1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
use crate::ssh::{CurveKind, PrivateKey, PrivateKeyKind, PublicKeyKind};
use crate::utils::signature_convert_asn1_ecdsa_to_ssh;
use ring::{rand, signature};
pub fn create_signer(privkey: PrivateKey) -> Box<dyn Fn(&[u8]) -> Option<Vec<u8>> + Send + Sync> {
Box::new(move |buf: &[u8]| {
ssh_cert_signer(buf, &privkey)
})
}
impl Into<Box<dyn Fn(&[u8]) -> Option<Vec<u8>> + Send + Sync>> for PrivateKey {
fn into(self) -> Box<dyn Fn(&[u8]) -> Option<Vec<u8>> + Send + Sync> {
Box::new(move |buf: &[u8]| {
ssh_cert_signer(buf, &self)
})
}
}
pub fn ssh_cert_signer(buf: &[u8], privkey: &PrivateKey) -> Option<Vec<u8>> {
let rng = rand::SystemRandom::new();
let (signature, sig_type) = match &privkey.kind {
#[cfg(feature = "rsa-signing")]
PrivateKeyKind::Rsa(key) => {
let asn_privkey = match simple_asn1::der_encode(key) {
Ok(apk) => apk,
Err(_) => return None,
};
let keypair = match signature::RsaKeyPair::from_der(&asn_privkey) {
Ok(kp) => kp,
Err(_) => return None,
};
let rng = rand::SystemRandom::new();
let mut signature = vec![0; keypair.public_modulus_len()];
if let Err(_) = keypair.sign(&signature::RSA_PKCS1_SHA512, &rng, buf, &mut signature) {
return None
}
let mut encoding = (signature.len() as u32).to_be_bytes().to_vec();
encoding.extend(signature);
(encoding, "rsa-sha2-512")
},
#[cfg(not(feature = "rsa-signing"))]
PrivateKeyKind::Rsa(_) => return None,
PrivateKeyKind::Ecdsa(key) => {
let (alg, alg_name) = match key.curve.kind {
CurveKind::Nistp256 => (&signature::ECDSA_P256_SHA256_ASN1_SIGNING, "ecdsa-sha2-nistp256"),
CurveKind::Nistp384 => (&signature::ECDSA_P384_SHA384_ASN1_SIGNING, "ecdsa-sha2-nistp384"),
CurveKind::Nistp521 => return None
};
let pubkey = match &privkey.pubkey.kind {
PublicKeyKind::Ecdsa(key) => &key.key,
_ => return None,
};
let key = if key.key[0] == 0x0_u8 {&key.key[1..]} else {&key.key};
let key_pair = match signature::EcdsaKeyPair::from_private_key_and_public_key(alg, &key, &pubkey) {
Ok(kp) => kp,
Err(_) => return None,
};
let signature = match key_pair.sign(&rng, &buf) {
Ok(sig) => signature_convert_asn1_ecdsa_to_ssh(&sig.as_ref()),
Err(_) => return None,
};
match signature {
Some(sig) => (sig, alg_name),
None => return None,
}
},
PrivateKeyKind::Ed25519(key) => {
let public_key = match &privkey.pubkey.kind {
PublicKeyKind::Ed25519(key) => &key.key,
_ => return None,
};
let key_pair = match signature::Ed25519KeyPair::from_seed_and_public_key(&key.key[..32], public_key) {
Ok(kp) => kp,
Err(_) => return None,
};
let signature = key_pair.sign(&buf).as_ref().to_vec();
let mut encoding = (signature.len() as u32).to_be_bytes().to_vec();
encoding.extend(signature);
(encoding, "ssh-ed25519")
},
};
let mut encoded: Vec<u8> = (sig_type.len() as u32).to_be_bytes().to_vec();
encoded.extend_from_slice(sig_type.as_bytes());
encoded.extend(signature);
Some(encoded)
}
