Comment: | Added support for x509v3-ssh-rsa and x509v3-sign-rsa to agent |
SHA1: |
648368d41d22147a0a1d77ff4ceb6df7 |
User & Date: | rkeene on 2019-01-31 15:04:33 |
Changes
Modified build/chrome/ssh-agent.js from [2a1297f569] to [d4659c8b69].
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | /* * CACKey SSH Agent for ChromeOS */ cackeySSHAgentApprovedApps = [ "pnhechapfaindjhompbnflcldabbghjo", "okddffdblfhhnmhodogpojmfkjmhinfp" ]; /* * SSH Element Encoding/Decoding */ function cackeySSHAgentEncodeInt(uint32) { var result; | > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 | /* * CACKey SSH Agent for ChromeOS */ cackeySSHAgentApprovedApps = [ "pnhechapfaindjhompbnflcldabbghjo", "okddffdblfhhnmhodogpojmfkjmhinfp" ]; /* * XXX:TODO: Expose UI for this */ cackeySSHAgentFeatures = { enabled: true, includeKeys: true, includeCerts: true, legacy: false }; /* * Feature support checking */ function cackeySSHAgentGetSSHKeyTypes() { var types = []; if (cackeySSHAgentFeatures.includeKeys) { types.push("ssh"); } if (cackeySSHAgentFeatures.includeCerts) { types.push("x509v3-ssh"); if (cackeySSHAgentFeatures.legacy) { types.push("x509v3-sign"); } } return(types); } async function cackeySSHAgentGetCertificates() { var certs; if (!cackeySSHAgentFeatures.enabled) { return([]); } certs = await cackeyListCertificates(); return(certs); } /* * SSH Element Encoding/Decoding */ function cackeySSHAgentEncodeInt(uint32) { var result; |
︙ | ︙ | |||
46 47 48 49 50 51 52 | while (bigInt) { result.push(bigInt & 0xff); bigInt = bigInt >> 8; } result.reverse(); break; case "object": | < | < < | 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 | while (bigInt) { result.push(bigInt & 0xff); bigInt = bigInt >> 8; } result.reverse(); break; case "object": result = Array.from(new Uint8Array(bigInt.toByteArray())); break; } result = cackeySSHAgentEncodeLV(result); return(result); } |
︙ | ︙ | |||
84 85 86 87 88 89 90 91 92 93 94 95 96 97 | result = input.slice(0, info.value); return({ value: result, output: input.slice(info.value) }); } function cackeySSHAgentEncodeToUTF8Array(str) { var utf8 = []; if (typeof(str) === "string") { str = str.split("").map(function(c) { return(c.charCodeAt(0)); | > > > > > > > > > > > | 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 | result = input.slice(0, info.value); return({ value: result, output: input.slice(info.value) }); } function cackeySSHAgentEncodeArray(input) { var result; result = cackeySSHAgentEncodeInt(input.length); input.forEach(function(element) { result = result.concat(element); }); return(result); } function cackeySSHAgentEncodeToUTF8Array(str) { var utf8 = []; if (typeof(str) === "string") { str = str.split("").map(function(c) { return(c.charCodeAt(0)); |
︙ | ︙ | |||
154 155 156 157 158 159 160 | buffer = buffer.join(""); break; } return(buffer); } | | | > > | > > | | | | | | | | > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | > | > | | | | | | > | 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 | buffer = buffer.join(""); break; } return(buffer); } function cackeySSHAgentEncodeCertToKeyAndID(cert, keyType) { var result = null, resultKey = null; var certObj, certBytes; var publicKey; certObj = new X509; if (!certObj) { return(result); } certBytes = Array.from(new Uint8Array(cert)); certObj.readCertHex(cackeySSHAgentEncodeBinaryToHex(certBytes)); publicKey = certObj.getPublicKey(); switch (keyType) { case "ssh": switch (publicKey.type) { case "RSA": resultKey = cackeySSHAgentEncodeString("ssh-rsa"); resultKey = resultKey.concat(cackeySSHAgentEncodeBigInt(publicKey.e)); resultKey = resultKey.concat(cackeySSHAgentEncodeBigInt(publicKey.n)); break; default: console.log("[cackeySSH] Unsupported public key type:", keyType, "/", publicKey.type, "-- ignoring."); break; } break; case "x509v3-sign": resultKey = certBytes; break; case "x509v3-ssh": switch (publicKey.type) { case "RSA": resultKey = cackeySSHAgentEncodeString("x509v3-ssh-rsa"); /* * Array of certificates */ resultKey = resultKey.concat(cackeySSHAgentEncodeArray([ cackeySSHAgentEncodeLV(certBytes) ])); /* * Array of OCSP responses */ resultKey = resultKey.concat(cackeySSHAgentEncodeArray([])); break; default: console.log("[cackeySSH] Unsupported public key type:", keyType, "/", publicKey.type, "-- ignoring."); break; } break; default: console.log("[cackeySSH] Unsupported 
SSH key type:", keyType, "-- ignoring."); break; } if (resultKey) { result = { id: certObj.getSubjectString(), publicKeyType: publicKey.type, sshKeyType: keyType, key: resultKey }; } return(result); } /* * Command Handlers */ async function cackeySSHAgentCommandRequestIdentity(request) { var response; var certs = []; var keys = []; /* * Get a list of certificates */ certs = await cackeySSHAgentGetCertificates(); /* * Convert each certificate to an SSH key blob */ cackeySSHAgentGetSSHKeyTypes().forEach(function(sshKeyType) { certs.forEach(function(cert) { var key; key = cackeySSHAgentEncodeCertToKeyAndID(cert.certificate, sshKeyType); if (key) { keys.push(key); } }); }); /* * Encode response */ response = []; |
︙ | ︙ | |||
269 270 271 272 273 274 275 | flags = cackeySSHAgentDecodeInt(request); request = flags.output; flags = flags.value; /* * Find the certificate that matches the requested key */ | | > | | | | | | | > | 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 | flags = cackeySSHAgentDecodeInt(request); request = flags.output; flags = flags.value; /* * Find the certificate that matches the requested key */ certs = await cackeySSHAgentGetCertificates(); certToUse = null; cackeySSHAgentGetSSHKeyTypes().forEach(function(sshKeyType) { certs.forEach(function(cert) { var key; key = cackeySSHAgentEncodeCertToKeyAndID(cert.certificate, sshKeyType); if (key.key.join() == keyInfo.join()) { certToUse = cert; certToUseType = key.publicKeyType; } }); }); /* * If no certificate is found, return an error */ if (!certToUse) { console.info("[cackeySSH] Unable to find a certificate to match the requested key:", keyInfo); |
︙ | ︙ |
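Review bot: In the sign-request hunk (new side around lines 366–375) `key = cackeySSHAgentEncodeCertToKeyAndID(cert.certificate, sshKeyType)` is immediately dereferenced as `key.key.join()`, but that function returns `null` whenever the certificate's public key type is not RSA (the `default:` branches of its inner switches), so one non-RSA certificate on the token throws a TypeError inside the forEach and aborts the whole sign request instead of just skipping that certificate. The identity-request handler in the previous hunk already guards this with `if (key) { ... }`; the sign path should do the same, e.g. `if (!key) { return; }` as the first statement of the inner callback (a `return` there skips only that certificate). The match itself, `if (key.key.join() == keyInfo.join())`, compares two strings and would read cleaner as `===` with identical behaviour. Separately, in cackeySSHAgentEncodeCertToKeyAndID `new X509` can never produce a falsy value, so `if (!certObj) { return(result); }` is dead; if the intent is to tolerate a certificate that cannot be parsed, that protection would have to come from handling a throw out of `readCertHex`/`getPublicKey` instead. The enclosing sign-request function starts and ends outside this hunk.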