node_modules/sshpk/lib/formats/openssh-cert.js - nifi-fds - Git at Google

 // Copyright 2017 Joyent, Inc.

 module.exports = {
 	read: read,
 	verify: verify,
 	sign: sign,
 	signAsync: signAsync,
 	write: write,

 	/* Internal private API */
 	fromBuffer: fromBuffer,
 	toBuffer: toBuffer
 };

 var assert = require('assert-plus');
 var SSHBuffer = require('../ssh-buffer');
 var crypto = require('crypto');
 var Buffer = require('safer-buffer').Buffer;
 var algs = require('../algs');
 var Key = require('../key');
 var PrivateKey = require('../private-key');
 var Identity = require('../identity');
 var rfc4253 = require('./rfc4253');
 var Signature = require('../signature');
 var utils = require('../utils');
 var Certificate = require('../certificate');

 function verify(cert, key) {
 	/*
 	 * We always give an issuerKey, so if our verify() is being called then
 	 * there was no signature. Return false.
 	 */
 	return (false);
 }

 var TYPES = {
 	'user': 1,
 	'host': 2
 };
 Object.keys(TYPES).forEach(function (k) { TYPES[TYPES[k]] = k; });

 var ECDSA_ALGO = /^ecdsa-sha2-([^@-]+)-cert-v01@openssh.com$/;

 function read(buf, options) {
 	if (Buffer.isBuffer(buf))
 		buf = buf.toString('ascii');
 	var parts = buf.trim().split(/[ \t\n]+/g);
 	if (parts.length < 2 || parts.length > 3)
 		throw (new Error('Not a valid SSH certificate line'));

 	var algo = parts[0];
 	var data = parts[1];

 	data = Buffer.from(data, 'base64');
 	return (fromBuffer(data, algo));
 }

 function fromBuffer(data, algo, partial) {
 	var sshbuf = new SSHBuffer({ buffer: data });
 	var innerAlgo = sshbuf.readString();
 	if (algo !== undefined && innerAlgo !== algo)
 		throw (new Error('SSH certificate algorithm mismatch'));
 	if (algo === undefined)
 		algo = innerAlgo;

 	var cert = {};
 	cert.signatures = {};
 	cert.signatures.openssh = {};

 	cert.signatures.openssh.nonce = sshbuf.readBuffer();

 	var key = {};
 	var parts = (key.parts = []);
 	key.type = getAlg(algo);

 	var partCount = algs.info[key.type].parts.length;
 	while (parts.length < partCount)
 		parts.push(sshbuf.readPart());
 	assert.ok(parts.length >= 1, 'key must have at least one part');

 	var algInfo = algs.info[key.type];
 	if (key.type === 'ecdsa') {
 		var res = ECDSA_ALGO.exec(algo);
 		assert.ok(res !== null);
 		assert.strictEqual(res[1], parts[0].data.toString());
 	}

 	for (var i = 0; i < algInfo.parts.length; ++i) {
 		parts[i].name = algInfo.parts[i];
 		if (parts[i].name !== 'curve' &&
 		    algInfo.normalize !== false) {
 			var p = parts[i];
 			p.data = utils.mpNormalize(p.data);
 		}
 	}

 	cert.subjectKey = new Key(key);

 	cert.serial = sshbuf.readInt64();

 	var type = TYPES[sshbuf.readInt()];
 	assert.string(type, 'valid cert type');

 	cert.signatures.openssh.keyId = sshbuf.readString();

 	var principals = [];
 	var pbuf = sshbuf.readBuffer();
 	var psshbuf = new SSHBuffer({ buffer: pbuf });
 	while (!psshbuf.atEnd())
 		principals.push(psshbuf.readString());
 	if (principals.length === 0)
 		principals = ['*'];

 	cert.subjects = principals.map(function (pr) {
 		if (type === 'user')
 			return (Identity.forUser(pr));
 		else if (type === 'host')
 			return (Identity.forHost(pr));
 		throw (new Error('Unknown identity type ' + type));
 	});

 	cert.validFrom = int64ToDate(sshbuf.readInt64());
 	cert.validUntil = int64ToDate(sshbuf.readInt64());

 	var exts = [];
 	var extbuf = new SSHBuffer({ buffer: sshbuf.readBuffer() });
 	var ext;
 	while (!extbuf.atEnd()) {
 		ext = { critical: true };
 		ext.name = extbuf.readString();
 		ext.data = extbuf.readBuffer();
 		exts.push(ext);
 	}
 	extbuf = new SSHBuffer({ buffer: sshbuf.readBuffer() });
 	while (!extbuf.atEnd()) {
 		ext = { critical: false };
 		ext.name = extbuf.readString();
 		ext.data = extbuf.readBuffer();
 		exts.push(ext);
 	}
 	cert.signatures.openssh.exts = exts;

