true
+
+[*]
+insert_final_newline = true
+
+[*.rb]
+indent_size = 2
+indent_style = space

.github/workflows/ruby.yml

@@ -20,5 +20,5 @@ jobs:
       run: |
         gem install bundler
         bundle install --jobs 4 --retry 3
-        chmod 600 ./spec/fixtures/*
+        find ./spec/fixtures -type f -exec chmod 600 -- {} +
         bundle exec rspec

lib/ssh_data.rb

@@ -34,3 +34,4 @@ def key_parts(key)
 require "ssh_data/public_key"
 require "ssh_data/private_key"
 require "ssh_data/encoding"
+require "ssh_data/signature"

lib/ssh_data/encoding.rb

@@ -3,6 +3,19 @@ module Encoding
     # Fields in an OpenSSL private key
     # https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key
     OPENSSH_PRIVATE_KEY_MAGIC = "openssh-key-v1\x00"
+
+    OPENSSH_SIGNATURE_MAGIC = "SSHSIG"
+    OPENSSH_SIGNATURE_VERSION = 0x01
+
+    OPENSSH_SIGNATURE_FIELDS = [
+      [:sigversion,     :uint32],
+      [:publickey,      :string],
+      [:namespace,      :string],
+      [:reserved,       :string],
+      [:hash_algorithm, :string],
+      [:signature,      :string],
+    ]
+
     OPENSSH_PRIVATE_KEY_FIELDS = [
       [:ciphername, :string],
       [:kdfname,    :string],
@@ -313,6 +326,21 @@ def decode_string_public_key(raw, offset=0, algo=nil)
       [key, str_read]
     end
 
+    def decode_openssh_signature(raw, offset=0)
+      total_read = 0
+
+      magic = raw.byteslice(offset, OPENSSH_SIGNATURE_MAGIC.bytesize)
+      unless magic == OPENSSH_SIGNATURE_MAGIC
+        raise DecodeError, "bad OpenSSH signature"
+      end
+
+      total_read += OPENSSH_SIGNATURE_MAGIC.bytesize
+      offset += total_read
+      data, read = decode_fields(raw, OPENSSH_SIGNATURE_FIELDS, offset)
+      total_read += read
+      [data, total_read]
+    end
+
     # Decode the fields in a certificate.
     #
     # raw    - Binary String certificate as described by RFC4253 section 6.6.
@@ -680,6 +708,32 @@ def encode_uint32(value)
       [value].pack("L>")
     end
 
+    # Read a uint8 from the provided raw data.
+    #
+    # raw    - A binary String.
+    # offset - The offset into raw at which to read (default 0).
+    #
+    # Returns an Array including the decoded uint8 as an Integer and the
+    # Integer number of bytes read.
+    def decode_uint8(raw, offset=0)
+      if raw.bytesize < offset + 1
+        raise DecodeError, "data too short"
+      end
+
+      uint8 = raw.byteslice(offset, 1).unpack("C").first
+
+      [uint8, 1]
+    end
+
+    # Encoding an integer as a uint8.
+    #
+    # value - The Integer value to encode.
+    #
+    # Returns an encoded representation of the value.
+    def encode_uint8(value)
+      [value].pack("C")
+    end
+
     extend self
   end
 end

lib/ssh_data/public_key.rb

@@ -78,6 +78,7 @@ def self.from_data(data)
 end
 
 require "ssh_data/public_key/base"
+require "ssh_data/public_key/security_key"
 require "ssh_data/public_key/rsa"
 require "ssh_data/public_key/dsa"
 require "ssh_data/public_key/ecdsa"

lib/ssh_data/public_key/security_key.rb

@@ -0,0 +1,40 @@
+module SSHData
+  module PublicKey
+    module SecurityKey
+
+      # Defaults to match OpenSSH, user presence is required by verification is not.
+      DEFAULT_SK_VERIFY_OPTS = {
+        user_presence_required: true,
+        user_verification_required: false
+      }
+
+      SK_FLAG_USER_PRESENCE     = 0b001
+      SK_FLAG_USER_VERIFICATION = 0b100
+
+      def build_signing_blob(application, signed_data, signature)
+        read = 0
+        sig_algo, raw_sig, signature_read = Encoding.decode_signature(signature)
+        read += signature_read
+        sk_flags, sk_flags_read = Encoding.decode_uint8(signature, read)
+        read += sk_flags_read
+        counter, counter_read = Encoding.decode_uint32(signature, read)
+        read += counter_read
+
+        if read != signature.bytesize
+          raise DecodeError, "unexpected trailing data"
+        end
+
+        application_hash = OpenSSL::Digest::SHA256.digest(application)
+        message_hash = OpenSSL::Digest::SHA256.digest(signed_data)
+
+        blob =
+          application_hash +
+          Encoding.encode_uint8(sk_flags) +
+          Encoding.encode_uint32(counter) +
+          message_hash
+
+        [sig_algo, raw_sig, sk_flags, blob]
+      end
+    end
+  end
+end

lib/ssh_data/public_key/skecdsa.rb

@@ -1,6 +1,7 @@
 module SSHData
   module PublicKey
     class SKECDSA < ECDSA
+      include SecurityKey
       attr_reader :application
 
