OpenSSH public key serialization #1744
Comments
|
This is my code based on Twisted SSH keys https://github.com/chevah/chevah-keycert it no longer depends on Twisted and on top of twisted it add support for SSH.Com (Tectia) and Putty keys... fixed for parsing invalid keys If you want I can help integrate the code with python cryptography. |
|
This issue boils down to essentially reversing the code here: https://github.com/pyca/cryptography/blob/master/src/cryptography/hazmat/primitives/serialization.py#L35 (plus adding a new serialization.PublicFormat type and supporting it in the public_bytes methods of the public keys). |
|
One challenge here: our |
|
Encoding=SSH(), format=SSH()? On Mon, Mar 14, 2016 at 11:10 PM, Paul Kehrer notifications@github.com
"I disapprove of what you say, but I will defend to the death your right to |
|
We can do that. We'll need to audit every place we currently use the Encoding enum to make sure we're erroring properly when you pass that value, but we'd have to do that with |
|
I think the worst case scenario is an assertionerror On Mon, Mar 14, 2016 at 11:15 PM, Paul Kehrer notifications@github.com
"I disapprove of what you say, but I will defend to the death your right to |
|
I'm working a bit on this. Will hopefully have time to put together a full PR tonight. Here's roughly what serializing an RSA public key looks like: e = self._bn_to_int(cdata.e)
n = self._bn_to_int(cdata.n)
e_bytes = utils.int_to_bytes(e)
if ord(e_bytes[0]) & 0x80 != 0:
e_bytes = b"\x00" + e_bytes
n_bytes = utils.int_to_bytes(n)
if ord(n_bytes[0]) & 0x80 != 0:
n_bytes = b"\x00" + n_bytes
payload = base64.b64encode(b"{0}{1}{2}{3}{4}{5}".format(
struct.pack(">I", 7),
b"ssh-rsa",
struct.pack(">I", len(e_bytes)),
e_bytes,
struct.pack(">I", len(n_bytes)),
n_bytes,
))
return b"ssh-rsa {0}".format(payload) |
|
Latest Twisted code was ported to use pyca/cryptography twisted.conch.ssh.keys was also recently ported to py3 and has pretty good test coverage. Are you interested in re-using that code in pyca/cryptography ? Once you have decided on an API I can work on implementing that API based on twisted.conch.ssh.keys. Once that code is in pyca/cryptography I can updated Twisted to use the shard code from pyca/cryptography. |
|
If you'd like to work on this I'm happy to define the API. It's just an expansion of enums for our current public_bytes method. So public_key.public_bytes(Encoding.OpenSSH, PublicFormat.OpenSSH)I'm not sure if this work will make it into 1.3 (as that's going out this week) but we can definitely land it for 1.4. |
|
@adiroiban Were you interested in contributing this, or shall we go ahead and port the code ourselves? |
|
I am interested into SSH key format support, but I was not aware of the scope of this ticket. I was looking to see if for example we could completely replace twisted.conch.ssh.keys (https://github.com/twisted/twisted/blob/trunk/twisted/conch/ssh/keys.py) with something implemented here. From the current feedback, it looks like the scope of this ticket is very specific and target only the OpenSSH key encoding on disk, without support the extra comment field or supporting multiple formats. At this stage, I think that is better for someone with a good understanding of the scope of this ticket to implement it. Later we can discuss if it make sense to have a high level API in cryptography to manage SSH keys. |
We should support serialization of public keys to OpenSSH format.
The text was updated successfully, but these errors were encountered: