chevah / chevah-keycert Goto Github PK
View Code? Open in Web Editor NEWSSH Keys and SSL certificates handling
Home Page: http://styleguide.chevah.com
License: MIT License
chevah-keycert's People
Contributors
Stargazers
Watchers
chevah-keycert's Issues
Run tests using standard runner
right now it depends on chevah.empirical runner
Support unicode in email name
domains are encoded using IDNA but mailbox should be unicode.
Sync with latest code from chevah-server
Get the CRL distribution point values from a certificate
Return them as lists
Each CRL object might contain:
- type
- value
- refresh interval
Return empty list if CRL distribution point is not set or is empty.
Move ssh exceptions into a common module
Also update ssh command to generate only key and then a separate method to write key.
Extract ~/.putty/sshhostkeys to the OpenSSH format
in this way you can use OpenSSH tools for that file
there is a code here for doing OpneSSH to putty https://github.com/codexns/putty/blob/master/contrib/kh2reg.py
this ticket only targeted the unix part... when putty stores the key in a file
Fix loading and saving keys with non-ascii comments.
-
Loading keys with non-ASCII comments fails for keys generated with puttygen.
-
This might be two separate bugs, because I get different results if I append "π" or " π" at the end of the comment (which used to be the same as the password).
Show the key type in the error message produce by a key generation error.
The diff should be something like this
- Wrong key size "256". Key_size must be at least 512-bits.
+ Failed to generate RSA key. Wrong key size "256". Key_size must be at least 512-bits.Add support for OpenSSH new key format
From #40 (comment)
Also tried OpenSSH 8.1 to export my old RSA key in the supported formats for -m: RFC4716, PKCS8 (both private and public) and PEM public key. The last one failed with Fail to parse key content. Here's how it looks:
-----BEGIN RSA PUBLIC KEY-----
MIICCAKCAgEA1AzYN7NK5EDX7MMofNJTznMonu+aD8AObCt028pPVt3N2zvsS0i+
oY0E9T6sVX0O029Aghtj9/gM4Z5JpqJJgJ8c9/h+zATtowQ3aZxP8C7C1wjTBtwE
9537Zm2iKSitCFmuFJCq08xn/k21OdqVAaOU5gSuEpR6YxoNwBfvweoxmIcu9qGj
dwUjxLxIjz54lorox14KdCJogjdA/5kc98nxQKh1JytzdX2tcgFzRwqxDYKcFBRs
lGx1jV3PwNZINpZNVVwscxEEq18uDHrKSZsbEx7zD4Jf4TzIL5blCQqi3Kn+iiBW
LzIVn1xOJghJ75KDM87NNwSW/BgMxRN2fyujfiYLe3nExxsvxdKnrmWTFZLBs6pe
LvYUEZek70B40TZjaxfXdpnHpzaCICbM2wRt+rCIlLMFrqob9CFQR3slelmJquX6
ISLavP3nGJhZQJkQkMcko8oSQW2ombc4MiXpoG6Q3ng3RZaoGaZPIEyzCS8OOFZM
B3x4NI0XgGpksYFGocA3zXmh5UuXXIFioxKk7+oKer6hpDu0QRYZGNMEAcUMnOmB
P/NgHaHld7XScph8vBc7Yo7Rdld1DR7cJUDW4XMZ9QFyl6WiClu7tW8R9yMJ507n
