Attempt to fix ssh signing with rsa keys

2025-04-04 06:37:07 +00:00 · 2023-03-12 15:03:37 +10:00 · 2023-03-12 15:03:37 +10:00 · 1240883425
commit 1240883425
parent 1bd724c8bf
6 changed files with 33 additions and 10 deletions
--- a/Sources/Packages/Sources/SecretAgentKit/Agent.swift
+++ b/Sources/Packages/Sources/SecretAgentKit/Agent.swift
@ -150,11 +150,24 @@ extension Agent {
            rawRepresentation = try CryptoKit.P256.Signing.ECDSASignature(derRepresentation: derSignature).rawRepresentation
        case (.ellipticCurve, 384):
            rawRepresentation = try CryptoKit.P384.Signing.ECDSASignature(derRepresentation: derSignature).rawRepresentation
+        case (.rsa, 1024), (.rsa, 2048):
+            var signedData = Data()
+            var sub = Data()
+            sub.append(writer.lengthAndData(of: curveData))
+            sub.append(writer.lengthAndData(of: signed))
+            signedData.append(writer.lengthAndData(of: sub))
+
+            if let witness = witness {
+                try witness.witness(accessTo: secret, from: store, by: provenance)
+            }
+
+            logger.debug("Agent signed request")
+
+            return signedData
        default:
            throw AgentError.unsupportedKeyType
        }

-
        let rawLength = rawRepresentation.count/2
        // Check if we need to pad with 0x00 to prevent certain
        // ssh servers from thinking r or s is negative
@ -207,7 +220,7 @@ extension Agent {
    func secret(matching hash: Data) -> (AnySecretStore, AnySecret)? {
        storeList.stores.compactMap { store -> (AnySecretStore, AnySecret)? in
            let allMatching = store.secrets.filter { secret in
-                hash == writer.data(secret: secret)
+                hash == writer.matchingHashData(secret: secret)
            }
            if let matching = allMatching.first {
                return (store, matching)
--- a/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHKeyWriter.swift
+++ b/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHKeyWriter.swift
@ -11,9 +11,19 @@ public struct OpenSSHKeyWriter {
    /// Generates an OpenSSH data payload identifying the secret.
    /// - Returns: OpenSSH data payload identifying the secret.
    public func data<SecretType: Secret>(secret: SecretType) -> Data {
-        lengthAndData(of: curveType(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!) +
+        return lengthAndData(of: curveType(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!) +
+        lengthAndData(of: curveIdentifier(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!) +
+        lengthAndData(of: secret.publicKey)
+    }
+    
+    public func matchingHashData<SecretType: Secret>(secret: SecretType) -> Data {
+        if secret.algorithm == .ellipticCurve {
+            return data(secret: secret)
+        } else {
+            return lengthAndData(of: "ssh-rsa".data(using: .utf8)!) +
            lengthAndData(of: curveIdentifier(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!) +
            lengthAndData(of: secret.publicKey)
+        }
    }

    /// Generates an OpenSSH string representation of the secret.
--- a/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift
+++ b/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift
@ -16,9 +16,11 @@ extension SmartCard {
        @Published public private(set) var secrets: [Secret] = []
        private let watcher = TKTokenWatcher()
        private var tokenID: String?
+        private let includeEncryptionKeys: Bool

        /// Initializes a Store.
-        public init() {
+        public init(includeEncryptionKeys: Bool) {
+            self.includeEncryptionKeys = includeEncryptionKeys
            tokenID = watcher.nonSecureEnclaveTokens.first
            watcher.setInsertionHandler { string in
                guard self.tokenID == nil else { return }
@ -237,9 +239,7 @@ extension SmartCard.Store {
            signatureAlgorithm = .eciesEncryptionCofactorVariableIVX963SHA256AESGCM
        case (.ellipticCurve, 384):
            signatureAlgorithm = .eciesEncryptionCofactorVariableIVX963SHA256AESGCM
-        case (.rsa, 1024):
-            signatureAlgorithm = .rsaEncryptionOAEPSHA512AESGCM
-        case (.rsa, 2048):
+        case (.rsa, 1024), (.rsa, 2048):
            signatureAlgorithm = .rsaEncryptionOAEPSHA512AESGCM
        default:
            fatalError()
--- a/Sources/SecretAgent/AppDelegate.swift
+++ b/Sources/SecretAgent/AppDelegate.swift
@ -13,7 +13,7 @@ class AppDelegate: NSObject, NSApplicationDelegate {
    private let storeList: SecretStoreList = {
        let list = SecretStoreList()
        list.add(store: SecureEnclave.Store())
-        list.add(store: SmartCard.Store())
+        list.add(store: SmartCard.Store(includeEncryptionKeys: false))
        return list
    }()
    private let updater = Updater(checkOnLaunch: false, bundlePrefix: BundlePrefix)
--- a/Sources/Secretive/App.swift
+++ b/Sources/Secretive/App.swift
@ -11,7 +11,7 @@ struct Secretive: App {
    private let storeList: SecretStoreList = {
        let list = SecretStoreList()
        list.add(store: SecureEnclave.Store())
-        list.add(store: SmartCard.Store())
+        list.add(store: SmartCard.Store(includeEncryptionKeys: false))
        return list
    }()
    private let agentStatusChecker = AgentStatusChecker()
--- a/Sources/Secretive/Views/ContentView.swift
+++ b/Sources/Secretive/Views/ContentView.swift
@ -195,7 +195,7 @@ struct ContentView_Previews: PreviewProvider {
    private static let storeList: SecretStoreList = {
        let list = SecretStoreList()
        list.add(store: SecureEnclave.Store())
-        list.add(store: SmartCard.Store())
+        list.add(store: SmartCard.Store(includeEncryptionKeys: false))
        return list
    }()
    private static let agentStatusChecker = AgentStatusChecker()