2015-05-22 20:37:40 +02:00
|
|
|
package ssh
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/dsa"
|
|
|
|
"crypto/ecdsa"
|
|
|
|
"crypto/elliptic"
|
|
|
|
"crypto/rand"
|
|
|
|
"crypto/rsa"
|
|
|
|
"reflect"
|
|
|
|
"strings"
|
|
|
|
"testing"
|
2015-09-30 03:21:17 +02:00
|
|
|
)
|
2015-05-22 20:37:40 +02:00
|
|
|
|
2015-09-30 03:21:17 +02:00
|
|
|
var (
|
|
|
|
ecdsaKey Signer
|
|
|
|
ecdsa384Key Signer
|
|
|
|
ecdsa521Key Signer
|
|
|
|
testCertKey Signer
|
2015-05-22 20:37:40 +02:00
|
|
|
)
|
|
|
|
|
2015-09-30 03:21:17 +02:00
|
|
|
type testSigner struct {
|
|
|
|
Signer
|
|
|
|
pub PublicKey
|
|
|
|
}
|
|
|
|
|
|
|
|
func (ts *testSigner) PublicKey() PublicKey {
|
|
|
|
if ts.pub != nil {
|
|
|
|
return ts.pub
|
|
|
|
}
|
|
|
|
return ts.Signer.PublicKey()
|
|
|
|
}
|
|
|
|
|
|
|
|
func init() {
|
|
|
|
raw256, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
|
|
ecdsaKey, _ = NewSignerFromKey(raw256)
|
|
|
|
|
|
|
|
raw384, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
|
|
|
|
ecdsa384Key, _ = NewSignerFromKey(raw384)
|
|
|
|
|
|
|
|
raw521, _ := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
|
|
|
|
ecdsa521Key, _ = NewSignerFromKey(raw521)
|
|
|
|
|
|
|
|
// Create a cert and sign it for use in tests.
|
|
|
|
testCert := &OpenSSHCertV01{
|
|
|
|
Nonce: []byte{}, // To pass reflect.DeepEqual after marshal & parse, this must be non-nil
|
|
|
|
Key: ecdsaKey.PublicKey(),
|
|
|
|
ValidPrincipals: []string{"gopher1", "gopher2"}, // increases test coverage
|
|
|
|
ValidAfter: 0, // unix epoch
|
|
|
|
ValidBefore: maxUint64, // The end of currently representable time.
|
|
|
|
Reserved: []byte{}, // To pass reflect.DeepEqual after marshal & parse, this must be non-nil
|
|
|
|
SignatureKey: rsaKey.PublicKey(),
|
|
|
|
}
|
|
|
|
sigBytes, _ := rsaKey.Sign(rand.Reader, testCert.BytesForSigning())
|
|
|
|
testCert.Signature = &signature{
|
|
|
|
Format: testCert.SignatureKey.PublicKeyAlgo(),
|
|
|
|
Blob: sigBytes,
|
|
|
|
}
|
|
|
|
testCertKey = &testSigner{
|
|
|
|
Signer: ecdsaKey,
|
|
|
|
pub: testCert,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-05-22 20:37:40 +02:00
|
|
|
func rawKey(pub PublicKey) interface{} {
|
|
|
|
switch k := pub.(type) {
|
|
|
|
case *rsaPublicKey:
|
|
|
|
return (*rsa.PublicKey)(k)
|
|
|
|
case *dsaPublicKey:
|
|
|
|
return (*dsa.PublicKey)(k)
|
|
|
|
case *ecdsaPublicKey:
|
|
|
|
return (*ecdsa.PublicKey)(k)
|
2015-09-30 03:21:17 +02:00
|
|
|
case *OpenSSHCertV01:
|
2015-05-22 20:37:40 +02:00
|
|
|
return k
|
|
|
|
}
|
|
|
|
panic("unknown key type")
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestKeyMarshalParse(t *testing.T) {
|
2015-09-30 03:21:17 +02:00
|
|
|
keys := []Signer{rsaKey, dsaKey, ecdsaKey, ecdsa384Key, ecdsa521Key, testCertKey}
|
|
|
|
for _, priv := range keys {
|
2015-05-22 20:37:40 +02:00
|
|
|
pub := priv.PublicKey()
|
2015-09-30 03:21:17 +02:00
|
|
|
