chevah / chevah-keycert
SSH Keys and SSL certificates handling
Home Page: http://styleguide.chevah.com
License: MIT License
Right now it depends on the chevah.empirical runner.
Domains are encoded using IDNA, but the mailbox should be Unicode.
Return them as lists.
Each CRL object might contain:
Return an empty list if the CRL distribution point is not set or is empty.
Also update the ssh command to generate only the key, and then have a separate method to write the key. In this way you can use OpenSSH tools for that file.
There is code here for converting OpenSSH to PuTTY: https://github.com/codexns/putty/blob/master/contrib/kh2reg.py
This ticket only targeted the Unix part... when PuTTY stores the key in a file.
Loading keys with non-ASCII comments fails for keys generated with puttygen.
This might be two separate bugs, because I get different results if I append "π" or " π" at the end of the comment (which used to be the same as the password).
The diff should be something like this
- Wrong key size "256". Key_size must be at least 512-bits.
+ Failed to generate RSA key. Wrong key size "256". Key_size must be at least 512-bits.
From #40 (comment)
Also tried OpenSSH 8.1 to export my old RSA key in the supported formats for -m: RFC4716, PKCS8 (both private and public) and PEM public key. The last one failed with "Fail to parse key content".
Here's how it looks:
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----
Have also tested with PuTTY for DSA and the supported outputs: public, public-openssh, private-openssh, private-openssh-new, private-sshcom. The private-openssh-new format gave me the error "Cannot guess the type for …". Here's how it looks:
-----BEGIN OPENSSH PRIVATE KEY-----
-----END OPENSSH PRIVATE KEY-----
We can do this on travis-ci.
And all the other formats that we support... both reading and writing.
There is a new format.
Ubuntu 21.02 PuTTY still generated v2.
Example:
PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: rsa-key-20211214
Public-Lines: 6
AAAAB3NzaC1yc2EAAAADAQABAAABAQCQWPBUsyVmi5vl8myEQ91IP2JroWP1N2NR
xvFeIcGgtPSwq/7MIq2Vis8s2JlpBjFY2aDDGSlrWrh4Ryqs9NnvueLgeWjgD8wv
3qnYgv4pdu6k7HLrE5J22vQ6M8tFjpPDAVS+mfFIe9+RutO1eimhuh824ErTPKPT
LdBrheuZpUIaWl45Kd529V6CO0+b0/U/7zVfC/uKcHxDZ4RK2AkKOYMROb93B0qY
6n4t0tjkzFDJvqgMa7FoIwLkczyGSbpmKh39pvoMOyQB50WFSXbPuNscubGcOJAa
1SARXLLQh6UB9AiJqt+bk6r4OQyiXeKkk5u9lXNnxk1aMQQW46hh
Private-Lines: 14
AAABACnnyA2u3ILCsQW2tU5IrWsWC6qXdf9wjwLksJnVTvMq1YacyCHXR3GMlMy+
LPtScu0KcSNyoJWsBrXUY01G4CY6XuUwGgRCUdLr338duE+tWWbDxjD8w56BvjlP
ZAnTdI4+Sq3y3xtd6u/RvziGOKPc9sblopNknWLngARXIqi94TVawRHNyrnCNNn2
gWfi62ZxY2rLOHD5hJv2xFh84eNEdf94nnWkbaJ/aZmR6d8VdBcJCiK/60CgKYlO
ZuRHdEC3QCqa/S1Ya8m9egT90jUf6vmxb/GkK4Y0VigVLFdtaT7cJ8W6gbCmTaa2
4iax3M6y9AR2sQLpNNhB1gf3oAEAAACBAO04zQFxbgozu7m58RIc87pm8NeQ5UmF
hCV/K8Ja9QpUzztmoouo6r43itW+6DWmIYLqjlcV7zK6W4aTQ4/fSREiDHPhG7wG
NloXL+jsyAuu7FqfQVKVbh8aIg4uvKpg+nUV+YYgOKcucriKMwdpP8dy1D2Ti5jn
rVZNfmCAtLLhAAAAgQCbxhO4l2rtzodMnwSTyt3s17D5PPXPKSU03cDFsAnSYo2K
6q7pVxMBPYqo4KWlhM4fN0ByY3kobFc2cAbLbck+x12C559LJr9RP3DHUQ9oxjB5
JhYLgjN1JFS3dc7THi1nTM+NO0OQuytbeY+aNJ+UXW0zRtK/bwiGpsdGiFslgQAA
AIAeH7hALcDaAiZs0Jsb4/39zuGlb27r+KesxkYgIy7DaAOvQyZaT3X0JrAwqRqs
UJl+AS39VpL7XQFIbICJyhPbHHO3IGCUKhOz0BCqpHjnn9/ViRuNnrr1UTgDS0qc
tw/JH+KlK94nGmMEjBUUJpXJqjAXR7x8feoTqjtvijQtjA==
Private-MAC: a172468747b16c488815cb90b4359fe61d262c9a9329f60cabf6763deb638d8e
Right now, when loading an SSH key from an X509 cert, the PEM should contain a single object and the armor should be the first thing in the file.
We should relax this to allow for "PEM comments", for example:
BagAttribute=bla
---- BEGIN CERTIFICATE ---
TRALA
When an SSH key is loaded, its comment, subject and other headers are lost.
Besides data, a key should also have metadata, which should be used when exporting the key.
Not all key formats support metadata, and for those we can ignore it.
Looks like this breaks compatibility with older Win 2003 and 2008 servers.
We should use
http://www.pyopenssl.org/en/stable/api/crypto.html#OpenSSL.crypto.X509Req.set_version
The first part, ASN.1 type CertificationRequestInfo, consists of a version number (which is 0 for all known versions, 1.0, 1.5, and 1.7 of the specifications)
Just set it to 0.
Right now, the self-signed certificate is generated with standard values...
We can still keep those values as defaults.
$ echo 'password' > pass_file
$ puttygen -t ed25519 -C " comment" --new-passphrase pass_file -o putty_ed25519_private.key
$ ./build-keycert/bin/python keycert-demo.py ssh-load-key --file putty_ed25519_private.key --type putty --password $(cat pass_file)
EXPECTED ERROR
Bad password or HMAC mismatch.
Interestingly, this generated an expected error…
The format of an ECDSA public key blob is::
string 'ecdsa-sha2-nistpNNN'
string generator_name
integer point
This should be faster than pycrypto, and hopefully we will have access to ECDSA keys.
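As an added example (not code from the chevah-keycert project), here is a decoder for the ECDSA public key blob layout quoted above, following RFC 5656 where the key is three SSH strings (type name, curve identifier, uncompressed point) and the point is an octet string; it also checks that the decoded point lies on P-256, which a loader should do before trusting the key. The sample blob is constructed in the block from the P-256 generator.

```python
import struct

# NIST P-256 domain parameters (FIPS 186-4), used to validate the decoded point.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def read_string(blob, offset):
    """Read one SSH 'string' (uint32 big-endian length, then that many bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string body")
    return blob[start:end], end


def write_string(data):
    """Encode bytes as an SSH 'string'."""
    return struct.pack(">I", len(data)) + data


def parse_ecdsa_blob(blob):
    """Decode an ecdsa-sha2-nistp256 public key blob into the affine point (x, y)."""
    key_type, off = read_string(blob, 0)
    curve, off = read_string(blob, off)
    point, off = read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after key blob")
    if key_type != b"ecdsa-sha2-nistp256" or curve != b"nistp256":
        raise ValueError("unsupported key type %r / curve %r" % (key_type, curve))
    # RFC 5656 uses SEC 1 uncompressed encoding: 0x04 || X || Y, 65 bytes for P-256.
    if len(point) != 65 or point[0:1] != b"\x04":
        raise ValueError("expected 65-byte uncompressed point")
    x = int.from_bytes(point[1:33], "big")
    y = int.from_bytes(point[33:], "big")
    # Reject points that are not on the curve: y^2 = x^3 - 3x + b (mod p).
    if (y * y - (x * x * x - 3 * x + P256_B)) % P256_P != 0:
        raise ValueError("point is not on P-256")
    return x, y


def build_ecdsa_blob(x, y):
    """Encode an affine P-256 point as an ecdsa-sha2-nistp256 public key blob."""
    point = b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    return write_string(b"ecdsa-sha2-nistp256") + write_string(b"nistp256") + write_string(point)


# Constructed sample input: the P-256 generator, which is a valid point on the curve.
SAMPLE_BLOB = build_ecdsa_blob(P256_GX, P256_GY)
```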
This depends on #22
It will receive a list of CRL distribution points.
It will raise an error if the list is empty.
It will return true or false.
We need to see how to pass callbacks for getting the new content based on each CRL DP type.
CRLs should be cached... so we need to see how to cache them and how to retrieve them from the cache.
Ditto, enable testing loading SSH keys generated by Tectia's ssh-keygen-g3.
The Tectia tests are written, but not executed, as there's no Tectia on GitHub's own runners.
P.S. Actually only loading Tectia-generated keys tests are written, not loading our keys with Tectia.
Generate, read in OpenSSH format, sign, verify.
See code from here https://cryptography.io/en/latest/_modules/cryptography/hazmat/primitives/asymmetric/ec/?highlight=generate_private_key
I guess that we can have all curve types supported by Python cryptography.
@dumol do you have any suggestion for the default curve type?
Generate, read in OpenSSH format, sign / verify.