       OPENSSL_CURVE_NAME_FOR_CURVE = {
@@ -34,8 +35,25 @@ def rfc4253
         )
       end
 
-      def verify(signed_data, signature)
-        raise UnsupportedError, "SK-ECDSA verification is not supported."
+      def verify(signed_data, signature, **opts)
+        opts = DEFAULT_SK_VERIFY_OPTS.merge(opts)
+        unknown_opts = opts.keys - DEFAULT_SK_VERIFY_OPTS.keys
+        raise UnsupportedError, "Verification options #{unknown_opts.inspect} are not supported." unless unknown_opts.empty?
+
+        sig_algo, raw_sig, sk_flags, blob = build_signing_blob(application, signed_data, signature)
+        self.class.check_algorithm!(sig_algo, curve)
+
+        openssl_sig = self.class.openssl_signature(raw_sig)
+        digest = DIGEST_FOR_CURVE[curve]
+
+        result = openssl.verify(digest.new, openssl_sig, blob)
+
+        # We don't know that the flags are correct until after we've validated the signature
+        # which embeds the flags, so always verify the signature first.
+        return false if opts[:user_presence_required] && (sk_flags & SK_FLAG_USER_PRESENCE != SK_FLAG_USER_PRESENCE)
+        return false if opts[:user_verification_required] && (sk_flags & SK_FLAG_USER_VERIFICATION != SK_FLAG_USER_VERIFICATION)
+
+        result
       end
 
       def ==(other)

lib/ssh_data/public_key/sked25519.rb

@@ -1,13 +1,14 @@
 module SSHData
   module PublicKey
     class SKED25519 < ED25519
+      include SecurityKey
       attr_reader :application
 
       def initialize(algo:, pk:, application:)
         @application = application
         super(algo: algo, pk: pk)
       end
-      
+
       def self.algorithm_identifier
         ALGO_SKED25519
       end
@@ -23,8 +24,30 @@ def rfc4253
         )
       end
 
-      def verify(signed_data, signature)
-        raise UnsupportedError, "SK-Ed25519 verification is not supported."
+      def verify(signed_data, signature, **opts)
+        self.class.ed25519_gem_required!
+        opts = DEFAULT_SK_VERIFY_OPTS.merge(opts)
+        unknown_opts = opts.keys - DEFAULT_SK_VERIFY_OPTS.keys
+        raise UnsupportedError, "Verification options #{unknown_opts.inspect} are not supported." unless unknown_opts.empty?
+
+        sig_algo, raw_sig, sk_flags, blob = build_signing_blob(application, signed_data, signature)
+
+        if sig_algo != self.class.algorithm_identifier
+          raise DecodeError, "bad signature algorithm: #{sig_algo.inspect}"
+        end
+
+        result = begin
+            ed25519_key.verify(raw_sig, blob)
+          rescue Ed25519::VerifyError
+            false
+          end
+
+        # We don't know that the flags are correct until after we've validated the signature
+        # which embeds the flags, so always verify the signature first.
+        return false if opts[:user_presence_required] && (sk_flags & SK_FLAG_USER_PRESENCE != SK_FLAG_USER_PRESENCE)
+        return false if opts[:user_verification_required] && (sk_flags & SK_FLAG_USER_VERIFICATION != SK_FLAG_USER_VERIFICATION)
+
+        result
       end
 
       def ==(other)

