From f60d3b5d4250f7da23a5511992ab46b7b36cd91e Mon Sep 17 00:00:00 2001 From: Eugene Date: Sat, 16 Nov 2024 20:41:53 +0100 Subject: [PATCH 1/5] ssh-key: added optional support for verifying legacy ssh-rsa SHA1 signatures --- ssh-key/Cargo.toml | 1 + ssh-key/src/signature.rs | 17 ++++++++++++----- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/ssh-key/Cargo.toml b/ssh-key/Cargo.toml index 389e266..96dac19 100644 --- a/ssh-key/Cargo.toml +++ b/ssh-key/Cargo.toml @@ -80,6 +80,7 @@ p256 = ["dep:p256", "ecdsa"] p384 = ["dep:p384", "ecdsa"] p521 = ["dep:p521", "ecdsa"] rsa = ["dep:bigint", "dep:rsa", "alloc", "rand_core"] +rsa-sha1 = ["rsa", "dep:sha1"] tdes = ["cipher/tdes", "encryption"] [package.metadata.docs.rs] diff --git a/ssh-key/src/signature.rs b/ssh-key/src/signature.rs index 50f0668..c6a7180 100644 --- a/ssh-key/src/signature.rs +++ b/ssh-key/src/signature.rs @@ -13,7 +13,6 @@ use crate::{private::Ed25519Keypair, public::Ed25519PublicKey}; use { crate::{private::DsaKeypair, public::DsaPublicKey}, bigint::BigUint, - sha1::Sha1, signature::{DigestSigner, DigestVerifier}, }; @@ -32,6 +31,9 @@ use { sha2::Sha512, }; +#[cfg(any(feature = "rsa-sha1", feature = "dsa"))] +use sha1::Sha1; + #[cfg(any(feature = "ed25519", feature = "rsa", feature = "p256"))] use sha2::Sha256; @@ -680,15 +682,20 @@ impl Signer for RsaKeypair { impl Verifier for RsaPublicKey { fn verify(&self, message: &[u8], signature: &Signature) -> signature::Result<()> { match signature.algorithm { - // TODO(tarcieri): optional off-by-default support for legacy SHA1 signatures? - Algorithm::Rsa { hash: Some(hash) } => { + Algorithm::Rsa { hash } => { let signature = rsa::pkcs1v15::Signature::try_from(signature.data.as_ref())?; match hash { - HashAlg::Sha256 => rsa::pkcs1v15::VerifyingKey::::try_from(self)? + #[cfg(not(feature = "rsa-sha1"))] + None => Err(Algorithm::Rsa { hash: None }.unsupported_error().into()), + #[cfg(feature = "rsa-sha1")] + None => rsa::pkcs1v15::VerifyingKey::::try_from(self)? + .verify(message, &signature) + .map_err(|_| signature::Error::new()), + Some(HashAlg::Sha256) => rsa::pkcs1v15::VerifyingKey::::try_from(self)? .verify(message, &signature) .map_err(|_| signature::Error::new()), - HashAlg::Sha512 => rsa::pkcs1v15::VerifyingKey::::try_from(self)? + Some(HashAlg::Sha512) => rsa::pkcs1v15::VerifyingKey::::try_from(self)? .verify(message, &signature) .map_err(|_| signature::Error::new()), } From 2e96c3fa33e8b3a5916843caf8a6c9c60110c120 Mon Sep 17 00:00:00 2001 From: Eugene Date: Sat, 16 Nov 2024 20:53:14 +0100 Subject: [PATCH 2/5] ssh-key: added missing sha1/oid dependency --- ssh-key/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ssh-key/Cargo.toml b/ssh-key/Cargo.toml index 96dac19..3ca3af6 100644 --- a/ssh-key/Cargo.toml +++ b/ssh-key/Cargo.toml @@ -80,7 +80,7 @@ p256 = ["dep:p256", "ecdsa"] p384 = ["dep:p384", "ecdsa"] p521 = ["dep:p521", "ecdsa"] rsa = ["dep:bigint", "dep:rsa", "alloc", "rand_core"] -rsa-sha1 = ["rsa", "dep:sha1"] +rsa-sha1 = ["rsa", "dep:sha1", "sha1/oid"] tdes = ["cipher/tdes", "encryption"] [package.metadata.docs.rs] From 1dbf6c05a7419362eb8fdfafde5361fdf375a088 Mon Sep 17 00:00:00 2001 From: Eugene Date: Sat, 28 Dec 2024 00:08:45 +0100 Subject: [PATCH 3/5] ssh-key: support making RSA-SHA1 signatures --- ssh-key/src/signature.rs | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/ssh-key/src/signature.rs b/ssh-key/src/signature.rs index c6a7180..fe1bcfc 100644 --- a/ssh-key/src/signature.rs +++ b/ssh-key/src/signature.rs @@ -663,11 +663,21 @@ impl Verifier for EcdsaPublicKey { } #[cfg(feature = "rsa")] -impl Signer for RsaKeypair { +impl Signer for (&RsaKeypair, Option) { fn try_sign(&self, message: &[u8]) -> signature::Result { - let data = rsa::pkcs1v15::SigningKey::::try_from(self)? - .try_sign(message) - .map_err(|_| signature::Error::new())?; + let data = match self.1 { + Some(HashAlg::Sha512) => { + rsa::pkcs1v15::SigningKey::::try_from(self.0)?.try_sign(message) + } + Some(HashAlg::Sha256) => { + rsa::pkcs1v15::SigningKey::::try_from(self.0)?.try_sign(message) + } + #[cfg(feature = "rsa-sha1")] + None => rsa::pkcs1v15::SigningKey::::try_from(self.0)?.try_sign(message), + #[cfg(not(feature = "rsa-sha1"))] + None => return Err(Algorithm::Rsa { hash: None }.unsupported_error().into()), + } + .map_err(|_| signature::Error::new())?; Ok(Signature { algorithm: Algorithm::Rsa { @@ -678,6 +688,13 @@ impl Signer for RsaKeypair { } } +#[cfg(feature = "rsa")] +impl Signer for RsaKeypair { + fn try_sign(&self, message: &[u8]) -> signature::Result { + (self, Some(HashAlg::Sha512)).try_sign(message) + } +} + #[cfg(feature = "rsa")] impl Verifier for RsaPublicKey { fn verify(&self, message: &[u8], signature: &Signature) -> signature::Result<()> { From 8d83f783d6fce89aa8c8af9c0371e0d14da0f058 Mon Sep 17 00:00:00 2001 From: Eugene Date: Fri, 3 Jan 2025 18:37:58 +0100 Subject: [PATCH 4/5] fixed rsa-sha1 signature --- ssh-key/src/signature.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ssh-key/src/signature.rs b/ssh-key/src/signature.rs index fe1bcfc..40cc081 100644 --- a/ssh-key/src/signature.rs +++ b/ssh-key/src/signature.rs @@ -681,7 +681,7 @@ impl Signer for (&RsaKeypair, Option) { Ok(Signature { algorithm: Algorithm::Rsa { - hash: Some(HashAlg::Sha512), + hash: self.1, }, data: data.to_vec(), }) From 3619fe54218f6a3e7a49c5db74d03bec8484dbbc Mon Sep 17 00:00:00 2001 From: Eugene Date: Mon, 6 Jan 2025 02:40:56 +0100 Subject: [PATCH 5/5] fmt --- ssh-key/src/signature.rs | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/ssh-key/src/signature.rs b/ssh-key/src/signature.rs index 40cc081..5b030d5 100644 --- a/ssh-key/src/signature.rs +++ b/ssh-key/src/signature.rs @@ -680,9 +680,7 @@ impl Signer for (&RsaKeypair, Option) { .map_err(|_| signature::Error::new())?; Ok(Signature { - algorithm: Algorithm::Rsa { - hash: self.1, - }, + algorithm: Algorithm::Rsa { hash: self.1 }, data: data.to_vec(), }) }