ClLHJOqQGfH4lizudMt1l9TrKG2nx6310MPqMpX9Na3UcPlZLThZISUCASM=
-----END RSA PUBLIC KEY-----
Have also tested with Putty for DSA and the supported outputs: public, public-openssh, private-openssh, private-openssh-new, private-sshcom. The private-openssh-new format gave me the error Cannot guess the type for β¦. Here's how it looks:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAADMQAAAAdz
c2gtZHNzAAABAQC4F7foIgqqwN+g1LpPOXBOXwpf89Ma9qvdtr6RndJPN0UGzDGk
npS/+YbgcbWTcAAVXhYkWF5jkY06mtASVXWhT8uhXFyetkzHslaUNYUTNnwSRhBq
kDJxYQVevPKK0wILrum8Ht+3vHk/Qpbm5NODum2xP9962/gni7y1t31bTgzGK33q
x3XVOCEsxuzFf1hsQZtL1uXxu9PiOCRQ614MmC9if5jBJjXg/3k327rRr0V6V+jJ
RnQAfTbRnjXjzlOziHkZKIrjbV0hJAl9UZZ5HnieecJoGAGsJOd6u0QyOvUcNS9V
94+rYdFXhqdk68Fm/jEr0LENjLtNaolYcUvdAAAAFQDCIWU5lka0opn3OK1JttE3
/c3hUwAAAQAPTtfPAZVAUMUsUTzMhfRQmR85WZeZiweqlC0ZfoqxBQrqydT3DqZW
XgPmwkipdC5DzzDWZDuFnyMUfIMOrw51KOIUn02jq6AKCDU8KvQ/95HkLn1LrxsJ
YxpezYhNM1G1y7A5hCnGBpPNZTmCJKWVRm2pOSx1NwpWKquUdPaJXR9hdKVMSE8E
+Pfng3FmQC6B5X7RUR7YGaTZKi5ippj9nbwQiIgdMgMTfNzureeTcCWhxv0Btfvb
MmKnZ3eG5rHc/ZahpegYKEsBWqM53AkmtHKn2RneJcW9xHRD7tEsarsovg7o3L9G
Kq6NVDWXQNOBIQFhLV8mq/magkdNM4QTAAABADxSSTVLNaZOmZ16C9xO9lPQwxcO
0mNAWg4JAO5kbrHFVsTjdfjrm8NshQNi/Ax6GFsIL0utnheVcpCV0zIlFlFG6aTS
Ii9y0u6IMtZE7Lb6FYvg9zTab0/49VjdUxv/xg7NPKyOtJPR+Y/sa/Sv+j65mBmK
H2rHuA5bCvzaZcUUCRo8axMmig9t9kejr/wBYHx3FsRGQzJXMTqCICIvj/oCjN31
+vk6nS/saPsLVEQn19z6S1AVL9Ae3e83s9+vUOEJBCWp2yCNXr8iimXbd2tpMBy4
tfkKdubXlwpP59N9UB4by0+SWGKB+nSyVyruAVCZfUeRtgRjwR99PtKqFB8AAANw
1iKq8tYiqvIAAAAHc3NoLWRzcwAAAQEAuBe36CIKqsDfoNS6TzlwTl8KX/PTGvar
3ba+kZ3STzdFBswxpJ6Uv/mG4HG1k3AAFV4WJFheY5GNOprQElV1oU/LoVxcnrZM
x7JWlDWFEzZ8EkYQapAycWEFXrzyitMCC67pvB7ft7x5P0KW5uTTg7ptsT/fetv4
J4u8tbd9W04Mxit96sd11TghLMbsxX9YbEGbS9bl8bvT4jgkUOteDJgvYn+YwSY1
4P95N9u60a9FelfoyUZ0AH020Z41485Ts4h5GSiK421dISQJfVGWeR54nnnCaBgB
rCTnertEMjr1HDUvVfePq2HRV4anZOvBZv4xK9CxDYy7TWqJWHFL3QAAABUAwiFl
OZZGtKKZ9zitSbbRN/3N4VMAAAEAD07XzwGVQFDFLFE8zIX0UJkfOVmXmYsHqpQt
GX6KsQUK6snU9w6mVl4D5sJIqXQuQ88w1mQ7hZ8jFHyDDq8OdSjiFJ9No6ugCgg1
PCr0P/eR5C59S68bCWMaXs2ITTNRtcuwOYQpxgaTzWU5giSllUZtqTksdTcKViqr
lHT2iV0fYXSlTEhPBPj354NxZkAugeV+0VEe2Bmk2SouYqaY/Z28EIiIHTIDE3zc
7q3nk3Alocb9AbX72zJip2d3huax3P2WoaXoGChLAVqjOdwJJrRyp9kZ3iXFvcR0
Q+7RLGq7KL4O6Ny/RiqujVQ1l0DTgSEBYS1fJqv5moJHTTOEEwAAAQA8Ukk1SzWm
TpmdegvcTvZT0MMXDtJjQFoOCQDuZG6xxVbE43X465vDbIUDYvwMehhbCC9LrZ4X
lXKQldMyJRZRRumk0iIvctLuiDLWROy2+hWL4Pc02m9P+PVY3VMb/8YOzTysjrST
0fmP7Gv0r/o+uZgZih9qx7gOWwr82mXFFAkaPGsTJooPbfZHo6/8AWB8dxbERkMy
VzE6giAiL4/6Aozd9fr5Op0v7Gj7C1REJ9fc+ktQFS/QHt3vN7Pfr1DhCQQlqdsg
