adds an embeddedProvider BC available within the fatJar #6

Open
wants to merge 2 commits into
base: master
16 changes: 8 additions & 8 deletions src/main/java/com/geoxp/oss/CryptoHelper.java
Expand Up @@ -41,10 +41,7 @@
import java.security.Security;
import java.security.Signature;
import java.security.SignatureException;
import java.security.interfaces.DSAPrivateKey;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.interfaces.*;
import java.security.spec.DSAPublicKeySpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
Expand All @@ -64,6 +61,7 @@
import org.bouncycastle.crypto.paddings.PKCS7Padding;
import org.bouncycastle.crypto.params.KeyParameter;
import org.bouncycastle.crypto.params.RSAKeyParameters;
import org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPrivateCrtKey;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openpgp.PGPCompressedDataGenerator;
import org.bouncycastle.openpgp.PGPEncryptedDataGenerator;
Expand Down Expand Up @@ -607,10 +605,12 @@ public static byte[] sshPrivateKeyBlobFromKeyPair(KeyPair kp) {
BigInteger e = ((RSAPublicKey) kp.getPublic()).getPublicExponent();
BigInteger d = ((RSAPrivateKey) kp.getPrivate()).getPrivateExponent();

// Not available and not used by ssh-agent anyway ...
BigInteger iqmp = BigInteger.ZERO;
BigInteger p = BigInteger.ZERO;
BigInteger q = BigInteger.ZERO;
//
// CrtCoef, P & Q are needed by the ssh-agent
//
BigInteger iqmp = ((BCRSAPrivateCrtKey) kp.getPrivate()).getCrtCoefficient();
BigInteger p = ((BCRSAPrivateCrtKey) kp.getPrivate()).getPrimeP();
BigInteger q = ((BCRSAPrivateCrtKey) kp.getPrivate()).getPrimeQ();

byte[] tns = null;
try { tns = encodeNetworkString(SSH_RSA_PREFIX.getBytes("UTF-8")); } catch (UnsupportedEncodingException uee) {}
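Review bot: The three casts to `BCRSAPrivateCrtKey` in the new lines tie this method to one Bouncy Castle implementation class, so a private key produced by a different provider, or an RSA key that carries no CRT parameters, fails here with a ClassCastException instead of a clear error; whether the non-embedded `"BC"` path in the second file yields that exact class depends on the Bouncy Castle version on the classpath. The value is already cast to `RSAPrivateKey` a few lines up, and `java.security.interfaces.RSAPrivateCrtKey`, now in scope through the wildcard import in the first hunk, exposes `getCrtCoefficient()`, `getPrimeP()` and `getPrimeQ()`, so testing against that interface and casting once gives the same numbers for any provider and turns the failure into a stated precondition. The `BCRSAPrivateCrtKey` import added in the second hunk then becomes unnecessary. The body of `sshPrivateKeyBlobFromKeyPair` starts and ends outside the hunk.
```java
// … unchanged: n, e, d extraction …
//
// CrtCoef, P & Q are needed by the ssh-agent
//
if (!(kp.getPrivate() instanceof RSAPrivateCrtKey)) {
  throw new IllegalArgumentException("RSA private key lacks the CRT parameters (p, q, iqmp) required for the ssh-agent blob");
}
RSAPrivateCrtKey crt = (RSAPrivateCrtKey) kp.getPrivate();
BigInteger iqmp = crt.getCrtCoefficient();
BigInteger p = crt.getPrimeP();
BigInteger q = crt.getPrimeQ();
// … unchanged: network-string encoding of the blob …
```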
96 changes: 66 additions & 30 deletions src/main/java/com/geoxp/oss/client/OSSSshAgentAddIdentity.java
@@ -1,22 +1,19 @@
package com.geoxp.oss.client;

import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.Reader;
import java.io.*;
import java.security.KeyPair;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.util.encoders.Hex;
import org.bouncycastle.openssl.EncryptionException;
import org.bouncycastle.openssl.PEMReader;
import org.bouncycastle.openssl.PasswordFinder;

import com.geoxp.oss.CryptoHelper;
import com.geoxp.oss.CryptoHelper.SSHAgentClient;
import com.geoxp.oss.CryptoHelper.SSHAgentClient.SSHKey;
import com.geoxp.oss.client.OSSClient;

public class OSSSshAgentAddIdentity {
private static class DefaultPasswordFinder implements PasswordFinder {
Expand Down Expand Up @@ -54,58 +51,97 @@ private static List<File> getDefaultsKeyFiles() {
*/
public static void main(String[] args) throws Exception {
if (args.length < 3) {
System.err.println("Usage: OSSLoadAgent OSS_URL SECRET_NAME WRAPPED_PASSPHRASE AGENT_AUTH_SOCK [KEY_FILE]");
System.err.println("Usage: OSSLoadAgent OSS_URL SECRET_NAME AGENT_AUTH_SOCK WRAPPED_PASSPHRASE [ProviderEmbedded default false] [KEY_FILE]");
System.exit(1);
}

SSHAgentClient sshAgent = new SSHAgentClient(args[2]);

System.out.println("Unwrap secret");
// Get the secret from OSS
// FIXME ? Provide a way to specify the ssh signing key fingerprint
byte[] secret = OSSClient.getSecret(args[0], args[1], null);
// Use the secret to unwrap the passphrase
byte[] unwrap = CryptoHelper.unwrapBlob(secret, Hex.decode(args[3]));
String password = new String(unwrap, "UTF-8");

boolean providerEmbedded = false;

// Read private keys
// openssh store it in PEM format
List<File> sshKeyFiles;
if (args.length > 4) {
sshKeyFiles = new ArrayList<File>(1);
sshKeyFiles.add(new File(args[4]));
} else {
// openssh store it in PEM format
List<File> sshKeyFiles = new ArrayList<File>(1);

for (int i=4; i<args.length; i++) {
if ("ProviderEmbedded".equals(args[i])) {
providerEmbedded = true;
} else {
sshKeyFiles.add(new File(args[i]));
}
}

// not key founded take the default keyFiles
if (sshKeyFiles.size() == 0){
sshKeyFiles = getDefaultsKeyFiles();
}

for (File sshKeyFile : sshKeyFiles) {
Reader fRd = new BufferedReader(new FileReader(sshKeyFile));
PEMReader pem = new PEMReader(fRd, new DefaultPasswordFinder(password.toCharArray()), "BC");

Object o;
try {
while ((o = pem.readObject()) != null) {
if (o instanceof KeyPair) {
KeyPair kp = (KeyPair) o;
// Add the identity in the ssh-agent
byte[] keyblob = CryptoHelper.sshPrivateKeyBlobFromKeyPair(kp);
System.out.println("Loading " + sshKeyFile.getPath());
sshAgent.addIdentity(keyblob, sshKeyFile.getPath());

if (providerEmbedded) {
// load with embedded provider
System.out.println("Load PEM file " + sshKeyFile.getName() + " with embedded provider" );
BouncyCastleProvider bouncyCastleProvider = new BouncyCastleProvider();
com.geoxp.oss.client.bouncycastle.openssl.PEMReader pem = new com.geoxp.oss.client.bouncycastle.openssl.PEMReader(fRd, new DefaultPasswordFinder(password.toCharArray()), bouncyCastleProvider);
Object o;
try {
while ((o = pem.readObject()) != null) {
if (o instanceof KeyPair) {
loadKeyPair((KeyPair) o, sshKeyFile, sshAgent);
}
}
} catch (EncryptionException ee) {
System.err.println("Can't read private key in " + sshKeyFile.getAbsolutePath());
ee.printStackTrace();
} finally {
pem.close();
}
} else {
// load with signed javax security provider
System.out.println("Load PEM file " + sshKeyFile.getName() + " with JCE provider" );
org.bouncycastle.openssl.PEMReader pem = new org.bouncycastle.openssl.PEMReader(fRd, new DefaultPasswordFinder(password.toCharArray()), "BC");
Object o;
try {
while ((o = pem.readObject()) != null) {
if (o instanceof KeyPair) {
loadKeyPair((KeyPair) o, sshKeyFile, sshAgent);
}
}
} catch (EncryptionException ee) {
System.err.println("Can't read private key in " + sshKeyFile.getAbsolutePath());
ee.printStackTrace();
} finally {
pem.close();
}
} catch (EncryptionException ee) {
System.err.println("Can't read private key in " + sshKeyFile.getAbsolutePath());
ee.printStackTrace();
}

pem.close();
}

System.out.println("Keys in agent:");

List<SSHKey> identities = sshAgent.requestIdentities();
for (SSHKey identity : identities) {
System.out.println(identity);
}

}

private static void loadKeyPair(KeyPair kp, File sshKeyFile, SSHAgentClient sshAgent) {
// Add the identity in the ssh-agent
try {
byte[] keyblob = CryptoHelper.sshPrivateKeyBlobFromKeyPair(kp);
System.out.println("Loading " + sshKeyFile.getPath());
sshAgent.addIdentity(keyblob, sshKeyFile.getPath());
} catch (IOException e) {
System.err.println("Can't read private key in " + sshKeyFile.getAbsolutePath());
e.printStackTrace();
}
}
}
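Review bot: The new `loadKeyPair` helper catches the `IOException` from the agent call and only prints it, so a key that cannot be added no longer propagates out of `main` (which still declares `throws Exception`): the run goes on to print "Keys in agent:" and exits with status 0, and the message "Can't read private key" describes a different failure than the one caught. Declaring `private static void loadKeyPair(KeyPair kp, File sshKeyFile, SSHAgentClient sshAgent) throws IOException` and dropping the try/catch restores the earlier behaviour where the failure reached the caller; if continuing with the remaining files is intended, the message should say the identity could not be added to the agent and the exit status should reflect the failure. Separately, the two `providerEmbedded` branches are identical apart from the reader they construct — the read loop, the `EncryptionException` handling and the `close()` are duplicated and could be extracted into one helper once the reader is chosen, provided the two `PEMReader` classes share a usable supertype (cannot tell from the hunk). The pre-existing `args.length < 3` guard also still admits a call without `WRAPPED_PASSPHRASE` while `args[3]` is read unconditionally.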