Check-in [d756b0ea34]
Overview
Comment:Better handling for unapproved apps and dealing with non-RSA signing attempts
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA1:d756b0ea343b5ea0663716ad63b57d8e3d4a772d
User & Date: rkeene on 2019-01-31 13:25:45
Other Links: manifest | tags
Context
2019-01-31
13:29
Ensure externally connectable IDs are present check-in: e04736eb53 user: rkeene tags: trunk
13:25
Better handling for unapproved apps and dealing with non-RSA signing attempts check-in: d756b0ea34 user: rkeene tags: trunk
07:23
Improved SSH agent check-in: 43f92f8f98 user: rkeene tags: trunk
Changes

Modified build/chrome/ssh-agent.js from [f8ff078c88] to [2a1297f569].

     1      1   /*
     2      2    * CACKey SSH Agent for ChromeOS
     3      3    */
     4      4   
     5      5   cackeySSHAgentApprovedApps = [
     6         -	"pnhechapfaindjhompbnflcldabbghjo"
            6  +	"pnhechapfaindjhompbnflcldabbghjo",
            7  +	"okddffdblfhhnmhodogpojmfkjmhinfp"
     7      8   ];
     8      9   
     9     10   /*
    10     11    * SSH Element Encoding/Decoding
    11     12    */
    12     13   function cackeySSHAgentEncodeInt(uint32) {
    13     14   	var result;
................................................................................
   180    181   		default:
   181    182   			console.log("[cackeySSH] Unsupported public key type:", publicKey.type, "-- ignoring.");
   182    183   	}
   183    184   
   184    185   	if (resultKey) {
   185    186   		result = {
   186    187   			id: certObj.getSubjectString(),
          188  +			type: publicKey.type,
   187    189   			key: resultKey
   188    190   		};
   189    191   	}
   190    192   
   191    193   	return(result);
   192    194   }
   193    195   
................................................................................
   230    232   	});
   231    233   
   232    234   	return(response);
   233    235   }
   234    236   
   235    237   async function cackeySSHAgentCommandSignRequest(request) {
   236    238   	var keyInfo, data, flags;
   237         -	var certs, certToUse;
          239  +	var certs, certToUse, certToUseType;
   238    240   	var hashMethod, signedData, signedDataHeader, signRequest;
   239    241   	var response;
   240    242   	var flagMeaning = {
   241    243   		SSH_AGENT_RSA_SHA2_256: 2,
   242    244   		SSH_AGENT_RSA_SHA2_512: 4
   243    245   	};
   244    246   
................................................................................
   276    278   	certs.forEach(function(cert) {
   277    279   		var key;
   278    280   
   279    281   		key = cackeySSHAgentEncodeCertToKeyAndID(cert.certificate);
   280    282   
   281    283   		if (key.key.join() == keyInfo.join()) {
   282    284   			certToUse = cert;
          285  +			certToUseType = key.type;
   283    286   		}
   284    287   	});
   285    288   
   286    289   	/*
   287    290   	 * If no certificate is found, return an error
   288    291   	 */
   289    292   	if (!certToUse) {
................................................................................
