cheddar/sig-auth
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add support for more key types

Browse source
This commit is contained in:
cheddar 2025-02-20 22:53:18 -05:00
parent b1e4a0cf72
commit 001a4b4ac5
No known key found for this signature in database
14 changed files with 98 additions and 48 deletions
Download patch file Download diff file Expand all files Collapse all files

9
client/register.go
View file

@ -3,6 +3,7 @@ package client
import ( import (
"bytes" "bytes"
"encoding/json" "encoding/json"
"fmt"
"io" "io"
"net/http" "net/http"
"net/url" "net/url"
@ -37,7 +38,11 @@ func RegisterKey(baseUrl *url.URL, key string, userId string) (string, error) {
return "", err return "", err
} }
keyId := string(out[:]) bodyContent := string(out[:])
return keyId, nil if resp.StatusCode >= 300 {
return "", fmt.Errorf("bad status: %d - %s", resp.StatusCode, bodyContent)
}
return bodyContent, nil
} }

9
ecdsa Normal file
View file

@ -0,0 +1,9 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQQl8nqmx9kQiMeVUceyDaSx7UGOVNxJ
2ZZehRHZxrnYEj3aYBw9FjFuMwDLsPYhe2b6Blz/+LsMlVxJNlCAazudAAAAqJWu9DKVrv
QyAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCXyeqbH2RCIx5VR
x7INpLHtQY5U3EnZll6FEdnGudgSPdpgHD0WMW4zAMuw9iF7ZvoGXP/4uwyVXEk2UIBrO5
0AAAAgXFjJ/LBbKff2oeiOpzrnuhbXL2731pCneA5IrvJLChMAAAAMamFtaWVAYXRoZW5h
AQIDBA==
-----END OPENSSH PRIVATE KEY-----

1
ecdsa.pub Normal file
View file

@ -0,0 +1 @@
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCXyeqbH2RCIx5VRx7INpLHtQY5U3EnZll6FEdnGudgSPdpgHD0WMW4zAMuw9iF7ZvoGXP/4uwyVXEk2UIBrO50= jamie@athena

0
testkey → ed25519
View file

0
testkey.pub → ed25519.pub
View file

3
keydirectory/in_memory_directory.go
View file

@ -28,7 +28,7 @@ func (dir inMemoryDirectory) GetKey(ctx context.Context, keyId string, _ string)
return entry.toAlg() return entry.toAlg()
} }
func (dir inMemoryDirectory) RegisterKey(key crypto.PublicKey, alg string, userId string) (string, error) { func (dir inMemoryDirectory) RegisterKey(key crypto.PublicKey, userId string) (string, error) {
keyId, err := generateKeyId() keyId, err := generateKeyId()
if err != nil { if err != nil {
@ -36,7 +36,6 @@ func (dir inMemoryDirectory) RegisterKey(key crypto.PublicKey, alg string, userI
} }
dir.records[keyId] = keyEntry{ dir.records[keyId] = keyEntry{
Alg: alg,
PublicKey: key, PublicKey: key,
UserId: userId, UserId: userId,
} }

22
keydirectory/keyentry.go
View file

@ -2,15 +2,19 @@ package keydirectory
import ( import (
"crypto" "crypto"
"crypto/ecdsa"
"crypto/ed25519" "crypto/ed25519"
"crypto/rsa"
"fmt" "fmt"
"reflect"
"github.com/common-fate/httpsig/alg_ecdsa"
"github.com/common-fate/httpsig/alg_ed25519" "github.com/common-fate/httpsig/alg_ed25519"
"github.com/common-fate/httpsig/alg_rsa"
"github.com/common-fate/httpsig/verifier" "github.com/common-fate/httpsig/verifier"
) )
type keyEntry struct { type keyEntry struct {
Alg string
PublicKey crypto.PublicKey PublicKey crypto.PublicKey
UserId string UserId string
} }
@ -19,14 +23,24 @@ func (k keyEntry) toAlg() (verifier.Algorithm, error) {
var alg verifier.Algorithm var alg verifier.Algorithm
var err error var err error
switch k.Alg { switch k.PublicKey.(type) {
case "ed25519": case ed25519.PublicKey:
alg = alg_ed25519.Ed25519{ alg = alg_ed25519.Ed25519{
PublicKey: k.PublicKey.(ed25519.PublicKey), PublicKey: k.PublicKey.(ed25519.PublicKey),
Attrs: k.UserId, Attrs: k.UserId,
} }
case *rsa.PublicKey:
alg = alg_rsa.RSAPKCS256{
PublicKey: k.PublicKey.(*rsa.PublicKey),
Attrs: k.UserId,
}
case *ecdsa.PublicKey:
alg = alg_ecdsa.P256{
PublicKey: k.PublicKey.(*ecdsa.PublicKey),
Attrs: k.UserId,
}
default: default:
err = fmt.Errorf("unknown algoritm: %s", k.Alg) err = fmt.Errorf("unknown key type: %s", reflect.TypeOf(k.PublicKey))
} }
return alg, err return alg, err

