summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
-rw-r--r--README3
-rw-r--r--dev-requirements.txt3
-rw-r--r--fabfile.py28
-rw-r--r--paramiko/__init__.py5
-rw-r--r--paramiko/channel.py7
-rw-r--r--paramiko/ecdsakey.py181
-rw-r--r--paramiko/hostkeys.py4
-rw-r--r--paramiko/packet.py1
-rw-r--r--paramiko/server.py21
-rw-r--r--paramiko/transport.py12
-rw-r--r--setup.py6
-rw-r--r--sites/www/changelog.rst37
-rw-r--r--tests/test_ecdsa.key5
-rw-r--r--tests/test_ecdsa_password.key8
-rw-r--r--tests/test_pkey.py64
15 files changed, 372 insertions, 13 deletions
diff --git a/README b/README
index 1899819a..09334675 100644
--- a/README
+++ b/README
@@ -5,7 +5,7 @@ paramiko
:Paramiko: Python SSH module
:Copyright: Copyright (c) 2003-2009 Robey Pointer <robeypointer@gmail.com>
-:Copyright: Copyright (c) 2013 Jeff Forcier <jeff@bitprophet.org>
+:Copyright: Copyright (c) 2014 Jeff Forcier <jeff@bitprophet.org>
:License: LGPL
:Homepage: https://github.com/paramiko/paramiko/
:API docs: http://docs.paramiko.org
@@ -36,6 +36,7 @@ Requirements
- python 2.5 or better <http://www.python.org/>
- pycrypto 2.1 or better <https://www.dlitz.net/software/pycrypto/>
+ - ecdsa 0.9 or better <https://pypi.python.org/pypi/ecdsa>
If you have setuptools, you can build and install paramiko and all its
dependencies with this command (as root)::
diff --git a/dev-requirements.txt b/dev-requirements.txt
index 331e38c6..72172183 100644
--- a/dev-requirements.txt
+++ b/dev-requirements.txt
@@ -1,3 +1,6 @@
+# Older junk
+tox>=1.4,<1.5
+epydoc>=3.0,<3.1
# For newer tasks like building Sphinx docs.
# NOTE: Requires Python >=2.6
invoke>=0.7.0
diff --git a/fabfile.py b/fabfile.py
index 29394f94..7883daba 100644
--- a/fabfile.py
+++ b/fabfile.py
@@ -1,8 +1,10 @@
-from fabric.api import task, sudo, env
+from fabric.api import task, sudo, env, local, hosts
from fabric.contrib.project import rsync_project
+from fabric.contrib.console import confirm
@task
+@hosts("paramiko.org")
def upload_docs():
target = "/var/www/paramiko.org"
staging = "/tmp/paramiko_docs"
@@ -11,3 +13,27 @@ def upload_docs():
sudo("rm -rf %s/*" % target)
rsync_project(local_dir='docs/', remote_dir=staging, delete=True)
sudo("cp -R %s/* %s/" % (staging, target))
+
+@task
+def build_docs():
+ local("epydoc --no-private -o docs/ paramiko")
+
+@task
+def clean():
+ local("rm -rf build dist docs")
+ local("rm -f MANIFEST *.log demos/*.log")
+ local("rm -f paramiko/*.pyc")
+ local("rm -f test.log")
+ local("rm -rf paramiko.egg-info")
+
+@task
+def test():
+ local("python ./test.py")
+
+@task
+def release():
+ confirm("Only hit Enter if you remembered to update the version!")
+ confirm("Also, did you remember to tag your release?")
+ build_docs()
+ local("python setup.py sdist register upload")
+ upload_docs()
diff --git a/paramiko/__init__.py b/paramiko/__init__.py
index 924e8bb5..c996302a 100644
--- a/paramiko/__init__.py
+++ b/paramiko/__init__.py
@@ -46,6 +46,8 @@ Paramiko is written entirely in python (no C or platform-dependent code) and is
released under the GNU Lesser General Public License (LGPL).
