NotificationsYou must be signed in to change notification settings
Fork51
Star193

Commit44aec4a

Alex Wilson

committed

#59 want support for SPKI fingerprint format

Reviewed by: Isaac Davis <isaac.davis@joyent.com>Reviewed by: Cody Peter Mello <cody.mello@joyent.com>

1 parent385ff11 commit44aec4aCopy full SHA for 44aec4a

File tree

8 files changed

+220

-54

lines changed

README.md
bin
- sshpk-conv
lib
- fingerprint.js
- formats
  - pkcs8.js
- key.js
- private-key.js
package.json
test
- fingerprint.js

8 files changed

+220

-54

lines changed

`‎README.md`

Lines changed: 23 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -174,14 +174,17 @@ Parameters`
`174`	`174`
`175`	`175`	Same as`this.toBuffer(format).toString()`.
`176`	`176`
`177`		-###`Key#fingerprint([algorithm = 'sha256'])`
	`177`	+###`Key#fingerprint([algorithm = 'sha256'[, hashType = 'ssh']])`
`178`	`178`
`179`	`179`	Creates a new`Fingerprint` object representing this Key's fingerprint.
`180`	`180`
`181`	`181`	`Parameters`
`182`	`182`
`183`	`183`	-`algorithm` -- String name of hash algorithm to use, valid options are`md5`,
`184`	`184`	`sha1`,`sha256`,`sha384`,`sha512`
	`185`	+-`hashType` -- String name of fingerprint hash type to use, valid options are
	`186`	+`ssh` (the type of fingerprint used by OpenSSH, e.g. in
	`187`	+`ssh-keygen`),`spki` (used by HPKP, some OpenSSL applications)
`185`	`188`
`186`	`189`	###`Key#createVerify([hashAlgorithm])`
`187`	`190`
`@@ -333,17 +336,23 @@ Parameters`
`333`	`336`
`334`	`337`	`##Fingerprints`
`335`	`338`
`336`		-###`parseFingerprint(fingerprint[,algorithms])`
	`339`	+###`parseFingerprint(fingerprint[,options])`
`337`	`340`
`338`	`341`	Pre-parses a fingerprint, creating a`Fingerprint` object that can be used to
`339`	`342`	quickly locate a key by using the`Fingerprint#matches` function.
`340`	`343`
`341`	`344`	`Parameters`
`342`	`345`
`343`	`346`	-`fingerprint` -- String, the fingerprint value, in any supported format
`344`		--`algorithms` -- Optional list of strings, names of hash algorithms to limit
`345`		- support to. If`fingerprint` uses a hash algorithm not on
`346`		- this list, throws`InvalidAlgorithmError`.
	`347`	+-`options` -- Optional Object, with properties:
	`348`	+-`algorithms` -- Array of strings, names of hash algorithms to limit
	`349`	+ support to. If`fingerprint` uses a hash algorithm not on
	`350`	+ this list, throws`InvalidAlgorithmError`.
	`351`	+-`hashType` -- String, the type of hash the fingerprint uses, either`ssh`
	`352`	+ or`spki` (normally auto-detected based on the format, but
	`353`	`+ can be overridden)`
	`354`	+-`type` -- String, the entity this fingerprint identifies, either`key` or
	`355`	+`certificate`
`347`	`356`
`348`	`357`	###`Fingerprint.isFingerprint(obj)`
`349`	`358`
`@@ -364,14 +373,19 @@ Parameters`
`364`	`373`	`base64`. If this`Fingerprint` uses the`md5` algorithm, the
`365`	`374`	default format is`hex`. Otherwise, the default is`base64`.
`366`	`375`
`367`		-###`Fingerprint#matches(key)`
	`376`	+###`Fingerprint#matches(keyOrCertificate)`
`368`	`377`
`369`		-Verifies whether or not this`Fingerprint` matches a given`Key`. This function
`370`		`-uses double-hashing to avoid leaking timing information. Returns a boolean.`
	`378`	+Verifies whether or not this`Fingerprint` matches a given`Key` or
	`379`	+`Certificate`. This function uses double-hashing to avoid leaking timing
	`380`	`+information. Returns a boolean.`
	`381`	`+`
	`382`	+Note that a`Key`-type Fingerprint will always return`false` if asked to match
	`383`	+a`Certificate` and vice versa.
`371`	`384`
`372`	`385`	`Parameters`
`373`	`386`
`374`		--`key` -- a`Key` object, the key to match this fingerprint against
	`387`	+-`keyOrCertificate` -- a`Key` object or`Certificate` object, the entity to
	`388`	`+ match this fingerprint against`
`375`	`389`
`376`	`390`	`##Signatures`
`377`	`391`

