|
| 1 | +/* |
| 2 | + * Copyright (C)2009 - SSHJ Contributors |
| 3 | + * |
| 4 | + * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | + * you may not use this file except in compliance with the License. |
| 6 | + * You may obtain a copy of the License at |
| 7 | + * |
| 8 | + * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | + * |
| 10 | + * Unless required by applicable law or agreed to in writing, software |
| 11 | + * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | + * See the License for the specific language governing permissions and |
| 14 | + * limitations under the License. |
| 15 | + */ |
| 16 | +package com.hierynomus.sshj.signature; |
| 17 | + |
| 18 | +import com.hierynomus.sshj.userauth.fido.SecurityKeyPrivateKey; |
| 19 | +import com.hierynomus.sshj.userauth.fido.SecurityKeyPublicKey; |
| 20 | +import com.hierynomus.sshj.userauth.fido.SecurityKeySignatureData; |
| 21 | +import com.hierynomus.sshj.userauth.fido.SecurityKeySigner; |
| 22 | +import com.hierynomus.sshj.userauth.fido.SecurityKeySigningRequest; |
| 23 | +import net.schmizz.sshj.common.Buffer; |
| 24 | +import net.schmizz.sshj.common.SSHRuntimeException; |
| 25 | +import net.schmizz.sshj.signature.AbstractSignatureDSA; |
| 26 | + |
| 27 | +import java.io.ByteArrayOutputStream; |
| 28 | +import java.io.IOException; |
| 29 | +import java.nio.charset.StandardCharsets; |
| 30 | +import java.security.MessageDigest; |
| 31 | +import java.security.NoSuchAlgorithmException; |
| 32 | +import java.security.PrivateKey; |
| 33 | +import java.security.PublicKey; |
| 34 | +import java.security.SignatureException; |
| 35 | + |
| 36 | +/** |
| 37 | + * Base class for the OpenSSH FIDO/U2F security key signatures |
| 38 | + * ({@code sk-ecdsa-sha2-nistp256@openssh.com} and {@code sk-ssh-ed25519@openssh.com}). |
| 39 | + * <p> |
| 40 | + * The difference from an ordinary SSH signature is what actually gets signed. A FIDO authenticator |
| 41 | + * never sees the SSH payload directly; instead it signs a small fixed structure (WebAuthn calls it |
| 42 | + * the authenticator data plus the client-data hash): |
| 43 | + * |
| 44 | + * <pre> |
| 45 | + * signed = SHA256(application) || flags || counter || SHA256(sshData) |
| 46 | + * </pre> |
| 47 | + * |
| 48 | + * and the wire signature carries the {@code flags} and {@code counter} so the verifier can rebuild |
| 49 | + * that structure: |
| 50 | + * |
| 51 | + * <pre> |
| 52 | + * string key type |
| 53 | + * string raw signature (ECDSA r||s as two mpints, or 64-byte Ed25519 signature) |
| 54 | + * byte flags |
| 55 | + * uint32 counter |
| 56 | + * </pre> |
| 57 | + * |
| 58 | + * Verification rebuilds {@code signed} and checks it with the underlying ECDSA/Ed25519 key. Signing |
| 59 | + * is delegated to a {@link SecurityKeySigner} (the hardware bridge); this class only hashes the SSH |
| 60 | + * payload, hands the challenge to the signer and assembles the wire format from what comes back. |
| 61 | + * |
| 62 | + * @see <a href="https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.u2f">PROTOCOL.u2f</a> |
| 63 | + */ |
| 64 | +public abstract class AbstractSecurityKeySignature extends AbstractSignatureDSA { |
| 65 | + |
| 66 | + private final ByteArrayOutputStream sshData = new ByteArrayOutputStream(); |
| 67 | + private String application; |
| 68 | + private SecurityKeyPrivateKey signingKey; |
| 69 | + private byte signedFlags; |
| 70 | + private long signedCounter; |
| 71 | + |
| 72 | + protected AbstractSecurityKeySignature(String algorithm, String keyTypeName) { |
| 73 | + super(algorithm, keyTypeName); |
| 74 | + } |
| 75 | + |
| 76 | + @Override |
| 77 | + public boolean isSignaturePreEncoded() { |
| 78 | + return true; |
| 79 | + } |
| 80 | + |
| 81 | + @Override |
| 82 | + public void initVerify(PublicKey publicKey) { |
| 83 | + if (!(publicKey instanceof SecurityKeyPublicKey)) { |
| 84 | + throw new SSHRuntimeException("Expected a SecurityKeyPublicKey but got: " + publicKey); |
| 85 | + } |
| 86 | + SecurityKeyPublicKey sk = (SecurityKeyPublicKey) publicKey; |
| 87 | + this.application = sk.getApplication(); |
| 88 | + super.initVerify(sk.getDelegate()); |
| 89 | + } |
| 90 | + |
| 91 | + @Override |
