TritonDataCenter#10 add support for rsa-sha2-256 signatures

Alex Wilson · Alex Wilson · commit f6d36e7b9ddb · 2017-04-13T01:19:38.000Z
Reviewed by: Brittany Wald &lt;brittany.wald@joyent.com&gt;
Approved by: Brittany Wald &lt;brittany.wald@joyent.com&gt;
diff --git a/lib/client.js b/lib/client.js
@@ -125,7 +125,7 @@ Client.prototype.sign = function (key, data, opts, cb) {
 		type: 'sign-request',
 		publicKey: key.toBuffer('rfc4253'),
 		data: data,
-		flags: []
+		flags: ['rsa-sha2-256']
 	};
 	var resps = ['failure', 'sign-response'];
 
@@ -146,25 +146,28 @@ Client.prototype.sign = function (key, data, opts, cb) {
 			    key.type, 'ssh');
 
 			/* Emulate the openssh hash algorithm choice */
-			switch (key.type) {
-			case 'rsa':
-			case 'dsa':
-				sig.hashAlgorithm = 'sha1';
-				break;
-			case 'ecdsa':
-				if (key.size <= 256)
-					sig.hashAlgorithm = 'sha256';
-				else if (key.size <= 384)
-					sig.hashAlgorithm = 'sha384';
-				else
+			if (typeof (sig.hashAlgorithm) !== 'string') {
+				switch (key.type) {
+				case 'rsa':
+				case 'dsa':
+					sig.hashAlgorithm = 'sha1';
+					break;
+				case 'ecdsa':
+					if (key.size <= 256)
+						sig.hashAlgorithm = 'sha256';
+					else if (key.size <= 384)
+						sig.hashAlgorithm = 'sha384';
+					else
+						sig.hashAlgorithm = 'sha512';
+					break;
+				case 'ed25519':
 					sig.hashAlgorithm = 'sha512';
-				break;
-			case 'ed25519':
-				sig.hashAlgorithm = 'sha512';
-				break;
-			default:
-				/* what */
-				break;
+					break;
+				default:
+					throw (new Error('Failed to ' +
+					    'determine hash algorithm in use ' +
+					    'with key type ' + key.type));
+				}
 			}
 		} catch (e) {
 			var err2 = new AgentProtocolError(resp,
diff --git a/lib/protocol.js b/lib/protocol.js
@@ -66,6 +66,10 @@ var SignReqFlags = {
 		var x = 0x0;
 		if (v.indexOf('old-signature') !== -1)
 			x |= 0x01;
+		if (v.indexOf('rsa-sha2-256') !== -1)
+			x |= 0x02;
+		if (v.indexOf('rsa-sha2-512') !== -1)
+			x |= 0x04;
 		return (U32.encode(x, buf, offset));
 	},
 	decodeSize: U32.decodeSize,
@@ -74,6 +78,10 @@ var SignReqFlags = {
 		var v = [];
 		if ((r.value & 0x01) === 0x01)
 			v.push('old-signature');
+		if ((r.value & 0x02) === 0x02)
+			v.push('rsa-sha2-256');
+		if ((r.value & 0x04) === 0x04)
+			v.push('rsa-sha2-512');
 		r.value = v;
 		return (r);
 	}
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "sshpk-agent",
-  "version": "1.4.2",
+  "version": "1.5.0",
   "description": "ssh-agent client for use with sshpk",
   "main": "lib/index.js",
   "scripts": {
@@ -29,7 +29,7 @@
     "assert-plus": "^1.0.0",
     "mooremachine": "^2.0.1",
     "readable-stream": "^2.1.4",
-    "sshpk": ">=1.9.1 < 1.11.0"
+    "sshpk": ">=1.13.0 < 1.14.0"
   },
   "devDependencies": {
     "tape": "^3.5.0",
diff --git a/test/basic.test.js b/test/basic.test.js
@@ -46,6 +46,11 @@ test('agent setup', function (t) {
 	});
 });
 
+var ver = Agent.getVersion();
+if (!ver.zero()) {
+	console.log('using OpenSSH version ' + ver);
+}
+
 test('Client takes path to socket in constructor', function (t) {
 	var c = new sshpkAgent.Client({
 		socketPath: agent.env['SSH_AUTH_SOCK']
@@ -221,9 +226,14 @@ test('Client can sign data with an rsa key', function (t) {
 			t.ok(sig);
 			t.ok(sig instanceof sshpk.Signature);
 
-			t.strictEqual(sig.hashAlgorithm, 'sha1');
+			t.notStrictEqual(sig.hashAlgorithm, undefined);
+			if (ver.gte(7, 0, 1)) {
+				t.strictEqual(sig.hashAlgorithm, 'sha256');
+			} else {
+				t.strictEqual(sig.hashAlgorithm, 'sha1');
+			}
 
-			var v = key.createVerify('sha1');
+			var v = key.createVerify(sig.hashAlgorithm);
 			v.update('foobar');
 			t.ok(v.verify(sig));
 