Website: U{https://github.com/paramiko/paramiko/}
+
+Mailing list: U{paramiko@librelist.com<mailto:paramiko@librelist.com>}
"""
import sys
@@ -55,7 +57,7 @@ if sys.version_info < (2, 5):
__author__ = "Jeff Forcier <jeff@bitprophet.org>"
-__version__ = "1.10.5"
+__version__ = "1.12.1"
__version_info__ = tuple([ int(d) for d in __version__.split(".") ])
__license__ = "GNU Lesser General Public License (LGPL)"
@@ -70,6 +72,7 @@ from ssh_exception import SSHException, PasswordRequiredException, \
from server import ServerInterface, SubsystemHandler, InteractiveQuery
from rsakey import RSAKey
from dsskey import DSSKey
+from ecdsakey import ECDSAKey
from sftp import SFTPError, BaseSFTP
from sftp_client import SFTP, SFTPClient
from sftp_server import SFTPServer
diff --git a/paramiko/channel.py b/paramiko/channel.py
index c680e44b..d1e6333c 100644
--- a/paramiko/channel.py
+++ b/paramiko/channel.py
@@ -1027,6 +1027,13 @@ class Channel (object):
ok = False
else:
ok = server.check_channel_shell_request(self)
+ elif key == 'env':
+ name = m.get_string()
+ value = m.get_string()
+ if server is None:
+ ok = False
+ else:
+ ok = server.check_channel_env_request(self, name, value)
elif key == 'exec':
cmd = m.get_string()
if server is None:
diff --git a/paramiko/ecdsakey.py b/paramiko/ecdsakey.py
new file mode 100644
index 00000000..ac840ab7
--- /dev/null
+++ b/paramiko/ecdsakey.py
@@ -0,0 +1,181 @@
+# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com>
+#
+# This file is part of paramiko.
+#
+# Paramiko is free software; you can redistribute it and/or modify it under the
+# terms of the GNU Lesser General Public License as published by the Free
+# Software Foundation; either version 2.1 of the License, or (at your option)
+# any later version.
+#
+# Paramiko is distrubuted in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+# A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with Paramiko; if not, write to the Free Software Foundation, Inc.,
+# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
+
+"""
+L{ECDSAKey}
+"""
+
+import binascii
+from ecdsa import SigningKey, VerifyingKey, der, curves
+from ecdsa.util import number_to_string, sigencode_string, sigencode_strings, sigdecode_strings
+from Crypto.Hash import SHA256, MD5
+from Crypto.Cipher import DES3
+
+from paramiko.common import *
+from paramiko import util
+from paramiko.message import Message
+from paramiko.ber import BER, BERException
+from paramiko.pkey import PKey
+from paramiko.ssh_exception import SSHException
+
+
+class ECDSAKey (PKey):
+ """
+ Representation of an ECDSA key which can be used to sign and verify SSH2
+ data.
+ """
+
+ def __init__(self, msg=None, data=None, filename=None, password=None, vals=None, file_obj=None):
+ self.verifying_key = None
+ self.signing_key = None
+ if file_obj is not None:
+ self._from_private_key(file_obj, password)
+ return
+ if filename is not None:
+ self._from_private_key_file(filename, password)
+ return
+ if (msg is None) and (data is not None):
+ msg = Message(data)
+ if vals is not None:
+ self.verifying_key, self.signing_key = vals
+ else:
+ if msg is None:
+ raise SSHException('Key object may not be empty')
+ if msg.get_string() != 'ecdsa-sha2-nistp256':
+ raise SSHException('Invalid key')
+ curvename = msg.get_string()
+ if curvename != 'nistp256':
+ raise SSHException("Can't handle curve of type %s" % curvename)
+
+ pointinfo = msg.get_string()
+ if pointinfo[0] != "\x04":
+ raise SSHException('Point compression is being used: %s'%
+ binascii.hexlify(pointinfo))
+ self.verifying_key = VerifyingKey.from_string(pointinfo[1:],
+ curve=curves.NIST256p)
+ self.size = 256
+
+ def __str__(self):
+ key = self.verifying_key
+ m = Message()
+ m.add_string('ecdsa-sha2-nistp256')
+ m.add_string('nistp256')
+
+ point_str = "\x04" + key.to_string()
+
+ m.add_string(point_str)
+ return str(m)
+
+ def __hash__(self):
+ h = hash(self.get_name())
+ h = h * 37 + hash(self.verifying_key.pubkey.point.x())
+ h = h * 37 + hash(self.verifying_key.pubkey.point.y())
+ return hash(h)
+
+ def get_name(self):
+ return 'ecdsa-sha2-nistp256'
+
+ def get_bits(self):
+ return self.size
+
+ def can_sign(self):
+ return self.signing_key is not None
+
+ def sign_ssh_data(self, rpool, data):
+ digest = SHA256.new(data).digest()
+ sig = self.signing_key.sign_digest(digest, entropy=rpool.read,
+ sigencode=self._sigencode)
+ m = Message()
+ m.add_string('ecdsa-sha2-nistp256')
+ m.add_string(sig)
+ return m
+
+ def verify_ssh_sig(self, data, msg):
+ if msg.get_string() != 'ecdsa-sha2-nistp256':
+ return False
+ sig = msg.get_string()
+
+ # verify the signature by SHA'ing the data and encrypting it
+ # using the public key.
