Initial commit

Author: ojarva

.gitignore

@@ -0,0 +1,4 @@
+syntax: glob
+
+*.pyc
+__pycache__

DESCRIPTION.rst

@@ -0,0 +1,8 @@
+OpenSSH Public Key Parser for Python
+====================================
+
+This library validates OpenSSH public keys. 
+
+::
+
+  

LICENSE.txt

@@ -0,0 +1,28 @@
+Copyright (c) 2014, Olli Jarva <[email protected]>
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without 
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, 
+   this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its 
+   contributors may be used to endorse or promote products derived from this
+   software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.

README.rst

@@ -0,0 +1,43 @@
+OpenSSH Public Key Parser for Python
+====================================
+
+This library validates OpenSSH public keys.
+
+Currently ssh-rsa, ssh-dss (DSA) and ecdsa-ssh keys with NIST curves is supported.
+
+::
+
+  import sshpubkeys
+  ssh = SSHKey("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAYQCxO38tKAJXIs9ivPxt7AY" \
+      + "dfybgtAR1ow3Qkb9GPQ6wkFHQqcFDe6faKCxH6iDRteo4D8L8B" \
+      + "xwzN42uZSB0nfmjkIxFTcEU3mFSXEbWByg78aoddMrAAjatyrh" \
+      + "H1pON6P0= ojarva@ojar-laptop")
+  print(ssh.bits) # 768
+  print(ssh.hash()) # 56:84:1e:90:08:3b:60:c7:29:70:5f:5e:25:a6:3b:86
+
+
+Exceptions
+----------
+
+- NotImplementedError if invalid ecdsa curve or unknown key type is encountered.
+- InvalidKeyException if any other error is encountered:
+    - TooShortKeyException if key is too short (<768 bits for RSA, <1024 for DSA)
+    - InvalidTypeException if key type ("ssh-rsa" in above example) does not match to what is included in base64 encoded data.
+    - MalformedDataException if decoding and extracting the data fails.
+
+Tests
+-----
+
+See "tests/" folder for unit tests. Use
+
+::
+
+  python setup.py test
+
+or
+
+::
+
+  python3 setup.py test
+
+to run test suite. If you have keys that are not parsed properly, or malformed keys that raise incorrect exception, please send your *public key* to [email protected], and I'll include it. Alternatively, open issue or make a pull request in github.

requirements.txt

@@ -0,0 +1,2 @@
+ecdsa==0.11
+pycrypto==2.6.1

setup.cfg

@@ -0,0 +1,2 @@
+[bdist_wheel]
+universal=1

setup.py

@@ -0,0 +1,42 @@
+from setuptools import setup, find_packages
+from codecs import open
+from os import path
+
+here = path.abspath(path.dirname(__file__))
+
+with open(path.join(here, 'README.rst'), encoding='utf-8') as f:
+    long_description = f.read()
+
+setup(
+    name='sshpubkeys',
+    version='1.0.1',
+    description='SSH public key parser',
+    long_description=long_description,
+    url='https://github.com/ojarva/sshpubkeys',
+    author='Olli Jarva',
+    author_email='[email protected]',
+    license='BSD',
+
+    classifiers=[
+        'Development Status :: 4 - Beta',
+
+        'Intended Audience :: Developers',
+        'Intended Audience :: System Administrators',
+        'Topic :: Security',
+        'License :: OSI Approved :: BSD License',
+
+        'Programming Language :: Python :: 2.7',
+        'Programming Language :: Python :: 3',
+        'Programming Language :: Python :: 3.2',
+        'Programming Language :: Python :: 3.3',
+        'Programming Language :: Python :: 3.4',
+    ],
+    keywords='ssh pubkey public key openssh ssh-rsa ssh-dss',
+    packages=["sshpubkeys"],
+    test_suite="tests",
+    install_requires=['pycrypto>=2.6', 'ecdsa>=0.11'],
+
+    extras_require = {
+        'dev': ['twine', 'wheel'],
+    },
+)