lib/ssh_data/signature.rb

@@ -0,0 +1,122 @@
+# frozen_string_literal: true
+
+module SSHData
+  class Signature
+    PEM_TYPE = "SSH SIGNATURE"
+    SIGNATURE_PREAMBLE = "SSHSIG"
+    MIN_SUPPORTED_VERSION = 1
+    MAX_SUPPORTED_VERSION = 1
+
+    # Spec: no SHA1 or SHA384. In practice, OpenSSH is always going to use SHA512.
+    # Note the actual signing / verify primitive may use a different hash algorithm.
+    # https://github.com/openssh/openssh-portable/blob/b7ffbb17e37f59249c31f1ff59d6c5d80888f689/PROTOCOL.sshsig#L67
+    SUPPORTED_HASH_ALGORITHMS = {
+      "sha256" => OpenSSL::Digest::SHA256,
+      "sha512" => OpenSSL::Digest::SHA512,
+    }
+
+    PERMITTED_RSA_SIGNATURE_ALGORITHMS = [
+      PublicKey::ALGO_RSA_SHA2_256,
+      PublicKey::ALGO_RSA_SHA2_512,
+    ]
+
+    attr_reader :sigversion, :namespace, :signature, :reserved, :hash_algorithm
+
+    # Parses a PEM armored SSH signature.
+    # pem - A PEM encoded SSH signature.
+    #
+    # Returns a Signature instance.
+    def self.parse_pem(pem)
+      pem_type = Encoding.pem_type(pem)
+
+      if pem_type != PEM_TYPE
+        raise DecodeError, "Mismatched PEM type. Expecting '#{PEM_TYPE}', actually '#{pem_type}'."
+      end
+
+      blob = Encoding.decode_pem(pem, pem_type)
+      self.parse_blob(blob)
+    end
+
+    def self.parse_blob(blob)
+      data, read = Encoding.decode_openssh_signature(blob)
+
+      if read != blob.bytesize
+        raise DecodeError, "unexpected trailing data"
+      end
+
+      new(**data)
+    end
+
+    def initialize(sigversion:, publickey:, namespace:, reserved:, hash_algorithm:, signature:)
+      if sigversion > MAX_SUPPORTED_VERSION || sigversion < MIN_SUPPORTED_VERSION
+        raise UnsupportedError, "Signature version is not supported"
+      end
+
+      unless SUPPORTED_HASH_ALGORITHMS.has_key?(hash_algorithm)
+        raise UnsupportedError, "Hash algorithm #{hash_algorithm} is not supported."
+      end
+
+      # Spec: empty namespaces are not permitted.
+      # https://github.com/openssh/openssh-portable/blob/b7ffbb17e37f59249c31f1ff59d6c5d80888f689/PROTOCOL.sshsig#L57
+      raise UnsupportedError, "A namespace is required." if namespace.empty?
+
+      # Spec: ignore 'reserved', don't need to validate that it is empty.
+
+      @sigversion = sigversion
+      @publickey = publickey
+      @namespace = namespace
+      @reserved = reserved
+      @hash_algorithm = hash_algorithm
+      @signature = signature
+    end
+
+    def verify(signed_data, **opts)
+      signing_key = public_key
+
+      # Unwrap the signing key if this signature was created from a certificate.
+      key = signing_key.is_a?(Certificate) ? signing_key.public_key : signing_key
+
+      digest_algorithm = SUPPORTED_HASH_ALGORITHMS[@hash_algorithm]
+
+      if key.is_a?(PublicKey::RSA)
+        sig_algo, * = Encoding.decode_signature(@signature)
+
+        # Spec: If the signature is an RSA signature, the legacy 'ssh-rsa'
+        # identifer is not permitted.
+        # https://github.com/openssh/openssh-portable/blob/b7ffbb17e37f59249c31f1ff59d6c5d80888f689/PROTOCOL.sshsig#L72
+        unless PERMITTED_RSA_SIGNATURE_ALGORITHMS.include?(sig_algo)
+          raise UnsupportedError, "RSA signature #{sig_algo} is not supported."
+        end
+      end
+
+      message_digest = digest_algorithm.digest(signed_data)
+      blob =
+        SIGNATURE_PREAMBLE +
+        Encoding.encode_string(@namespace) +
+        Encoding.encode_string(@reserved || "") +
+        Encoding.encode_string(@hash_algorithm) +
+        Encoding.encode_string(message_digest)
+
+      if key.class.include?(::SSHData::PublicKey::SecurityKey)
+        key.verify(blob, @signature, **opts)
+      else
+        key.verify(blob, @signature)
+      end
+    end
+
+    # Gets the public key from the signature.
+    # If the signature was created from a certificate, this will be an
+    # SSHData::Certificate. Otherwise, this will be a PublicKey algorithm.
+    def public_key
+      public_key_algorithm, _ = Encoding.decode_string(@publickey)
+
+      if PublicKey::ALGOS.include?(public_key_algorithm)
+        PublicKey.parse_rfc4253(@publickey)
+      elsif Certificate::ALGOS.include?(public_key_algorithm)
+        Certificate.parse_rfc4253(@publickey)
+      else
+        raise UnsupportedError, "Public key algorithm #{public_key_algorithm} is not supported."
+      end
+    end
+  end
+end

spec/certificate_spec.rb

@@ -281,6 +281,22 @@
     SSHData::PublicKey::RSA                 # ca key type
   ]
 
+  test_cases << [
+    :rsa_leaf_for_skecdsa_ca,               # name
+    "rsa_leaf_for_skecdsa_ca-cert.pub",     # fixture
+    SSHData::Certificate::ALGO_RSA,         # algo
+    SSHData::PublicKey::RSA,                # public key type
+    SSHData::PublicKey::SKECDSA             # ca key type
+  ]
+
+  test_cases << [
+    :rsa_leaf_for_sked25519_ca,             # name
+    "rsa_leaf_for_sked25519_ca-cert.pub",   # fixture
+    SSHData::Certificate::ALGO_RSA,         # algo
+    SSHData::PublicKey::RSA,                # public key type
+    SSHData::PublicKey::SKED25519           # ca key type
+  ]
+
   test_cases.each do |name, fixture_name, algo, public_key_class, ca_key_class|
     describe(name) do
       let(:openssh) { fixture(fixture_name).strip }