sign certificates with RSA SH2 variants

btoews · btoews · commit 8d95e57e3466 · 2019-06-10T15:01:33.000-06:00
diff --git a/lib/ssh_data/certificate.rb b/lib/ssh_data/certificate.rb
@@ -148,11 +148,12 @@ def rfc4253
     # Sign this certificate with a private key.
     #
     # private_key - An SSHData::PrivateKey::Base subclass instance.
+    # algo:       - Optionally specify the signature algorithm to use.
     #
     # Returns nothing.
-    def sign(private_key)
+    def sign(private_key, algo: nil)
       @ca_key = private_key.public_key
-      @signature = private_key.sign(signed_data)
+      @signature = private_key.sign(signed_data, algo: algo)
     end
 
     # Verify the certificate's signature.
diff --git a/lib/ssh_data/private_key/base.rb b/lib/ssh_data/private_key/base.rb
@@ -27,11 +27,12 @@ def sign(signed_data, algo: nil)
 
       # Issue a certificate using this private key.
       #
-      # kwargs - See SSHData::Certificate.new.
+      # signature_algo: - Optionally specify the signature algorithm to use.
+      # kwargs          - See SSHData::Certificate.new.
       #
       # Returns a SSHData::Certificate instance.
-      def issue_certificate(**kwargs)
-        Certificate.new(**kwargs).tap { |c| c.sign(self) }
+      def issue_certificate(signature_algo: nil, **kwargs)
+        Certificate.new(**kwargs).tap { |c| c.sign(self, algo: signature_algo) }
       end
     end
   end
diff --git a/spec/certificate_spec.rb b/spec/certificate_spec.rb
@@ -171,6 +171,22 @@
         expect(subject.verify).to eq(true)
       end
 
+      it "can be signed with an RSA key using ALGO_RSA_SHA2_256" do
+        expect {
+          subject.sign(rsa_ca, algo: SSHData::PublicKey::ALGO_RSA_SHA2_256)
+        }.to change {subject.signature}
+
+        expect(subject.verify).to eq(true)
+      end
+
+      it "can be signed with an RSA key using ALGO_RSA_SHA2_512" do
+        expect {
+          subject.sign(rsa_ca, algo: SSHData::PublicKey::ALGO_RSA_SHA2_512)
+        }.to change {subject.signature}
+
+        expect(subject.verify).to eq(true)
+      end
+
       it "can be signed with an DSA key" do
         expect { subject.sign(dsa_ca) }.to change {subject.signature}
         expect(subject.verify).to eq(true)
diff --git a/spec/private_key/dsa_spec.rb b/spec/private_key/dsa_spec.rb
@@ -5,6 +5,7 @@
   let(:public_key)  { private_key.public_key }
   let(:params)      { private_key.params }
   let(:message)     { "hello, world!" }
+  let(:cert_key)    { SSHData::PrivateKey::DSA.generate.public_key }
 
   let(:openssh_key) { SSHData::PrivateKey.parse(fixture("dsa_leaf_for_rsa_ca")) }
 
@@ -35,6 +36,16 @@
     }.to raise_error(SSHData::AlgorithmError)
   end
 
+  it "raises when trying to sign with bad algo" do
+    expect {
+      subject.issue_certificate(
+        public_key: cert_key,
+        key_id: "some ident",
+        signature_algo: SSHData::PublicKey::ALGO_RSA
+      )
+    }.to raise_error(SSHData::AlgorithmError)
+  end
+
   it "has an algo" do
     expect(subject.algo).to eq(SSHData::PublicKey::ALGO_DSA)
   end
diff --git a/spec/private_key/ecdsa_spec.rb b/spec/private_key/ecdsa_spec.rb
@@ -2,6 +2,7 @@
 
 describe SSHData::PrivateKey::ECDSA do
   let(:openssh_key) { SSHData::PrivateKey.parse(fixture("ecdsa_leaf_for_rsa_ca")) }
+  let(:cert_key)    { SSHData::PrivateKey::DSA.generate.public_key }
 
   it "can raises AlgorithmError for unknown curves" do
     expect {
@@ -48,6 +49,16 @@
         }.to raise_error(SSHData::AlgorithmError)
       end
 
+      it "raises when trying to sign with bad algo" do
+        expect {
+          subject.issue_certificate(
+            public_key: cert_key,
+            key_id: "some ident",
+            signature_algo: SSHData::PublicKey::ALGO_RSA
+          )
+        }.to raise_error(SSHData::AlgorithmError)
+      end
+
       it "has an algo" do
         expect(subject.algo).to eq(algo)
       end
diff --git a/spec/private_key/ed25519_spec.rb b/spec/private_key/ed25519_spec.rb
@@ -5,6 +5,7 @@
   let(:verify_key)  { signing_key.verify_key }
   let(:comment)     { "asdf" }
   let(:message)     { "hello, world!" }
+  let(:cert_key)    { SSHData::PrivateKey::DSA.generate.public_key }
 
   let(:openssh_key) { SSHData::PrivateKey.parse(fixture("ed25519_leaf_for_rsa_ca")) }
 