`‎bin/sshpk-conv`

Lines changed: 53 additions & 17 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`#!/usr/bin/env node`
`2`	`2`	`// -- mode: js --`
`3`	`3`	`// vim: set filetype=javascript :`
`4`		`-// Copyright2015 Joyent, Inc.All rights reserved.`
	`4`	`+// Copyright2018 Joyent, Inc.All rights reserved.`
`5`	`5`
`6`	`6`	`vardashdash=require('dashdash');`
`7`	`7`	`varsshpk=require('../lib/index');`
`@@ -47,6 +47,21 @@ var options = [`
`47`	`47`	`type:'bool',`
`48`	`48`	`help:'Print key metadata instead of converting'`
`49`	`49`	`},`
	`50`	`+{`
	`51`	`+names:['fingerprint','F'],`
	`52`	`+type:'bool',`
	`53`	`+help:'Output key fingerprint'`
	`54`	`+},`
	`55`	`+{`
	`56`	`+names:['hash','H'],`
	`57`	`+type:'string',`
	`58`	`+help:'Hash function to use for key fingeprint with -F'`
	`59`	`+},`
	`60`	`+{`
	`61`	`+names:['spki','s'],`
	`62`	`+type:'bool',`
	`63`	`+help:'With -F, generates an SPKI fingerprint instead of SSH'`
	`64`	`+},`
`50`	`65`	`{`
`51`	`66`	`names:['comment','c'],`
`52`	`67`	`type:'string',`
`@@ -75,13 +90,17 @@ if (require.main === module) {`
`75`	`90`	`varhelp=parser.help({}).trimRight();`
`76`	`91`	`console.error('sshpk-conv: converts between SSH key formats\n');`
`77`	`92`	`console.error(help);`
`78`		`-console.error('\navailable formats:');`
	`93`	`+console.error('\navailablekeyformats:');`
`79`	`94`	`console.error(' - pem, pkcs1 eg id_rsa');`
`80`	`95`	`console.error(' - ssh eg id_rsa.pub');`
`81`	`96`	`console.error(' - pkcs8 format you want for openssl');`
`82`	`97`	`console.error(' - openssh like output of ssh-keygen -o');`
`83`	`98`	`console.error(' - rfc4253 raw OpenSSH wire format');`
`84`	`99`	`console.error(' - dnssec dnssec-keygen format');`
	`100`	`+console.error('\navailable fingerprint formats:');`
	`101`	`+console.error(' - hex colon-separated hex for SSH');`
	`102`	`+console.error(' straight hex for SPKI');`
	`103`	`+console.error(' - base64 SHA256:* format from OpenSSH');`
`85`	`104`	`process.exit(1);`
`86`	`105`	`}`
`87`	`106`
`@@ -172,18 +191,7 @@ if (require.main === module) {`
`172`	`191`	`if(opts.comment)`
`173`	`192`	`key.comment=opts.comment;`
`174`	`193`
`175`		`-if(!opts.identify){`
`176`		`-fmt=undefined;`
`177`		`-if(opts.outformat)`
`178`		`-fmt=opts.outformat;`
`179`		`-outFile.write(key.toBuffer(fmt));`
`180`		`-if(fmt==='ssh'\|\|`
`181`		`-(!opts.private&&fmt===undefined))`
`182`		`-outFile.write('\n');`
`183`		`-outFile.once('drain',function(){`
`184`		`-process.exit(0);`
`185`		`-});`
`186`		`-}else{`
	`194`	`+if(opts.identify){`
`187`	`195`	`varkind='public';`
`188`	`196`	`if(sshpk.PrivateKey.isPrivateKey(key))`
`189`	`197`	`kind='private';`
`@@ -193,10 +201,38 @@ if (require.main === module) {`
`193`	`201`	`console.log('ECDSA curve: %s',key.curve);`
`194`	`202`	`if(key.comment)`
`195`	`203`	`console.log('Comment: %s',key.comment);`
`196`		`-console.log('Fingerprint:');`
`197`		`-console.log(' '+key.fingerprint().toString());`
`198`		`-console.log(' '+key.fingerprint('md5').toString());`
	`204`	`+console.log('SHA256 fingerprint: '+`
	`205`	`+key.fingerprint('sha256').toString());`
	`206`	`+console.log('MD5 fingerprint: '+`
	`207`	`+key.fingerprint('md5').toString());`
	`208`	`+console.log('SPKI-SHA256 fingerprint: '+`
	`209`	`+key.fingerprint('sha256','spki').toString());`
`199`	`210`	`process.exit(0);`
	`211`	`+return;`
`200`	`212`	`}`
	`213`	`+`
	`214`	`+if(opts.fingerprint){`
	`215`	`+varhash=opts.hash;`
	`216`	`+vartype=opts.spki ?'spki' :'ssh';`
	`217`	`+varformat=opts.outformat;`
	`218`	`+varfp=key.fingerprint(hash,type).toString(format);`
	`219`	`+outFile.write(fp);`
	`220`	`+outFile.write('\n');`
	`221`	`+outFile.once('drain',function(){`
	`222`	`+process.exit(0);`
	`223`	`+});`
	`224`	`+return;`
	`225`	`+}`
	`226`	`+`
	`227`	`+fmt=undefined;`
	`228`	`+if(opts.outformat)`
	`229`	`+fmt=opts.outformat;`
	`230`	`+outFile.write(key.toBuffer(fmt));`
	`231`	`+if(fmt==='ssh'\|\|`
	`232`	`+(!opts.private&&fmt===undefined))`
	`233`	`+outFile.write('\n');`
	`234`	`+outFile.once('drain',function(){`
	`235`	`+process.exit(0);`
	`236`	`+});`
`201`	`237`	`});`
`202`	`238`	`}`