@@ -246,9 +256,9 @@ test('Client can sign data with an ecdsa key', function (t) {
 			t.ok(sig);
 			t.ok(sig instanceof sshpk.Signature);
 
-			t.strictEqual(sig.hashAlgorithm, 'sha384');
+			t.notStrictEqual(sig.hashAlgorithm, undefined);
 
-			var v = key.createVerify('sha384');
+			var v = key.createVerify(sig.hashAlgorithm);
 			v.update('foobar');
 			t.ok(v.verify(sig));
 
@@ -258,13 +268,8 @@ test('Client can sign data with an ecdsa key', function (t) {
 });
 
 var usedEd = false;
-var ver = Agent.getVersion();
-if (ver === undefined)
-	ver = [0, 0, 0];
-else
-	console.log('using OpenSSH version %d.%dp%d', ver[0], ver[1], ver[2]);
 
-if (ver >= [6, 5, 1]) {
+if (ver.gte(6, 5, 1)) {
 	usedEd = true;
 	test('Client can sign data with an ed25519 key', function (t) {
 		var c = new sshpkAgent.Client();
@@ -282,9 +287,11 @@ if (ver >= [6, 5, 1]) {
 					t.ok(sig);
 					t.ok(sig instanceof sshpk.Signature);
 
-					t.strictEqual(sig.hashAlgorithm, 'sha512');
+					t.notStrictEqual(sig.hashAlgorithm,
+					    undefined);
 
-					var v = key.createVerify('sha512');
+					var v = key.createVerify(
+					    sig.hashAlgorithm);
 					v.update('foobar');
 					t.ok(v.verify(sig));
 
@@ -314,9 +321,9 @@ test('Client can sign data with a dsa key', function (t) {
 				t.ok(sig);
 				t.ok(sig instanceof sshpk.Signature);
 
-				t.strictEqual(sig.hashAlgorithm, 'sha1');
+				t.notStrictEqual(sig.hashAlgorithm, undefined);
 
-				var v = key.createVerify('sha1');
+				var v = key.createVerify(sig.hashAlgorithm);
 				v.update('foobar');
 				t.ok(v.verify(sig));
 
diff --git a/test/key-mgmt.test.js b/test/key-mgmt.test.js
@@ -125,6 +125,11 @@ test('Client can add an RSA certificate', function (t) {
 	});
 });
 
+var ver = Agent.getVersion();
+if (!ver.zero()) {
+	console.log('using OpenSSH version ' + ver);
+}
+
 test('Client can add an ECDSA certificate', function (t) {
 	var pem = fs.readFileSync(path.join(testDir, 'id_ecdsa'));
 	var pk = sshpk.parsePrivateKey(pem, 'pem', 'test/id_ecdsa');
@@ -152,13 +157,7 @@ test('Client can add an ECDSA certificate', function (t) {
 	});
 });
 
-var ver = Agent.getVersion();
-if (ver === undefined)
-	ver = [0, 0, 0];
-else
-	console.log('using OpenSSH version %d.%dp%d', ver[0], ver[1], ver[2]);
-
-if (ver >= [6, 5, 1]) {
+if (ver.gte(6, 5, 1)) {
 	test('Client can add an ED25519 certificate', function (t) {
 		var pem = fs.readFileSync(path.join(testDir, 'id_ed25519'));
 		var pk = sshpk.parsePrivateKey(pem, 'pem', 'test/id_ed25519');
diff --git a/test/ssh-agent-ctl.js b/test/ssh-agent-ctl.js
@@ -18,6 +18,29 @@ function Agent(opts) {
 }
 util.inherits(Agent, EventEmitter);
 
+function SSHVersion(maj, min, patch) {
+    this.major = maj;
+    this.minor = min;
+    this.patch = patch;
+}
+SSHVersion.prototype.gte = function (maj, min, patch) {
+    var v;
+    if (maj instanceof SSHVersion)
+        v = maj;
+    else
+        v = new SSHVersion(maj, min, patch);
+
+    return (this.major > v.major ||
+        (this.major == v.major && (this.minor > v.minor ||
+        (this.minor == v.minor && this.patch >= v.patch))));
+};
+SSHVersion.prototype.zero = function () {
+    return (this.major == 0 && this.minor == 0 && this.patch == 0);
+};
+SSHVersion.prototype.toString = function () {
+    return (this.major + '.' + this.minor + 'p' + this.patch);
+};
+
 Agent.getVersion = function () {
     if (typeof (spawnSync) !== 'function')
         return (undefined);
@@ -29,9 +52,10 @@ Agent.getVersion = function () {
     var m = out.trim().match(/^OpenSSH_([0-9]+)\.([0-9]+)p([0-9]+)[, ]|$/);
     if (!m) {
         console.error('ssh -V: %s', out);
-        return (undefined);
+        return (new SSHVersion(0, 0, 0));
     }
-    return ([parseInt(m[1], 10), parseInt(m[2], 10), parseInt(m[3], 10)]);
+    return (new SSHVersion(parseInt(m[1], 10), parseInt(m[2], 10),
+        parseInt(m[3], 10)));
 };
 
 Agent.prototype.open = function () {