@@ -38,6 +39,16 @@
     }.to raise_error(SSHData::AlgorithmError)
   end
 
+  it "raises when trying to sign with bad algo" do
+    expect {
+      subject.issue_certificate(
+        public_key: cert_key,
+        key_id: "some ident",
+        signature_algo: SSHData::PublicKey::ALGO_RSA
+      )
+    }.to raise_error(SSHData::AlgorithmError)
+  end
+
   it "has an algo" do
     expect(subject.algo).to eq(SSHData::PublicKey::ALGO_ED25519)
   end
diff --git a/spec/private_key/rsa_spec.rb b/spec/private_key/rsa_spec.rb
@@ -5,6 +5,7 @@
   let(:public_key)  { private_key.public_key }
   let(:params)      { private_key.params }
   let(:message)     { "hello, world!" }
+  let(:cert_key)    { SSHData::PrivateKey::DSA.generate.public_key }
 
   let(:openssh_key) { SSHData::PrivateKey.parse(fixture("rsa_leaf_for_rsa_ca")) }
 
@@ -28,26 +29,45 @@
     }.not_to raise_error
   end
 
-  it "can sign messages" do
-    expect(subject.public_key.verify(message, subject.sign(message))).to eq(true)
+  [
+    nil,
+    SSHData::PublicKey::ALGO_RSA,
+    SSHData::PublicKey::ALGO_RSA_SHA2_256,
+    SSHData::PublicKey::ALGO_RSA_SHA2_512
+  ].each do |signature_algo|
+    it "can sign messages with #{signature_algo}" do
+      sig = subject.sign(message, algo: signature_algo)
+      expect(subject.public_key.verify(message, sig)).to eq(true)
+
+      algo, _ = SSHData::Encoding.decode_signature(sig)
+      expect(algo).to eq(signature_algo || SSHData::PublicKey::ALGO_RSA)
+    end
+
+    it "can issue a certificate with a #{signature_algo} signature" do
+      cert = subject.issue_certificate(
+        public_key: cert_key,
+        key_id: "some ident",
+        signature_algo: signature_algo
+      )
+
+      algo, _ = SSHData::Encoding.decode_signature(cert.signature)
+
+      expect(algo).to eq(signature_algo || SSHData::PublicKey::ALGO_RSA)
+      expect(cert.verify).to be(true)
+    end
   end
 
-  it "can sign messages with ALGO_RSA" do
-    sig = subject.sign(message, algo: SSHData::PublicKey::ALGO_RSA)
-    expect(subject.public_key.verify(message, sig)).to eq(true)
-  end
-
-  it "can sign messages with ALGO_RSA_SHA2_256" do
-    sig = subject.sign(message, algo: SSHData::PublicKey::ALGO_RSA_SHA2_256)
-    expect(subject.public_key.verify(message, sig)).to eq(true)
-  end
-
-  it "can sign messages with ALGO_RSA_SHA2_512" do
-    sig = subject.sign(message, algo: SSHData::PublicKey::ALGO_RSA_SHA2_512)
-    expect(subject.public_key.verify(message, sig)).to eq(true)
+  it "raises when trying to sign with bad algo" do
+    expect {
+      subject.issue_certificate(
+        public_key: cert_key,
+        key_id: "some ident",
+        signature_algo: SSHData::PublicKey::ALGO_DSA
+      )
+    }.to raise_error(SSHData::AlgorithmError)
   end
 
-  it "raises when trying to sign with bad algo" do
+  it "raises when trying to issue a certificate with bad signature algo" do
     expect {
       subject.sign(message, algo: SSHData::PublicKey::ALGO_DSA)
     }.to raise_error(SSHData::AlgorithmError)

Original file line number	Diff line number	Diff line change
`@@ -148,11 +148,12 @@ def rfc4253`
`148`	`148`	`# Sign this certificate with a private key.`
`149`	`149`	`#`
`150`	`150`	`# private_key - An SSHData::PrivateKey::Base subclass instance.`
	`151`	`+ # algo: - Optionally specify the signature algorithm to use.`
`151`	`152`	`#`
`152`	`153`	`# Returns nothing.`
`153`		`- def sign(private_key)`
	`154`	`+ def sign(private_key, algo: nil)`
`154`	`155`	`@ca_key = private_key.public_key`
`155`		`- @signature = private_key.sign(signed_data)`
	`156`	`+ @signature = private_key.sign(signed_data, algo: algo)`
`156`	`157`	`end`
`157`	`158`
`158`	`159`	`# Verify the certificate's signature.`