summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
-rw-r--r--paramiko/rsakey.py3
-rw-r--r--tests/_support/dss.key-cert.pub (renamed from tests/cert_support/test_dss.key-cert.pub)0
-rw-r--r--tests/_support/ecdsa_256.key (renamed from tests/cert_support/test_ecdsa_256.key)0
-rw-r--r--tests/_support/ecdsa_256.key-cert.pub (renamed from tests/cert_support/test_ecdsa_256.key-cert.pub)0
-rw-r--r--tests/_support/ed25519.key-cert.pub (renamed from tests/cert_support/test_ed25519.key-cert.pub)0
-rw-r--r--tests/_support/rsa.key-cert.pub (renamed from tests/cert_support/test_rsa.key-cert.pub)0
-rw-r--r--tests/cert_support/test_dss.key12
-rw-r--r--tests/cert_support/test_ed25519.key8
-rw-r--r--tests/cert_support/test_rsa.key15
-rw-r--r--tests/pkey.py51
-rw-r--r--tests/test_client.py18
-rw-r--r--tests/test_pkey.py56
12 files changed, 59 insertions, 104 deletions
diff --git a/paramiko/rsakey.py b/paramiko/rsakey.py
index b25768b6..c98a07a2 100644
--- a/paramiko/rsakey.py
+++ b/paramiko/rsakey.py
@@ -125,9 +125,12 @@ class RSAKey(PKey):
sig = self.key.sign(
data,
padding=padding.PKCS1v15(),
+ # HASHES being just a map from long identifier to either SHA1 or
+ # SHA256 - cert'ness is not truly relevant.
algorithm=self.HASHES[algorithm](),
)
m = Message()
+ # And here again, cert'ness is irrelevant, so it is stripped out.
m.add_string(algorithm.replace("-cert-v01@openssh.com", ""))
m.add_string(sig)
return m
diff --git a/tests/cert_support/test_dss.key-cert.pub b/tests/_support/dss.key-cert.pub
index 07fd5578..07fd5578 100644
--- a/tests/cert_support/test_dss.key-cert.pub
+++ b/tests/_support/dss.key-cert.pub
diff --git a/tests/cert_support/test_ecdsa_256.key b/tests/_support/ecdsa_256.key
index 42d44734..42d44734 100644
--- a/tests/cert_support/test_ecdsa_256.key
+++ b/tests/_support/ecdsa_256.key
diff --git a/tests/cert_support/test_ecdsa_256.key-cert.pub b/tests/_support/ecdsa_256.key-cert.pub
index f2c93ccf..f2c93ccf 100644
--- a/tests/cert_support/test_ecdsa_256.key-cert.pub
+++ b/tests/_support/ecdsa_256.key-cert.pub
diff --git a/tests/cert_support/test_ed25519.key-cert.pub b/tests/_support/ed25519.key-cert.pub
index 4e01415a..4e01415a 100644
--- a/tests/cert_support/test_ed25519.key-cert.pub
+++ b/tests/_support/ed25519.key-cert.pub
diff --git a/tests/cert_support/test_rsa.key-cert.pub b/tests/_support/rsa.key-cert.pub
index 7487ab66..7487ab66 100644
--- a/tests/cert_support/test_rsa.key-cert.pub
+++ b/tests/_support/rsa.key-cert.pub
diff --git a/tests/cert_support/test_dss.key b/tests/cert_support/test_dss.key
deleted file mode 100644
index e10807f1..00000000
--- a/tests/cert_support/test_dss.key
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN DSA PRIVATE KEY-----