 	/* reserved */
 	sshbuf.readBuffer();

 	var signingKeyBuf = sshbuf.readBuffer();
 	cert.issuerKey = rfc4253.read(signingKeyBuf);

 	/*
 	 * OpenSSH certs don't give the identity of the issuer, just their
 	 * public key. So, we use an Identity that matches anything. The
 	 * isSignedBy() function will later tell you if the key matches.
 	 */
 	cert.issuer = Identity.forHost('**');

 	var sigBuf = sshbuf.readBuffer();
 	cert.signatures.openssh.signature =
 	    Signature.parse(sigBuf, cert.issuerKey.type, 'ssh');

 	if (partial !== undefined) {
 		partial.remainder = sshbuf.remainder();
 		partial.consumed = sshbuf._offset;
 	}

 	return (new Certificate(cert));
 }

 function int64ToDate(buf) {
 	var i = buf.readUInt32BE(0) * 4294967296;
 	i += buf.readUInt32BE(4);
 	var d = new Date();
 	d.setTime(i * 1000);
 	d.sourceInt64 = buf;
 	return (d);
 }

 function dateToInt64(date) {
 	if (date.sourceInt64 !== undefined)
 		return (date.sourceInt64);
 	var i = Math.round(date.getTime() / 1000);
 	var upper = Math.floor(i / 4294967296);
 	var lower = Math.floor(i % 4294967296);
 	var buf = Buffer.alloc(8);
 	buf.writeUInt32BE(upper, 0);
 	buf.writeUInt32BE(lower, 4);
 	return (buf);
 }

 function sign(cert, key) {
 	if (cert.signatures.openssh === undefined)
 		cert.signatures.openssh = {};
 	try {
 		var blob = toBuffer(cert, true);
 	} catch (e) {
 		delete (cert.signatures.openssh);
 		return (false);
 	}
 	var sig = cert.signatures.openssh;
 	var hashAlgo = undefined;
 	if (key.type === 'rsa' || key.type === 'dsa')
 		hashAlgo = 'sha1';
 	var signer = key.createSign(hashAlgo);
 	signer.write(blob);
 	sig.signature = signer.sign();
 	return (true);
 }

 function signAsync(cert, signer, done) {
 	if (cert.signatures.openssh === undefined)
 		cert.signatures.openssh = {};
 	try {
 		var blob = toBuffer(cert, true);
 	} catch (e) {
 		delete (cert.signatures.openssh);
 		done(e);
 		return;
 	}
 	var sig = cert.signatures.openssh;

 	signer(blob, function (err, signature) {
 		if (err) {
 			done(err);
 			return;
 		}
 		try {
 			/*
 			 * This will throw if the signature isn't of a
 			 * type/algo that can be used for SSH.
 			 */
 			signature.toBuffer('ssh');
 		} catch (e) {
 			done(e);
 			return;
 		}
 		sig.signature = signature;
 		done();
 	});
 }

 function write(cert, options) {
 	if (options === undefined)
 		options = {};

 	var blob = toBuffer(cert);
 	var out = getCertType(cert.subjectKey) + ' ' + blob.toString('base64');
 	if (options.comment)
 		out = out + ' ' + options.comment;
 	return (out);
 }


 function toBuffer(cert, noSig) {
 	assert.object(cert.signatures.openssh, 'signature for openssh format');
 	var sig = cert.signatures.openssh;

 	if (sig.nonce === undefined)
 		sig.nonce = crypto.randomBytes(16);
 	var buf = new SSHBuffer({});
 	buf.writeString(getCertType(cert.subjectKey));
 	buf.writeBuffer(sig.nonce);

 	var key = cert.subjectKey;
 	var algInfo = algs.info[key.type];
 	algInfo.parts.forEach(function (part) {
 		buf.writePart(key.part[part]);
 	});

 	buf.writeInt64(cert.serial);

 	var type = cert.subjects[0].type;
 	assert.notStrictEqual(type, 'unknown');
 	cert.subjects.forEach(function (id) {
 		assert.strictEqual(id.type, type);
 	});
 	type = TYPES[type];
 	buf.writeInt(type);

