From 12408834250ed458fa80149658fbb6a6688ac729 Mon Sep 17 00:00:00 2001
From: Maxwell Swadling
Date: Sun, 12 Mar 2023 15:03:37 +1000
Subject: [PATCH] Attempt to fix ssh signing with rsa keys
---
 .../Packages/Sources/SecretAgentKit/Agent.swift | 17 +++++++++++++++--
 .../SecretKit/OpenSSH/OpenSSHKeyWriter.swift | 12 +++++++++++-
 .../SmartCardSecretKit/SmartCardStore.swift | 8 ++++----
 Sources/SecretAgent/AppDelegate.swift | 2 +-
 Sources/Secretive/App.swift | 2 +-
 Sources/Secretive/Views/ContentView.swift | 2 +-
 6 files changed, 33 insertions(+), 10 deletions(-)
diff --git a/Sources/Packages/Sources/SecretAgentKit/Agent.swift b/Sources/Packages/Sources/SecretAgentKit/Agent.swift
index e89488e..95faa9b 100644
--- a/Sources/Packages/Sources/SecretAgentKit/Agent.swift
+++ b/Sources/Packages/Sources/SecretAgentKit/Agent.swift
@@ -150,11 +150,24 @@ extension Agent {
 rawRepresentation = try CryptoKit.P256.Signing.ECDSASignature(derRepresentation: derSignature).rawRepresentation
 case (.ellipticCurve, 384):
 rawRepresentation = try CryptoKit.P384.Signing.ECDSASignature(derRepresentation: derSignature).rawRepresentation
+ case (.rsa, 1024), (.rsa, 2048):
+ var signedData = Data()
+ var sub = Data()
+ sub.append(writer.lengthAndData(of: curveData))
+ sub.append(writer.lengthAndData(of: signed))
+ signedData.append(writer.lengthAndData(of: sub))
+
+ if let witness = witness {
+ try witness.witness(accessTo: secret, from: store, by: provenance)
+ }
+
+ logger.debug("Agent signed request")
+
+ return signedData
 default:
 throw AgentError.unsupportedKeyType
 }
-
 let rawLength = rawRepresentation.count/2
 // Check if we need to pad with 0x00 to prevent certain
 // ssh servers from thinking r or s is negative
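Review bot: The signature-type string written into the blob (`sub.append(writer.lengthAndData(of: curveData))`) must name the hash the RSA signature was actually computed with: RFC 8332 requires `rsa-sha2-256`/`rsa-sha2-512` for SHA-2 signatures, while `ssh-rsa` denotes SHA-1, which OpenSSH servers reject by default since 8.8. Both `curveData` and the SecKeyAlgorithm that produced `signed` are defined outside this hunk, so I cannot confirm they agree; if `curveData` is the key-format name, this line should become `sub.append(writer.lengthAndData(of: "rsa-sha2-512".data(using: .utf8)!))` (or `rsa-sha2-256`, whichever matches the hash used), and the choice should follow the `SSH_AGENT_RSA_SHA2_256`/`SSH_AGENT_RSA_SHA2_512` flag carried in the sign request rather than being assumed. The `(.rsa, 1024)` case is accepted without any warning although 1024-bit RSA is below the current minimum, so at least a `logger.warning` there would be appropriate. The enclosing sign function starts and ends outside the hunk.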
@@ -207,7 +220,7 @@ extension Agent { func secret(matching hash: Data) -> (AnySecretStore, AnySecret)? { storeList.stores.compactMap { store -> (AnySecretStore, AnySecret)? in let allMatching = store.secrets.filter { secret in - hash == writer.data(secret: secret) + hash == writer.matchingHashData(secret: secret) } if let matching = allMatching.first { return (store, matching) diff --git a/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHKeyWriter.swift b/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHKeyWriter.swift index da8c4b1..877fff2 100644 --- a/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHKeyWriter.swift +++ b/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHKeyWriter.swift @@ -11,9 +11,19 @@ public struct OpenSSHKeyWriter { /// Generates an OpenSSH data payload identifying the secret. /// - Returns: OpenSSH data payload identifying the secret. public func data(secret: SecretType) -> Data { - lengthAndData(of: curveType(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!) + + return lengthAndData(of: curveType(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!) + + lengthAndData(of: curveIdentifier(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!) + + lengthAndData(of: secret.publicKey) + } + + public func matchingHashData(secret: SecretType) -> Data { + if secret.algorithm == .ellipticCurve { + return data(secret: secret) + } else { + return lengthAndData(of: "ssh-rsa".data(using: .utf8)!) + lengthAndData(of: curveIdentifier(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!) + lengthAndData(of: secret.publicKey) + } } /// Generates an OpenSSH string representation of the secret. diff --git a/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift b/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift index 0d06cbc..0d5f2de 100644 --- a/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift 
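Review bot: `matchingHashData(secret:)` sends every algorithm other than `.ellipticCurve` down the `ssh-rsa` branch through its bare `else`, so any algorithm case added later would silently be labelled as an RSA key; a `switch secret.algorithm` with explicit `.ellipticCurve` and `.rsa` cases lets the compiler catch that. The new public function also has no `///` doc comment while its sibling `data(secret:)` does, and since it differs only in the key-type string, the comment should record why (presumably `curveType(for: .rsa, ...)` returns a signature-algorithm name rather than the key-format name, which is not visible here), e.g. `/// Public-key blob as it appears in an agent sign request; per RFC 8332 the key-format name stays "ssh-rsa" even when signatures use rsa-sha2-*.` `Data("ssh-rsa".utf8)` would also avoid the force-unwrap on the literal.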
+++ b/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift
@@ -16,9 +16,11 @@ extension SmartCard {
 @Published public private(set) var secrets: [Secret] = []
 private let watcher = TKTokenWatcher()
 private var tokenID: String?
+ private let includeEncryptionKeys: Bool
 /// Initializes a Store.
- public init() {
+ public init(includeEncryptionKeys: Bool) {
+ self.includeEncryptionKeys = includeEncryptionKeys
 tokenID = watcher.nonSecureEnclaveTokens.first
 watcher.setInsertionHandler { string in
 guard self.tokenID == nil else { return }
@@ -237,9 +239,7 @@ extension SmartCard.Store {
 signatureAlgorithm = .eciesEncryptionCofactorVariableIVX963SHA256AESGCM
 case (.ellipticCurve, 384):
 signatureAlgorithm = .eciesEncryptionCofactorVariableIVX963SHA256AESGCM
- case (.rsa, 1024):
- signatureAlgorithm = .rsaEncryptionOAEPSHA512AESGCM
- case (.rsa, 2048):
+ case (.rsa, 1024), (.rsa, 2048):
 signatureAlgorithm = .rsaEncryptionOAEPSHA512AESGCM
 default:
 fatalError()
diff --git a/Sources/SecretAgent/AppDelegate.swift b/Sources/SecretAgent/AppDelegate.swift
index 22a20a4..f9d11b8 100644
--- a/Sources/SecretAgent/AppDelegate.swift
+++ b/Sources/SecretAgent/AppDelegate.swift
@@ -13,7 +13,7 @@ class AppDelegate: NSObject, NSApplicationDelegate {
 private let storeList: SecretStoreList = {
 let list = SecretStoreList()
 list.add(store: SecureEnclave.Store())
- list.add(store: SmartCard.Store())
+ list.add(store: SmartCard.Store(includeEncryptionKeys: false))
 return list
 }()
 private let updater = Updater(checkOnLaunch: false, bundlePrefix: BundlePrefix)
diff --git a/Sources/Secretive/App.swift b/Sources/Secretive/App.swift
index fbd530b..eb18739 100644
--- a/Sources/Secretive/App.swift
+++ b/Sources/Secretive/App.swift
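Review bot: The new `includeEncryptionKeys` flag is stored in `init` but nothing in this hunk reads it, so whether encryption-only keys are actually kept out of `secrets` cannot be confirmed from here; that filter presumably lives in the token-enumeration code outside the hunk and should be checked. Document the contract on the initializer, e.g. `/// - Parameter includeEncryptionKeys: when false, keys usable only for encryption/decryption are left out of `secrets`` (worded to match what the filter really does). Every call site touched by this patch passes `false`, so `public init(includeEncryptionKeys: Bool = false)` would keep the previous `SmartCard.Store()` spelling source-compatible for other callers. The `Store` class begins before this hunk and its body continues after it.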
@@ -11,7 +11,7 @@ struct Secretive: App {
 private let storeList: SecretStoreList = {
 let list = SecretStoreList()
 list.add(store: SecureEnclave.Store())
- list.add(store: SmartCard.Store())
+ list.add(store: SmartCard.Store(includeEncryptionKeys: false))
 return list
 }()
 private let agentStatusChecker = AgentStatusChecker()
diff --git a/Sources/Secretive/Views/ContentView.swift b/Sources/Secretive/Views/ContentView.swift
index 461db2d..204b063 100644
--- a/Sources/Secretive/Views/ContentView.swift
+++ b/Sources/Secretive/Views/ContentView.swift
@@ -195,7 +195,7 @@ struct ContentView_Previews: PreviewProvider {
 private static let storeList: SecretStoreList = {
 let list = SecretStoreList()
 list.add(store: SecureEnclave.Store())
- list.add(store: SmartCard.Store())
+ list.add(store: SmartCard.Store(includeEncryptionKeys: false))
 return list
 }()
 private static let agentStatusChecker = AgentStatusChecker()