roundtrip, rest, ok := ParsePublicKey(MarshalPublicKey(pub))
|
|
|
|
if !ok {
|
|
|
|
t.Errorf("ParsePublicKey(%T) failed", pub)
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(rest) > 0 {
|
|
|
|
t.Errorf("ParsePublicKey(%T): trailing junk", pub)
|
2015-05-22 20:37:40 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
k1 := rawKey(pub)
|
|
|
|
k2 := rawKey(roundtrip)
|
|
|
|
|
|
|
|
if !reflect.DeepEqual(k1, k2) {
|
|
|
|
t.Errorf("got %#v in roundtrip, want %#v", k2, k1)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestUnsupportedCurves(t *testing.T) {
|
|
|
|
raw, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("GenerateKey: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if _, err = NewSignerFromKey(raw); err == nil || !strings.Contains(err.Error(), "only P256") {
|
|
|
|
t.Fatalf("NewPrivateKey should not succeed with P224, got: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if _, err = NewPublicKey(&raw.PublicKey); err == nil || !strings.Contains(err.Error(), "only P256") {
|
|
|
|
t.Fatalf("NewPublicKey should not succeed with P224, got: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestNewPublicKey(t *testing.T) {
|
2015-09-30 03:21:17 +02:00
|
|
|
keys := []Signer{rsaKey, dsaKey, ecdsaKey}
|
|
|
|
for _, k := range keys {
|
2015-05-22 20:37:40 +02:00
|
|
|
raw := rawKey(k.PublicKey())
|
|
|
|
pub, err := NewPublicKey(raw)
|
|
|
|
if err != nil {
|
|
|
|
t.Errorf("NewPublicKey(%#v): %v", raw, err)
|
|
|
|
}
|
|
|
|
if !reflect.DeepEqual(k.PublicKey(), pub) {
|
|
|
|
t.Errorf("NewPublicKey(%#v) = %#v, want %#v", raw, pub, k.PublicKey())
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestKeySignVerify(t *testing.T) {
|
2015-09-30 03:21:17 +02:00
|
|
|
keys := []Signer{rsaKey, dsaKey, ecdsaKey, testCertKey}
|
|
|
|
for _, priv := range keys {
|
2015-05-22 20:37:40 +02:00
|
|
|
pub := priv.PublicKey()
|
|
|
|
|
|
|
|
data := []byte("sign me")
|
|
|
|
sig, err := priv.Sign(rand.Reader, data)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("Sign(%T): %v", priv, err)
|
|
|
|
}
|
|
|
|
|
2015-09-30 03:21:17 +02:00
|
|
|
if !pub.Verify(data, sig) {
|
|
|
|
t.Errorf("publicKey.Verify(%T) failed", priv)
|
2015-05-22 20:37:40 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestParseRSAPrivateKey(t *testing.T) {
|
2015-09-30 03:21:17 +02:00
|
|
|
key, err := ParsePrivateKey([]byte(testServerPrivateKey))
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("ParsePrivateKey: %v", err)
|
|
|
|
}
|
2015-05-22 20:37:40 +02:00
|
|
|
|
2015-09-30 03:21:17 +02:00
|
|
|
rsa, ok := key.(*rsaPrivateKey)
|
2015-05-22 20:37:40 +02:00
|
|
|
if !ok {
|
|
|
|
t.Fatalf("got %T, want *rsa.PrivateKey", rsa)
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := rsa.Validate(); err != nil {
|
|
|
|
t.Errorf("Validate: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestParseECPrivateKey(t *testing.T) {
|
2015-09-30 03:21:17 +02:00
|
|
|
// Taken from the data in test/ .
