author | Jeff Forcier <jeff@bitprophet.org> | 2021-12-23 15:13:54 -0500 |
---|---|---|
committer | Jeff Forcier <jeff@bitprophet.org> | 2021-12-23 15:58:54 -0500 |
commit | 2b66625659e66858cb5f557325c5fdd9c35fd073 (patch) | |
tree | 7760ef34e6a5f1727741f31ef57c524f30a3a308 /paramiko/agent.py | |
parent | 363a28d94cada17f012c1604a3c99c71a2bda003 (diff) |
Add agent RSA-SHA2 support, also tweak changelog w/ more tickets
Diffstat (limited to 'paramiko/agent.py')
-rw-r--r-- | paramiko/agent.py | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/paramiko/agent.py b/paramiko/agent.py
index 3a02c06c..f28bf128 100644
--- a/paramiko/agent.py
+++ b/paramiko/agent.py
@@ -42,6 +42,18 @@ SSH2_AGENT_IDENTITIES_ANSWER = 12
 cSSH2_AGENTC_SIGN_REQUEST = byte_chr(13)
 SSH2_AGENT_SIGN_RESPONSE = 14
+SSH_AGENT_RSA_SHA2_256 = 2
+SSH_AGENT_RSA_SHA2_512 = 4
+# NOTE: RFC mildly confusing; while these flags are OR'd together, OpenSSH at
+# least really treats them like "AND"s, in the sense that if it finds the
+# SHA256 flag set it won't continue looking at the SHA512 one; it
+# short-circuits right away.
+# Thus, we never want to eg submit 6 to say "either's good".
+ALGORITHM_FLAG_MAP = {
+ "rsa-sha2-256": SSH_AGENT_RSA_SHA2_256,
+ "rsa-sha2-512": SSH_AGENT_RSA_SHA2_512,
+}
+
 class AgentSSH(object):
 def __init__(self):
@@ -416,7 +428,7 @@ class AgentKey(PKey):
 msg.add_byte(cSSH2_AGENTC_SIGN_REQUEST)
 msg.add_string(self.blob)
 msg.add_string(data)
- msg.add_int(0)
+ msg.add_int(ALGORITHM_FLAG_MAP.get(algorithm, 0))
 ptype, result = self.agent._send_message(msg)
 if ptype != SSH2_AGENT_SIGN_RESPONSE:
 raise SSHException("key cannot be used for signing") |
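Review bot: The comment above `ALGORITHM_FLAG_MAP` cites "the RFC" without naming the document, and describing the flags as both OR'd and "AND"s is harder to follow than the rule it protects. Stating the rule directly would read better, for example `# Send exactly one flag per request: OpenSSH checks SHA2-256 first and stops, so 2|4 yields SHA-256, never "either".`, together with the name of the agent protocol document the two constants are taken from. The comment could also say that any algorithm name absent from this map is sent as flags 0 by the `.get(algorithm, 0)` lookup in the second hunk.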
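Review bot: `ALGORITHM_FLAG_MAP.get(algorithm, 0)` turns every name that is not one of the two map keys into flags 0, so the sign request goes out with no hash selection and the caller gets no signal. For an RSA key, flags 0 means the agent's default signature type (ssh-rsa with SHA-1 in OpenSSH), so a misspelled or otherwise unmapped RSA-SHA2 name is downgraded silently. Consider a comment such as `# 0 = no flags: agent picks its default (SHA-1 ssh-rsa for RSA keys)` and a debug log when `algorithm` is set but unmapped. An agent that ignores the flags would also go unnoticed unless the algorithm name inside the returned signature is compared with the requested one; whether that happens cannot be seen here, since the method starts and ends outside the hunk.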