opemssh 0.1.1

Pass a key from the PEM format to the OpenSSH format
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116

extern crate yasna;
extern crate base64;
extern crate num;
extern crate byteorder;

const RSA_ENCRYPTION: [u64; 7] = [1, 2, 840, 113549, 1, 1, 1];
const SSH_RSA_TEXT: &str = "ssh-rsa";

use std::io::{Read, BufRead};
use std::io::{self, BufReader};
use num::bigint::{BigInt, Sign};
use base64::{decode, encode, DecodeError};
use yasna::{parse_der, ASN1Error};
use yasna::models::ObjectIdentifier;
use byteorder::BigEndian;
use byteorder::WriteBytesExt;

#[derive(Debug)]
pub enum Error {
    IoError(io::Error),
    DecodeError(DecodeError),
    ASN1Error(ASN1Error),
    InvalidSshaRsa,
}

#[derive(Debug)]
struct PublicDer {
    object_identifier: ObjectIdentifier,
    exponent: BigInt,
    modulus: BigInt,
}

// TODO: check header name
pub fn pem_to_der<R: Read>(pem: &mut R) -> Result<Vec<u8>, Error> {
    let buff = BufReader::new(pem);
    let mut pem = String::new();

    for line in buff.lines() {
        let line = line.map_err(Error::IoError)?;
        if !line.starts_with('-') {
            pem.extend(line.chars());
        }
    }

    Ok(decode(&pem).map_err(Error::DecodeError)?)
}

pub fn der_to_openssh(der: &[u8]) -> Result<String, Error> {
    let public_der = parse_der(der, |reader| {
        reader.read_sequence(|reader| {
            let oid = reader.next().read_sequence(|reader| {
                let oid = reader.next().read_oid()?;
                let _ = reader.next().read_null()?;
                Ok(oid)
            })?;

            let bs = reader.next().read_bitvec()?.to_bytes();
            let (n, e) = parse_der(&bs, |reader| {
                reader.read_sequence(|reader| {
                    let n = reader.next().read_bigint()?;
                    let e = reader.next().read_bigint()?;
                    Ok((n, e))
                })
            })?;

            Ok(PublicDer {
                object_identifier: oid,
                exponent: e,
                modulus: n,
            })
        })
    }).map_err(Error::ASN1Error)?;

    let iod = public_der.object_identifier.components().as_slice();
    if iod != RSA_ENCRYPTION {
        return Err(Error::InvalidSshaRsa);
    }

    // TODO: compute capacity
    let mut openssh_key = Vec::new();

    // write the size of the 'ssh-rsa' text
    let ssh_rsa_text_len = SSH_RSA_TEXT.len() as u32;
    openssh_key.write_u32::<BigEndian>(ssh_rsa_text_len).map_err(Error::IoError)?;
    // write the 'ssh-rsa' text itself
    openssh_key.extend_from_slice(SSH_RSA_TEXT.as_bytes());

    // write the size of the exponent
    let exp_bits_size = (public_der.exponent.bits() / 8 + 1) as u32;
    openssh_key.write_u32::<BigEndian>(exp_bits_size).map_err(Error::IoError)?;
    let (sign, mut bytes) = public_der.exponent.to_bytes_be();
    // add a byte to toggle the sign bit
    if bytes.len() < exp_bits_size as usize {
        bytes.insert(0, 0);
    }
    bytes[0] |= if sign == Sign::Minus { 0b1000_0000 } else { 0 };
    // write the exponent itself (with sign bit)
    openssh_key.extend_from_slice(&bytes);

    // write the size of the modulus
    let mod_bits_size = (public_der.modulus.bits() / 8 + 1) as u32;
    openssh_key.write_u32::<BigEndian>(mod_bits_size).map_err(Error::IoError)?;

    let (sign, mut bytes) = public_der.modulus.to_bytes_be();
    // add a byte to toggle the sign bit
    if bytes.len() < mod_bits_size as usize {
        bytes.insert(0, 0);
    }
    bytes[0] |= if sign == Sign::Minus { 0b1000_0000 } else { 0 };
    // write the modulus itself (with sign bit)
    openssh_key.extend_from_slice(&bytes);

    let mut openssh_key = encode(&openssh_key);
    openssh_key.insert_str(0, "ssh-rsa ");
    Ok(openssh_key)
}