2
keydirectory/registration.go
View file

@ -8,5 +8,5 @@ import (
type RegistrationDirectory interface { type RegistrationDirectory interface {
verifier.KeyDirectory verifier.KeyDirectory
RegisterKey(key crypto.PublicKey, alg string, userId string) (string, error) RegisterKey(key crypto.PublicKey, userId string) (string, error)
} }

33
keydirectory/sqlite.go
View file

@ -3,9 +3,8 @@ package keydirectory
import ( import (
"context" "context"
"crypto" "crypto"
"crypto/ed25519" "crypto/x509"
"database/sql" "database/sql"
"fmt"
"github.com/common-fate/httpsig/verifier" "github.com/common-fate/httpsig/verifier"
_ "github.com/mattn/go-sqlite3" _ "github.com/mattn/go-sqlite3"
@ -40,7 +39,7 @@ func InitSqlite(dbPath string) (*dbWrapper, error) {
func (dir *dbWrapper) GetKey(ctx context.Context, keyId string, _ string) (verifier.Algorithm, error) { func (dir *dbWrapper) GetKey(ctx context.Context, keyId string, _ string) (verifier.Algorithm, error) {
db := dir.db db := dir.db
query := "select userId, alg, publicKey from keys where keyId = ?" query := "select userId, publicKey from keys where keyId = ?"
stmt, err := db.Prepare(query) stmt, err := db.Prepare(query)
@ -51,28 +50,23 @@ func (dir *dbWrapper) GetKey(ctx context.Context, keyId string, _ string) (verif
defer stmt.Close() defer stmt.Close()
var userId string var userId string
var alg string
var keyBytes []byte var keyBytes []byte
row := stmt.QueryRow(keyId) row := stmt.QueryRow(keyId)
err = row.Scan(&userId, &alg, &keyBytes) err = row.Scan(&userId, &keyBytes)
if err != nil { if err != nil {
return nil, err return nil, err
} }
var publicKey crypto.PublicKey publicKey, err := x509.ParsePKIXPublicKey(keyBytes)
switch alg { if err != nil {
case "ed25519": return nil, err
publicKey = ed25519.PublicKey(keyBytes)
default:
return nil, fmt.Errorf("unknown algorithm: %s", alg)
} }
keyEntry := keyEntry{ keyEntry := keyEntry{
Alg: alg,
UserId: userId, UserId: userId,
PublicKey: publicKey, PublicKey: publicKey,
} }
@ -80,7 +74,7 @@ func (dir *dbWrapper) GetKey(ctx context.Context, keyId string, _ string) (verif
return keyEntry.toAlg() return keyEntry.toAlg()
} }
func (dir *dbWrapper) RegisterKey(key crypto.PublicKey, alg string, userId string) (string, error) { func (dir *dbWrapper) RegisterKey(key crypto.PublicKey, userId string) (string, error) {
db := dir.db db := dir.db
keyId, err := generateKeyId() keyId, err := generateKeyId()
@ -89,18 +83,15 @@ func (dir *dbWrapper) RegisterKey(key crypto.PublicKey, alg string, userId strin
return "", err return "", err
} }
stmt := "insert into keys(keyId, userId, alg, publicKey) values (?, ?, ?, ?)" stmt := "insert into keys(keyId, userId, publicKey) values (?, ?, ?)"
var keyBytes []byte keyBytes, err := x509.MarshalPKIXPublicKey(key)
switch alg { if err != nil {
case "ed25519": return "", err
keyBytes = []byte(key.(ed25519.PublicKey))
default:
return "", fmt.Errorf("unknown algorithm: %s", alg)
} }
_, err = db.Exec(stmt, keyId, userId, alg, keyBytes) _, err = db.Exec(stmt, keyId, userId, keyBytes)
if err != nil { if err != nil {
return "", err return "", err

