Overview
Comment: | Better handling for unapproved apps and dealing with non-RSA signing attempts |
---|---|
SHA1: | d756b0ea343b5ea0663716ad63b57d8e3d4a772d |
User & Date: | rkeene on 2019-01-31 13:25:45 |
Context
2019-01-31
13:29 | Ensure externally connectable IDs are present check-in: e04736eb53 user: rkeene tags: trunk | |
13:25 | Better handling for unapproved apps and dealing with non-RSA signing attempts check-in: d756b0ea34 user: rkeene tags: trunk | |
07:23 | Improved SSH agent check-in: 43f92f8f98 user: rkeene tags: trunk | |
Changes
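--- a/build/chrome/ssh-agent.js
+++ b/build/chrome/ssh-agent.js
@@ -1,13 +1,14 @@
 /*
 * CACKey SSH Agent for ChromeOS
 */
 
 cackeySSHAgentApprovedApps = [
-"pnhechapfaindjhompbnflcldabbghjo"
+"pnhechapfaindjhompbnflcldabbghjo",
+"okddffdblfhhnmhodogpojmfkjmhinfp"
 ];
 
 /*
 * SSH Element Encoding/Decoding
 */
 function cackeySSHAgentEncodeInt(uint32) {
 var result;
@@ -180,14 +181,15 @@
 default:
 console.log("[cackeySSH] Unsupported public key type:", publicKey.type, "-- ignoring.");
 }
 
 if (resultKey) {
 result = {
 id: certObj.getSubjectString(),
+type: publicKey.type,
 key: resultKey
 };
 }
 
 return(result);
 }
 
@@ -230,15 +232,15 @@
 });
 
 return(response);
 }
 
 async function cackeySSHAgentCommandSignRequest(request) {
 var keyInfo, data, flags;
-var certs, certToUse;
+var certs, certToUse, certToUseType;
 var hashMethod, signedData, signedDataHeader, signRequest;
 var response;
 var flagMeaning = {
 SSH_AGENT_RSA_SHA2_256: 2,
 SSH_AGENT_RSA_SHA2_512: 4
 };
 
@@ -276,14 +278,15 @@
 certs.forEach(function(cert) {
 var key;
 
 key = cackeySSHAgentEncodeCertToKeyAndID(cert.certificate);
 
 if (key.key.join() == keyInfo.join()) {
 certToUse = cert;
+certToUseType = key.type;
 }
 });
 
 /*
 * If no certificate is found, return an error
 */
 if (!certToUse) {
@@ -291,27 +294,53 @@
 
 return(null);
 }
 
 /*
 * Perform hashing of the data as specified by the flags
 */
-if ((flags & flagMeaning.SSH_AGENT_RSA_SHA2_512) == flagMeaning.SSH_AGENT_RSA_SHA2_512) {
-hashMethod = "SHA512";
-data = await crypto.subtle.digest("SHA-512", new Uint8Array(data));
-} else if ((flags & flagMeaning.SSH_AGENT_RSA_SHA2_256) == flagMeaning.SSH_AGENT_RSA_SHA2_256) {
-hashMethod = "SHA256";
-data = await crypto.subtle.digest("SHA-256", new Uint8Array(data));
-} else if (flags == 0) {
-hashMethod = "SHA1";
-data = await crypto.subtle.digest("SHA-1", new Uint8Array(data));
-} else {
-console.info("[cackeySSH] Sign request with flags set to", flags, "which is unsupported, failing the request.");
-
-return(null);
+switch (certToUseType) {
+case "RSA":
+if ((flags & flagMeaning.SSH_AGENT_RSA_SHA2_512) == flagMeaning.SSH_AGENT_RSA_SHA2_512) {
+hashMethod = "SHA512";
+data = await crypto.subtle.digest("SHA-512", new Uint8Array(data));
+} else if ((flags & flagMeaning.SSH_AGENT_RSA_SHA2_256) == flagMeaning.SSH_AGENT_RSA_SHA2_256) {
+hashMethod = "SHA256";
+data = await crypto.subtle.digest("SHA-256", new Uint8Array(data));
+} else if (flags == 0) {
+hashMethod = "SHA1";
+data = await crypto.subtle.digest("SHA-1", new Uint8Array(data));
+} else {
+console.info("[cackeySSH] Sign request with flags set to", flags, "which is unsupported, failing the request.");
+
+return(null);
+}
+
+switch (hashMethod) {
+case "SHA1":
+signedDataHeader = cackeySSHAgentEncodeString("ssh-rsa");
+break;
+case "SHA256":
+signedDataHeader = cackeySSHAgentEncodeString("rsa-sha2-256");
+break;
+case "SHA512":
+signedDataHeader = cackeySSHAgentEncodeString("rsa-sha2-512");
+break;
+default:
+console.info("[cackeySSH] Unsupported hashing method for RSA:", hashMethod, "failing the request.");
+
+return(null);
+break;
+}
+break;
+default:
+console.info("[cackeySSH] Unsupported public key type:", certToUseType, "failing the request.");
+
+return(null);
+break;
 }
 
 /*
 * Sign the data
 */
 signRequest = {
 hash: hashMethod,
@@ -319,28 +348,14 @@
 };
 signedData = await cackeySignMessage(signRequest);
 signedData = Array.from(new Uint8Array(signedData));
 
 /*
 * Encode signature
 */
-switch (hashMethod) {
-case "SHA1":
-signedDataHeader = cackeySSHAgentEncodeString("ssh-rsa");
-break;
-case "SHA256":
-signedDataHeader = cackeySSHAgentEncodeString("rsa-sha2-256");
-break;
-case "SHA512":
-signedDataHeader = cackeySSHAgentEncodeString("rsa-sha2-512");
-break;
-default:
-signedDataHeader = [];
-break;
-}
 signedData = signedDataHeader.concat(cackeySSHAgentEncodeLV(signedData));
 
 /*
 * Encode response
 */
 response = [];
 
@@ -413,17 +428,15 @@
 return;
 }
 
 /*
 * Only accept connections from approved apps
 */
 if (!socket.sender || !socket.sender.id || !cackeySSHAgentApprovedApps.includes(socket.sender.id)) {
-console.log("[cackeySSH] Disconnecting unapproved app: ", socket.sender);
-
-socket.disconnect();
+console.log("[cackeySSH] Ignoring unapproved app: ", socket.sender);
 
 return;
 }
 
 console.log("[cackeySSH] Accepted connection from: ", socket.sender.id);
 socket.onMessage.addListener(function(request) {
 cackeySSHAgentHandleMessage(socket, request);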
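Review bot: The `certs.forEach` callback in `cackeySSHAgentCommandSignRequest` still dereferences `key.key` without checking that `cackeySSHAgentEncodeCertToKeyAndID` returned anything. That helper only assigns `result` when `resultKey` is set, so a certificate with an unsupported key type appears to come back empty (the initial value of `result` is outside the visible hunk). If so, the comparison throws before the new `switch (certToUseType)` runs, and its `default:` branch never sees the non-RSA case it is meant to reject. Guarding the match with `if (key && key.key.join() == keyInfo.join()) {` keeps the lookup going past such certificates and lets the request fail through the existing `!certToUse` path. Both functions start and end outside the visible hunks.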