diff options
| author | Jeff Forcier <jeff@bitprophet.org> | 2023-05-08 16:31:23 -0400 |
|---|---|---|
| committer | Jeff Forcier <jeff@bitprophet.org> | 2023-05-18 13:57:19 -0400 |
| commit | ebc96706233346fcfc3071a390037cf26129727b (patch) | |
| tree | 54529257b49acfe4d7f92fd1e1b85d4f9378fc7a | |
| parent | a644dea52fce383f2fc9df916aa7d6491cd52075 (diff) | |
Migrate cert related tests to newer pkey module
- Merge them but also break them up. It's complicated.
- Move cert files into _support
- Related comments in the source as some of this is non-intuitive
| -rw-r--r-- | paramiko/rsakey.py | 3 | ||||
| -rw-r--r-- | tests/_support/dss.key-cert.pub (renamed from tests/cert_support/test_dss.key-cert.pub) | 0 | ||||
| -rw-r--r-- | tests/_support/ecdsa_256.key (renamed from tests/cert_support/test_ecdsa_256.key) | 0 | ||||
| -rw-r--r-- | tests/_support/ecdsa_256.key-cert.pub (renamed from tests/cert_support/test_ecdsa_256.key-cert.pub) | 0 | ||||
| -rw-r--r-- | tests/_support/ed25519.key-cert.pub (renamed from tests/cert_support/test_ed25519.key-cert.pub) | 0 | ||||
| -rw-r--r-- | tests/_support/rsa.key-cert.pub (renamed from tests/cert_support/test_rsa.key-cert.pub) | 0 | ||||
| -rw-r--r-- | tests/cert_support/test_dss.key | 12 | ||||
| -rw-r--r-- | tests/cert_support/test_ed25519.key | 8 | ||||
| -rw-r--r-- | tests/cert_support/test_rsa.key | 15 | ||||
| -rw-r--r-- | tests/pkey.py | 51 | ||||
| -rw-r--r-- | tests/test_client.py | 18 | ||||
| -rw-r--r-- | tests/test_pkey.py | 56 |
12 files changed, 59 insertions, 104 deletions
diff --git a/paramiko/rsakey.py b/paramiko/rsakey.py index b25768b6..c98a07a2 100644 --- a/paramiko/rsakey.py +++ b/paramiko/rsakey.py @@ -125,9 +125,12 @@ class RSAKey(PKey): sig = self.key.sign( data, padding=padding.PKCS1v15(), + # HASHES being just a map from long identifier to either SHA1 or + # SHA256 - cert'ness is not truly relevant. algorithm=self.HASHES[algorithm](), ) m = Message() + # And here again, cert'ness is irrelevant, so it is stripped out. m.add_string(algorithm.replace("-cert-v01@openssh.com", "")) m.add_string(sig) return m diff --git a/tests/cert_support/test_dss.key-cert.pub b/tests/_support/dss.key-cert.pub index 07fd5578..07fd5578 100644 --- a/tests/cert_support/test_dss.key-cert.pub +++ b/tests/_support/dss.key-cert.pub diff --git a/tests/cert_support/test_ecdsa_256.key b/tests/_support/ecdsa_256.key index 42d44734..42d44734 100644 --- a/tests/cert_support/test_ecdsa_256.key +++ b/tests/_support/ecdsa_256.key diff --git a/tests/cert_support/test_ecdsa_256.key-cert.pub b/tests/_support/ecdsa_256.key-cert.pub index f2c93ccf..f2c93ccf 100644 --- a/tests/cert_support/test_ecdsa_256.key-cert.pub +++ b/tests/_support/ecdsa_256.key-cert.pub diff --git a/tests/cert_support/test_ed25519.key-cert.pub b/tests/_support/ed25519.key-cert.pub index 4e01415a..4e01415a 100644 --- a/tests/cert_support/test_ed25519.key-cert.pub +++ b/tests/_support/ed25519.key-cert.pub diff --git a/tests/cert_support/test_rsa.key-cert.pub b/tests/_support/rsa.key-cert.pub index 7487ab66..7487ab66 100644 --- a/tests/cert_support/test_rsa.key-cert.pub +++ b/tests/_support/rsa.key-cert.pub diff --git a/tests/cert_support/test_dss.key b/tests/cert_support/test_dss.key deleted file mode 100644 index e10807f1..00000000 --- a/tests/cert_support/test_dss.key +++ /dev/null @@ -1,12 +0,0 @@ ------BEGIN DSA PRIVATE KEY----- -MIIBuwIBAAKBgQDngaYDZ30c6/7cJgEEbtl8FgKdwhba1Z7oOrOn4MI/6C42G1bY -wMuqZf4dBCglsdq39SHrcjbE8Vq54gPSOh3g4+uV9Rcg5IOoPLbwp2jQfF6f1FIb -sx7hrDCIqUcQccPSxetPBKmXI9RN8rZLaFuQeTnI65BKM98Ruwvq6SI2LwIVAPDP -hSeawaJI27mKqOfe5PPBSmyHAoGBAJMXxXmPD9sGaQ419DIpmZecJKBUAy9uXD8x -gbgeDpwfDaFJP8owByCKREocPFfi86LjCuQkyUKOfjYMN6iHIf1oEZjB8uJAatUr -FzI0ArXtUqOhwTLwTyFuUojE5own2WYsOAGByvgfyWjsGhvckYNhI4ODpNdPlxQ8 -ZamaPGPsAoGARmR7CCPjodxASvRbIyzaVpZoJ/Z6x7dAumV+ysrV1BVYd0lYukmn -jO1kKBWApqpH1ve9XDQYN8zgxM4b16L21kpoWQnZtXrY3GZ4/it9kUgyB7+NwacI -BlXa8cMDL7Q/69o0d54U0X/NeX5QxuYR6OMJlrkQB7oiW/P/1mwjQgECFGI9QPSc -h9pT9XHqn+1rZ4bK+QGA ------END DSA PRIVATE KEY----- diff --git a/tests/cert_support/test_ed25519.key b/tests/cert_support/test_ed25519.key deleted file mode 100644 index eb9f94c2..00000000 --- a/tests/cert_support/test_ed25519.key +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN OPENSSH PRIVATE KEY----- -b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW -QyNTUxOQAAACB69SvZKJh/9VgSL0G27b5xVYa8nethH3IERbi0YqJDXwAAAKhjwAdrY8AH -awAAAAtzc2gtZWQyNTUxOQAAACB69SvZKJh/9VgSL0G27b5xVYa8nethH3IERbi0YqJDXw -AAAEA9tGQi2IrprbOSbDCF+RmAHd6meNSXBUQ2ekKXm4/8xnr1K9komH/1WBIvQbbtvnFV -hryd62EfcgRFuLRiokNfAAAAI2FsZXhfZ2F5bm9yQEFsZXhzLU1hY0Jvb2stQWlyLmxvY2 -FsAQI= ------END OPENSSH PRIVATE KEY----- diff --git a/tests/cert_support/test_rsa.key b/tests/cert_support/test_rsa.key deleted file mode 100644 index f50e9c53..00000000 --- a/tests/cert_support/test_rsa.key +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIICWgIBAAKBgQDTj1bqB4WmayWNPB+8jVSYpZYk80Ujvj680pOTh2bORBjbIAyz -oWGW+GUjzKxTiiPvVmxFgx5wdsFvF03v34lEVVhMpouqPAYQ15N37K/ir5XY+9m/ -d8ufMCkjeXsQkKqFbAlQcnWMCRnOoPHS3I4vi6hmnDDeeYTSRvfLbW0fhwIBIwKB -gBIiOqZYaoqbeD9OS9z2K9KR2atlTxGxOJPXiP4ESqP3NVScWNwyZ3NXHpyrJLa0 -EbVtzsQhLn6rF+TzXnOlcipFvjsem3iYzCpuChfGQ6SovTcOjHV9z+hnpXvQ/fon -soVRZY65wKnF7IAoUwTmJS9opqgrN6kRgCd3DASAMd1bAkEA96SBVWFt/fJBNJ9H -tYnBKZGw0VeHOYmVYbvMSstssn8un+pQpUm9vlG/bp7Oxd/m+b9KWEh2xPfv6zqU -avNwHwJBANqzGZa/EpzF4J8pGti7oIAPUIDGMtfIcmqNXVMckrmzQ2vTfqtkEZsA -4rE1IERRyiJQx6EJsz21wJmGV9WJQ5kCQQDwkS0uXqVdFzgHO6S++tjmjYcxwr3g -H0CoFYSgbddOT6miqRskOQF3DZVkJT3kyuBgU2zKygz52ukQZMqxCb1fAkASvuTv -qfpH87Qq5kQhNKdbbwbmd2NxlNabazPijWuphGTdW0VfJdWfklyS2Kr+iqrs/5wV -HhathJt636Eg7oIjAkA8ht3MQ+XSl9yIJIS8gVpbPxSw5OMfw0PjVE7tBdQruiSc -nvuQES5C9BMHjF39LZiGH1iLQy7FgdHyoP+eodI7 ------END RSA PRIVATE KEY----- diff --git a/tests/pkey.py b/tests/pkey.py index 9c8fe8fc..98193165 100644 --- a/tests/pkey.py +++ b/tests/pkey.py @@ -1,7 +1,7 @@ from pytest import raises from cryptography.hazmat.primitives.asymmetric.ed448 import Ed448PrivateKey -from paramiko import PKey, UnknownKeyType, RSAKey +from paramiko import PKey, Ed25519Key, RSAKey, UnknownKeyType, Message from ._util import _support @@ -36,3 +36,52 @@ class PKey_: # a Python file is not a private key! with raises(ValueError): PKey.from_path(__file__) + + + class load_certificate: + def rsa_public_cert_blobs(self): + # Data to test signing with (arbitrary) + data = b"ice weasels" + # Load key w/o cert at first (so avoiding .from_path) + key = RSAKey.from_private_key_file(_support("rsa.key")) + assert key.public_blob is None + # Sign regular-style (using, arbitrarily, SHA2) + msg = key.sign_ssh_data(data, "rsa-sha2-256") + msg.rewind() + assert "rsa-sha2-256" == msg.get_text() + signed = msg.get_binary() # for comparison later + + # Load cert and inspect its internals + key.load_certificate(_support("rsa.key-cert.pub")) + assert key.public_blob is not None + assert key.public_blob.key_type == "ssh-rsa-cert-v01@openssh.com" + assert key.public_blob.comment == "test_rsa.key.pub" + msg = Message(key.public_blob.key_blob) + # cert type + assert msg.get_text() == "ssh-rsa-cert-v01@openssh.com" + # nonce + msg.get_string() + # public numbers + assert msg.get_mpint() == key.public_numbers.e + assert msg.get_mpint() == key.public_numbers.n + # serial number + assert msg.get_int64() == 1234 + # TODO: whoever wrote the OG tests didn't care about the remaining + # fields from + # https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys + # so neither do I, for now... + + # Sign cert-style (still SHA256 - so this actually does almost + # exactly the same thing under the hood as the previous sign) + msg = key.sign_ssh_data(data, "rsa-sha2-256-cert-v01@openssh.com") + msg.rewind() + assert "rsa-sha2-256" == msg.get_text() + assert signed == msg.get_binary() # same signature as above + msg.rewind() + assert key.verify_ssh_sig(b"ice weasels", msg) # our data verified + + def loading_cert_of_different_type_from_key_raises_ValueError(self): + edkey = Ed25519Key.from_private_key_file(_support("ed25519.key")) + err = "PublicBlob type ssh-rsa-cert-v01@openssh.com incompatible with key type ssh-ed25519" # noqa + with raises(ValueError, match=err): + edkey.load_certificate(_support("rsa.key-cert.pub")) diff --git a/tests/test_client.py b/tests/test_client.py index ea7396d9..5ce6f0a2 100644 --- a/tests/test_client.py +++ b/tests/test_client.py @@ -328,11 +328,10 @@ class SSHClientTest(ClientTest): # server-side behavior is 100% identical.) # NOTE: only bothered whipping up one cert per overall class/family. for type_ in ("rsa", "dss", "ecdsa_256", "ed25519"): - cert_name = "test_{}.key-cert.pub".format(type_) - cert_path = _support(os.path.join("cert_support", cert_name)) + key_path = _support(f"{type_}.key") self._test_connection( - key_filename=cert_path, - public_blob=PublicBlob.from_file(cert_path), + key_filename=key_path, + public_blob=PublicBlob.from_file(f"{key_path}-cert.pub"), ) @requires_sha1_signing @@ -344,13 +343,10 @@ class SSHClientTest(ClientTest): # that a specific cert was found, along with regular authorization # succeeding proving that the overall flow works. for type_ in ("rsa", "dss", "ecdsa_256", "ed25519"): - key_name = "test_{}.key".format(type_) - key_path = _support(os.path.join("cert_support", key_name)) + key_path = _support(f"{type_}.key") self._test_connection( key_filename=key_path, - public_blob=PublicBlob.from_file( - "{}-cert.pub".format(key_path) - ), + public_blob=PublicBlob.from_file(f"{key_path}-cert.pub"), ) def _cert_algo_test(self, ver, alg): @@ -359,9 +355,7 @@ class SSHClientTest(ClientTest): self._test_connection( # NOTE: SSHClient is able to take either the key or the cert & will # set up its internals as needed - key_filename=_support( - os.path.join("cert_support", "test_rsa.key-cert.pub") - ), + key_filename=_support("rsa.key-cert.pub"), server_name="SSH-2.0-OpenSSH_{}".format(ver), ) assert ( diff --git a/tests/test_pkey.py b/tests/test_pkey.py index 47e19945..9d840bb4 100644 --- a/tests/test_pkey.py +++ b/tests/test_pkey.py @@ -686,43 +686,6 @@ class KeyTest(unittest.TestCase): finally: os.remove(newfile) - def test_certificates(self): - # NOTE: we also test 'live' use of cert auth for all key types in - # test_client.py; this and nearby cert tests are more about the gritty - # details. - # PKey.load_certificate - key_path = _support(os.path.join("cert_support", "test_rsa.key")) - key = RSAKey.from_private_key_file(key_path) - self.assertTrue(key.public_blob is None) - cert_path = _support( - os.path.join("cert_support", "test_rsa.key-cert.pub") - ) - key.load_certificate(cert_path) - self.assertTrue(key.public_blob is not None) - self.assertEqual( - key.public_blob.key_type, "ssh-rsa-cert-v01@openssh.com" - ) - self.assertEqual(key.public_blob.comment, "test_rsa.key.pub") - # Delve into blob contents, for test purposes - msg = Message(key.public_blob.key_blob) - self.assertEqual(msg.get_text(), "ssh-rsa-cert-v01@openssh.com") - msg.get_string() - e = msg.get_mpint() - n = msg.get_mpint() - self.assertEqual(e, key.public_numbers.e) - self.assertEqual(n, key.public_numbers.n) - # Serial number - self.assertEqual(msg.get_int64(), 1234) - - # Prevented from loading certificate that doesn't match - key_path = _support(os.path.join("cert_support", "test_ed25519.key")) - key1 = Ed25519Key.from_private_key_file(key_path) - self.assertRaises( - ValueError, - key1.load_certificate, - _support("test_rsa.key-cert.pub"), - ) - @patch("paramiko.pkey.os") def _test_keyfile_race(self, os_, exists): # Re: CVE-2022-24302 @@ -776,22 +739,3 @@ class KeyTest(unittest.TestCase): finally: if os.path.exists(new): os.unlink(new) - - def test_sign_rsa_with_certificate(self): - data = b"ice weasels" - key_path = _support(os.path.join("cert_support", "test_rsa.key")) - key = RSAKey.from_private_key_file(key_path) - msg = key.sign_ssh_data(data, "rsa-sha2-256") - msg.rewind() - assert "rsa-sha2-256" == msg.get_text() - sign = msg.get_binary() - cert_path = _support( - os.path.join("cert_support", "test_rsa.key-cert.pub") - ) - key.load_certificate(cert_path) - msg = key.sign_ssh_data(data, "rsa-sha2-256-cert-v01@openssh.com") - msg.rewind() - assert "rsa-sha2-256" == msg.get_text() - assert sign == msg.get_binary() - msg.rewind() - assert key.verify_ssh_sig(b"ice weasels", msg) |