Viewing file:  Identity.php (8.86 KB) -rw-r--r--
Select action/file-type:
 (+) |  (+) |  (+) | Code (+) | Session (+) |  (+) | SDB (+) |  (+) |  (+) |  (+) |  (+) |  (+) |
<?php
/**
* Pure-PHP ssh-agent client.
*
* {@internal See http://api.libssh.org/rfc/PROTOCOL.agent}
*
* PHP version 5
*
* @category System
* @package SSH\Agent
* @author Jim Wigginton <terrafrost@php.net>
* @copyright 2009 Jim Wigginton
* @license http://www.opensource.org/licenses/mit-license.html MIT License
* @link http://phpseclib.sourceforge.net
*/
namespace phpseclib3\System\SSH\Agent;
use phpseclib3\Crypt\RSA;
use phpseclib3\Crypt\DSA;
use phpseclib3\Crypt\EC;
use phpseclib3\Exception\UnsupportedAlgorithmException;
use phpseclib3\System\SSH\Agent;
use phpseclib3\Common\Functions\Strings;
use phpseclib3\Crypt\Common\PrivateKey;
/**
* Pure-PHP ssh-agent client identity object
*
* Instantiation should only be performed by \phpseclib3\System\SSH\Agent class.
* This could be thought of as implementing an interface that phpseclib3\Crypt\RSA
* implements. ie. maybe a Net_SSH_Auth_PublicKey interface or something.
* The methods in this interface would be getPublicKey and sign since those are the
* methods phpseclib looks for to perform public key authentication.
*
* @package SSH\Agent
* @author Jim Wigginton <terrafrost@php.net>
* @access internal
*/
class Identity implements PrivateKey
{
use \phpseclib3\System\SSH\Common\Traits\ReadBytes;
// Signature Flags
// See https://tools.ietf.org/html/draft-miller-ssh-agent-00#section-5.3
const SSH_AGENT_RSA2_256 = 2;
const SSH_AGENT_RSA2_512 = 4;
/**
* Key Object
*
* @var \phpseclib3\Crypt\RSA
* @access private
* @see self::getPublicKey()
*/
private $key;
/**
* Key Blob
*
* @var string
* @access private
* @see self::sign()
*/
private $key_blob;
/**
* Socket Resource
*
* @var resource
* @access private
* @see self::sign()
*/
private $fsock;
/**
* Signature flags
*
* @var int
* @access private
* @see self::sign()
* @see self::setHash()
*/
private $flags = 0;
/**
* Curve Aliases
*
* @var array
* @access private
*/
private static $curveAliases = [
'secp256r1' => 'nistp256',
'secp384r1' => 'nistp384',
'secp521r1' => 'nistp521',
'Ed25519' => 'Ed25519'
];
/**
* Default Constructor.
*
* @param resource $fsock
* @return \phpseclib3\System\SSH\Agent\Identity
* @access private
*/
public function __construct($fsock)
{
$this->fsock = $fsock;
}
/**
* Set Public Key
*
* Called by \phpseclib3\System\SSH\Agent::requestIdentities()
*
* @param \phpseclib3\Crypt\Common\PublicKey $key
* @access private
*/
public function withPublicKey($key)
{
if ($key instanceof EC) {
if (is_array($key->getCurve()) || !isset(self::$curveAliases[$key->getCurve()])) {
throw new UnsupportedAlgorithmException('The only supported curves are nistp256, nistp384, nistp512 and Ed25519');
}
}
$new = clone $this;
$new->key = $key;
return $new;
}
/**
* Set Public Key
*
* Called by \phpseclib3\System\SSH\Agent::requestIdentities(). The key blob could be extracted from $this->key
* but this saves a small amount of computation.