|
|
|
|
pem := []byte(`-----BEGIN EC PRIVATE KEY-----
|
|
|
|
MHcCAQEEINGWx0zo6fhJ/0EAfrPzVFyFC9s18lBt3cRoEDhS3ARooAoGCCqGSM49
|
|
|
|
AwEHoUQDQgAEi9Hdw6KvZcWxfg2IDhA7UkpDtzzt6ZqJXSsFdLd+Kx4S3Sx4cVO+
|
|
|
|
6/ZOXRnPmNAlLUqjShUsUBBngG0u2fqEqA==
|
|
|
|
-----END EC PRIVATE KEY-----`)
|
|
|
|
|
|
|
|
key, err := ParsePrivateKey(pem)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("ParsePrivateKey: %v", err)
|
|
|
|
}
|
2015-05-22 20:37:40 +02:00
|
|
|
|
2015-09-30 03:21:17 +02:00
|
|
|
ecKey, ok := key.(*ecdsaPrivateKey)
|
2015-05-22 20:37:40 +02:00
|
|
|
if !ok {
|
2015-09-30 03:21:17 +02:00
|
|
|
t.Fatalf("got %T, want *ecdsaPrivateKey", ecKey)
|
2015-05-22 20:37:40 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
if !validateECPublicKey(ecKey.Curve, ecKey.X, ecKey.Y) {
|
|
|
|
t.Fatalf("public key does not validate.")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-09-30 03:21:17 +02:00
|
|
|
// ssh-keygen -t dsa -f /tmp/idsa.pem
|
|
|
|
var dsaPEM = `-----BEGIN DSA PRIVATE KEY-----
|
|
|
|
MIIBuwIBAAKBgQD6PDSEyXiI9jfNs97WuM46MSDCYlOqWw80ajN16AohtBncs1YB
|
|
|
|
lHk//dQOvCYOsYaE+gNix2jtoRjwXhDsc25/IqQbU1ahb7mB8/rsaILRGIbA5WH3
|
|
|
|
EgFtJmXFovDz3if6F6TzvhFpHgJRmLYVR8cqsezL3hEZOvvs2iH7MorkxwIVAJHD
|
|
|
|
nD82+lxh2fb4PMsIiaXudAsBAoGAQRf7Q/iaPRn43ZquUhd6WwvirqUj+tkIu6eV
|
|
|
|
2nZWYmXLlqFQKEy4Tejl7Wkyzr2OSYvbXLzo7TNxLKoWor6ips0phYPPMyXld14r
|
|
|
|
juhT24CrhOzuLMhDduMDi032wDIZG4Y+K7ElU8Oufn8Sj5Wge8r6ANmmVgmFfynr
|
|
|
|
FhdYCngCgYEA3ucGJ93/Mx4q4eKRDxcWD3QzWyqpbRVRRV1Vmih9Ha/qC994nJFz
|
|
|
|
DQIdjxDIT2Rk2AGzMqFEB68Zc3O+Wcsmz5eWWzEwFxaTwOGWTyDqsDRLm3fD+QYj
|
|
|
|
nOwuxb0Kce+gWI8voWcqC9cyRm09jGzu2Ab3Bhtpg8JJ8L7gS3MRZK4CFEx4UAfY
|
|
|
|
Fmsr0W6fHB9nhS4/UXM8
|
|
|
|
-----END DSA PRIVATE KEY-----`
|
|
|
|
|
2015-05-22 20:37:40 +02:00
|
|
|
func TestParseDSA(t *testing.T) {
|
2015-09-30 03:21:17 +02:00
|
|
|
s, err := ParsePrivateKey([]byte(dsaPEM))
|
2015-05-22 20:37:40 +02:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("ParsePrivateKey returned error: %s", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
data := []byte("sign me")
|
|
|
|
sig, err := s.Sign(rand.Reader, data)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("dsa.Sign: %v", err)
|
|
|
|
}
|
|
|
|
|
2015-09-30 03:21:17 +02:00
|
|
|
if !s.PublicKey().Verify(data, sig) {
|
|
|
|
t.Error("Verify failed.")
|
2015-05-22 20:37:40 +02:00
|
|
|
}
|
|
|
|
}
|