Index: build/chrome/ssh-agent.js ================================================================== --- build/chrome/ssh-agent.js +++ build/chrome/ssh-agent.js @@ -1,11 +1,12 @@ /* * CACKey SSH Agent for ChromeOS */ cackeySSHAgentApprovedApps = [ - "pnhechapfaindjhompbnflcldabbghjo" + "pnhechapfaindjhompbnflcldabbghjo", + "okddffdblfhhnmhodogpojmfkjmhinfp" ]; /* * SSH Element Encoding/Decoding */ @@ -182,10 +183,11 @@ } if (resultKey) { result = { id: certObj.getSubjectString(), + type: publicKey.type, key: resultKey }; } return(result); @@ -232,11 +234,11 @@ return(response); } async function cackeySSHAgentCommandSignRequest(request) { var keyInfo, data, flags; - var certs, certToUse; + var certs, certToUse, certToUseType; var hashMethod, signedData, signedDataHeader, signRequest; var response; var flagMeaning = { SSH_AGENT_RSA_SHA2_256: 2, SSH_AGENT_RSA_SHA2_512: 4 @@ -278,10 +280,11 @@ key = cackeySSHAgentEncodeCertToKeyAndID(cert.certificate); if (key.key.join() == keyInfo.join()) { certToUse = cert; + certToUseType = key.type; } }); /* * If no certificate is found, return an error 
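Review bot: The second entry added to cackeySSHAgentApprovedApps is a bare extension ID with nothing saying which application it belongs to, and since this array is the only gate on which extensions may drive the agent's private-key operations, every ID in it should be labelled. Add a trailing comment to each entry, e.g. `"okddffdblfhhnmhodogpojmfkjmhinfp", // <app name and release channel>` (presumably a second build of the same terminal client as the first ID — confirm and name it). That way a future reviewer can tell a legitimate addition from a stray or mistyped ID without looking it up in the Web Store.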
@@ -293,23 +296,49 @@ } /* * Perform hashing of the data as specified by the flags */ - if ((flags & flagMeaning.SSH_AGENT_RSA_SHA2_512) == flagMeaning.SSH_AGENT_RSA_SHA2_512) { - hashMethod = "SHA512"; - data = await crypto.subtle.digest("SHA-512", new Uint8Array(data)); - } else if ((flags & flagMeaning.SSH_AGENT_RSA_SHA2_256) == flagMeaning.SSH_AGENT_RSA_SHA2_256) { - hashMethod = "SHA256"; - data = await crypto.subtle.digest("SHA-256", new Uint8Array(data)); - } else if (flags == 0) { - hashMethod = "SHA1"; - data = await crypto.subtle.digest("SHA-1", new Uint8Array(data)); - } else { - console.info("[cackeySSH] Sign request with flags set to", flags, "which is unsupported, failing the request."); - - return(null); + switch (certToUseType) { + case "RSA": + if ((flags & flagMeaning.SSH_AGENT_RSA_SHA2_512) == flagMeaning.SSH_AGENT_RSA_SHA2_512) { + hashMethod = "SHA512"; + data = await crypto.subtle.digest("SHA-512", new Uint8Array(data)); + } else if ((flags & flagMeaning.SSH_AGENT_RSA_SHA2_256) == flagMeaning.SSH_AGENT_RSA_SHA2_256) { + hashMethod = "SHA256"; + data = await crypto.subtle.digest("SHA-256", new Uint8Array(data)); + } else if (flags == 0) { + hashMethod = "SHA1"; + data = await crypto.subtle.digest("SHA-1", new Uint8Array(data)); + } else { + console.info("[cackeySSH] Sign request with flags set to", flags, "which is unsupported, failing the request."); + + return(null); + } + + switch (hashMethod) { + case "SHA1": + signedDataHeader = cackeySSHAgentEncodeString("ssh-rsa"); + break; + case "SHA256": + signedDataHeader = cackeySSHAgentEncodeString("rsa-sha2-256"); + break; + case "SHA512": + signedDataHeader = cackeySSHAgentEncodeString("rsa-sha2-512"); + break; + default: + console.info("[cackeySSH] Unsupported hashing method for RSA:", hashMethod, "failing the request."); + + return(null); + break; + } + break; + default: + console.info("[cackeySSH] Unsupported public key type:", certToUseType, "failing the request."); + + return(null); + break; 
} /* * Sign the data */ @@ -321,24 +350,10 @@ signedData = Array.from(new Uint8Array(signedData)); /* * Encode signature */ - switch (hashMethod) { - case "SHA1": - signedDataHeader = cackeySSHAgentEncodeString("ssh-rsa"); - break; - case "SHA256": - signedDataHeader = cackeySSHAgentEncodeString("rsa-sha2-256"); - break; - case "SHA512": - signedDataHeader = cackeySSHAgentEncodeString("rsa-sha2-512"); - break; - default: - signedDataHeader = []; - break; - } signedData = signedDataHeader.concat(cackeySSHAgentEncodeLV(signedData)); /* * Encode response */ @@ -415,13 +430,11 @@ /* * Only accept connections from approved apps */ if (!socket.sender || !socket.sender.id || !cackeySSHAgentApprovedApps.includes(socket.sender.id)) { - console.log("[cackeySSH] Disconnecting unapproved app: ", socket.sender); - - socket.disconnect(); + console.log("[cackeySSH] Ignoring unapproved app: ", socket.sender); return; } console.log("[cackeySSH] Accepted connection from: ", socket.sender.id);
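Review bot: The `flags == 0` path in the new `case "RSA":` still yields an `ssh-rsa` (SHA-1) signature, and nothing in the switch says this is the agent-protocol default that the client selects by omitting the SHA-2 flags rather than a choice made here; a comment such as `/* flags == 0 is the protocol default: ssh-rsa over SHA-1; current clients request rsa-sha2-* via flags */` would keep a later cleanup from silently dropping it or, conversely, from treating it as the safe default. Failing closed on any `certToUseType` other than the literal `"RSA"` is the right direction, but the value originates as `publicKey.type` in a helper outside this hunk, so confirm it really is the string `"RSA"` for the card's keys or every sign request will now return null. The `break;` after each `return(null);` and the `default:` of the inner `switch (hashMethod)` appear unreachable, since every non-returning branch above assigns hashMethod; dropping them would make the failure paths easier to read. cackeySSHAgentCommandSignRequest starts before this hunk and its signing step continues after it.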
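Review bot: Returning without `socket.disconnect()` leaves an unapproved extension's port open instead of closing it, and because this path attaches no message handler the rejected sender presumably gets silence rather than a closed port; whether that is intended cannot be told from the diff. If the disconnect was dropped on purpose (for instance because closing an external port misbehaved for the caller), say so in a comment at the return, e.g. `/* Deliberately left connected: messages from unapproved senders are never handled */`; otherwise restoring `socket.disconnect();` before the `return;` keeps the rejection explicit. The allowlist check itself is unchanged and keyed on the browser-supplied `socket.sender.id`, which is the right value to compare against. The connection handler that contains this block begins before the hunk.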