+ hash_obj = SHA256.new(data).digest()
+ return self.verifying_key.verify_digest(sig, hash_obj,
+ sigdecode=self._sigdecode)
+
+ def write_private_key_file(self, filename, password=None):
+ key = self.signing_key or self.verifying_key
+ self._write_private_key_file('EC', filename, key.to_der(), password)
+
+ def write_private_key(self, file_obj, password=None):
+ key = self.signing_key or self.verifying_key
+ self._write_private_key('EC', file_obj, key.to_der(), password)
+
+ def generate(bits, progress_func=None):
+ """
+ Generate a new private RSA key. This factory function can be used to
+ generate a new host key or authentication key.
+
+ @param bits: number of bits the generated key should be.
+ @type bits: int
+ @param progress_func: an optional function to call at key points in
+ key generation (used by C{pyCrypto.PublicKey}).
+ @type progress_func: function
+ @return: new private key
+ @rtype: L{RSAKey}
+ """
+ signing_key = ECDSA.generate()
+ key = ECDSAKey(vals=(signing_key, signing_key.get_verifying_key()))
+ return key
+ generate = staticmethod(generate)
+
+
+ ### internals...
+
+
+ def _from_private_key_file(self, filename, password):
+ data = self._read_private_key_file('EC', filename, password)
+ self._decode_key(data)
+
+ def _from_private_key(self, file_obj, password):
+ data = self._read_private_key('EC', file_obj, password)
+ self._decode_key(data)
+
+ ALLOWED_PADDINGS = ['\x01', '\x02\x02', '\x03\x03\x03', '\x04\x04\x04\x04',
+ '\x05\x05\x05\x05\x05', '\x06\x06\x06\x06\x06\x06',
+ '\x07\x07\x07\x07\x07\x07\x07']
+ def _decode_key(self, data):
+ s, padding = der.remove_sequence(data)
+ if padding:
+ if padding not in self.ALLOWED_PADDINGS:
+ raise ValueError, "weird padding: %s" % (binascii.hexlify(empty))
+ data = data[:-len(padding)]
+ key = SigningKey.from_der(data)
+ self.signing_key = key
+ self.verifying_key = key.get_verifying_key()
+ self.size = 256
+
+ def _sigencode(self, r, s, order):
+ msg = Message()
+ msg.add_mpint(r)
+ msg.add_mpint(s)
+ return str(msg)
+
+ def _sigdecode(self, sig, order):
+ msg = Message(sig)
+ r = msg.get_mpint()
+ s = msg.get_mpint()
+ return (r, s)
diff --git a/paramiko/hostkeys.py b/paramiko/hostkeys.py
index f967a3da..9bcf0d55 100644
--- a/paramiko/hostkeys.py
+++ b/paramiko/hostkeys.py
@@ -29,6 +29,7 @@ from paramiko.common import *
from paramiko.dsskey import DSSKey
from paramiko.rsakey import RSAKey
from paramiko.util import get_logger
+from paramiko.ecdsakey import ECDSAKey
class InvalidHostKey(Exception):
@@ -81,9 +82,12 @@ class HostKeyEntry:
key = RSAKey(data=base64.decodestring(key))
elif keytype == 'ssh-dss':
key = DSSKey(data=base64.decodestring(key))
+ elif keytype == 'ecdsa-sha2-nistp256':
+ key = ECDSAKey(data=base64.decodestring(key))
else:
log.info("Unable to handle key of type %s" % (keytype,))
return None
+
except binascii.Error, e:
raise InvalidHostKey(line, e)
diff --git a/paramiko/packet.py b/paramiko/packet.py
index 3f85d668..6ab7363d 100644
--- a/paramiko/packet.py
+++ b/paramiko/packet.py
@@ -152,7 +152,6 @@ class Packetizer (object):
def close(self):
self.__closed = True
- self.__socket.close()
def set_hexdump(self, hexdump):
self.__dump_packets = hexdump
diff --git a/paramiko/server.py b/paramiko/server.py
index d737e056..fdb40942 100644
--- a/paramiko/server.py
+++ b/paramiko/server.py
@@ -550,6 +550,27 @@ class ServerInterface (object):
"""
return OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED
+ def check_channel_env_request(self, channel, name, value):
+ """
+ Check whether a given environment variable can be specified for the
+ given channel. This method should return C{True} if the server
+ is willing to set the specified environment variable. Note that
+ some environment variables (e.g., PATH) can be exceedingly
+ dangerous, so blindly allowing the client to set the environment
+ is almost certainly not a good idea.