-MIIBuwIBAAKBgQDngaYDZ30c6/7cJgEEbtl8FgKdwhba1Z7oOrOn4MI/6C42G1bY
-wMuqZf4dBCglsdq39SHrcjbE8Vq54gPSOh3g4+uV9Rcg5IOoPLbwp2jQfF6f1FIb
-sx7hrDCIqUcQccPSxetPBKmXI9RN8rZLaFuQeTnI65BKM98Ruwvq6SI2LwIVAPDP
-hSeawaJI27mKqOfe5PPBSmyHAoGBAJMXxXmPD9sGaQ419DIpmZecJKBUAy9uXD8x
-gbgeDpwfDaFJP8owByCKREocPFfi86LjCuQkyUKOfjYMN6iHIf1oEZjB8uJAatUr
-FzI0ArXtUqOhwTLwTyFuUojE5own2WYsOAGByvgfyWjsGhvckYNhI4ODpNdPlxQ8
-ZamaPGPsAoGARmR7CCPjodxASvRbIyzaVpZoJ/Z6x7dAumV+ysrV1BVYd0lYukmn
-jO1kKBWApqpH1ve9XDQYN8zgxM4b16L21kpoWQnZtXrY3GZ4/it9kUgyB7+NwacI
-BlXa8cMDL7Q/69o0d54U0X/NeX5QxuYR6OMJlrkQB7oiW/P/1mwjQgECFGI9QPSc
-h9pT9XHqn+1rZ4bK+QGA
------END DSA PRIVATE KEY-----
diff --git a/tests/cert_support/test_ed25519.key b/tests/cert_support/test_ed25519.key
deleted file mode 100644
index eb9f94c2..00000000
--- a/tests/cert_support/test_ed25519.key
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-QyNTUxOQAAACB69SvZKJh/9VgSL0G27b5xVYa8nethH3IERbi0YqJDXwAAAKhjwAdrY8AH
-awAAAAtzc2gtZWQyNTUxOQAAACB69SvZKJh/9VgSL0G27b5xVYa8nethH3IERbi0YqJDXw
-AAAEA9tGQi2IrprbOSbDCF+RmAHd6meNSXBUQ2ekKXm4/8xnr1K9komH/1WBIvQbbtvnFV
-hryd62EfcgRFuLRiokNfAAAAI2FsZXhfZ2F5bm9yQEFsZXhzLU1hY0Jvb2stQWlyLmxvY2
-FsAQI=
------END OPENSSH PRIVATE KEY-----
diff --git a/tests/cert_support/test_rsa.key b/tests/cert_support/test_rsa.key
deleted file mode 100644
index f50e9c53..00000000
--- a/tests/cert_support/test_rsa.key
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICWgIBAAKBgQDTj1bqB4WmayWNPB+8jVSYpZYk80Ujvj680pOTh2bORBjbIAyz
-oWGW+GUjzKxTiiPvVmxFgx5wdsFvF03v34lEVVhMpouqPAYQ15N37K/ir5XY+9m/
-d8ufMCkjeXsQkKqFbAlQcnWMCRnOoPHS3I4vi6hmnDDeeYTSRvfLbW0fhwIBIwKB
-gBIiOqZYaoqbeD9OS9z2K9KR2atlTxGxOJPXiP4ESqP3NVScWNwyZ3NXHpyrJLa0
-EbVtzsQhLn6rF+TzXnOlcipFvjsem3iYzCpuChfGQ6SovTcOjHV9z+hnpXvQ/fon
-soVRZY65wKnF7IAoUwTmJS9opqgrN6kRgCd3DASAMd1bAkEA96SBVWFt/fJBNJ9H
-tYnBKZGw0VeHOYmVYbvMSstssn8un+pQpUm9vlG/bp7Oxd/m+b9KWEh2xPfv6zqU
-avNwHwJBANqzGZa/EpzF4J8pGti7oIAPUIDGMtfIcmqNXVMckrmzQ2vTfqtkEZsA
-4rE1IERRyiJQx6EJsz21wJmGV9WJQ5kCQQDwkS0uXqVdFzgHO6S++tjmjYcxwr3g
-H0CoFYSgbddOT6miqRskOQF3DZVkJT3kyuBgU2zKygz52ukQZMqxCb1fAkASvuTv
-qfpH87Qq5kQhNKdbbwbmd2NxlNabazPijWuphGTdW0VfJdWfklyS2Kr+iqrs/5wV
-HhathJt636Eg7oIjAkA8ht3MQ+XSl9yIJIS8gVpbPxSw5OMfw0PjVE7tBdQruiSc
-nvuQES5C9BMHjF39LZiGH1iLQy7FgdHyoP+eodI7
------END RSA PRIVATE KEY-----
diff --git a/tests/pkey.py b/tests/pkey.py
index 9c8fe8fc..98193165 100644
--- a/tests/pkey.py
+++ b/tests/pkey.py
@@ -1,7 +1,7 @@
from pytest import raises
from cryptography.hazmat.primitives.asymmetric.ed448 import Ed448PrivateKey
-from paramiko import PKey, UnknownKeyType, RSAKey
+from paramiko import PKey, Ed25519Key, RSAKey, UnknownKeyType, Message
from ._util import _support
@@ -36,3 +36,52 @@ class PKey_:
# a Python file is not a private key!
with raises(ValueError):
PKey.from_path(__file__)
+
+
+ class load_certificate:
+ def rsa_public_cert_blobs(self):
+ # Data to test signing with (arbitrary)
+ data = b"ice weasels"
+ # Load key w/o cert at first (so avoiding .from_path)
+ key = RSAKey.from_private_key_file(_support("rsa.key"))
+ assert key.public_blob is None
+ # Sign regular-style (using, arbitrarily, SHA2)
+ msg = key.sign_ssh_data(data, "rsa-sha2-256")
+ msg.rewind()
+ assert "rsa-sha2-256" == msg.get_text()
+ signed = msg.get_binary() # for comparison later
+
+ # Load cert and inspect its internals
+ key.load_certificate(_support("rsa.key-cert.pub"))
+ assert key.public_blob is not None
+ assert key.public_blob.key_type == "ssh-rsa-cert-v01@openssh.com"
+ assert key.public_blob.comment == "test_rsa.key.pub"
+ msg = Message(key.public_blob.key_blob)
+ # cert type
+ assert msg.get_text() == "ssh-rsa-cert-v01@openssh.com"
+ # nonce
+ msg.get_string()
+ # public numbers
+ assert msg.get_mpint() == key.public_numbers.e
+ assert msg.get_mpint() == key.public_numbers.n
+ # serial number
+ assert msg.get_int64() == 1234
+ # TODO: whoever wrote the OG tests didn't care about the remaining
+ # fields from
+ # https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys
+ # so neither do I, for now...
+
+ # Sign cert-style (still SHA256 - so this actually does almost
+ # exactly the same thing under the hood as the previous sign)
+ msg = key.sign_ssh_data(data, "rsa-sha2-256-cert-v01@openssh.com")
+ msg.rewind()
+ assert "rsa-sha2-256" == msg.get_text()
+ assert signed == msg.get_binary() # same signature as above
+ msg.rewind()
+ assert key.verify_ssh_sig(b"ice weasels", msg) # our data verified
+
+ def loading_cert_of_different_type_from_key_raises_ValueError(self):
+ edkey = Ed25519Key.from_private_key_file(_support("ed25519.key"))
+ err = "PublicBlob type ssh-rsa-cert-v01@openssh.com incompatible with key type ssh-ed25519" # noqa
+ with raises(ValueError, match=err):
+ edkey.load_certificate(_support("rsa.key-cert.pub"))
diff --git a/tests/test_client.py b/tests/test_client.py
index ea7396d9..5ce6f0a2 100644
--- a/tests/test_client.py
+++ b/tests/test_client.py
@@ -328,11 +328,10 @@ class SSHClientTest(ClientTest):
# server-side behavior is 100% identical.)
# NOTE: only bothered whipping up one cert per overall class/family.
for type_ in ("rsa", "dss", "ecdsa_256", "ed25519"):
- cert_name = "test_{}.key-cert.pub".format(type_)
- cert_path = _support(os.path.join("cert_support", cert_name))
+ key_path = _support(f"{type_}.key")
self._test_connection(
- key_filename=cert_path,
- public_blob=PublicBlob.from_file(cert_path),
+ key_filename=key_path,
+ public_blob=PublicBlob.from_file(f"{key_path}-cert.pub"),
)
@requires_sha1_signing
@@ -344,13 +343,10 @@ class SSHClientTest(ClientTest):