sshpubkeys/__init__.py

@@ -0,0 +1,146 @@
+import base64
+import binascii
+import hashlib
+import struct
+import ecdsa
+import sys
+
+from Crypto.PublicKey import RSA, DSA
+
+INT_LEN = 4
+
+class InvalidKeyException(Exception):
+    pass
+
+class TooShortKeyException(InvalidKeyException):
+    pass
+
+class InvalidTypeException(InvalidKeyException):
+    pass
+
+class MalformedDataException(InvalidKeyException):
+    pass
+
+class SSHKey:
+    def __init__(self, keydata):
+        self.keydata = keydata
+        self.current_position = 0
+        self.decoded_key = None
+        self.parse()
+
+    def hash(self):
+        """ Calculates fingerprint hash.
+
+        Shamelessly copied from http://stackoverflow.com/questions/6682815/deriving-an-ssh-fingerprint-from-a-public-key-in-python
+        """
+        fp_plain = hashlib.md5(self.decoded_key).hexdigest()
+        return ':'.join(a+b for a, b in zip(fp_plain[::2], fp_plain[1::2]))
+
+    def unpack_by_int(self):
+        """ Returns next data field. """
+        # Unpack length of data field
+        try:
+            requested_data_length = struct.unpack('>I', self.decoded_key[self.current_position:self.current_position+INT_LEN])[0]
+        except struct.error:
+            raise MalformedDataException("Unable to unpack %s bytes from the data" % INT_LEN)
+
+        # Move pointer to the beginning of the data field
+        self.current_position += INT_LEN
+        remaining_data_length = len(self.decoded_key[self.current_position:])
+
+        if remaining_data_length < requested_data_length:
+            raise MalformedDataException("Requested %s bytes, but only %s bytes available." % (requested_data_length, remaining_data_length))
+
+        next_data = self.decoded_key[self.current_position:self.current_position+requested_data_length]
+        # Move pointer to the end of the data field
+        self.current_position += requested_data_length
+        return next_data
+
+    @classmethod
+    def parse_long(cls, data):
+        """ Calculate two's complement """
+        if sys.version < '3':
+            ret = long(0)
+            for byte in data:
+                ret = (ret << 8) + ord(byte)
+            return ret
+        ret = 0
+        for byte in data:
+            ret = (ret << 8) + byte
+        return ret
+
+
+    @classmethod
+    def split_key(cls, data):
+        key_parts = data.strip().split(None, 3)
+        if len(key_parts) < 2: # Key type and content are mandatory fields.
+          raise InvalidKeyException("Unexpected key format: at least type and base64 encoded value is required")
+        return key_parts       
+
+    @classmethod
+    def decode_key(cls, pubkey_content):
+        # Decode base64 coded part.
+        try:
+            decoded_key = base64.b64decode(pubkey_content.encode("ascii"))
+        except (TypeError, binascii.Error):
+            raise InvalidKeyException("Unable to decode the key")
+        return decoded_key
+
+    def parse(self):
+        self.current_position = 0
+        key_parts = self.split_key(self.keydata)
+
+        key_type = key_parts[0]
+        pubkey_content = key_parts[1]
+
+        self.decoded_key = self.decode_key(pubkey_content)
+
+        # Check key type
+        unpacked_key_type = self.unpack_by_int()
+        if key_type != unpacked_key_type.decode():
+          raise InvalidTypeException("Keytype mismatch: %s != %s" % (key_type, unpacked_key_type))
+
+        self.key_type = unpacked_key_type
+
+        if self.key_type == b"ssh-rsa":
+
+            raw_e = self.unpack_by_int()
+            raw_n = self.unpack_by_int()
+
+            unpacked_e = self.parse_long(raw_e)
+            unpacked_n = self.parse_long(raw_n)
+
+            self.rsa = RSA.construct((unpacked_n, unpacked_e))
+            self.bits = self.rsa.size() + 1
+
+        elif self.key_type == b"ssh-dss":
+            data_fields = {}
+            for expected_length, item in [(309, "p"), (48, "q"), (309, "g"), (309, "y")]:
+                data_fields[item] = self.parse_long(self.unpack_by_int())
+                item_length = len(str(data_fields[item]))
+                if item_length != expected_length:
+                    raise MalformedDataException("DSA parameter %s has invalid length (%s, expected %s)" % (item, item_length, expected_length))
+
+            self.dsa = DSA.construct((data_fields["y"], data_fields["g"], data_fields["p"], data_fields["q"]))
+            self.bits = self.dsa.size() + 1
+            if self.bits != 1024:
+                raise InvalidKeyException("ssh-dss keys must be 1024 bits (was %s)" % self.bits)
+
+        elif self.key_type.strip().startswith(b"ecdsa-sha"):
+            curve_information = self.unpack_by_int()
+            curve_data = {b"nistp256": (ecdsa.curves.NIST256p, hashlib.sha256),
+                          b"nistp192": (ecdsa.curves.NIST192p, hashlib.sha256),
+                          b"nistp224": (ecdsa.curves.NIST224p, hashlib.sha256),
+                          b"nistp384": (ecdsa.curves.NIST384p, hashlib.sha384),
+                          b"nistp521": (ecdsa.curves.NIST521p, hashlib.sha512)}
+            if curve_information not in curve_data:
+                raise NotImplementedError("Invalid curve type: %s" % curve_information)
+            curve, hash_algorithm = curve_data[curve_information]
+
+            data = self.unpack_by_int()
+
+            key = ecdsa.VerifyingKey.from_string(data[1:], curve, hash_algorithm)
+            self.bits = int(curve_information.replace(b"nistp", b"")) # TODO
+            self.ecdsa = ecdsa
+        else:
+            raise NotImplementedError("Invalid key type: %s" % self.key_type)