`‎lib/fingerprint.js`

Lines changed: 62 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-// Copyright2015 Joyent, Inc.`
	`1`	`+// Copyright2018 Joyent, Inc.`
`2`	`2`
`3`	`3`	`module.exports=Fingerprint;`
`4`	`4`
`@@ -8,6 +8,7 @@ var algs = require('./algs');`
`8`	`8`	`varcrypto=require('crypto');`
`9`	`9`	`varerrs=require('./errors');`
`10`	`10`	`varKey=require('./key');`
	`11`	`+varPrivateKey=require('./private-key');`
`11`	`12`	`varCertificate=require('./certificate');`
`12`	`13`	`varutils=require('./utils');`
`13`	`14`
`@@ -26,11 +27,12 @@ function Fingerprint(opts) {`
`26`	`27`
`27`	`28`	`this.hash=opts.hash;`
`28`	`29`	`this.type=opts.type;`
	`30`	`+this.hashType=opts.hashType;`
`29`	`31`	`}`
`30`	`32`
`31`	`33`	`Fingerprint.prototype.toString=function(format){`
`32`	`34`	`if(format===undefined){`
`33`		`-if(this.algorithm==='md5')`
	`35`	`+if(this.algorithm==='md5'\|\|this.hashType==='spki')`
`34`	`36`	`format='hex';`
`35`	`37`	`else`
`36`	`38`	`format='base64';`
`@@ -39,8 +41,12 @@ Fingerprint.prototype.toString = function (format) {`
`39`	`41`
`40`	`42`	`switch(format){`
`41`	`43`	`case'hex':`
	`44`	`+if(this.hashType==='spki')`
	`45`	`+return(this.hash.toString('hex'));`
`42`	`46`	`return(addColons(this.hash.toString('hex')));`
`43`	`47`	`case'base64':`
	`48`	`+if(this.hashType==='spki')`
	`49`	`+return(this.hash.toString('base64'));`
`44`	`50`	`return(sshBase64Format(this.algorithm,`
`45`	`51`	`this.hash.toString('base64')));`
`46`	`52`	`default:`
`@@ -50,14 +56,20 @@ Fingerprint.prototype.toString = function (format) {`
`50`	`56`
`51`	`57`	`Fingerprint.prototype.matches=function(other){`
`52`	`58`	`assert.object(other,'key or certificate');`
`53`		`-if(this.type==='key'){`
	`59`	`+if(this.type==='key'&&this.hashType!=='ssh'){`
	`60`	`+utils.assertCompatible(other,Key,[1,7],'key with spki');`
	`61`	`+if(PrivateKey.isPrivateKey(other)){`
	`62`	`+utils.assertCompatible(other,PrivateKey,[1,6],`
	`63`	`+'privatekey with spki support');`
	`64`	`+}`
	`65`	`+}elseif(this.type==='key'){`
`54`	`66`	`utils.assertCompatible(other,Key,[1,0],'key');`
`55`	`67`	`}else{`
`56`	`68`	`utils.assertCompatible(other,Certificate,[1,0],`
`57`	`69`	`'certificate');`
`58`	`70`	`}`
`59`	`71`
`60`		`-vartheirHash=other.hash(this.algorithm);`
	`72`	`+vartheirHash=other.hash(this.algorithm,this.hashType);`
`61`	`73`	`vartheirHash2=crypto.createHash(this.algorithm).`
`62`	`74`	`update(theirHash).digest('base64');`
`63`	`75`
`@@ -68,6 +80,11 @@ Fingerprint.prototype.matches = function (other) {`
`68`	`80`	`return(this.hash2===theirHash2);`
`69`	`81`	`};`
`70`	`82`
	`83`	`+/JSSTYLED/`
	`84`	`+varbase64RE=/^[A-Za-z0-9+\/=]+$/;`
	`85`	`+/JSSTYLED/`
	`86`	`+varhexRE=/^[a-fA-F0-9]+$/;`
	`87`	`+`
`71`	`88`	`Fingerprint.parse=function(fp,options){`
`72`	`89`	`assert.string(fp,'fingerprint');`
`73`	`90`
`@@ -81,13 +98,18 @@ Fingerprint.parse = function (fp, options) {`
