anvil-ssh 1.1.0

Pure-Rust SSH stack for Git tooling: transport, keys, signing, agent. Foundation library extracted from Spacecraft-Software/Gitway.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380

// SPDX-License-Identifier: GPL-3.0-or-later
// Rust guideline compliant 2026-04-21
//! SSHSIG (OpenSSH file-signature) sign/verify.
//!
//! Implements the wire format documented in [`PROTOCOL.sshsig`]: a
//! PEM-armored blob bracketed by `-----BEGIN SSH SIGNATURE-----` /
//! `-----END SSH SIGNATURE-----` carrying an algorithm, namespace, and
//! the signed digest.
//!
//! This is the same format git consumes when `gpg.format = ssh`, and what
//! `ssh-keygen -Y sign` / `ssh-keygen -Y verify` emit and accept.
//!
//! # Examples
//!
//! ```no_run
//! use std::io::Cursor;
//! use anvil_ssh::keygen::{generate, KeyType};
//! use anvil_ssh::sshsig::{sign, check_novalidate};
//! use ssh_key::HashAlg;
//!
//! let key = generate(KeyType::Ed25519, None, "me@host").unwrap();
//! let mut msg = Cursor::new(b"hello world");
//! let armored = sign(&mut msg, &key, "git", HashAlg::Sha512).unwrap();
//!
//! let mut verify_msg = Cursor::new(b"hello world");
//! check_novalidate(&mut verify_msg, &armored, "git").unwrap();
//! ```
//!
//! [`PROTOCOL.sshsig`]: https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.sshsig

use std::io::Read;

use ssh_key::{HashAlg, LineEnding, PrivateKey, PublicKey, SshSig};

use crate::agent::client::Agent;
use crate::allowed_signers::AllowedSigners;
use crate::AnvilError;

// ── Public types ──────────────────────────────────────────────────────────────

/// Result of a successful [`verify`] call.
#[derive(Debug, Clone)]
pub struct Verified {
    /// A principal pattern from the allowed-signers file that matched the
    /// signer identity.
    pub principal: String,
    /// The fingerprint of the signing public key, in `SHA256:<base64>` form.
    pub fingerprint: String,
}

// ── Sign ──────────────────────────────────────────────────────────────────────

/// Signs the bytes read from `data` using `key` under `namespace`, returning
/// the PEM-armored signature string ready to write to stdout or a file.
///
/// The armored output begins with `-----BEGIN SSH SIGNATURE-----` and ends
/// with `-----END SSH SIGNATURE-----\n` — byte-compatible with
/// `ssh-keygen -Y sign`.
///
/// # Errors
///
/// Returns [`AnvilError::signing`] on I/O or cryptographic failure. If `key`
/// is encrypted, decrypt it before calling this function.
pub fn sign<R: Read>(
    data: &mut R,
    key: &PrivateKey,
    namespace: &str,
    hash: HashAlg,
) -> Result<String, AnvilError> {
    let mut buf = Vec::new();
    data.read_to_end(&mut buf)?;
    let sig = SshSig::sign(key, namespace, hash, &buf)
        .map_err(|e| AnvilError::signing(format!("sshsig sign failed: {e}")))?;
    sig.to_pem(LineEnding::LF)
        .map_err(|e| AnvilError::signing(format!("sshsig armor failed: {e}")))
}