 	if (sig.keyId === undefined) {
 		sig.keyId = cert.subjects[0].type + '_' +
 		    (cert.subjects[0].uid || cert.subjects[0].hostname);
 	}
 	buf.writeString(sig.keyId);

 	var sub = new SSHBuffer({});
 	cert.subjects.forEach(function (id) {
 		if (type === TYPES.host)
 			sub.writeString(id.hostname);
 		else if (type === TYPES.user)
 			sub.writeString(id.uid);
 	});
 	buf.writeBuffer(sub.toBuffer());

 	buf.writeInt64(dateToInt64(cert.validFrom));
 	buf.writeInt64(dateToInt64(cert.validUntil));

 	var exts = sig.exts;
 	if (exts === undefined)
 		exts = [];

 	var extbuf = new SSHBuffer({});
 	exts.forEach(function (ext) {
 		if (ext.critical !== true)
 			return;
 		extbuf.writeString(ext.name);
 		extbuf.writeBuffer(ext.data);
 	});
 	buf.writeBuffer(extbuf.toBuffer());

 	extbuf = new SSHBuffer({});
 	exts.forEach(function (ext) {
 		if (ext.critical === true)
 			return;
 		extbuf.writeString(ext.name);
 		extbuf.writeBuffer(ext.data);
 	});
 	buf.writeBuffer(extbuf.toBuffer());

 	/* reserved */
 	buf.writeBuffer(Buffer.alloc(0));

 	sub = rfc4253.write(cert.issuerKey);
 	buf.writeBuffer(sub);

 	if (!noSig)
 		buf.writeBuffer(sig.signature.toBuffer('ssh'));

 	return (buf.toBuffer());
 }

 function getAlg(certType) {
 	if (certType === 'ssh-rsa-cert-v01@openssh.com')
 		return ('rsa');
 	if (certType === 'ssh-dss-cert-v01@openssh.com')
 		return ('dsa');
 	if (certType.match(ECDSA_ALGO))
 		return ('ecdsa');
 	if (certType === 'ssh-ed25519-cert-v01@openssh.com')
 		return ('ed25519');
 	throw (new Error('Unsupported cert type ' + certType));
 }

 function getCertType(key) {
 	if (key.type === 'rsa')
 		return ('ssh-rsa-cert-v01@openssh.com');
 	if (key.type === 'dsa')
 		return ('ssh-dss-cert-v01@openssh.com');
 	if (key.type === 'ecdsa')
 		return ('ecdsa-sha2-' + key.curve + '-cert-v01@openssh.com');
 	if (key.type === 'ed25519')
 		return ('ssh-ed25519-cert-v01@openssh.com');
 	throw (new Error('Unsupported key type ' + key.type));
 }
	// Copyright 2017 Joyent, Inc.

	module.exports = {
	read: read,
	verify: verify,
	sign: sign,
	signAsync: signAsync,
	write: write,

	/* Internal private API */
	fromBuffer: fromBuffer,
	toBuffer: toBuffer
	};

	var assert = require('assert-plus');
	var SSHBuffer = require('../ssh-buffer');
	var crypto = require('crypto');
	var Buffer = require('safer-buffer').Buffer;
	var algs = require('../algs');
	var Key = require('../key');
	var PrivateKey = require('../private-key');
	var Identity = require('../identity');
	var rfc4253 = require('./rfc4253');
	var Signature = require('../signature');
	var utils = require('../utils');
	var Certificate = require('../certificate');

	function verify(cert, key) {
	/*
	* We always give an issuerKey, so if our verify() is being called then
	* there was no signature. Return false.
	*/
	return (false);
	}

	var TYPES = {
	'user': 1,
	'host': 2
	};
	Object.keys(TYPES).forEach(function (k) { TYPES[TYPES[k]] = k; });

	var ECDSA_ALGO = /^ecdsa-sha2-([^@-]+)-cert-v01@openssh.com$/;

	function read(buf, options) {
	if (Buffer.isBuffer(buf))
	buf = buf.toString('ascii');
	var parts = buf.trim().split(/[ \t\n]+/g);
	if (parts.length < 2 \|\| parts.length > 3)
	throw (new Error('Not a valid SSH certificate line'));

	var algo = parts[0];
	var data = parts[1];

	data = Buffer.from(data, 'base64');
	return (fromBuffer(data, algo));
	}

	function fromBuffer(data, algo, partial) {
	var sshbuf = new SSHBuffer({ buffer: data });
	var innerAlgo = sshbuf.readString();
	if (algo !== undefined && innerAlgo !== algo)
	throw (new Error('SSH certificate algorithm mismatch'));
	if (algo === undefined)
	algo = innerAlgo;