`81`	`98`	`options={};`
`82`	`99`	`if(options.enAlgs!==undefined)`
`83`	`100`	`enAlgs=options.enAlgs;`
	`101`	`+if(options.algorithms!==undefined)`
	`102`	`+enAlgs=options.algorithms;`
`84`	`103`	`assert.optionalArrayOfString(enAlgs,'algorithms');`
`85`	`104`
	`105`	`+varhashType='ssh';`
	`106`	`+if(options.hashType!==undefined)`
	`107`	`+hashType=options.hashType;`
	`108`	`+assert.string(hashType,'options.hashType');`
	`109`	`+`
`86`	`110`	`varparts=fp.split(':');`
`87`	`111`	`if(parts.length==2){`
`88`	`112`	`alg=parts[0].toLowerCase();`
`89`		`-/JSSTYLED/`
`90`		`-varbase64RE=/^[A-Za-z0-9+\/=]+$/;`
`91`	`113`	`if(!base64RE.test(parts[1]))`
`92`	`114`	`throw(newFingerprintFormatError(fp));`
`93`	`115`	`try{`
`@@ -107,15 +129,42 @@ Fingerprint.parse = function (fp, options) {`
`107`	`129`	`return(p);`
`108`	`130`	`});`
`109`	`131`	`parts=parts.join('');`
`110`		`-/JSSTYLED/`
`111`		`-varmd5RE=/^[a-fA-F0-9]+$/;`
`112`		`-if(!md5RE.test(parts)\|\|parts.length%2!==0)`
	`132`	`+if(!hexRE.test(parts)\|\|parts.length%2!==0)`
`113`	`133`	`throw(newFingerprintFormatError(fp));`
`114`	`134`	`try{`
`115`	`135`	`hash=Buffer.from(parts,'hex');`
`116`	`136`	`}catch(e){`
`117`	`137`	`throw(newFingerprintFormatError(fp));`
`118`	`138`	`}`
	`139`	`+}else{`
	`140`	`+if(hexRE.test(fp)){`
	`141`	`+hash=Buffer.from(fp,'hex');`
	`142`	`+}elseif(base64RE.test(fp)){`
	`143`	`+hash=Buffer.from(fp,'base64');`
	`144`	`+}else{`
	`145`	`+throw(newFingerprintFormatError(fp));`
	`146`	`+}`
	`147`	`+`
	`148`	`+switch(hash.length){`
	`149`	`+case32:`
	`150`	`+alg='sha256';`
	`151`	`+break;`
	`152`	`+case16:`
	`153`	`+alg='md5';`
	`154`	`+break;`
	`155`	`+case20:`
	`156`	`+alg='sha1';`
	`157`	`+break;`
	`158`	`+case64:`
	`159`	`+alg='sha512';`
	`160`	`+break;`
	`161`	`+default:`
	`162`	`+throw(newFingerprintFormatError(fp));`
	`163`	`+}`
	`164`	`+`
	`165`	`+/* Plain hex/base64: guess it's probably SPKI unless told. */`
	`166`	`+if(options.hashType===undefined)`
	`167`	`+hashType='spki';`
`119`	`168`	`}`
`120`	`169`
`121`	`170`	`if(alg===undefined)`
`@@ -133,7 +182,8 @@ Fingerprint.parse = function (fp, options) {`
`133`	`182`	`return(newFingerprint({`
`134`	`183`	`algorithm:alg,`
`135`	`184`	`hash:hash,`
`136`		`-type:options.type\|\|'key'`
	`185`	`+type:options.type\|\|'key',`
	`186`	`+hashType:hashType`
`137`	`187`	`}));`
`138`	`188`	`};`
`139`	`189`
`@@ -159,8 +209,9 @@ Fingerprint.isFingerprint = function (obj, ver) {`
`159`	`209`	`* API versions for Fingerprint:`
`160`	`210`	`* [1,0] -- initial ver`
`161`	`211`	`* [1,1] -- first tagged ver`
	`212`	`+ * [1,2] -- hashType and spki support`
`162`	`213`	`*/`
`163`		`-Fingerprint.prototype._sshpkApiVersion=[1,1];`
	`214`	`+Fingerprint.prototype._sshpkApiVersion=[1,2];`
`164`	`215`
`165`	`216`	`Fingerprint._oldVersionDetect=function(obj){`
`166`	`217`	`assert.func(obj.toString);`