38
rsa Normal file
View file

@ -0,0 +1,38 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAuuE3B3FyhjNnvkfDQEn7t6E97spa4tTNKDsGUWHtVk090I4v8wXu
yM+fTiuU6ReSQEDGERUkyL/kS6yt7dL78GR5ApPB2LglcoKUTt34wwCaa7aapNHQ6Q5Gjy
Fs16NCCAd7kJLpAf6ixpptkLzChCmSYWQ7fZgSafkcnXYhlAxT11drXGFNEopMbL2hLyxt
+C83hFiqKmBY6KyANXyiANjRcHq3Zcn/1NR0AfB5nfkdjjK6X5sNCShvlX91X4iV6BHfnQ
QSJmV4DGdmasBD27dpZA5MkomL6lRu8RbDMB4zCbhy6AGEX1epN1CtNmPi0raV5ifHGHbF
qY/BgolwQmYyZgvvtACzp2EEPEV1QMre//i+XIU3BhQUM9v8TtnvrXR1lII04nCdeaCwLb
Uu1NHp4BdAJgmBHiPdMoWSB91K1JDfsK07Rtvrtvu20Va+9mPLcQZAFqYa0zv0Rc/ubT++
2WScs+51tbpprBBY3zUeO9KMNc2m0FMmIlW8hyfJAAAFiCusRwcrrEcHAAAAB3NzaC1yc2
EAAAGBALrhNwdxcoYzZ75Hw0BJ+7ehPe7KWuLUzSg7BlFh7VZNPdCOL/MF7sjPn04rlOkX
kkBAxhEVJMi/5Eusre3S+/BkeQKTwdi4JXKClE7d+MMAmmu2mqTR0OkORo8hbNejQggHe5
CS6QH+osaabZC8woQpkmFkO32YEmn5HJ12IZQMU9dXa1xhTRKKTGy9oS8sbfgvN4RYqipg
WOisgDV8ogDY0XB6t2XJ/9TUdAHweZ35HY4yul+bDQkob5V/dV+IlegR350EEiZleAxnZm
rAQ9u3aWQOTJKJi+pUbvEWwzAeMwm4cugBhF9XqTdQrTZj4tK2leYnxxh2xamPwYKJcEJm
MmYL77QAs6dhBDxFdUDK3v/4vlyFNwYUFDPb/E7Z7610dZSCNOJwnXmgsC21LtTR6eAXQC
YJgR4j3TKFkgfdStSQ37CtO0bb67b7ttFWvvZjy3EGQBamGtM79EXP7m0/vtlknLPudbW6
aawQWN81HjvSjDXNptBTJiJVvIcnyQAAAAMBAAEAAAGACoshUSyv4u1siXpABFUIPBx/Q4
UsKocKCh6GZToKq2dROP6EqwfnKHI6US05SgtX54MgCZ+xQxg8d56G85eHOlFY2HHgqmr9
ReAjIO36Fnpmu/QB9pGV4Ug6Z+HhY6sk0xIlAQug1Ml6goz86IEV0mIMDa2bg6L8SvlQiX
u8Oj+VzVzzxDMDJ6wg0rPCL8iobauwTKm59AkaiwoMc7gT5ctVyaxKw5XpdqcD4oYgPm7r
IXYwOKulSSJ8ZSlbRGgOwGDPfTindH3rZ9r14P3XRCIaK9RtFSV4TowVwrlMW73fnCWe51
T1xK5TEopue7k30viR/JTO0CUnxcHBeQy4xc1TT+ojNnSg/QbN77rLLVG/v7ezYRqDUFM2
mEymtpNuS8uXh4TFwlUi89kROYLmRsarUvVChO1p2pRuUuVjSAz33Oqe68EmT32n44L0eC
lV2owKy3a0CWg+VKERrDV6O17Qv5b9FPWKgWn8kY2mUvDJ49oyMzHl6aWAVoEctp9nAAAA
wGmKkmMv2BavrJPH3u31PN8uAJFXGXPtS2PxhrXPYfNfT878zNCtHJ7jWaJ3758oVMxZKn
gpM/i6sKKKyCWHgI7DRTSEKCYT8541iAcG46UZxx0YtvX7cNYsLgYiNv8KWIaIi2qGlvH3
x2pxfQczdXYkMDwXn2O16TPpj5cKr8nxLL/qGSrKRvQIaN2v5d0yiQkIrT8pJnnSZ0H98F
j5ZCkL4624lg3qtilihoE68bUXUo3IPrEL/yHA5CLItKofCwAAAMEA5xEmu0Te3kXoLk3o
wi/oMNcAcl3PFH3s2xWqhySWzBQ0jx+V9vPZPmEJNsnY/wAcA2f0uQr7i8Fi5gGFQXZYm3
P7mnMtrNpA7DJM8UzR7FDwx8JENF24fY2dVkdT26BPNLAhNooc53251AO88iS8RAiWNrlG
TWZTyM/TWXZHbW+5Fu8P6f8BLQAu/2EV71YumfxbhrlqyhKRDI8hA5qxvKTdhE93I7wt31
QoMxbmsWrqHgqbGInhNsxhDmzdNzI7AAAAwQDPC3aEVm8gSWM52LRS1aU7hQgxCJla1dQG
HRAIY3AQ8JhAJV+7TRTpXEfOBM1Z7K/7w5Jz/V6KdebxAc8VIYF6SDtZJzO91xuNZbEg5P
tAeOMk5kK2X1a73KJPbBW5LZaxng3gj9b13f6vRSdlgzz2+4QVVbQukFwsAmGd0E8bmuPl
r6uKKdfhS34MDFCzEuAyuzBkDT1sIObNrMULxzDKtCSi4y5cH1jWidgglF63oYEqjJGByd
/fJi/N/BrWycsAAAAMamFtaWVAYXRoZW5hAQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----