	var cert = {};
	cert.signatures = {};
	cert.signatures.openssh = {};

	cert.signatures.openssh.nonce = sshbuf.readBuffer();

	var key = {};
	var parts = (key.parts = []);
	key.type = getAlg(algo);

	var partCount = algs.info[key.type].parts.length;
	while (parts.length < partCount)
	parts.push(sshbuf.readPart());
	assert.ok(parts.length >= 1, 'key must have at least one part');

	var algInfo = algs.info[key.type];
	if (key.type === 'ecdsa') {
	var res = ECDSA_ALGO.exec(algo);
	assert.ok(res !== null);
	assert.strictEqual(res[1], parts[0].data.toString());
	}

	for (var i = 0; i < algInfo.parts.length; ++i) {
	parts[i].name = algInfo.parts[i];
	if (parts[i].name !== 'curve' &&
	algInfo.normalize !== false) {
	var p = parts[i];
	p.data = utils.mpNormalize(p.data);
	}
	}

	cert.subjectKey = new Key(key);

	cert.serial = sshbuf.readInt64();

	var type = TYPES[sshbuf.readInt()];
	assert.string(type, 'valid cert type');

	cert.signatures.openssh.keyId = sshbuf.readString();

	var principals = [];
	var pbuf = sshbuf.readBuffer();
	var psshbuf = new SSHBuffer({ buffer: pbuf });
	while (!psshbuf.atEnd())
	principals.push(psshbuf.readString());
	if (principals.length === 0)
	principals = ['*'];

	cert.subjects = principals.map(function (pr) {
	if (type === 'user')
	return (Identity.forUser(pr));
	else if (type === 'host')
	return (Identity.forHost(pr));
	throw (new Error('Unknown identity type ' + type));
	});

	cert.validFrom = int64ToDate(sshbuf.readInt64());
	cert.validUntil = int64ToDate(sshbuf.readInt64());

	var exts = [];
	var extbuf = new SSHBuffer({ buffer: sshbuf.readBuffer() });
	var ext;
	while (!extbuf.atEnd()) {
	ext = { critical: true };
	ext.name = extbuf.readString();
	ext.data = extbuf.readBuffer();
	exts.push(ext);
	}
	extbuf = new SSHBuffer({ buffer: sshbuf.readBuffer() });
	while (!extbuf.atEnd()) {
	ext = { critical: false };
	ext.name = extbuf.readString();
	ext.data = extbuf.readBuffer();
	exts.push(ext);
	}
	cert.signatures.openssh.exts = exts;

	/* reserved */
	sshbuf.readBuffer();

	var signingKeyBuf = sshbuf.readBuffer();
	cert.issuerKey = rfc4253.read(signingKeyBuf);

	/*
	* OpenSSH certs don't give the identity of the issuer, just their
	* public key. So, we use an Identity that matches anything. The
	* isSignedBy() function will later tell you if the key matches.
	*/
	cert.issuer = Identity.forHost('**');

	var sigBuf = sshbuf.readBuffer();
	cert.signatures.openssh.signature =
	Signature.parse(sigBuf, cert.issuerKey.type, 'ssh');

	if (partial !== undefined) {
	partial.remainder = sshbuf.remainder();
	partial.consumed = sshbuf._offset;
	}

	return (new Certificate(cert));
	}

	function int64ToDate(buf) {
	var i = buf.readUInt32BE(0) * 4294967296;
	i += buf.readUInt32BE(4);
	var d = new Date();
	d.setTime(i * 1000);
	d.sourceInt64 = buf;
	return (d);
	}

	function dateToInt64(date) {
	if (date.sourceInt64 !== undefined)
	return (date.sourceInt64);
	var i = Math.round(date.getTime() / 1000);
	var upper = Math.floor(i / 4294967296);
	var lower = Math.floor(i % 4294967296);
	var buf = Buffer.alloc(8);
	buf.writeUInt32BE(upper, 0);
	buf.writeUInt32BE(lower, 4);
	return (buf);
	}

	function sign(cert, key) {
	if (cert.signatures.openssh === undefined)
	cert.signatures.openssh = {};
	try {
	var blob = toBuffer(cert, true);
	} catch (e) {
	delete (cert.signatures.openssh);
	return (false);
	}
	var sig = cert.signatures.openssh;
	var hashAlgo = undefined;
	if (key.type === 'rsa' \|\| key.type === 'dsa')
	hashAlgo = 'sha1';
	var signer = key.createSign(hashAlgo);
	signer.write(blob);
	sig.signature = signer.sign();
	return (true);
	}