+
+ The default implementation always returns C{False}.
+
+ @param channel: the L{Channel} the env request arrived on
+ @type channel: L{Channel}
+ @param name: foo bar baz
+ @type name: str
+ @param value: flklj
+ @type value: str
+ @rtype: bool
+ """
+ return False
+
class SubsystemHandler (threading.Thread):
"""
diff --git a/paramiko/transport.py b/paramiko/transport.py
index cc81ed7b..9dbfa816 100644
--- a/paramiko/transport.py
+++ b/paramiko/transport.py
@@ -42,6 +42,7 @@ from paramiko.message import Message
from paramiko.packet import Packetizer, NeedRekeyException
from paramiko.primes import ModulusPack
from paramiko.rsakey import RSAKey
+from paramiko.ecdsakey import ECDSAKey
from paramiko.server import ServerInterface
from paramiko.sftp_client import SFTPClient
from paramiko.ssh_exception import (SSHException, BadAuthenticationType,
@@ -202,7 +203,7 @@ class Transport (threading.Thread):
_preferred_ciphers = ( 'aes128-ctr', 'aes256-ctr', 'aes128-cbc', 'blowfish-cbc', 'aes256-cbc', '3des-cbc',
'arcfour128', 'arcfour256' )
_preferred_macs = ( 'hmac-sha1', 'hmac-md5', 'hmac-sha1-96', 'hmac-md5-96' )
- _preferred_keys = ( 'ssh-rsa', 'ssh-dss' )
+ _preferred_keys = ( 'ssh-rsa', 'ssh-dss', 'ecdsa-sha2-nistp256' )
_preferred_kex = ( 'diffie-hellman-group1-sha1', 'diffie-hellman-group-exchange-sha1' )
_preferred_compression = ( 'none', )
@@ -227,6 +228,7 @@ class Transport (threading.Thread):
_key_info = {
'ssh-rsa': RSAKey,
'ssh-dss': DSSKey,
+ 'ecdsa-sha2-nistp256': ECDSAKey,
}
_kex_info = {
@@ -400,7 +402,6 @@ class Transport (threading.Thread):
@since: 1.5.3
"""
- self.sock.close()
self.close()
def get_security_options(self):
@@ -614,11 +615,10 @@ class Transport (threading.Thread):
"""
if not self.active:
return
- self.active = False
- self.packetizer.close()
- self.join()
+ self.stop_thread()
for chan in self._channels.values():
chan._unlink()
+ self.sock.close()
def get_remote_server_key(self):
"""
@@ -1403,6 +1403,8 @@ class Transport (threading.Thread):
def stop_thread(self):
self.active = False
self.packetizer.close()
+ while self.isAlive():
+ self.join(10)
### internals...
diff --git a/setup.py b/setup.py
index 8ec4a0ea..f50cfd23 100644
--- a/setup.py
+++ b/setup.py
@@ -40,7 +40,9 @@ import sys
try:
from setuptools import setup
kw = {
- 'install_requires': 'pycrypto >= 2.1, != 2.4',
+ 'install_requires': ['pycrypto >= 2.1, != 2.4',
+ 'ecdsa',
+ ],
}
except ImportError:
from distutils.core import setup
@@ -52,7 +54,7 @@ if sys.platform == 'darwin':
setup(name = "paramiko",
- version = "1.10.5",
+ version = "1.12.1",
description = "SSH2 protocol library",
author = "Jeff Forcier",
author_email = "jeff@bitprophet.org",
diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst
index 7247eb76..1b82c63b 100644
--- a/sites/www/changelog.rst
+++ b/sites/www/changelog.rst
@@ -10,11 +10,32 @@ Changelog
* :bug:`193` (and its attentant PRs :issue:`230` & :issue:`253`) Fix SSH agent
problems present on Windows. Thanks to David Hobbs for initial report and to
Aarni Koskela & Olle Lundberg for the patches.