*
* @param string $key_blob
* @access private
*/
public function withPublicKeyBlob($key_blob)
{
$new = clone $this;
$new->key_blob = $key_blob;
return $new;
}
/**
* Get Public Key
*
* Wrapper for $this->key->getPublicKey()
*
* @param string $type optional
* @return mixed
* @access public
*/
public function getPublicKey($type = 'PKCS8')
{
return $this->key;
}
/**
* Sets the hash
*
* @param string $hash
* @access public
*/
public function withHash($hash)
{
$new = clone $this;
$hash = strtolower($hash);
if ($this->key instanceof RSA) {
$new->flags = 0;
switch ($hash) {
case 'sha1':
break;
case 'sha256':
$new->flags = self::SSH_AGENT_RSA2_256;
break;
case 'sha512':
$new->flags = self::SSH_AGENT_RSA2_512;
break;
default:
throw new UnsupportedAlgorithmException('The only supported hashes for RSA are sha1, sha256 and sha512');
}
}
if ($this->key instanceof EC) {
switch ($this->key->getCurve()) {
case 'secp256r1':
$expectedHash = 'sha256';
break;
case 'secp384r1':
$expectedHash = 'sha384';
break;
//case 'secp521r1':
//case 'Ed25519':
default:
$expectedHash = 'sha512';
}
if ($hash != $expectedHash) {
throw new UnsupportedAlgorithmException('The only supported hash for ' . self::$curveAliases[$key->getCurve()] . ' is ' . $expectedHash);
}
}
if ($this->key instanceof DSA) {
if ($hash != 'sha1') {
throw new UnsupportedAlgorithmException('The only supported hash for DSA is sha1');
}
}
return $new;
}
/**
* Sets the padding
*
* Only PKCS1 padding is supported
*
* @param string $padding
* @access public
*/
public function withPadding($padding)
{
if (!$this->key instanceof RSA) {
throw new UnsupportedAlgorithmException('Only RSA keys support padding');
}
if ($padding != RSA::SIGNATURE_PKCS1 && $padding != RSA::SIGNATURE_RELAXED_PKCS1) {
throw new UnsupportedAlgorithmException('ssh-agent can only create PKCS1 signatures');
}
return $this;
}
/**
* Determines the signature padding mode
*
* Valid values are: ASN1, SSH2, Raw
*
* @access public
* @param string $format
*/
public function withSignatureFormat($format)
{
if ($this->key instanceof RSA) {
throw new UnsupportedAlgorithmException('Only DSA and EC keys support signature format setting');
}
if ($format != 'SSH2') {
throw new UnsupportedAlgorithmException('Only SSH2-formatted signatures are currently supported');
}
return $this;
}
/**
* Returns the curve
*
* Returns a string if it's a named curve, an array if not
*
* @access public
* @return string|array
*/
public function getCurve()
{
if (!$this->key instanceof EC) {
throw new UnsupportedAlgorithmException('Only EC keys have curves');
}
return $this->key->getCurve();
}
/**
* Create a signature
*
* See "2.6.2 Protocol 2 private key signature request"
*
* @param string $message
* @return string
* @throws \RuntimeException on connection errors
* @throws \phpseclib3\Exception\UnsupportedAlgorithmException if the algorithm is unsupported
* @access public
*/
public function sign($message)
{
// the last parameter (currently 0) is for flags and ssh-agent only defines one flag (for ssh-dss): SSH_AGENT_OLD_SIGNATURE
$packet = Strings::packSSH2(
'CssN',
Agent::SSH_AGENTC_SIGN_REQUEST,
$this->key_blob,
$message,
$this->flags
);
$packet = Strings::packSSH2('s', $packet);
if (strlen($packet) != fputs($this->fsock, $packet)) {
throw new \RuntimeException('Connection closed during signing');
}
$length = current(unpack('N', $this->readBytes(4)));
$packet = $this->readBytes($length);
list($type, $signature_blob) = Strings::unpackSSH2('Cs', $packet);
if ($type != Agent::SSH_AGENT_SIGN_RESPONSE) {
throw new \RuntimeException('Unable to retrieve signature');
}
if (!$this->key instanceof RSA) {
return $signature_blob;
}
list($type, $signature_blob) = Strings::unpackSSH2('ss', $signature_blob);
return $signature_blob;
}
/**
* Returns the private key
*
* @param string $type
* @param array $options optional
* @return string
*/
public function toString($type, array $options = [])
{
throw new \RuntimeException('ssh-agent does not provide a mechanism to get the private key');
}
/**
* Sets the password
*
* @access public
* @param string|boolean $password
*/
public function withPassword($password = false)
{
throw new \RuntimeException('ssh-agent does not provide a mechanism to get the private key');
}
}
|