/// Signs via an SSH agent, producing the same armored SSHSIG string as
/// [`sign`] but without ever reading the private-key material.
///
/// Computes the SSHSIG inner blob (`SshSig::signed_data`), hands it to
/// `agent.sign(public_key, ...)`, then wraps the returned raw signature
/// into an `SshSig` and PEM-armors it.  End-to-end indistinguishable
/// from the direct-read path — `ssh-keygen -Y verify` accepts both.
///
/// # Errors
///
/// Returns [`AnvilError::signing`] on agent or cryptographic failure.
/// If the agent does not hold the matching private key, the error comes
/// from the agent side and callers typically want to fall back to the
/// [`sign`] path.
pub fn sign_with_agent<R: Read>(
    data: &mut R,
    agent: &mut Agent,
    public_key: &PublicKey,
    namespace: &str,
    hash: HashAlg,
) -> Result<String, AnvilError> {
    let mut buf = Vec::new();
    data.read_to_end(&mut buf)?;
    let signed_blob = SshSig::signed_data(namespace, hash, &buf)
        .map_err(|e| AnvilError::signing(format!("sshsig signed_data failed: {e}")))?;
    let signature = agent.sign(public_key, &signed_blob)?;
    let sig = SshSig::new(public_key.key_data().clone(), namespace, hash, signature)
        .map_err(|e| AnvilError::signing(format!("sshsig wrap failed: {e}")))?;
    sig.to_pem(LineEnding::LF)
        .map_err(|e| AnvilError::signing(format!("sshsig armor failed: {e}")))
}

// ── Verify ────────────────────────────────────────────────────────────────────

/// Verifies that `armored_sig` is a valid SSHSIG over the bytes read from
/// `data`, in `namespace`, and that `allowed` authorizes `signer_identity`
/// to sign with the embedded public key.
///
/// This is the full `ssh-keygen -Y verify` equivalent: three independent
/// checks — cryptographic signature, namespace match, and principal
/// authorization.
///
/// # Errors
///
/// Returns [`AnvilError::signature_invalid`] on any failed check.
pub fn verify<R: Read>(
    data: &mut R,
    armored_sig: &str,
    signer_identity: &str,
    namespace: &str,
    allowed: &AllowedSigners,
) -> Result<Verified, AnvilError> {
    let sig = SshSig::from_pem(armored_sig)
        .map_err(|e| AnvilError::signature_invalid(format!("malformed signature: {e}")))?;

    if sig.namespace() != namespace {
        return Err(AnvilError::signature_invalid(format!(
            "namespace mismatch: signature is {:?}, expected {namespace:?}",
            sig.namespace()
        )));
    }

    let mut buf = Vec::new();
    data.read_to_end(&mut buf)?;

    let public_key = PublicKey::from(sig.public_key().clone());
    public_key
        .verify(namespace, &buf, &sig)
        .map_err(|e| AnvilError::signature_invalid(format!("cryptographic check failed: {e}")))?;

    if !allowed.is_authorized(signer_identity, &public_key, namespace) {
        return Err(AnvilError::signature_invalid(format!(
            "signer {signer_identity:?} is not authorized for namespace {namespace:?} \
             with key {}",
            public_key.fingerprint(HashAlg::Sha256)
        )));
    }

    Ok(Verified {
        principal: signer_identity.to_owned(),
        fingerprint: public_key.fingerprint(HashAlg::Sha256).to_string(),
    })
}

// ── Check only (no allowed-signers) ───────────────────────────────────────────

/// Verifies the cryptographic signature and namespace, but not the signer
/// identity. This matches `ssh-keygen -Y check-novalidate`.
///
/// # Errors
///
/// Returns [`AnvilError::signature_invalid`] on malformed armor, namespace
/// mismatch, or failed cryptographic check.
pub fn check_novalidate<R: Read>(
    data: &mut R,
    armored_sig: &str,
    namespace: &str,
) -> Result<(), AnvilError> {
    let sig = SshSig::from_pem(armored_sig)
        .map_err(|e| AnvilError::signature_invalid(format!("malformed signature: {e}")))?;

    if sig.namespace() != namespace {
        return Err(AnvilError::signature_invalid(format!(
            "namespace mismatch: signature is {:?}, expected {namespace:?}",
            sig.namespace()
        )));
    }

    let mut buf = Vec::new();
    data.read_to_end(&mut buf)?;

    let public_key = PublicKey::from(sig.public_key().clone());
    public_key
        .verify(namespace, &buf, &sig)
        .map_err(|e| AnvilError::signature_invalid(format!("cryptographic check failed: {e}")))?;