+* :release:`1.12.1 <2014-01-08>`
+* :release:`1.11.3 <2014-01-08>`
* :release:`1.10.5 <2014-01-08>`
+* :bug:`225 (1.12+)` Note ecdsa requirement in README. Thanks to Amaury
+ Rodriguez for the catch.
* :bug:`176` Fix AttributeError bugs in known_hosts file (re)loading. Thanks
to Nathan Scowcroft for the patch & Martin Blumenstingl for the initial test
case.
+* :release:`1.12.0 <2013-09-27>`
+* :release:`1.11.2 <2013-09-27>`
* :release:`1.10.4 <2013-09-27>`
+* :feature:`152` Add tentative support for ECDSA keys. *This adds the ecdsa
+ module as a new dependency of Paramiko.* The module is available at
+ [warner/python-ecdsa on Github](https://github.com/warner/python-ecdsa) and
+ [ecdsa on PyPI](https://pypi.python.org/pypi/ecdsa).
+
+ * Note that you might still run into problems with key negotiation --
+ Paramiko picks the first key that the server offers, which might not be
+ what you have in your known_hosts file.
+ * Mega thanks to Ethan Glasser-Camp for the patch.
+
+* :feature:`136` Add server-side support for the SSH protocol's 'env' command.
+ Thanks to Benjamin Pollack for the patch.
+* :bug:`156 (1.11+)` Fix potential deadlock condition when using Channel
+ objects as sockets (e.g. when using SSH gatewaying). Thanks to Steven Noonan
+ and Frank Arnold for catch & patch.
* :bug:`179` Fix a missing variable causing errors when an ssh_config file has
a non-default AddressFamily set. Thanks to Ed Marshall & Tomaz Muraus for
catch & patch.
@@ -22,6 +43,7 @@ Changelog
Buchanan for catch & Dave Foster for patch.
* :bug:`199` Typo fix in the license header cross-project. Thanks to Armin
Ronacher for catch & patch.
+* :release:`1.11.1 <2013-09-20>`
* :release:`1.10.3 <2013-09-20>`
* :bug:`162` Clean up HMAC module import to avoid deadlocks in certain uses of
SSHClient. Thanks to Gernot Hillier for the catch & suggested fix.
@@ -29,7 +51,22 @@ Changelog
Thanks to Jonathan Halcrow for catch & patch.
* :bug:`168` Update config handling to properly handle multiple 'localforward'
and 'remoteforward' keys. Thanks to Emre Yılmaz for the patch.
+* :release:`1.11.0 <2013-07-26>`
* :release:`1.10.2 <2013-07-26>`
+* :bug:`98 major` On Windows, when interacting with the PuTTY PAgeant, Paramiko
+ now creates the shared memory map with explicit Security Attributes of the
+ user, which is the same technique employed by the canonical PuTTY library to
+ avoid permissions issues when Paramiko is running under a different UAC
+ context than the PuTTY Ageant process. Thanks to Jason R. Coombs for the
+ patch.
+* :support:`100` Remove use of PyWin32 in ``win_pageant`` module. Module was
+ already dependent on ctypes for constructing appropriate structures and had
+ ctypes implementations of all functionality. Thanks to Jason R. Coombs for
+ the patch.
+* :bug:`87 major` Ensure updates to ``known_hosts`` files account for any
+ updates to said files after Paramiko initially read them. (Includes related
+ fix to guard against duplicate entries during subsequent ``known_hosts``
+ loads.) Thanks to ``@sunweaver`` for the contribution.
* :bug:`153` (also :issue:`67`) Warn on parse failure when reading known_hosts
file. Thanks to ``@glasserc`` for patch.
