| Current File : //opt/puppetlabs/puppet/lib/ruby/gems/2.7.0/gems/net-ssh-6.1.0/lib/net/ssh/key_factory.rb |
require 'net/ssh/transport/openssl'
require 'net/ssh/prompt'
require 'net/ssh/authentication/ed25519_loader'
module Net
module SSH
# A factory class for returning new Key classes. It is used for obtaining
# OpenSSL key instances via their SSH names, and for loading both public and
# private keys. It used used primarily by Net::SSH itself, internally, and
# will rarely (if ever) be directly used by consumers of the library.
#
# klass = Net::SSH::KeyFactory.get("rsa")
# assert klass.is_a?(OpenSSL::PKey::RSA)
#
# key = Net::SSH::KeyFactory.load_public_key("~/.ssh/id_dsa.pub")
class KeyFactory
# Specifies the mapping of SSH names to OpenSSL key classes.
MAP = {
'dh' => OpenSSL::PKey::DH,
'rsa' => OpenSSL::PKey::RSA,
'dsa' => OpenSSL::PKey::DSA,
'ecdsa' => OpenSSL::PKey::EC
}
MAP["ed25519"] = Net::SSH::Authentication::ED25519::PrivKey if defined? Net::SSH::Authentication::ED25519
class <<self
# Fetch an OpenSSL key instance by its SSH name. It will be a new,
# empty key of the given type.
def get(name)
MAP.fetch(name).new
end
# Loads a private key from a file. It will correctly determine
# whether the file describes an RSA or DSA key, and will load it
# appropriately. The new key is returned. If the key itself is
# encrypted (requiring a passphrase to use), the user will be
# prompted to enter their password unless passphrase works.
def load_private_key(filename, passphrase=nil, ask_passphrase=true, prompt=Prompt.default)
data = File.read(File.expand_path(filename))
load_data_private_key(data, passphrase, ask_passphrase, filename, prompt)
end
# Loads a private key. It will correctly determine
# whether the file describes an RSA or DSA key, and will load it
# appropriately. The new key is returned. If the key itself is
# encrypted (requiring a passphrase to use), the user will be
# prompted to enter their password unless passphrase works.
def load_data_private_key(data, passphrase=nil, ask_passphrase=true, filename="", prompt=Prompt.default)
key_type = classify_key(data, filename)
encrypted_key = nil
tries = 0
prompter = nil
result =
begin
key_type.read(data, passphrase || 'invalid')
rescue *key_type.error_classes => e
encrypted_key = !!key_type.encrypted_key?(data, e) if encrypted_key.nil?
if encrypted_key && ask_passphrase
tries += 1
if tries <= 3
prompter ||= prompt.start(type: 'private_key', filename: filename, sha: Digest::SHA256.digest(data))
passphrase = prompter.ask("Enter passphrase for #{filename}:", false)
retry
else
raise
end
else
raise
end
end
prompter.success if prompter
result
end
# Loads a public key from a file. It will correctly determine whether
# the file describes an RSA or DSA key, and will load it
# appropriately. The new public key is returned.
def load_public_key(filename)
data = File.read(File.expand_path(filename))
load_data_public_key(data, filename)
end
# Loads a public key. It will correctly determine whether
# the file describes an RSA or DSA key, and will load it
# appropriately. The new public key is returned.
def load_data_public_key(data, filename="")
fields = data.split(/ /)
blob = nil
begin
blob = fields.shift
end while !blob.nil? && !/^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp\d+)(-cert-v01@openssh\.com)?$/.match(blob)
blob = fields.shift
raise Net::SSH::Exception, "public key at #{filename} is not valid" if blob.nil?
blob = blob.unpack("m*").first
reader = Net::SSH::Buffer.new(blob)
reader.read_key or raise OpenSSL::PKey::PKeyError, "not a public key #{filename.inspect}"
end
private
# rubocop:disable Style/Documentation, Lint/DuplicateMethods
class KeyType
def self.read(key_data, passphrase)
raise Exception, "TODO subclasses should implement read"
end
def self.error_classes
raise Exception, "TODO subclasses should implement read"
end
def self.encrypted_key?(data, error)
raise Exception, "TODO subclasses should implement is_encrypted_key"
end
end
class OpenSSHPrivateKeyType < KeyType
def self.read(key_data, passphrase)
Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader.read(key_data, passphrase)
end
def self.error_classes
[Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader::DecryptError]
end
def self.encrypted_key?(key_data, decode_error)
decode_error.is_a?(Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader::DecryptError) && decode_error.encrypted_key?
end
end
class OpenSSLKeyTypeBase < KeyType
def self.open_ssl_class
raise Exception, "TODO: subclasses should implement"
end
def self.read(key_data, passphrase)
open_ssl_class.new(key_data, passphrase)
end
def self.encrypted_key?(key_data, error)
key_data.match(/ENCRYPTED/)
end
end
class OpenSSLPKeyType < OpenSSLKeyTypeBase
def self.read(key_data, passphrase)
open_ssl_class.read(key_data, passphrase)
end
def self.open_ssl_class
OpenSSL::PKey
end
def self.error_classes
[ArgumentError, OpenSSL::PKey::PKeyError]
end
end
class OpenSSLDSAKeyType < OpenSSLKeyTypeBase
def self.open_ssl_class
OpenSSL::PKey::DSA
end
def self.error_classes
[OpenSSL::PKey::DSAError]
end
end
class OpenSSLRSAKeyType < OpenSSLKeyTypeBase
def self.open_ssl_class
OpenSSL::PKey::RSA
end
def self.error_classes
[OpenSSL::PKey::RSAError]
end
end
class OpenSSLECKeyType < OpenSSLKeyTypeBase
def self.open_ssl_class
OpenSSL::PKey::EC
end
def self.error_classes
[OpenSSL::PKey::ECError]
end
end
# rubocop:enable Style/Documentation, Lint/DuplicateMethods
# Determine whether the file describes an RSA or DSA key, and return how load it
# appropriately.
def classify_key(data, filename)
if data.match(/-----BEGIN OPENSSH PRIVATE KEY-----/)
Net::SSH::Authentication::ED25519Loader.raiseUnlessLoaded("OpenSSH keys only supported if ED25519 is available")
return OpenSSHPrivateKeyType
elsif OpenSSL::PKey.respond_to?(:read)
return OpenSSLPKeyType
elsif data.match(/-----BEGIN DSA PRIVATE KEY-----/)
return OpenSSLDSAKeyType
elsif data.match(/-----BEGIN RSA PRIVATE KEY-----/)
return OpenSSLRSAKeyType
elsif data.match(/-----BEGIN EC PRIVATE KEY-----/)
return OpenSSLECKeyType
elsif data.match(/-----BEGIN (.+) PRIVATE KEY-----/)
raise OpenSSL::PKey::PKeyError, "not a supported key type '#{$1}'"
else
raise OpenSSL::PKey::PKeyError, "not a private key (#{filename})"
end
end
end
end
end
end