tests/__init__.py

@@ -0,0 +1,55 @@
+""" Creates tests from lists of both valid and invalid keys.
+
+New test is generated for each key so that running unittests gives out meaningful errors.
+
+"""
+
+import unittest
+from sshpubkeys import *
+from .test_rsa_keys_lengths import keys as rsa_keys_l
+from .test_rsa_keys_failing import keys as rsa_keys_f
+from .test_dsa_keys import keys as dsa_keys
+from .test_ecdsa_keys import keys as ecdsa_keys
+
+class TestKeys(unittest.TestCase):
+    def check_key(self, pubkey, bits, fingerprint):
+        """ Checks valid key """
+        ssh = SSHKey(pubkey)
+        self.assertEqual(ssh.bits, bits)
+        self.assertEqual(ssh.hash(), fingerprint)
+
+    def check_fail(self, pubkey, expected_error):
+        """ Checks that key check raises specified exception """
+        with self.assertRaises(expected_error):
+            ssh = SSHKey(pubkey)
+ 
+def loop_ok(keyset, prefix):
+    """ Loop over list of valid keys and dynamically create tests """
+
+    for i, items in enumerate(keyset):
+        def ch(pubkey, bits, fingerprint):
+            return lambda self: self.check_key(pubkey, bits, fingerprint)
+        prefix_tmp = "%s_%s" % (prefix, i)
+        if len(items) == 4: # If there is an extra item, use that as test name.
+            prefix_tmp = items.pop()
+        pubkey, bits, fingerprint = items
+        setattr(TestKeys, "test_%s" % prefix_tmp, ch(pubkey, bits, fingerprint))
+
+def loop_failing(keyset, prefix):
+    """ Loop over list of invalid keys and dynamically create tests """
+    for i, items in enumerate(keyset):
+        def ch(pubkey, expected_error):
+            return lambda self: self.check_fail(pubkey, expected_error)
+        prefix_tmp = "%s_%s" % (prefix, i)
+        if len(items) == 3: # If there is an extra item, use that as test name.
+            prefix_tmp = items.pop()
+        pubkey, expected_error = items
+        setattr(TestKeys, "test_%s" % prefix_tmp, ch(pubkey, expected_error))
+
+loop_ok(ecdsa_keys, "ecdsa_ok")
+loop_ok(rsa_keys_l, "rsa_ok")
+loop_ok(dsa_keys, "dsa_ok")
+loop_failing(rsa_keys_f, "rsa_failing")
+
+if __name__ == '__main__':
+    unittest.main()

tests/test_dsa_keys.py

@@ -0,0 +1,4 @@
+
+keys = [
+ ["ssh-dss AAAAB3NzaC1kc3MAAACBAPlHIP5sD+T8/Sx1DGEiCzCXqpl7ww40jBg7wTkxu44OH6pNog5PjJt5M4NBULhKva/i+bhIM3ba+H1Or+aHWWFHACV6W2FCGk/k37ApRF8sIa4hsnN0P9qn6VfhbJKee+DBxa21WjjY/MZiljmJz7IQHx5RTxX9I/hJ7cL+aNmrAAAAFQCKteqc4IkgIrjpcpStsxYAhb3MqQAAAIEA+SfIKuTr7QPcinsZQDdmZOXqcg+u9TLzHA4c47y0Kns3T3BVPr9rWdmuh6eImzLO4wMLxLvcg3ecrqFuiCp1IHvXENkGlpB17S+uOXlVDY+sTdXyvYKRKirg5IZefIAP/m08c0QGkhFDbo4ysr9D5gXgH3LB2rMPIAbvMWm/HZQAAACBAKWtAE3hXRQX5KtI4AoIWVTly/6T4JNBt4u24ZRqV7X//CZEZ0cS5YpR/frlpUDI3WKoMtS+VmT3cBFZINashIxZyfBF8+0UX3s34HwNfp0hDW3ZdgZJU56GC2eclMantYGeVrMxgTQd80pxZFgByEhoXGeZaAwUzN8ULo9jHQqM [email protected]", 1024, "76:66:08:8c:86:81:7e:f0:7b:cd:fa:c3:8c:8b:83:c0", "dsa_basic"],
+]