* :bug:`146` Indentation fixes for readability. Thanks to Abhinav Upadhyay for
diff --git a/tests/test_ecdsa.key b/tests/test_ecdsa.key
new file mode 100644
index 00000000..42d44734
--- /dev/null
+++ b/tests/test_ecdsa.key
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIKB6ty3yVyKEnfF/zprx0qwC76MsMlHY4HXCnqho2eKioAoGCCqGSM49
+AwEHoUQDQgAElI9mbdlaS+T9nHxY/59lFnn80EEecZDBHq4gLpccY8Mge5ZTMiMD
+ADRvOqQ5R98Sxst765CAqXmRtz8vwoD96g==
+-----END EC PRIVATE KEY-----
diff --git a/tests/test_ecdsa_password.key b/tests/test_ecdsa_password.key
new file mode 100644
index 00000000..eb7910ed
--- /dev/null
+++ b/tests/test_ecdsa_password.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,EEB56BC745EDB2DE04FC3FE1F8DA387E
+
+wdt7QTCa6ahTJLaEPH7NhHyBcxhzrzf93d4UwQOuAhkM6//jKD4lF9fErHBW0f3B
+ExberCU3UxfEF3xX2thXiLw47JgeOCeQUlqRFx92p36k6YmfNGX6W8CsZ3d+XodF
+Z+pb6m285CiSX+W95NenFMexXFsIpntiCvTifTKJ8os=
+-----END EC PRIVATE KEY-----
diff --git a/tests/test_pkey.py b/tests/test_pkey.py
index 5e143373..8e8c4aa7 100644
--- a/tests/test_pkey.py
+++ b/tests/test_pkey.py
@@ -23,14 +23,17 @@ Some unit tests for public/private key objects.
from binascii import hexlify, unhexlify
import StringIO
import unittest
-from paramiko import RSAKey, DSSKey, Message, util
+from paramiko import RSAKey, DSSKey, ECDSAKey, Message, util
from paramiko.common import rng
# from openssh's ssh-keygen
PUB_RSA = 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA049W6geFpmsljTwfvI1UmKWWJPNFI74+vNKTk4dmzkQY2yAMs6FhlvhlI8ysU4oj71ZsRYMecHbBbxdN79+JRFVYTKaLqjwGENeTd+yv4q+V2PvZv3fLnzApI3l7EJCqhWwJUHJ1jAkZzqDx0tyOL4uoZpww3nmE0kb3y21tH4c='
PUB_DSS = 'ssh-dss AAAAB3NzaC1kc3MAAACBAOeBpgNnfRzr/twmAQRu2XwWAp3CFtrVnug6s6fgwj/oLjYbVtjAy6pl/h0EKCWx2rf1IetyNsTxWrniA9I6HeDj65X1FyDkg6g8tvCnaNB8Xp/UUhuzHuGsMIipRxBxw9LF608EqZcj1E3ytktoW5B5OcjrkEoz3xG7C+rpIjYvAAAAFQDwz4UnmsGiSNu5iqjn3uTzwUpshwAAAIEAkxfFeY8P2wZpDjX0MimZl5wkoFQDL25cPzGBuB4OnB8NoUk/yjAHIIpEShw8V+LzouMK5CTJQo5+Ngw3qIch/WgRmMHy4kBq1SsXMjQCte1So6HBMvBPIW5SiMTmjCfZZiw4AYHK+B/JaOwaG9yRg2Ejg4Ok10+XFDxlqZo8Y+wAAACARmR7CCPjodxASvRbIyzaVpZoJ/Z6x7dAumV+ysrV1BVYd0lYukmnjO1kKBWApqpH1ve9XDQYN8zgxM4b16L21kpoWQnZtXrY3GZ4/it9kUgyB7+NwacIBlXa8cMDL7Q/69o0d54U0X/NeX5QxuYR6OMJlrkQB7oiW/P/1mwjQgE='
+PUB_ECDSA = 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJSPZm3ZWkvk/Zx8WP+fZRZ5/NBBHnGQwR6uIC6XHGPDIHuWUzIjAwA0bzqkOUffEsbLe+uQgKl5kbc/L8KA/eo='
+
FINGER_RSA = '1024 60:73:38:44:cb:51:86:65:7f:de:da:a2:2b:5a:57:d5'
FINGER_DSS = '1024 44:78:f0:b9:a2:3c:c5:18:20:09:ff:75:5b:c1:d2:6c'
+FINGER_ECDSA = '256 25:19:eb:55:e6:a1:47:ff:4f:38:d2:75:6f:a5:d5:60'
SIGNED_RSA = '20:d7:8a:31:21:cb:f7:92:12:f2:a4:89:37:f5:78:af:e6:16:b6:25:b9:97:3d:a2:cd:5f:ca:20:21:73:4c:ad:34:73:8f:20:77:28:e2:94:15:08:d8:91:40:7a:85:83:bf:18:37:95:dc:54:1a:9b:88:29:6c:73:ca:38:b4:04:f1:56:b9:f2:42:9d:52:1b:29:29:b4:4f:fd:c9:2d:af:47:d2:40:76:30:f3:63:45:0c:d9:1d:43:86:0f:1c:70:e2:93:12:34:f3:ac:c5:0a:2f:14:50:66:59:f1:88:ee:c1:4a:e9:d1:9c:4e:46:f0:0e:47:6f:38:74:f1:44:a8'