    Ok(())
}

// ── find-principals ───────────────────────────────────────────────────────────

/// Returns the principals in `allowed` that are authorized to sign with the
/// public key embedded in `armored_sig` under `namespace`.
///
/// Matches `ssh-keygen -Y find-principals` — it does not verify the
/// signature, only reads the embedded public key.
///
/// # Errors
///
/// Returns [`AnvilError::signature_invalid`] if `armored_sig` is malformed.
pub fn find_principals(
    armored_sig: &str,
    allowed: &AllowedSigners,
    namespace: &str,
) -> Result<Vec<String>, AnvilError> {
    let sig = SshSig::from_pem(armored_sig)
        .map_err(|e| AnvilError::signature_invalid(format!("malformed signature: {e}")))?;
    let public_key = PublicKey::from(sig.public_key().clone());
    Ok(allowed
        .find_principals(&public_key, namespace)
        .iter()
        .map(|s| (*s).to_owned())
        .collect())
}

/// Returns every principal in `allowed` whose entry's public key matches
/// the one embedded in `armored_sig`, ignoring per-entry namespace
/// restrictions.
///
/// Mirrors upstream `ssh-keygen -Y find-principals -s <sig> -f <allowed>`,
/// which git invokes without `-n` during commit verification. Use
/// [`find_principals`] when the caller has a namespace and wants to honor
/// per-entry `namespaces="..."` restrictions.
///
/// # Errors
///
/// Returns [`AnvilError::signature_invalid`] if `armored_sig` is malformed.
pub fn find_principals_any_ns(
    armored_sig: &str,
    allowed: &AllowedSigners,
) -> Result<Vec<String>, AnvilError> {
    let sig = SshSig::from_pem(armored_sig)
        .map_err(|e| AnvilError::signature_invalid(format!("malformed signature: {e}")))?;
    let public_key = PublicKey::from(sig.public_key().clone());
    Ok(allowed
        .find_principals_any_ns(&public_key)
        .iter()
        .map(|s| (*s).to_owned())
        .collect())
}

// ── Tests ─────────────────────────────────────────────────────────────────────

#[cfg(test)]
mod tests {
    use super::*;
    use std::io::Cursor;

    use crate::keygen::{generate, KeyType};

    fn roundtrip(kind: KeyType, hash: HashAlg) {
        let key = generate(kind, None, "sign@test").unwrap();
        let payload = b"the quick brown fox jumps over the lazy dog";
        let armored = sign(&mut Cursor::new(payload), &key, "git", hash).unwrap();
        assert!(armored.contains("BEGIN SSH SIGNATURE"));

        // Namespace match, correct payload.
        check_novalidate(&mut Cursor::new(payload), &armored, "git").unwrap();

        // Wrong namespace rejected.
        let err = check_novalidate(&mut Cursor::new(payload), &armored, "file").unwrap_err();
        assert!(err.to_string().contains("namespace"));

        // Tampered payload rejected.
        let err = check_novalidate(&mut Cursor::new(b"tampered"), &armored, "git").unwrap_err();
        assert!(err.to_string().contains("cryptographic"));
    }

    #[test]
    fn ed25519_sign_verify_roundtrip() {
        roundtrip(KeyType::Ed25519, HashAlg::Sha512);
    }

    #[test]
    fn ecdsa_p256_sign_verify_roundtrip() {
        roundtrip(KeyType::EcdsaP256, HashAlg::Sha512);
    }