jV6/Iopl23draTAcuLX5Cnbm15cKT+fTfVAeG8tPklhigfp0slcq7gFQmX1HkbYE
Y8EffT7SqhQfAAAAFFa/3XoeuX+RoRm0x4DhXwFCfzceAAAAEGRzYS1rZXktMjAy
MDA0MDcBAgMEBQYHCAkKCw==
-----END OPENSSH PRIVATE KEY-----
Generate from CLI private SSH keys with a password
Allow generating DSA key greater than 1024
Port to py3
we can do this on travis-ci
Support EC keys in SSH.com and Putty format
and all the other format that we support... both reading but also writing
Add support for Putty v3 key file format
There is a new format.
Ubuntu 21.02 putty still generated v2
Example
PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: rsa-key-20211214
Public-Lines: 6
AAAAB3NzaC1yc2EAAAADAQABAAABAQCQWPBUsyVmi5vl8myEQ91IP2JroWP1N2NR
xvFeIcGgtPSwq/7MIq2Vis8s2JlpBjFY2aDDGSlrWrh4Ryqs9NnvueLgeWjgD8wv
3qnYgv4pdu6k7HLrE5J22vQ6M8tFjpPDAVS+mfFIe9+RutO1eimhuh824ErTPKPT
LdBrheuZpUIaWl45Kd529V6CO0+b0/U/7zVfC/uKcHxDZ4RK2AkKOYMROb93B0qY
6n4t0tjkzFDJvqgMa7FoIwLkczyGSbpmKh39pvoMOyQB50WFSXbPuNscubGcOJAa
1SARXLLQh6UB9AiJqt+bk6r4OQyiXeKkk5u9lXNnxk1aMQQW46hh
Private-Lines: 14
AAABACnnyA2u3ILCsQW2tU5IrWsWC6qXdf9wjwLksJnVTvMq1YacyCHXR3GMlMy+
LPtScu0KcSNyoJWsBrXUY01G4CY6XuUwGgRCUdLr338duE+tWWbDxjD8w56BvjlP
ZAnTdI4+Sq3y3xtd6u/RvziGOKPc9sblopNknWLngARXIqi94TVawRHNyrnCNNn2
gWfi62ZxY2rLOHD5hJv2xFh84eNEdf94nnWkbaJ/aZmR6d8VdBcJCiK/60CgKYlO
ZuRHdEC3QCqa/S1Ya8m9egT90jUf6vmxb/GkK4Y0VigVLFdtaT7cJ8W6gbCmTaa2
4iax3M6y9AR2sQLpNNhB1gf3oAEAAACBAO04zQFxbgozu7m58RIc87pm8NeQ5UmF
hCV/K8Ja9QpUzztmoouo6r43itW+6DWmIYLqjlcV7zK6W4aTQ4/fSREiDHPhG7wG
NloXL+jsyAuu7FqfQVKVbh8aIg4uvKpg+nUV+YYgOKcucriKMwdpP8dy1D2Ti5jn
rVZNfmCAtLLhAAAAgQCbxhO4l2rtzodMnwSTyt3s17D5PPXPKSU03cDFsAnSYo2K
6q7pVxMBPYqo4KWlhM4fN0ByY3kobFc2cAbLbck+x12C559LJr9RP3DHUQ9oxjB5
JhYLgjN1JFS3dc7THi1nTM+NO0OQuytbeY+aNJ+UXW0zRtK/bwiGpsdGiFslgQAA
AIAeH7hALcDaAiZs0Jsb4/39zuGlb27r+KesxkYgIy7DaAOvQyZaT3X0JrAwqRqs
UJl+AS39VpL7XQFIbICJyhPbHHO3IGCUKhOz0BCqpHjnn9/ViRuNnrr1UTgDS0qc
tw/JH+KlK94nGmMEjBUUJpXJqjAXR7x8feoTqjtvijQtjA==
Private-MAC: a172468747b16c488815cb90b4359fe61d262c9a9329f60cabf6763deb638d8e
When loading SSH keys from X509 certificates ignore things outside of the armor
RIght now, when loading SSH key from X509 cert, the PEM should contain a single object and the armor should be the first thing in the file.
We should relax this to allow for "PEM comments" for example
BagAttribute=bla
---- BEGIN CERTIFICATE ---
TRALA
Generate keys with non-ascii password and comments.
- Generating keys with non-ASCII passwords or comments is not possible (known limitation?).
Keep SSH key metadata, comment, subject
When a SSH key is loaded its comment , subject and other header are lost.