RSA_PRIVATE_OUT = """\
@@ -66,6 +69,13 @@ QPSch9pT9XHqn+1rZ4bK+QGA
-----END DSA PRIVATE KEY-----
"""
+ECDSA_PRIVATE_OUT = """\
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIKB6ty3yVyKEnfF/zprx0qwC76MsMlHY4HXCnqho2eKioAoGCCqGSM49
+AwEHoUQDQgAElI9mbdlaS+T9nHxY/59lFnn80EEecZDBHq4gLpccY8Mge5ZTMiMD
+ADRvOqQ5R98Sxst765CAqXmRtz8vwoD96g==
+-----END EC PRIVATE KEY-----
+"""
class KeyTest (unittest.TestCase):
@@ -176,7 +186,7 @@ class KeyTest (unittest.TestCase):
msg.rewind()
pub = DSSKey(data=str(key))
self.assert_(pub.verify_ssh_sig('ice weasels', msg))
-
+
def test_A_generate_rsa(self):
key = RSAKey.generate(1024)
msg = key.sign_ssh_data(rng, 'jerri blank')
@@ -188,3 +198,53 @@ class KeyTest (unittest.TestCase):
msg = key.sign_ssh_data(rng, 'jerri blank')
msg.rewind()
self.assert_(key.verify_ssh_sig('jerri blank', msg))
+
+ def test_10_load_ecdsa(self):
+ key = ECDSAKey.from_private_key_file('tests/test_ecdsa.key')
+ self.assertEquals('ecdsa-sha2-nistp256', key.get_name())
+ exp_ecdsa = FINGER_ECDSA.split()[1].replace(':', '')
+ my_ecdsa = hexlify(key.get_fingerprint())
+ self.assertEquals(exp_ecdsa, my_ecdsa)
+ self.assertEquals(PUB_ECDSA.split()[1], key.get_base64())
+ self.assertEquals(256, key.get_bits())
+
+ s = StringIO.StringIO()
+ key.write_private_key(s)
+ self.assertEquals(ECDSA_PRIVATE_OUT, s.getvalue())
+ s.seek(0)
+ key2 = ECDSAKey.from_private_key(s)
+ self.assertEquals(key, key2)
+
+ def test_11_load_ecdsa_password(self):
+ key = ECDSAKey.from_private_key_file('tests/test_ecdsa_password.key', 'television')
+ self.assertEquals('ecdsa-sha2-nistp256', key.get_name())
+ exp_ecdsa = FINGER_ECDSA.split()[1].replace(':', '')
+ my_ecdsa = hexlify(key.get_fingerprint())
+ self.assertEquals(exp_ecdsa, my_ecdsa)
+ self.assertEquals(PUB_ECDSA.split()[1], key.get_base64())
+ self.assertEquals(256, key.get_bits())
+
+ def test_12_compare_ecdsa(self):
+ # verify that the private & public keys compare equal
+ key = ECDSAKey.from_private_key_file('tests/test_ecdsa.key')
+ self.assertEquals(key, key)
+ pub = ECDSAKey(data=str(key))
+ self.assert_(key.can_sign())
+ self.assert_(not pub.can_sign())
+ self.assertEquals(key, pub)
+
+ def test_13_sign_ecdsa(self):
+ # verify that the rsa private key can sign and verify
+ key = ECDSAKey.from_private_key_file('tests/test_ecdsa.key')
+ msg = key.sign_ssh_data(rng, 'ice weasels')
+ self.assert_(type(msg) is Message)
+ msg.rewind()
+ self.assertEquals('ecdsa-sha2-nistp256', msg.get_string())
+ # ECDSA signatures, like DSS signatures, tend to be different
+ # each time, so we can't compare against a "known correct"
+ # signature.
+ # Even the length of the signature can change.
+
+ msg.rewind()
+ pub = ECDSAKey(data=str(key))
+ self.assert_(pub.verify_ssh_sig('ice weasels', msg))