    // RSA SSHSIG signing via `ssh-key` 0.6.7 fails with an opaque
    // `cryptographic error`. Ed25519 and ECDSA are the dominant choices
    // for git SSH signing in 2026, and `ssh-keygen -Y sign` itself
    // recommends Ed25519. Keep the test skeleton for a future fix.
    #[test]
    #[ignore = "RSA SSHSIG path not yet wired up in ssh-key 0.6.7"]
    fn rsa_sign_verify_roundtrip() {
        let key = generate(KeyType::Rsa, Some(2048), "rsa-sign@test").unwrap();
        let payload = b"hello rsa";
        let armored = sign(&mut Cursor::new(payload), &key, "git", HashAlg::Sha512).unwrap();
        check_novalidate(&mut Cursor::new(payload), &armored, "git").unwrap();
    }

    #[test]
    fn verify_against_allowed_signers_success() {
        let key = generate(KeyType::Ed25519, None, "alice@test").unwrap();
        let pubkey_line = key.public_key().to_openssh().unwrap();
        let allowed_text = format!("alice@example.com {pubkey_line}");
        let allowed = AllowedSigners::parse(&allowed_text).unwrap();

        let payload = b"signed content";
        let armored = sign(&mut Cursor::new(payload), &key, "git", HashAlg::Sha512).unwrap();

        let verified = verify(
            &mut Cursor::new(payload),
            &armored,
            "alice@example.com",
            "git",
            &allowed,
        )
        .unwrap();
        assert_eq!(verified.principal, "alice@example.com");
        assert!(verified.fingerprint.starts_with("SHA256:"));
    }

    #[test]
    fn verify_against_allowed_signers_rejects_unknown_identity() {
        let key = generate(KeyType::Ed25519, None, "bob@test").unwrap();
        let pubkey_line = key.public_key().to_openssh().unwrap();
        let allowed_text = format!("alice@example.com {pubkey_line}");
        let allowed = AllowedSigners::parse(&allowed_text).unwrap();

        let payload = b"signed content";
        let armored = sign(&mut Cursor::new(payload), &key, "git", HashAlg::Sha512).unwrap();

        let err = verify(
            &mut Cursor::new(payload),
            &armored,
            "mallory@example.com",
            "git",
            &allowed,
        )
        .unwrap_err();
        assert!(err.to_string().contains("not authorized"));
    }

    #[test]
    fn find_principals_returns_matching_entries() {
        let key = generate(KeyType::Ed25519, None, "carol@test").unwrap();
        let pubkey_line = key.public_key().to_openssh().unwrap();
        let allowed_text = format!("carol@example.com,dave@example.com {pubkey_line}");
        let allowed = AllowedSigners::parse(&allowed_text).unwrap();

        let armored = sign(&mut Cursor::new(b"x"), &key, "git", HashAlg::Sha512).unwrap();
        let principals = find_principals(&armored, &allowed, "git").unwrap();
        assert!(principals.iter().any(|p| p == "carol@example.com"));
        assert!(principals.iter().any(|p| p == "dave@example.com"));
    }

    #[test]
    fn find_principals_any_ns_ignores_namespace_restriction() {
        // Entry restricts itself to namespaces="signing", but the signature
        // is over namespace "git". Namespace-aware lookup must skip the
        // entry; the any-ns lookup must still return its principals.
        let key = generate(KeyType::Ed25519, None, "erin@test").unwrap();
        let pubkey_line = key.public_key().to_openssh().unwrap();
        let allowed_text =
            format!("erin@example.com namespaces=\"signing\" {pubkey_line}");
        let allowed = AllowedSigners::parse(&allowed_text).unwrap();

        let armored = sign(&mut Cursor::new(b"x"), &key, "git", HashAlg::Sha512).unwrap();

        let strict = find_principals(&armored, &allowed, "git").unwrap();
        assert!(
            strict.is_empty(),
            "namespace-aware lookup must skip entries restricted to a different namespace, got {strict:?}"
        );

        let any = find_principals_any_ns(&armored, &allowed).unwrap();
        assert!(
            any.iter().any(|p| p == "erin@example.com"),
            "any-ns lookup must return the principal regardless of namespace restriction, got {any:?}"
        );
    }
}