# that a specific cert was found, along with regular authorization
# succeeding proving that the overall flow works.
for type_ in ("rsa", "dss", "ecdsa_256", "ed25519"):
- key_name = "test_{}.key".format(type_)
- key_path = _support(os.path.join("cert_support", key_name))
+ key_path = _support(f"{type_}.key")
self._test_connection(
key_filename=key_path,
- public_blob=PublicBlob.from_file(
- "{}-cert.pub".format(key_path)
- ),
+ public_blob=PublicBlob.from_file(f"{key_path}-cert.pub"),
)
def _cert_algo_test(self, ver, alg):
@@ -359,9 +355,7 @@ class SSHClientTest(ClientTest):
self._test_connection(
# NOTE: SSHClient is able to take either the key or the cert & will
# set up its internals as needed
- key_filename=_support(
- os.path.join("cert_support", "test_rsa.key-cert.pub")
- ),
+ key_filename=_support("rsa.key-cert.pub"),
server_name="SSH-2.0-OpenSSH_{}".format(ver),
)
assert (
diff --git a/tests/test_pkey.py b/tests/test_pkey.py
index 47e19945..9d840bb4 100644
--- a/tests/test_pkey.py
+++ b/tests/test_pkey.py
@@ -686,43 +686,6 @@ class KeyTest(unittest.TestCase):
finally:
os.remove(newfile)
- def test_certificates(self):
- # NOTE: we also test 'live' use of cert auth for all key types in
- # test_client.py; this and nearby cert tests are more about the gritty
- # details.
- # PKey.load_certificate
- key_path = _support(os.path.join("cert_support", "test_rsa.key"))
- key = RSAKey.from_private_key_file(key_path)
- self.assertTrue(key.public_blob is None)
- cert_path = _support(
- os.path.join("cert_support", "test_rsa.key-cert.pub")
- )
- key.load_certificate(cert_path)
- self.assertTrue(key.public_blob is not None)
- self.assertEqual(
- key.public_blob.key_type, "ssh-rsa-cert-v01@openssh.com"
- )
- self.assertEqual(key.public_blob.comment, "test_rsa.key.pub")
- # Delve into blob contents, for test purposes
- msg = Message(key.public_blob.key_blob)
- self.assertEqual(msg.get_text(), "ssh-rsa-cert-v01@openssh.com")
- msg.get_string()
- e = msg.get_mpint()
- n = msg.get_mpint()
- self.assertEqual(e, key.public_numbers.e)
- self.assertEqual(n, key.public_numbers.n)
- # Serial number
- self.assertEqual(msg.get_int64(), 1234)
-
- # Prevented from loading certificate that doesn't match
- key_path = _support(os.path.join("cert_support", "test_ed25519.key"))
- key1 = Ed25519Key.from_private_key_file(key_path)
- self.assertRaises(
- ValueError,
- key1.load_certificate,
- _support("test_rsa.key-cert.pub"),
- )
-
@patch("paramiko.pkey.os")
def _test_keyfile_race(self, os_, exists):
# Re: CVE-2022-24302
@@ -776,22 +739,3 @@ class KeyTest(unittest.TestCase):
finally:
if os.path.exists(new):
os.unlink(new)
-
- def test_sign_rsa_with_certificate(self):
- data = b"ice weasels"
- key_path = _support(os.path.join("cert_support", "test_rsa.key"))
- key = RSAKey.from_private_key_file(key_path)
- msg = key.sign_ssh_data(data, "rsa-sha2-256")
- msg.rewind()
- assert "rsa-sha2-256" == msg.get_text()
- sign = msg.get_binary()
- cert_path = _support(
- os.path.join("cert_support", "test_rsa.key-cert.pub")
- )
- key.load_certificate(cert_path)
- msg = key.sign_ssh_data(data, "rsa-sha2-256-cert-v01@openssh.com")
- msg.rewind()
- assert "rsa-sha2-256" == msg.get_text()
- assert sign == msg.get_binary()
- msg.rewind()
- assert key.verify_ssh_sig(b"ice weasels", msg)