	function signAsync(cert, signer, done) {
	if (cert.signatures.openssh === undefined)
	cert.signatures.openssh = {};
	try {
	var blob = toBuffer(cert, true);
	} catch (e) {
	delete (cert.signatures.openssh);
	done(e);
	return;
	}
	var sig = cert.signatures.openssh;

	signer(blob, function (err, signature) {
	if (err) {
	done(err);
	return;
	}
	try {
	/*
	* This will throw if the signature isn't of a
	* type/algo that can be used for SSH.
	*/
	signature.toBuffer('ssh');
	} catch (e) {
	done(e);
	return;
	}
	sig.signature = signature;
	done();
	});
	}

	function write(cert, options) {
	if (options === undefined)
	options = {};

	var blob = toBuffer(cert);
	var out = getCertType(cert.subjectKey) + ' ' + blob.toString('base64');
	if (options.comment)
	out = out + ' ' + options.comment;
	return (out);
	}


	function toBuffer(cert, noSig) {
	assert.object(cert.signatures.openssh, 'signature for openssh format');
	var sig = cert.signatures.openssh;

	if (sig.nonce === undefined)
	sig.nonce = crypto.randomBytes(16);
	var buf = new SSHBuffer({});
	buf.writeString(getCertType(cert.subjectKey));
	buf.writeBuffer(sig.nonce);

	var key = cert.subjectKey;
	var algInfo = algs.info[key.type];
	algInfo.parts.forEach(function (part) {
	buf.writePart(key.part[part]);
	});

	buf.writeInt64(cert.serial);

	var type = cert.subjects[0].type;
	assert.notStrictEqual(type, 'unknown');
	cert.subjects.forEach(function (id) {
	assert.strictEqual(id.type, type);
	});
	type = TYPES[type];
	buf.writeInt(type);

	if (sig.keyId === undefined) {
	sig.keyId = cert.subjects[0].type + '_' +
	(cert.subjects[0].uid \|\| cert.subjects[0].hostname);
	}
	buf.writeString(sig.keyId);

	var sub = new SSHBuffer({});
	cert.subjects.forEach(function (id) {
	if (type === TYPES.host)
	sub.writeString(id.hostname);
	else if (type === TYPES.user)
	sub.writeString(id.uid);
	});
	buf.writeBuffer(sub.toBuffer());

	buf.writeInt64(dateToInt64(cert.validFrom));
	buf.writeInt64(dateToInt64(cert.validUntil));

	var exts = sig.exts;
	if (exts === undefined)
	exts = [];

	var extbuf = new SSHBuffer({});
	exts.forEach(function (ext) {
	if (ext.critical !== true)
	return;
	extbuf.writeString(ext.name);
	extbuf.writeBuffer(ext.data);
	});
	buf.writeBuffer(extbuf.toBuffer());

	extbuf = new SSHBuffer({});
	exts.forEach(function (ext) {
	if (ext.critical === true)
	return;
	extbuf.writeString(ext.name);
	extbuf.writeBuffer(ext.data);
	});
	buf.writeBuffer(extbuf.toBuffer());

	/* reserved */
	buf.writeBuffer(Buffer.alloc(0));

	sub = rfc4253.write(cert.issuerKey);
	buf.writeBuffer(sub);

	if (!noSig)
	buf.writeBuffer(sig.signature.toBuffer('ssh'));

	return (buf.toBuffer());
	}

	function getAlg(certType) {
	if (certType === 'ssh-rsa-cert-v01@openssh.com')
	return ('rsa');
	if (certType === 'ssh-dss-cert-v01@openssh.com')
	return ('dsa');
	if (certType.match(ECDSA_ALGO))
	return ('ecdsa');
	if (certType === 'ssh-ed25519-cert-v01@openssh.com')
	return ('ed25519');
	throw (new Error('Unsupported cert type ' + certType));
	}

	function getCertType(key) {
	if (key.type === 'rsa')
	return ('ssh-rsa-cert-v01@openssh.com');
	if (key.type === 'dsa')
	return ('ssh-dss-cert-v01@openssh.com');
	if (key.type === 'ecdsa')
	return ('ecdsa-sha2-' + key.curve + '-cert-v01@openssh.com');
	if (key.type === 'ed25519')
	return ('ssh-ed25519-cert-v01@openssh.com');
	throw (new Error('Unsupported key type ' + key.type));
	}