`‎lib/formats/pkcs8.js`

Lines changed: 8 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,10 +1,11 @@`
`1`		`-// Copyright2015 Joyent, Inc.`
	`1`	`+// Copyright2018 Joyent, Inc.`
`2`	`2`
`3`	`3`	`module.exports={`
`4`	`4`	`read:read,`
`5`	`5`	`readPkcs8:readPkcs8,`
`6`	`6`	`write:write,`
`7`	`7`	`writePkcs8:writePkcs8,`
	`8`	`+pkcs8ToBuffer:pkcs8ToBuffer,`
`8`	`9`
`9`	`10`	`readECDSACurve:readECDSACurve,`
`10`	`11`	`writeECDSACurve:writeECDSACurve`
`@@ -412,6 +413,12 @@ function readPkcs8X25519Private(der) {`
`412`	`413`	`return(newPrivateKey(key));`
`413`	`414`	`}`
`414`	`415`
	`416`	`+functionpkcs8ToBuffer(key){`
	`417`	`+varder=newasn1.BerWriter();`
	`418`	`+writePkcs8(der,key);`
	`419`	`+return(der.buffer);`
	`420`	`+}`
	`421`	`+`
`415`	`422`	`functionwritePkcs8(der,key){`
`416`	`423`	`der.startSequence();`
`417`	`424`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit44aec4a

File tree

8 files changed

8 files changed

`‎README.md`

`‎bin/sshpk-conv`

`‎lib/fingerprint.js`

`‎lib/formats/pkcs8.js`

0 commit comments