   291    294   
   292    295   		return(null);
   293    296   	}
   294    297   
   295    298   	/*
   296    299   	 * Perform hashing of the data as specified by the flags
   297    300   	 */
   298         -	if ((flags & flagMeaning.SSH_AGENT_RSA_SHA2_512) == flagMeaning.SSH_AGENT_RSA_SHA2_512) {
   299         -		hashMethod = "SHA512";
   300         -		data = await crypto.subtle.digest("SHA-512", new Uint8Array(data));
   301         -	} else if ((flags & flagMeaning.SSH_AGENT_RSA_SHA2_256) == flagMeaning.SSH_AGENT_RSA_SHA2_256) {
   302         -		hashMethod = "SHA256";
   303         -		data = await crypto.subtle.digest("SHA-256", new Uint8Array(data));
   304         -	} else if (flags == 0) {
   305         -		hashMethod = "SHA1";
   306         -		data = await crypto.subtle.digest("SHA-1", new Uint8Array(data));
   307         -	} else {
   308         -		console.info("[cackeySSH] Sign request with flags set to", flags, "which is unsupported, failing the request.");
   309         -
   310         -		return(null);
          301  +	switch (certToUseType) {
          302  +		case "RSA":
          303  +			if ((flags & flagMeaning.SSH_AGENT_RSA_SHA2_512) == flagMeaning.SSH_AGENT_RSA_SHA2_512) {
          304  +				hashMethod = "SHA512";
          305  +				data = await crypto.subtle.digest("SHA-512", new Uint8Array(data));
          306  +			} else if ((flags & flagMeaning.SSH_AGENT_RSA_SHA2_256) == flagMeaning.SSH_AGENT_RSA_SHA2_256) {
          307  +				hashMethod = "SHA256";
          308  +				data = await crypto.subtle.digest("SHA-256", new Uint8Array(data));
          309  +			} else if (flags == 0) {
          310  +				hashMethod = "SHA1";
          311  +				data = await crypto.subtle.digest("SHA-1", new Uint8Array(data));
          312  +			} else {
          313  +				console.info("[cackeySSH] Sign request with flags set to", flags, "which is unsupported, failing the request.");
          314  +
          315  +				return(null);
          316  +			}
          317  +
          318  +			switch (hashMethod) {
          319  +				case "SHA1":
          320  +					signedDataHeader = cackeySSHAgentEncodeString("ssh-rsa");
          321  +					break;
          322  +				case "SHA256":
          323  +					signedDataHeader = cackeySSHAgentEncodeString("rsa-sha2-256");
          324  +					break;
          325  +				case "SHA512":
          326  +					signedDataHeader = cackeySSHAgentEncodeString("rsa-sha2-512");
          327  +					break;
          328  +				default:
          329  +					console.info("[cackeySSH] Unsupported hashing method for RSA:", hashMethod, "failing the request.");
          330  +
          331  +					return(null);
          332  +					break;
          333  +			}
          334  +			break;
          335  +		default:
          336  +			console.info("[cackeySSH] Unsupported public key type:", certToUseType, "failing the request.");
          337  +
          338  +			return(null);
          339  +			break;
   311    340   	}
   312    341   
   313    342   	/*
   314    343   	 * Sign the data
   315    344   	 */
   316    345   	signRequest = {
   317    346   		hash: hashMethod,
................................................................................
   319    348   	};
   320    349   	signedData = await cackeySignMessage(signRequest);
   321    350   	signedData = Array.from(new Uint8Array(signedData));
   322    351   
   323    352   	/*
   324    353   	 * Encode signature
   325    354   	 */
   326         -	switch (hashMethod) {
   327         -		case "SHA1":
   328         -			signedDataHeader = cackeySSHAgentEncodeString("ssh-rsa");
   329         -			break;
   330         -		case "SHA256":
   331         -			signedDataHeader = cackeySSHAgentEncodeString("rsa-sha2-256");
   332         -			break;
   333         -		case "SHA512":
   334         -			signedDataHeader = cackeySSHAgentEncodeString("rsa-sha2-512");
   335         -			break;
   336         -		default:
   337         -			signedDataHeader = [];
   338         -			break;
   339         -	}
   340    355   	signedData = signedDataHeader.concat(cackeySSHAgentEncodeLV(signedData));
   341    356   
   342    357   	/*
   343    358   	 * Encode response
   344    359   	 */
   345    360   	response = [];
   346    361   
................................................................................
   413    428   		return;
   414    429   	}
   415    430   
   416    431   	/*
   417    432   	 * Only accept connections from approved apps
   418    433   	 */
   419    434   	if (!socket.sender || !socket.sender.id || !cackeySSHAgentApprovedApps.includes(socket.sender.id)) {
   420         -		console.log("[cackeySSH] Disconnecting unapproved app: ", socket.sender);
   421         -
   422         -		socket.disconnect();
          435  +		console.log("[cackeySSH] Ignoring unapproved app: ", socket.sender);
   423    436   
   424    437   		return;
   425    438   	}
   426    439   
   427    440   	console.log("[cackeySSH] Accepted connection from: ", socket.sender.id);
   428    441   	socket.onMessage.addListener(function(request) {
   429    442   		cackeySSHAgentHandleMessage(socket, request);