| author | robot-piglet <[email protected]> | 2024-11-12 07:54:50 +0300 |
|---|---|---|
| committer | robot-piglet <[email protected]> | 2024-11-12 08:05:59 +0300 |
| commit | 55cec9f6b0618fb3570fc8ef66aad151f4932591 (patch) | |
| tree | 9198c2ca0b0305269062c3674ce79f19c4990e65 /contrib/python/Twisted/py3/twisted/conch/ssh | |
| parent | b77b1fbf262ea4f40e33a60ce32c4db4e5e49015 (diff) | |
Intermediate changes
commit_hash:c229701a8b4f4d9ee57ce1ed763099d862d53fa6
Diffstat (limited to 'contrib/python/Twisted/py3/twisted/conch/ssh')
| -rw-r--r-- | contrib/python/Twisted/py3/twisted/conch/ssh/keys.py | 95 | ||||
| -rw-r--r-- | contrib/python/Twisted/py3/twisted/conch/ssh/transport.py | 8 |
2 files changed, 71 insertions, 32 deletions
diff --git a/contrib/python/Twisted/py3/twisted/conch/ssh/keys.py b/contrib/python/Twisted/py3/twisted/conch/ssh/keys.py
index e959f022a0b..7d2f1072f47 100644
--- a/contrib/python/Twisted/py3/twisted/conch/ssh/keys.py
+++ b/contrib/python/Twisted/py3/twisted/conch/ssh/keys.py
@@ -256,24 +256,38 @@ class Key:
 if keyType == b"ssh-rsa":
 e, n, rest = common.getMP(rest, 2)
 return cls(rsa.RSAPublicNumbers(e, n).public_key(default_backend()))
- elif keyType == b"ssh-dss":
+
+ if keyType == b"ssh-dss":
 p, q, g, y, rest = common.getMP(rest, 4)
 return cls(
 dsa.DSAPublicNumbers(
 y=y, parameter_numbers=dsa.DSAParameterNumbers(p=p, q=q, g=g)
 ).public_key(default_backend())
 )
- elif keyType in _curveTable:
+
+ if keyType in _curveTable:
 return cls(
 ec.EllipticCurvePublicKey.from_encoded_point(
 _curveTable[keyType], common.getNS(rest, 2)[1]
 )
 )
- elif keyType == b"ssh-ed25519":
+
+ if keyType == b"[email protected]":
+ keyObject = cls._fromECEncodedPoint(
+ encodedPoint=common.getNS(rest, 2)[1],
+ curve=b"ecdsa-sha2-nistp256",
+ )
+ keyObject._sk = True
+ return keyObject
+
+ if keyType in [b"ssh-ed25519", b"[email protected]"]:
 a, rest = common.getNS(rest)
- return cls._fromEd25519Components(a)
- else:
- raise BadKeyError(f"unknown blob type: {keyType}")
+ keyObject = cls._fromEd25519Components(a)
+ if keyType.startswith(b"sk-ssh-"):
+ keyObject._sk = True
+ return keyObject
+
+ raise BadKeyError(f"unknown blob type: {keyType}")
 
 @classmethod
 def _fromString_PRIVATE_BLOB(cls, blob):
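Review bot: Both security-key branches stop parsing after the public-key field, so the trailing `application` string of the blob is never read or checked, and the sk-ecdsa branch also discards the curve identifier returned by `common.getNS(rest, 2)` in favour of a hard-coded nistp256. As far as this hunk shows, the only trace left of the key's origin is the `_sk` flag set on the object after construction. Reading the field explicitly, e.g. `application, rest = common.getNS(rest)` after the key material, would let the loader reject a truncated blob and keep the value for later use. If `blob()` (outside this hunk) serialises only the key material, a key loaded here would presumably not round-trip to the bytes it came from; a comment such as `# NOTE: the "application" field is dropped, so this Key cannot reproduce the original blob` would make that limitation visible.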
@@ -676,16 +690,37 @@ class Key:
 """
 if data.startswith(b"ssh-") or data.startswith(b"ecdsa-sha2-"):
 return "public_openssh"
- elif data.startswith(b"-----BEGIN"):
+
+ # Twisted doesn't support certificate based keys yet.
+ # https://github.com/openssh/openssh-portable/blob/05f2b141cfcc60c7cdedf9450d2b9d390c19eaad/PROTOCOL.u2f#L96C1-L97C31
+ if data.startswith(b"sk-ecdsa-sha2-nistp256-cert-v01") or data.startswith(
+ b"sk-ssh-ed25519-cert-v01"
+ ):
+ raise BadKeyError("certificate based keys are not supported")
+
+ if data.startswith(b"sk-ecdsa-sha2-nistp256") or data.startswith(
+ b"sk-ssh-ed25519"
+ ):
+ # OpenSSH FIDO2 security keys have similar public format.
+ # They have the extra "application" string,
+ # which for now is ignored.
+ return "public_openssh"
+
+ if data.startswith(b"-----BEGIN"):
 return "private_openssh"
- elif data.startswith(b"{"):
+
+ if data.startswith(b"{"):
 return "public_lsh"
- elif data.startswith(b"("):
+
+ if data.startswith(b"("):
 return "private_lsh"
- elif (
+
+ if (
 data.startswith(b"\x00\x00\x00\x07ssh-")
 or data.startswith(b"\x00\x00\x00\x13ecdsa-")
 or data.startswith(b"\x00\x00\x00\x0bssh-ed25519")
+ or data.startswith(b'\x00\x00\x00"[email protected]')
+ or data.startswith(b"\x00\x00\x00\[email protected]")
 ):
 ignored, rest = common.getNS(data)
 count = 0
@@ -869,6 +904,7 @@ class Key:
 @type keyObject: C{cryptography.hazmat.primitives.asymmetric} key.
 """
 self._keyObject = keyObject
+ self._sk = False
 
 def __eq__(self, other: object) -> bool:
 """
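Review bot: The certificate rejection covers only the two `sk-…-cert-v01` prefixes and is correct only because it runs before the plain `sk-` prefix test, whose strings are prefixes of the certificate names. Text beginning with `ssh-` or `ecdsa-sha2-` is still returned as "public_openssh" by the first check, so non-sk certificate types would not get the new explicit error and presumably fail later with a less specific one. A comment on the first new `if` would protect the ordering, for example `# Must stay above the plain sk- check: those prefixes also match the -cert-v01 names.` Each pair of `startswith` calls can also be written with a tuple, `data.startswith((b"sk-ecdsa-sha2-nistp256", b"sk-ssh-ed25519"))`. The function body continues beyond both ends of the hunk.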
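Review bot: The new `_sk` attribute set in the constructor is not described in the docstring above it, although it changes what the object reports as its key type. An entry such as `@ivar _sk: C{True} when the key was loaded from an OpenSSH FIDO/U2F ("sk-") public key blob.` would document it. Because the flag defaults to `False` here and is only set by the blob loader, any code that builds a new `Key` from the same `keyObject` would yield a non-sk key. Whether `__eq__`, whose body starts just below the hunk, takes the flag into account is not visible.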
@@ -1029,16 +1065,25 @@ class Key:
 @return: The key type format.
 @rtype: L{bytes}
 """
+ if self._sk:
+ if self.type() == "EC":
+ return b"[email protected]"
+ # FIXME: https://github.com/twisted/twisted/issues/12304
+ # We only support 2 key types,
+ # so if the key was loaded with success and it's
+ # not ECDSA, it must be an ED25519 key.
+ return b"[email protected]"
+
 if self.type() == "EC":
 return (
 b"ecdsa-sha2-" + _secToNist[self._keyObject.curve.name.encode("ascii")]
 )
- else:
- return {
- "RSA": b"ssh-rsa",
- "DSA": b"ssh-dss",
- "Ed25519": b"ssh-ed25519",
- }[self.type()]
+
+ return {
+ "RSA": b"ssh-rsa",
+ "DSA": b"ssh-dss",
+ "Ed25519": b"ssh-ed25519",
+ }[self.type()]
 
 def supportedSignatureAlgorithms(self):
 """
@@ -1070,14 +1115,16 @@ class Key:
 return hashes.SHA512()
 else:
 return None
- else:
- return {
- ("RSA", b"ssh-rsa"): hashes.SHA1(),
- ("RSA", b"rsa-sha2-256"): hashes.SHA256(),
- ("RSA", b"rsa-sha2-512"): hashes.SHA512(),
- ("DSA", b"ssh-dss"): hashes.SHA1(),
- ("Ed25519", b"ssh-ed25519"): hashes.SHA512(),
- }.get((self.type(), signatureType))
+
+ if self.type() == "Ed25519":
+ return hashes.SHA512()
+
+ return {
+ ("RSA", b"ssh-rsa"): hashes.SHA1(),
+ ("RSA", b"rsa-sha2-256"): hashes.SHA256(),
+ ("RSA", b"rsa-sha2-512"): hashes.SHA512(),
+ ("DSA", b"ssh-dss"): hashes.SHA1(),
+ }.get((self.type(), signatureType))
 
 def size(self):
 """
diff --git a/contrib/python/Twisted/py3/twisted/conch/ssh/transport.py b/contrib/python/Twisted/py3/twisted/conch/ssh/transport.py
index d46f093dff9..545c010f76e 100644
--- a/contrib/python/Twisted/py3/twisted/conch/ssh/transport.py
+++ b/contrib/python/Twisted/py3/twisted/conch/ssh/transport.py
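Review bot: In the `if self._sk:` block the key type is assumed rather than checked: any EC key is reported as the nistp256 security-key type whatever its curve, and every non-EC key falls through to the Ed25519 security-key type. The FIXME records that assumption but nothing enforces it, and `_sk` is a plain attribute that other code can set on an RSA, DSA or non-P-256 EC key. Making the second branch explicit, `if self.type() == "Ed25519":` before that return, and failing for anything else would keep a mislabelled key from being advertised under the wrong algorithm name. The EC branch could likewise compare `self._keyObject.curve.name` with the expected curve before returning.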
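Review bot: The added `if self.type() == "Ed25519": return hashes.SHA512()` returns a hash for every `signatureType`, whereas the removed `("Ed25519", b"ssh-ed25519")` table entry let any other signature name fall through to `None`. If callers treat a `None` result as "this algorithm does not belong to this key" (not visible here), that rejection is lost for Ed25519 keys. Keeping the name check preserves it while still admitting the security-key variant: `if self.type() == "Ed25519" and signatureType in (b"ssh-ed25519", b"sk-ssh-ed25519@openssh.com"):`. The function starts above the hunk, so only the tail of its EC branch is visible.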
@@ -103,17 +103,13 @@ class SSHCiphers:
 
 cipherMap = {
 b"3des-cbc": (algorithms.TripleDES, 24, modes.CBC),
- b"blowfish-cbc": (algorithms.Blowfish, 16, modes.CBC),
 b"aes256-cbc": (algorithms.AES, 32, modes.CBC),
 b"aes192-cbc": (algorithms.AES, 24, modes.CBC),
 b"aes128-cbc": (algorithms.AES, 16, modes.CBC),
- b"cast128-cbc": (algorithms.CAST5, 16, modes.CBC),
 b"aes128-ctr": (algorithms.AES, 16, modes.CTR),
 b"aes192-ctr": (algorithms.AES, 24, modes.CTR),
 b"aes256-ctr": (algorithms.AES, 32, modes.CTR),
 b"3des-ctr": (algorithms.TripleDES, 24, modes.CTR),
- b"blowfish-ctr": (algorithms.Blowfish, 16, modes.CTR),
- b"cast128-ctr": (algorithms.CAST5, 16, modes.CTR),
 b"none": (None, 0, modes.CBC),
 }
 macMap = {
@@ -295,10 +291,6 @@ def _getSupportedCiphers():
 b"aes192-cbc",
 b"aes128-ctr",
 b"aes128-cbc",
- b"cast128-ctr",
- b"cast128-cbc",
- b"blowfish-ctr",
- b"blowfish-cbc",
 b"3des-ctr",
 b"3des-cbc",
 ] |
