2018-08-27 10:13:15 -04:00
|
|
|
package ssh
|
2015-06-13 18:05:10 -04:00
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/pem"
|
|
|
|
"fmt"
|
|
|
|
"io/ioutil"
|
|
|
|
"os"
|
2020-07-02 03:10:48 -04:00
|
|
|
"time"
|
2015-06-13 18:05:10 -04:00
|
|
|
|
|
|
|
"golang.org/x/crypto/ssh"
|
|
|
|
)
|
|
|
|
|
2020-07-02 03:10:48 -04:00
|
|
|
func parseKeyFile(path string) ([]byte, error) {
|
2015-06-13 18:05:10 -04:00
|
|
|
f, err := os.Open(path)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
defer f.Close()
|
|
|
|
|
|
|
|
keyBytes, err := ioutil.ReadAll(f)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// We parse the private key on our own first so that we can
|
|
|
|
// show a nicer error if the private key has a password.
|
|
|
|
block, _ := pem.Decode(keyBytes)
|
|
|
|
if block == nil {
|
|
|
|
return nil, fmt.Errorf(
|
|
|
|
"Failed to read key '%s': no key found", path)
|
|
|
|
}
|
|
|
|
if block.Headers["Proc-Type"] == "4,ENCRYPTED" {
|
|
|
|
return nil, fmt.Errorf(
|
|
|
|
"Failed to read key '%s': password protected keys are\n"+
|
|
|
|
"not supported. Please decrypt the key prior to use.", path)
|
|
|
|
}
|
2020-07-02 03:10:48 -04:00
|
|
|
return keyBytes, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// FileSigner returns an ssh.Signer for a key file.
|
|
|
|
func FileSigner(path string) (ssh.Signer, error) {
|
|
|
|
|
|
|
|
keyBytes, err := parseKeyFile(path)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("Error setting up SSH config: %s", err)
|
|
|
|
}
|
2015-06-13 18:05:10 -04:00
|
|
|
|
|
|
|
signer, err := ssh.ParsePrivateKey(keyBytes)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("Error setting up SSH config: %s", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
return signer, nil
|
|
|
|
}
|
2020-07-02 03:10:48 -04:00
|
|
|
|
|
|
|
func ReadCertificate(certificatePath string, keySigner ssh.Signer) (ssh.Signer, error) {
|
|
|
|
|
|
|
|
if certificatePath == "" {
|
|
|
|
return keySigner, fmt.Errorf("no certificate file provided")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Load the certificate
|
|
|
|
cert, err := ioutil.ReadFile(certificatePath)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("unable to read certificate file: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
pk, _, _, _, err := ssh.ParseAuthorizedKey(cert)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("unable to parse public key: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
certificate, ok := pk.(*ssh.Certificate)
|
|
|
|
|
|
|
|
if !ok {
|
|
|
|
return nil, fmt.Errorf("Error loading certificate")
|
|
|
|
}
|
|
|
|
|
|
|
|
err = checkValidCert(certificate)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("%s not a valid cert: %v", certificatePath, err)
|
|
|
|
}
|
|
|
|
|
|
|
|
certSigner, err := ssh.NewCertSigner(certificate, keySigner)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("failed to create cert signer: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
return certSigner, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// FileSigner returns an ssh.Signer for a key file.
|
|
|
|
func FileSignerWithCert(path string, certificatePath string) (ssh.Signer, error) {
|
|
|
|
|
|
|
|
keySigner, err := FileSigner(path)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return ReadCertificate(certificatePath, keySigner)
|
|
|
|
}
|
|
|
|
|
|
|
|
func checkValidCert(cert *ssh.Certificate) error {
|
|
|
|
const CertTimeInfinity = 1<<64 - 1
|
|
|
|
unixNow := time.Now().Unix()
|
|
|
|
|
|
|
|
if after := int64(cert.ValidAfter); after < 0 || unixNow < int64(cert.ValidAfter) {
|
|
|
|
return fmt.Errorf("ssh: cert is not yet valid")
|
|
|
|
}
|
|
|
|
if before := int64(cert.ValidBefore); cert.ValidBefore != uint64(CertTimeInfinity) && (unixNow >= before || before < 0) {
|
|
|
|
return fmt.Errorf("ssh: cert has expired")
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|