Attempt to fix ssh signing with rsa keys

This commit is contained in:
Maxwell Swadling 2023-03-12 15:03:37 +10:00
parent 1bd724c8bf
commit 1240883425
6 changed files with 33 additions and 10 deletions


@ -150,11 +150,24 @@ extension Agent {
rawRepresentation = try CryptoKit.P256.Signing.ECDSASignature(derRepresentation: derSignature).rawRepresentation rawRepresentation = try CryptoKit.P256.Signing.ECDSASignature(derRepresentation: derSignature).rawRepresentation
case (.ellipticCurve, 384): case (.ellipticCurve, 384):
rawRepresentation = try CryptoKit.P384.Signing.ECDSASignature(derRepresentation: derSignature).rawRepresentation rawRepresentation = try CryptoKit.P384.Signing.ECDSASignature(derRepresentation: derSignature).rawRepresentation
case (.rsa, 1024), (.rsa, 2048):
var signedData = Data()
var sub = Data()
sub.append(writer.lengthAndData(of: curveData))
sub.append(writer.lengthAndData(of: signed))
signedData.append(writer.lengthAndData(of: sub))
if let witness = witness {
try witness.witness(accessTo: secret, from: store, by: provenance)
}
logger.debug("Agent signed request")
return signedData
default: default:
throw AgentError.unsupportedKeyType throw AgentError.unsupportedKeyType
} }
let rawLength = rawRepresentation.count/2 let rawLength = rawRepresentation.count/2
// Check if we need to pad with 0x00 to prevent certain // Check if we need to pad with 0x00 to prevent certain
// ssh servers from thinking r or s is negative // ssh servers from thinking r or s is negative
@ -207,7 +220,7 @@ extension Agent {
func secret(matching hash: Data) -> (AnySecretStore, AnySecret)? { func secret(matching hash: Data) -> (AnySecretStore, AnySecret)? {
storeList.stores.compactMap { store -> (AnySecretStore, AnySecret)? in storeList.stores.compactMap { store -> (AnySecretStore, AnySecret)? in
let allMatching = store.secrets.filter { secret in let allMatching = store.secrets.filter { secret in
hash == writer.data(secret: secret) hash == writer.matchingHashData(secret: secret)
} }
if let matching = allMatching.first { if let matching = allMatching.first {
return (store, matching) return (store, matching)
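Review bot: The new RSA branch emits `curveData` as the signature's algorithm name, but nothing in the hunk ties that name to the digest used to produce `signed`; on the SSH wire `ssh-rsa` means PKCS#1 v1.5 over SHA-1 while `rsa-sha2-256`/`rsa-sha2-512` mean SHA-256/SHA-512, so a mismatch yields signatures the server rejects, and a genuine `ssh-rsa` (SHA-1) signature is refused by current OpenSSH servers by default. Both the signing call and the value of `curveData` are outside this hunk, so I would add at the `case (.rsa, 1024), (.rsa, 2048):` line `// Signature blob = string(sig-alg) || string(sig); sig-alg must name the same hash the SecKey signing algorithm used` and verify the two agree. The branch also repeats the witness call and debug log and returns from inside the switch rather than joining the common path after it, so any later change to the post-signature checks would presumably bypass RSA keys. Accepting 1024-bit RSA here sits at the floor of what OpenSSH tolerates and below current guidance, though it mirrors the SmartCard store's existing cases. The enclosing sign function starts and ends outside the hunk.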


@ -11,9 +11,19 @@ public struct OpenSSHKeyWriter {
/// Generates an OpenSSH data payload identifying the secret. /// Generates an OpenSSH data payload identifying the secret.
/// - Returns: OpenSSH data payload identifying the secret. /// - Returns: OpenSSH data payload identifying the secret.
public func data<SecretType: Secret>(secret: SecretType) -> Data { public func data<SecretType: Secret>(secret: SecretType) -> Data {
lengthAndData(of: curveType(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!) + return lengthAndData(of: curveType(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!) +
lengthAndData(of: curveIdentifier(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!) +
lengthAndData(of: secret.publicKey)
}
public func matchingHashData<SecretType: Secret>(secret: SecretType) -> Data {
if secret.algorithm == .ellipticCurve {
return data(secret: secret)
} else {
return lengthAndData(of: "ssh-rsa".data(using: .utf8)!) +
lengthAndData(of: curveIdentifier(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!) + lengthAndData(of: curveIdentifier(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!) +
lengthAndData(of: secret.publicKey) lengthAndData(of: secret.publicKey)
}
} }
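Review bot: `matchingHashData` hard-codes `ssh-rsa` as the key blob type while `data(secret:)` uses `curveType(...)`, and the reason for the split is not recorded; add a doc comment such as `/// Key blob used to match an agent sign request against a secret. Per RFC 8332 an RSA public key blob is always typed "ssh-rsa" even when the signature algorithm is rsa-sha2-*, so clients send it back in that form.`, after confirming that `curveType` really returns a different name for RSA, which is not visible here. The `else` branch also treats every non-elliptic-curve algorithm as RSA, so a future `Algorithm` case would silently be matched as `ssh-rsa`; `switch secret.algorithm { case .ellipticCurve: return data(secret: secret) case .rsa: ... }` keeps it exhaustive.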
/// Generates an OpenSSH string representation of the secret. /// Generates an OpenSSH string representation of the secret.


@ -16,9 +16,11 @@ extension SmartCard {
@Published public private(set) var secrets: [Secret] = [] @Published public private(set) var secrets: [Secret] = []
private let watcher = TKTokenWatcher() private let watcher = TKTokenWatcher()
private var tokenID: String? private var tokenID: String?
private let includeEncryptionKeys: Bool
/// Initializes a Store. /// Initializes a Store.
public init() { public init(includeEncryptionKeys: Bool) {
self.includeEncryptionKeys = includeEncryptionKeys
tokenID = watcher.nonSecureEnclaveTokens.first tokenID = watcher.nonSecureEnclaveTokens.first
watcher.setInsertionHandler { string in watcher.setInsertionHandler { string in
guard self.tokenID == nil else { return } guard self.tokenID == nil else { return }
@ -237,9 +239,7 @@ extension SmartCard.Store {
signatureAlgorithm = .eciesEncryptionCofactorVariableIVX963SHA256AESGCM signatureAlgorithm = .eciesEncryptionCofactorVariableIVX963SHA256AESGCM
case (.ellipticCurve, 384): case (.ellipticCurve, 384):
signatureAlgorithm = .eciesEncryptionCofactorVariableIVX963SHA256AESGCM signatureAlgorithm = .eciesEncryptionCofactorVariableIVX963SHA256AESGCM
case (.rsa, 1024): case (.rsa, 1024), (.rsa, 2048):
signatureAlgorithm = .rsaEncryptionOAEPSHA512AESGCM
case (.rsa, 2048):
signatureAlgorithm = .rsaEncryptionOAEPSHA512AESGCM signatureAlgorithm = .rsaEncryptionOAEPSHA512AESGCM
default: default:
fatalError() fatalError()
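Review bot: `includeEncryptionKeys` is stored by the new init but nothing in the visible hunks reads it, so whether encryption-only keys are actually filtered out of `secrets` cannot be confirmed here, and the parameter has no doc comment; add `/// - Parameter includeEncryptionKeys: whether keys usable only for encryption (not signing) are listed alongside signing keys.` above `public init(includeEncryptionKeys: Bool)`, worded to match what the filter actually does. All three visible call sites pass `false`, so a default `includeEncryptionKeys: Bool = false` would keep them in sync. Separately, the merged `case (.rsa, 1024), (.rsa, 2048):` still falls to `fatalError()` for any other RSA size, so a 3072- or 4096-bit key reaching this switch crashes the process rather than being reported; that is pre-existing, but becomes more likely to be hit as RSA support widens.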


@ -13,7 +13,7 @@ class AppDelegate: NSObject, NSApplicationDelegate {
private let storeList: SecretStoreList = { private let storeList: SecretStoreList = {
let list = SecretStoreList() let list = SecretStoreList()
list.add(store: SecureEnclave.Store()) list.add(store: SecureEnclave.Store())
list.add(store: SmartCard.Store()) list.add(store: SmartCard.Store(includeEncryptionKeys: false))
return list return list
}() }()
private let updater = Updater(checkOnLaunch: false, bundlePrefix: BundlePrefix) private let updater = Updater(checkOnLaunch: false, bundlePrefix: BundlePrefix)


@ -11,7 +11,7 @@ struct Secretive: App {
private let storeList: SecretStoreList = { private let storeList: SecretStoreList = {
let list = SecretStoreList() let list = SecretStoreList()
list.add(store: SecureEnclave.Store()) list.add(store: SecureEnclave.Store())
list.add(store: SmartCard.Store()) list.add(store: SmartCard.Store(includeEncryptionKeys: false))
return list return list
}() }()
private let agentStatusChecker = AgentStatusChecker() private let agentStatusChecker = AgentStatusChecker()


@ -195,7 +195,7 @@ struct ContentView_Previews: PreviewProvider {
private static let storeList: SecretStoreList = { private static let storeList: SecretStoreList = {
let list = SecretStoreList() let list = SecretStoreList()
list.add(store: SecureEnclave.Store()) list.add(store: SecureEnclave.Store())
list.add(store: SmartCard.Store()) list.add(store: SmartCard.Store(includeEncryptionKeys: false))
return list return list
}() }()
private static let agentStatusChecker = AgentStatusChecker() private static let agentStatusChecker = AgentStatusChecker()