diff --git a/const.go b/const.go index cd61d9d..05f8dda 100644 --- a/const.go +++ b/const.go @@ -1,7 +1,14 @@ package sshsecure +import ( + "git.square-r00t.net/sshsecure/sshkeys" +) + const ( - RoundsDefUser uint = 100 - RoundsDefHost uint = 0 // 0 = Default rounds - RSABitSize uint = 4096 -) \ No newline at end of file + RoundsDefUser uint = 100 + RoundsDefHost uint = 100 + RSABitSize uint = 4096 + DefKeyType string = sshkeys.KEY_ED25519 + DefCipher string = sshkeys.CIPHER_AES256_CTR + DefKDF string = sshkeys.KDF_BCRYPT +) diff --git a/sshkeys/const.go b/sshkeys/const.go index 696accf..04117fc 100644 --- a/sshkeys/const.go +++ b/sshkeys/const.go @@ -7,16 +7,24 @@ const ( // Cipher names. I believe only AES256-CTR is supported upstream currently. const ( - CIPHER_AES256_CTR = "aes256-ctr" + CIPHER_NULL string = "none" + CIPHER_AES256_CTR string = "aes256-ctr" ) +var allowed_ciphers = [...]string{CIPHER_NULL, CIPHER_AES256_CTR} + // Key types. const ( KEY_ED25519 string = "ssh-ed25519" KEY_RSA string = "ssh-rsa" ) +var allowed_keytypes = [...]string{KEY_ED25519, KEY_RSA} + // KDF names. I believe only bcrypt is supported upstream currently. const ( + KDF_NULL string = "none" KDF_BCRYPT string = "bcrypt" ) + +var allowed_kdfnames = [...]string{KDF_NULL, KDF_BCRYPT} diff --git a/sshkeys/func.go b/sshkeys/func.go index ac045d6..3102e8b 100644 --- a/sshkeys/func.go +++ b/sshkeys/func.go @@ -1,22 +1,47 @@ package sshkeys -func (k *EncryptedSSHKeyV1) GeneratePrivate(keyType uint8) error { +import ( + "errors" +) + +func genPrivKey(cipherAlgo string, kdf string, salt []byte, rounds uint32) ([]byte, error) { + + return nil, nil +} + +func genPubKey(privKey *[]byte) ([]byte, error) { + + return nil, nil +} + +func (k *EncryptedSSHKeyV1) GeneratePrivate(force bool) error { + if k.Passphrase == "" { + return errors.New("cannot use encrypted key with empty passphrase") + } + if k.PrivateKeys != nil && !force { + return nil // Already generated. + } + return nil } -func (k *EncryptedSSHKeyV1) GeneratePublic(keyType uint8) error { - if err := k.GeneratePrivate(keyType); err != nil { +func (k *EncryptedSSHKeyV1) GeneratePublic(force bool) error { + if err := k.GeneratePrivate(force); err != nil { return err } + + return nil +} + +func (k *SSHKeyV1) GeneratePrivate(force bool) error { + if k.PrivateKeys != nil && !force { + return nil // Already generated. + } return nil } -func (k *SSHKeyV1) GeneratePrivate(keyType uint8) error { - return nil -} - -func (k *SSHKeyV1) GeneratePublic(keyType uint8) error { - if err := k.GeneratePrivate(keyType); err != nil { +func (k *SSHKeyV1) GeneratePublic(force bool) error { + if err := k.GeneratePrivate(force); err != nil { return err } return nil diff --git a/sshkeys/ref/encrypted/private b/sshkeys/ref/encrypted/private index 1ab0f63..61d8307 100644 --- a/sshkeys/ref/encrypted/private +++ b/sshkeys/ref/encrypted/private @@ -1,4 +1,4 @@ -The following uses the bcrypt encryption. The passphrase is "test". +The following uses the aes256-ctr/bcrypt encryption. The passphrase is "test". The new "v1" format contains the header "-----BEGIN OPENSSH PRIVATE KEY-----" and the footer "-----END OPENSSH PRIVATE KEY-----". @@ -54,7 +54,7 @@ ANNOTATED HEX: 4.0.0.1 00000020 (32) 4.0.0.1.0 bfa2031aa5463113e40e16896af503c5299ead76b09cb63846f41cc4de1740f6 (bytes) 4.0.1 000000a0 (160) - 4.0.1 (AES256-CBC encrypted block) (bytes) + 4.0.1 (AES256-CTR encrypted block) (bytes) c49777cd0d1a7d37db77a1814991278f8ce99d57 2e2c666b93b99867425c60da4652fddb85550985 32b51beeee2959f9db5cf5a0905052720c5de25f diff --git a/sshkeys/struct.go b/sshkeys/struct.go index ac8d35e..2ccac0f 100644 --- a/sshkeys/struct.go +++ b/sshkeys/struct.go @@ -3,6 +3,8 @@ package sshkeys // EncryptedSSHKeyV1 represents an encrypted private key. type EncryptedSSHKeyV1 struct { SSHKeyV1 + CipherName string + KDFName string KDFOpts SSHKDFOpts Passphrase string } @@ -18,9 +20,6 @@ type SSHKDFOpts struct { // Patch your shit. type SSHKeyV1 struct { Magic string - CipherName string - KDFName string - KDFOpts SSHKDFOpts PublicKeys []SSHPubKey PrivateKeys []SSHPrivKey } @@ -34,4 +33,6 @@ type SSHPubKey struct { // SSHPrivKey contains the Private key of an SSH Keypair. type SSHPrivKey struct { PublicKey *SSHPubKey + Checksum uint32 + Comment string }