On 25/04/2020 at 02:58, Loïc wrote : > Add private key protection information extraction to shh-keygen using -v > option on top of -y option which is already parsing the private key. > > Technically, the passphrase isn't necessary to do this, but it is the > most logical thing to do for me. > > Adding this to -l option is not appropriate because fingerprinting is > using the .pub file when available. > > An other idea is to add a new option, I can do it if you prefer. > > Also, I'm laking information for information extraction from PEM and > PKCS8 file format, I'm OK to have a pointer to implement this correctly. > > This patch is also adding a regression test for the functionnality. > > --- > > authfile.c | 16 ++-- > authfile.h | 7 +- > regress/Makefile | 3 +- > regress/keygen-private-information.sh | 81 +++++++++++++++++++++ > ssh-keygen.c | 44 +++++++---- > ssh-keysign.c | 2 +- > sshconnect2.c | 2 +- > sshd.c | 2 +- > sshkey.c | 101 +++++++++++++++++++++++--- > sshkey.h | 14 +++- > 10 files changed, 234 insertions(+), 38 deletions(-) > create mode 100644 regress/keygen-private-information.sh > In since I discovered the -Z option, I'm adding here a regression test for this option, the patch below applies on top on the upper one I'm replying to. Hope it is useful.
---
 regress/keygen-private-information.sh | 82 ++++++++++++++++-----------
 1 file changed, 50 insertions(+), 32 deletions(-)
diff --git a/regress/keygen-private-information.sh b/regress/keygen-private-information.sh
index a9959e919fd1..ddf74eb95c3c 100644
--- a/regress/keygen-private-information.sh
+++ b/regress/keygen-private-information.sh
@@ -7,7 +7,8 @@ check_private_key () {
 format="$2"
 comment="$3"
 secret="$4"
- rounds="$5"
+ cipher="$5"
+ rounds="$6"
 # construct expected output in $exp file
 exp=$OBJ/$t-expected
@@ -25,7 +26,7 @@ EOF
 echo "no passphrase" >> $exp
 else
 cat >> $exp << EOF
-cipher: aes256-ctr
+cipher: $cipher
 kdf: bcrypt
 rounds: $rounds
 EOF
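Review bot: `cipher="$5"` and the renumbered `rounds="$6"` are plain assignments, so unless they are declared local outside this hunk they write the same global `cipher` and `rounds` that the caller's `for cipher` and `for rounds` loops iterate over. That is harmless only while the caller passes its own loop values back in; names that say what they hold, `exp_cipher="$5"` and `exp_rounds="$6"` (with the matching references in the here-document of the next hunk), would keep the expected values apart from the loop state. Because inserting `cipher` moved `rounds` from `$5` to `$6`, a comment above the function such as `# args: keyfile format comment secret cipher rounds` would also help. The function's header and the rest of its body are outside the hunk, so the name used for `$1` here is a guess.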
@@ -44,37 +45,54 @@ EOF
 rm -f $OBJ/$t-pub $OBJ/$t-tmp $exp
 }
-for fmt in '' PKCS8 PEM ; do
+for fmt in '' RFC4716 PKCS8 PEM ; do
 for secret in '' 'secret1'; do
- rounds_list="0"
- test -n "$secret" -a -z "$fmt" && rounds_list="2 16"
- for rounds in $rounds_list; do
- for t in $SSH_KEYTYPES; do
- trace "generating $t key in '$fmt' format with '$secret' passphrase and '$rounds' rounds"
- rm -f $OBJ/$t-key*
- oldfmt=""
- case "$fmt" in
- PKCS8|PEM) oldfmt=1 ;;
- esac
- # Some key types like ssh-ed25519 and *@openssh.com are never
- # stored in old formats.
- case "$t" in
- ssh-ed25519|*openssh.com) test -z "$oldfmt" || continue ;;
- esac
- comment="foo bar"
- fmtarg=""
- test -z "$fmt" || fmtarg="-m $fmt"
- test "$rounds" = "0" || roundarg="-a $rounds"
- ${SSHKEYGEN} $fmtarg $roundarg -N "${secret}" -C "${comment}" \
- -t $t -f $OBJ/$t-key >/dev/null 2>&1 || \
- fatal "keygen of $t in format $fmt failed"
- rm -f $OBJ/$t-key.pub # .pub file not used, remove it to be sure it is not used
- if [ ! -z "$oldfmt" ] ; then
- # Comment cannot be recovered from old format keys.
- comment=""
- fi
- check_private_key $OBJ/$t-key "${fmt}" "${comment}" "${secret}" "${rounds}"
- rm -f $OBJ/$t-key*
+ cipher_list="default"
+ test -n "$secret" -a -z "$fmt" && cipher_list=`${SSH} -Q cipher`
+ for cipher in $cipher_list; do
+ rounds_list="default"
+ test -n "$secret" -a -z "$fmt" && rounds_list="2 16"
+ for rounds in $rounds_list; do
+ for t in $SSH_KEYTYPES; do
+ trace "generating $t key in '$fmt' format with '$secret' passphrase, '$cipher' cipher and '$rounds' rounds"
+ rm -f $OBJ/$t-key*
+ oldfmt=""
+ case "$fmt" in
+ PKCS8|PEM) oldfmt=1 ;;
+ esac
+ # Some key types like ssh-ed25519 and *@openssh.com are never
+ # stored in old formats.
+ case "$t" in
+ ssh-ed25519|*openssh.com) test -z "$oldfmt" || continue ;;
+ esac
+ comment="foo bar"
+ fmtarg=""
+ test -z "$fmt" || fmtarg="-m $fmt"
+ if test "$rounds" = "default" ; then
+ rounds=16;
+ roundarg=""
+ else
+ roundarg="-a $rounds";
+ fi
+ if test "$cipher" = "default" ; then
+ cipher="aes256-ctr" ;
+ cipherarg=""
+ else
+ cipherarg="-Z $cipher";
+ fi
+ ${SSHKEYGEN} $fmtarg $cipherarg $roundarg \
+ -N "${secret}" -C "${comment}" \
+ -t $t -f $OBJ/$t-key >/dev/null 2>&1 || \
+ fatal "keygen of $t in format $fmt failed"
+ rm -f $OBJ/$t-key.pub # .pub file not used, remove it to be sure it is not used
+ if [ ! -z "$oldfmt" ] ; then
+ # Comment cannot be recovered from old format keys.
+ comment=""
+ fi
+ check_private_key $OBJ/$t-key "${fmt}" "${comment}" \
+ "${secret}" "${cipher}" "${rounds}"
+ rm -f $OBJ/$t-key*
+ done
 done
 done
 done
--
2.17.1
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
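Review bot: Inside the innermost `for t` loop, `rounds=16` and `cipher="aes256-ctr"` overwrite the loop variables of the two enclosing loops, so the `default` branches run only for the first key type that reaches them; every later type takes the `else` branch and is generated with explicit `-a 16` and `-Z aes256-ctr`. The no-option path, which is what checks the cipher and KDF rounds ssh-keygen picks by itself for a passphrase-protected key, is therefore covered for one key type only, and the trace line reports the overwritten values. Iterating over separate names and deriving the expected values from them, as sketched below, keeps each iteration independent even if `check_private_key` assigns `cipher` and `rounds` itself. Separately, if `${SSH} -Q cipher` prints nothing the cipher loop runs zero times and the encrypted-key cases pass vacuously; a guard such as `test -n "$cipher_list" || fatal "no ciphers from ssh -Q cipher"` would catch that.

```shell
	for cipher_opt in $cipher_list; do
		# … unchanged: rounds_list setup …
		for rounds_opt in $rounds_list; do
			for t in $SSH_KEYTYPES; do
				trace "generating $t key in '$fmt' format with '$secret' passphrase, '$cipher_opt' cipher and '$rounds_opt' rounds"
				# … unchanged: cleanup, oldfmt / key-type filtering, comment and fmtarg …
				if test "$rounds_opt" = "default" ; then
					rounds=16
					roundarg=""
				else
					rounds=$rounds_opt
					roundarg="-a $rounds_opt"
				fi
				if test "$cipher_opt" = "default" ; then
					cipher="aes256-ctr"
					cipherarg=""
				else
					cipher=$cipher_opt
					cipherarg="-Z $cipher_opt"
				fi
				# … unchanged: ssh-keygen call, check_private_key, cleanup, closing done lines …
```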