Index: build/chrome/ssh-agent.js ================================================================== --- build/chrome/ssh-agent.js +++ build/chrome/ssh-agent.js @@ -4,10 +4,53 @@ cackeySSHAgentApprovedApps = [ "pnhechapfaindjhompbnflcldabbghjo", "okddffdblfhhnmhodogpojmfkjmhinfp" ]; + +/* + * XXX:TODO: Expose UI for this + */ +cackeySSHAgentFeatures = { + enabled: true, + includeKeys: true, + includeCerts: true, + legacy: false +}; + +/* + * Feature support checking + */ +function cackeySSHAgentGetSSHKeyTypes() { + var types = []; + + if (cackeySSHAgentFeatures.includeKeys) { + types.push("ssh"); + } + + if (cackeySSHAgentFeatures.includeCerts) { + types.push("x509v3-ssh"); + + if (cackeySSHAgentFeatures.legacy) { + types.push("x509v3-sign"); + } + } + + return(types); +} + +async function cackeySSHAgentGetCertificates() { + var certs; + + if (!cackeySSHAgentFeatures.enabled) { + return([]); + } + + certs = await cackeyListCertificates(); + + return(certs); +} /* * SSH Element Encoding/Decoding */ function cackeySSHAgentEncodeInt(uint32) { @@ -48,14 +91,11 @@ bigInt = bigInt >> 8; } result.reverse(); break; case "object": - result = []; - new Uint8Array(bigInt.toByteArray()).forEach(function(e) { - result.push(e); - }); + result = Array.from(new Uint8Array(bigInt.toByteArray())); break; } result = cackeySSHAgentEncodeLV(result); @@ -86,10 +126,21 @@ return({ value: result, output: input.slice(info.value) }); } + +function cackeySSHAgentEncodeArray(input) { + var result; + + result = cackeySSHAgentEncodeInt(input.length); + input.forEach(function(element) { + result = result.concat(element); + }); + + return(result); +} function cackeySSHAgentEncodeToUTF8Array(str) { var utf8 = []; if (typeof(str) === "string") { @@ -156,38 +207,74 @@ } return(buffer); } -function cackeySSHAgentEncodeCertToKeyAndID(cert) { +function cackeySSHAgentEncodeCertToKeyAndID(cert, keyType) { var result = null, resultKey = null; - var certObj; + var certObj, certBytes; var publicKey; certObj = new X509; if (!certObj) { return(result); } - certObj.readCertHex(cackeySSHAgentEncodeBinaryToHex(cert)); + certBytes = Array.from(new Uint8Array(cert)); + + certObj.readCertHex(cackeySSHAgentEncodeBinaryToHex(certBytes)); publicKey = certObj.getPublicKey(); - switch (publicKey.type) { - case "RSA": - resultKey = cackeySSHAgentEncodeString("ssh-rsa"); - resultKey = resultKey.concat(cackeySSHAgentEncodeBigInt(publicKey.e)); - resultKey = resultKey.concat(cackeySSHAgentEncodeBigInt(publicKey.n)); + switch (keyType) { + case "ssh": + switch (publicKey.type) { + case "RSA": + resultKey = cackeySSHAgentEncodeString("ssh-rsa"); + resultKey = resultKey.concat(cackeySSHAgentEncodeBigInt(publicKey.e)); + resultKey = resultKey.concat(cackeySSHAgentEncodeBigInt(publicKey.n)); + break; + default: + console.log("[cackeySSH] Unsupported public key type:", keyType, "/", publicKey.type, "-- ignoring."); + break; + } + break; + case "x509v3-sign": + resultKey = certBytes; + break; + case "x509v3-ssh": + switch (publicKey.type) { + case "RSA": + resultKey = cackeySSHAgentEncodeString("x509v3-ssh-rsa"); + + /* + * Array of certificates + */ + resultKey = resultKey.concat(cackeySSHAgentEncodeArray([ + cackeySSHAgentEncodeLV(certBytes) + ])); + + /* + * Array of OCSP responses + */ + resultKey = resultKey.concat(cackeySSHAgentEncodeArray([])); + break; + default: + console.log("[cackeySSH] Unsupported public key type:", keyType, "/", publicKey.type, "-- ignoring."); + break; + } break; default: - console.log("[cackeySSH] Unsupported public key type:", publicKey.type, "-- ignoring."); + console.log("[cackeySSH] Unsupported SSH key type:", keyType, "-- ignoring."); + break; } if (resultKey) { result = { id: certObj.getSubjectString(), - type: publicKey.type, + publicKeyType: publicKey.type, + sshKeyType: keyType, key: resultKey }; } return(result); @@ -202,23 +289,25 @@ var keys = []; /* * Get a list of certificates */ - certs = await cackeyListCertificates(); + certs = await cackeySSHAgentGetCertificates(); /* * Convert each certificate to an SSH key blob */ - certs.forEach(function(cert) { - var key; - - key = cackeySSHAgentEncodeCertToKeyAndID(cert.certificate); - - if (key) { - keys.push(key); - } + cackeySSHAgentGetSSHKeyTypes().forEach(function(sshKeyType) { + certs.forEach(function(cert) { + var key; + + key = cackeySSHAgentEncodeCertToKeyAndID(cert.certificate, sshKeyType); + + if (key) { + keys.push(key); + } + }); }); /* * Encode response */ @@ -271,21 +360,23 @@ flags = flags.value; /* * Find the certificate that matches the requested key */ - certs = await cackeyListCertificates(); + certs = await cackeySSHAgentGetCertificates(); certToUse = null; - certs.forEach(function(cert) { - var key; - - key = cackeySSHAgentEncodeCertToKeyAndID(cert.certificate); - - if (key.key.join() == keyInfo.join()) { - certToUse = cert; - certToUseType = key.type; - } + cackeySSHAgentGetSSHKeyTypes().forEach(function(sshKeyType) { + certs.forEach(function(cert) { + var key; + + key = cackeySSHAgentEncodeCertToKeyAndID(cert.certificate, sshKeyType); + + if (key.key.join() == keyInfo.join()) { + certToUse = cert; + certToUseType = key.publicKeyType; + } + }); }); /* * If no certificate is found, return an error */