tests/test_ecdsa_keys.py

@@ -0,0 +1,5 @@
+keys = [
+ ["ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE2gqbAChP2h3fTPx3Jy2KdOJUiBGEiqBUwoosfzllw+KrqmGiDEWlufSxdiSOFuLd4a8PSwhoWbdQRVFrZAvFE= joku@vps91201", 256, "7a:16:d1:e9:9d:11:45:a7:7e:64:a0:f0:9b:f1:2e:f3"],
+ ["ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBCCfGmR4U8uiCQ6atu74i19/R3We8vQzcKpvSw/T54lJhIZov3NNLJNnB+BvOV+HvgIwHHjzC95UwWm+YgEsQdZxT2eZOLvPQNw5lOZ4OKjbRmROxyDnF2BptAS/og+rZg== joku@vps91201", 384, "19:f6:7e:f9:da:68:88:4a:bf:1d:4b:07:8a:70:65:f7"],
+ ["ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAF9QpvUneTvt8lu0ePSuzr7iLE9ZMPu2DFTmqh7BVn89IHuQ5dfg9pArxfHZWgu9lMdlOykVx0I6OXkE35A/mFqwwApyiPmiwnojmRnN//pApl6QQFINHzV/PGOSi599F1Y2tHQwcdb44CPOhkUmHtC9wKazSvw/ivbxNjcMzhhHsWGnA== joku@vps91201", 521, "c2:c0:14:36:ad:f8:7e:f1:b3:7f:ad:f2:cd:2a:30:3f"],
+]