1
rsa.pub Normal file
View file

@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC64TcHcXKGM2e+R8NASfu3oT3uylri1M0oOwZRYe1WTT3Qji/zBe7Iz59OK5TpF5JAQMYRFSTIv+RLrK3t0vvwZHkCk8HYuCVygpRO3fjDAJprtpqk0dDpDkaPIWzXo0IIB3uQkukB/qLGmm2QvMKEKZJhZDt9mBJp+RyddiGUDFPXV2tcYU0SikxsvaEvLG34LzeEWKoqYFjorIA1fKIA2NFwerdlyf/U1HQB8Hmd+R2OMrpfmw0JKG+Vf3VfiJXoEd+dBBImZXgMZ2ZqwEPbt2lkDkySiYvqVG7xFsMwHjMJuHLoAYRfV6k3UK02Y+LStpXmJ8cYdsWpj8GCiXBCZjJmC++0ALOnYQQ8RXVAyt7/+L5chTcGFBQz2/xO2e+tdHWUgjTicJ15oLAttS7U0engF0AmCYEeI90yhZIH3UrUkN+wrTtG2+u2+7bRVr72Y8txBkAWphrTO/RFz+5tP77ZZJyz7nW1ummsEFjfNR470ow1zabQUyYiVbyHJ8k= jamie@athena

20
server/server.go
View file

@ -77,22 +77,25 @@ func getRegistrationHandler(keyDir keydirectory.RegistrationDirectory) http.Hand
err := json.NewDecoder(r.Body).Decode(&request) err := json.NewDecoder(r.Body).Decode(&request)
if err != nil { if err != nil {
fmt.Println(err)
http.Error(w, fmt.Sprintf("Bad request - %s", err), 400) http.Error(w, fmt.Sprintf("Bad request - %s", err), 400)
return return
} }
key, alg, err := parsePublicKey(request.Key) key, err := parsePublicKey(request.Key)
if err != nil { if err != nil {
fmt.Println(err)
http.Error(w, fmt.Sprintf("Bad request - %s", err), 400) http.Error(w, fmt.Sprintf("Bad request - %s", err), 400)
return return
} }
fmt.Printf("Registering %s key for %s\n", alg, request.UserId) fmt.Printf("Registering key for %s\n", request.UserId)
keyId, err := keyDir.RegisterKey(key, alg, request.UserId) keyId, err := keyDir.RegisterKey(key, request.UserId)
if err != nil { if err != nil {
fmt.Println(err)
http.Error(w, fmt.Sprintf("Server error - %s", err), 500) http.Error(w, fmt.Sprintf("Server error - %s", err), 500)
return return
} }
@ -103,15 +106,12 @@ func getRegistrationHandler(keyDir keydirectory.RegistrationDirectory) http.Hand
return http.HandlerFunc(handler) return http.HandlerFunc(handler)
} }
func parsePublicKey(input string) (crypto.PublicKey, string, error) { func parsePublicKey(input string) (crypto.PublicKey, error) {
pk, _, _, _, err := ssh.ParseAuthorizedKey([]byte(input)) pk, _, _, _, err := ssh.ParseAuthorizedKey([]byte(input))
var alg string if err != nil {
return nil, err
switch pk.Type() {
case "ssh-ed25519":
alg = "ed25519"
} }
return pk.(ssh.CryptoPublicKey).CryptoPublicKey(), alg, err return pk.(ssh.CryptoPublicKey).CryptoPublicKey(), err
} }

7
testkey2
View file

@ -1,7 +0,0 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACAVBfVj2Gf8IBbU9G8nYz9Y6UQRcjdocl3CD0GKhIAt5wAAAJA3GdxYNxnc
WAAAAAtzc2gtZWQyNTUxOQAAACAVBfVj2Gf8IBbU9G8nYz9Y6UQRcjdocl3CD0GKhIAt5w
AAAECcClGiCCayTB0yRGxnn3R26heCf966qN+YAISC4dCMERUF9WPYZ/wgFtT0bydjP1jp
RBFyN2hyXcIPQYqEgC3nAAAADGphbWllQGF0aGVuYQE=
-----END OPENSSH PRIVATE KEY-----

1
testkey2.pub
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUF9WPYZ/wgFtT0bydjP1jpRBFyN2hyXcIPQYqEgC3n jamie@athena