Beside data a key should also have metadata which should be used when exporting the key.
Not all key formats support metadata and for those, we can ignore it.
Add support to sign a certificate
Set version when generating CSR
looks like this break compatibiltity with older win 2003 and 2008 servers
we should use
http://www.pyopenssl.org/en/stable/api/crypto.html#OpenSSL.crypto.X509Req.set_version
The first part, ASN.1 type CertificationRequestInfo, consists of a version number (which is 0 for all known versions, 1.0, 1.5, and 1.7 of the specifications)
just set it to 0
Generate a self signed certificate with custom input values
right now, the self signed certificate is generated with standard vales...
we can still keep those values as default
Fix loading keys with comments starting with a space.
$ echo 'password' > pass_file
$ puttygen -t ed25519 -C " comment" --new-passphrase pass_file -o putty_ed25519_private.key
$ ./build-keycert/bin/python keycert-demo.py ssh-load-key --file putty_ed25519_private.key --type putty --password $(cat pass_file)
EXPECTED ERROR
Bad password or HMAC mismatch.
Interestingly, this generated an expected errorβ¦
Read ECDSA OpenSSH public/private keys
The format of a ECDSA public key blob is::
string 'ecdsa-sha2-nistpNNN'
string generator_name
integer point
Generate SSH keys using OpenSSL
this should be faster than pycrypo and hope we will have access to ecdsa keys
Validate a certificate based on a CRL distribution points
This depends on #22
It will receive a list of CRL distribution points.
Will raise an error if list is empty
Will return true or false
We need to see how to pass callbacks for getting the new content based on each CRL DP type.
CRL should be cached... so we need to see how to cache them and how to retrieve them from the cache.
Add interoptesting for Tectia SSH keys.
Ditto, enable testing loading SSH keys generated by Tectia's ssh-keygen-g3.
The Tectia tests are written, but not executed, as there's no Tectia on GitHub's own runners.
P.S. Actually only loading Tectia-generated keys tests are written, not loading our keys with Tectia.
Add support for ED keys
generate, read in OpenSSH format, sing , verify
Add code coverage
Add support for EC keys
See code from here https://cryptography.io/en/latest/_modules/cryptography/hazmat/primitives/asymmetric/ec/?highlight=generate_private_key
I guess that we can have all curve types supported by Python cryptography.
@dumol do you have any suggestion for the default curve type?
Generate , read in OpenSSH format, sign / verify
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.