tests/test_rsa_keys_failing.py

@@ -0,0 +1,9 @@
+from sshpubkeys import *
+
+keys = [
+ ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEAgDGrGaNv7i+sGSelzf+7JsCECa9a0sqSg8q4foGkjeV6RkS2tWvKXoT9rICjEdXXodj0CCVhe/V7dmAO0AK8KM0mcvPfTSC8zH1ZBsqaFFTWwmBD01fbH9axrrg3hM0f+AL4bMMWUdxdNrVo90s8PKU6k/HmUNLVx4gC6uQ4A6YczvOVZkuJ4f7HDYK/v1LNTRNeAkw94YpSIZVAoTOZN943+fRCE9cm155pwmFsS+wfzK9+jjhGXNEK0xooiVBRwQM7qetN076vV5FiiM0LO1qYi5JrIqK/70ske86x2mMhMkOe6jqQQbt32PFVmYqYJWcAYXz+bhcQw6oru0c6gNq53aGOnuqI0uh/zV2XH+cN4c8ABcOplzH5YQEUepNVzxylkvpWxdg/ZzR1pvyu5C8RkJWrE3AlCwpix1ak2xTDzgc3rwTTggNSYqvzmYq0mYJhZk2VWsLVxUgdxfwC3LvIHMXSTU9iU2Aqrlhy7bJAqxQFKWy05wsIOI6raPBLqZnPmJ76Ld9aXTrhBFfIDiigr9ZVsVAdOvmyAGCIj4x3Xnlol/3lN0M2+OSV1SU/5ZrS6dIlXPZDak/OXHU0iIFIODhYU5r8EI1M6BI/jsgQ8HatXmOJkfnIkVP0HxD1KvoAFKjVG5sM9KG12LqsnzfD1KL6PzxpOOgoVgznpOjSzVmPKAkU8N/r6R4VIAmZqxpF8Hlzqg/Gfh5kf6CJXXx8OQt1Z/DAsfnl3LvHFNuE8GgXgrUE022W9pV4oONgojc97JSgBXaFkK885UnJKTceAdGQvChEhsU1j3TiyKPox6ICGpoC2nGONJoDE8VQ8dE/YiZmqkZ1lJWX07EwevrIcnz1UBHFaR72aiAADRYClsitLA5+1mnydVstkQ8XQuuKNOFT7miaWUzRHwj9BYGb7oGhNd9oi1VTVjH/5Yq1UiHHESGaIjeLi5uG2KguDFpcvy2ngtUy3ZbvDj+DVOLL+3vAlycRPjN0nBE4e/J6UqdpLg0DbG56zNj86aU0ZgL8kL8NRkFHyV+5zG5iLFkGklbm4nwCxSW/bVT0PFD1is6JbtIk5i+liS+hiuzSF6NGouSuxDy95yWSG8/84fgPDFtvXtOD7Kl4P7EpEAL+VBZnremT9I8tRl1wOHxJKe7jbEcWC2zkuHNlju0Nv5SFijF9c+krRbHDYEzsxPpdqlI4gPtDFdkKwaKN6BrsxBsz9u+PhS1AloUYcxKRqWbqHuDBrKmxnhOgFqJ9ITX0RajtrApt1LfkSBXcFrVEx2nhQkGa6VwjcX/zw2I2iuJFOCQmc9udHIlyaCCSe1PqOIbOlOk5h/Gl1QvRNwSIgf9dZ05lZr6dc+VX8YGdyHsjQ=", InvalidKeyException], # Invalid base64
+ ["ssh-dss AAAAB3NzaC1yc2EAAAADAQABAAAEAgDGrGaNv7i+sGSelzf+7JsCECa9a0sqSg8q4foGkjeV6RkS2tWvKXoT9rICjEdXXodj0CCVhe/V7dmAO0AK8KM0mcvPfTSC8zH1ZBsqaFFTWwmBD01fbH9axrrg3hM0f+AL4bMMWUdxdNrVo90s8PKU6k/HmUNLVx4gC6uQ4A6YczvOVZkuJ4f7HDYK/v1LNTRNeAkw94YpSIZVAoTOZN943+fRCE9cm155pwmFsS+wfzK9+jjhGXNEK0xooiVBRwQM7qetN076vV5FiiM0LO1qYi5JrIqK/70ske86x2mMhMkOe6jqQQbt32PFVmYqYJWcAYXz+bhcQw6oru0c6gNq53aGOnuqI0uh/zV2XH+cN4c8ABcOplzH5YQEUepNVzxylkvpWxdg/ZzR1pvyu5C8RkJWrE3AlCwpix1ak2xTDzgc3rwTTggNSYqvzmYq0mYJhZk2VWsLVxUgdxfwC3LvIHMXSTU9iU2Aqrlhy7bJAqxQFKWy05wsIOI6raPBLqZnPmJ76Ld9aXTrhBFfIDiigr9ZVsVAdOvmyAGCIj4x3Xnlol/3lN0M2+OSV1SU/5ZrS6dIlXPZDak/OXHU0iIFIODhYU5r8EI1M6BI/jsgQ8HatXmOJkfnIkVP0HxD1KvoAFKjVG5sM9KG12LqsnzfD1KL6PzxpOOgoVgznpOjSzVmPKAkU8N/r6R4VIAmZqxpF8Hlzqg/Gfh5kf6CJXXx8OQt1Z/DAsfnl3LvHFNuE8GgXgrUE022W9pV4oONgojc97JSgBXaFkK885UnJKTceAdGQvChEhsU1j3TiyKPox6ICGpoC2nGONJoDE8VQ8dE/YiZmqkZ1lJWX07EwevrIcnz1UBHFaR72aiAADRYClsitLA5+1mnydVstkQ8XQuuKNOFT7miaWUzRHwj9BYGb7oGhNd9oi1VTVjH/5Yq1UiHHESGaIjeLi5uG2KguDFpcvy2ngtUy3ZbvDj+DVOLL+3vAlycRPjN0nBE4e/J6UqdpLg0DbG56zNj86aU0ZgL8kL8NRkFHyV+5zG5iLFkGklbm4nwCxSW/bVT0PFD1is6JbtIk5i+liS+hiuzSF6NGouSuxDy95yWSG8/84fgPDFtvXtOD7Kl4P7EpEAL+VBZnremT9I8tRl1wOHxJKe7jbEcWC2zkuHNlju0Nv5SFijF9c+krRbHDYEzsxPpdqlI4gPtDFdkKwaKN6BrsxBsz9u+PhS1AloUYcxKRqWbqHuDBrKmxnhOgFqJ9ITX0RajtrApt1LfkSBXcFrVEx2nhQkGa6VwjcX/zw2I2iuJFOCQmc9udHIlyaCCSe1PqOIbOlOk5h/Gl1QvRNwSIgf9dZ05lZr6dc+VX8YGdyHsjQ==", InvalidTypeException], # invalid key type
+ ["", InvalidKeyException],
+ ["- -", MalformedDataException],
+]
+