| 92 | + public void initSign(PrivateKey privateKey) { |
| 93 | + if (!(privateKey instanceof SecurityKeyPrivateKey)) { |
| 94 | + throw new SSHRuntimeException("Expected a SecurityKeyPrivateKey but got: " + privateKey); |
| 95 | + } |
| 96 | + this.signingKey = (SecurityKeyPrivateKey) privateKey; |
| 97 | + this.application = signingKey.getApplication(); |
| 98 | + } |
| 99 | + |
| 100 | + @Override |
| 101 | + public void update(byte[] foo, int off, int len) { |
| 102 | + sshData.write(foo, off, len); |
| 103 | + } |
| 104 | + |
| 105 | + @Override |
| 106 | + public byte[] sign() { |
| 107 | + if (signingKey == null) { |
| 108 | + throw new SSHRuntimeException("initSign was not called with a SecurityKeyPrivateKey"); |
| 109 | + } |
| 110 | + SecurityKeySigner signer = signingKey.getSigner(); |
| 111 | + if (signer == null) { |
| 112 | + throw new SSHRuntimeException("No SecurityKeySigner attached to security key " + signingKey.getKeyTypeName() |
| 113 | + + "; cannot reach the authenticator. Authenticate via ssh-agent or attach a SecurityKeySigner."); |
| 114 | + } |
| 115 | + byte[] challenge = sha256(sshData.toByteArray()); |
| 116 | + SecurityKeySignatureData data; |
| 117 | + try { |
| 118 | + data = signer.sign(new SecurityKeySigningRequest(signingKey.getKeyTypeName(), application, |
| 119 | + signingKey.getKeyHandle(), challenge, signingKey.getFlags())); |
| 120 | + } catch (IOException e) { |
| 121 | + throw new SSHRuntimeException("Security key signing failed", e); |
| 122 | + } |
| 123 | + this.signedFlags = data.getFlags(); |
| 124 | + this.signedCounter = data.getCounter(); |
| 125 | + return deviceSignatureToSsh(data.getSignature()); |
| 126 | + } |
| 127 | + |
| 128 | + /** |
| 129 | + * Assemble the full SSH signature value: {@code string keyType || string rawSig || byte flags || uint32 counter}. |
| 130 | + * Relies on {@link #sign()} having been called first to capture the flags and counter. |
| 131 | + */ |
| 132 | + @Override |
| 133 | + public byte[] encode(byte[] sshRawSignature) { |
| 134 | + return new Buffer.PlainBuffer() |
| 135 | + .putString(getSignatureName()) |
| 136 | + .putBytes(sshRawSignature) |
| 137 | + .putByte(signedFlags) |
| 138 | + .putUInt32(signedCounter) |
| 139 | + .getCompactData(); |
| 140 | + } |
| 141 | + |
| 142 | + @Override |
| 143 | + public boolean verify(byte[] sig) { |
| 144 | + Buffer.PlainBuffer buf = new Buffer.PlainBuffer(sig); |
| 145 | + try { |
| 146 | + String type = buf.readString(); |
| 147 | + if (!getSignatureName().equals(type)) { |
| 148 | + throw new SSHRuntimeException("Expected '" + getSignatureName() + "' signature but got: " + type); |
| 149 | + } |
| 150 | + byte[] sshRawSignature = buf.readBytes(); |
| 151 | + byte flags = buf.readByte(); |
| 152 | + long counter = buf.readUInt32(); |
| 153 | + |
| 154 | + byte[] signedData = buildSignedData(flags, counter, sha256(sshData.toByteArray())); |
| 155 | + signature.update(signedData); |
| 156 | + return signature.verify(sshSignatureToDevice(sshRawSignature)); |
| 157 | + } catch (Buffer.BufferException | SignatureException e) { |
| 158 | + throw new SSHRuntimeException(e); |
| 159 | + } |
| 160 | + } |
| 161 | + |
| 162 | + /** |
| 163 | + * The exact bytes the authenticator signs: {@code SHA256(application) || flags || counter || clientDataHash}. |
| 164 | + */ |
| 165 | + private byte[] buildSignedData(byte flags, long counter, byte[] clientDataHash) { |
| 166 | + byte[] rpIdHash = sha256(application.getBytes(StandardCharsets.UTF_8)); |
| 167 | + return new Buffer.PlainBuffer() |
| 168 | + .putRawBytes(rpIdHash) |
| 169 | + .putByte(flags) |
| 170 | + .putUInt32(counter) |
| 171 | + .putRawBytes(clientDataHash) |
| 172 | + .getCompactData(); |
| 173 | + } |
| 174 | + |
| 175 | + protected static byte[] sha256(byte[] data) { |
| 176 | + try { |
| 177 | + return MessageDigest.getInstance("SHA-256").digest(data); |
| 178 | + } catch (NoSuchAlgorithmException e) { |
| 179 | + throw new SSHRuntimeException(e); |
| 180 | + } |
| 181 | + } |
| 182 | + |
| 183 | + /** |
| 184 | + * Convert the SSH raw-signature encoding read off the wire into the byte format the JCA |
| 185 | + * verification engine expects (DER for ECDSA, unchanged for Ed25519). |
| 186 | + */ |
| 187 | + protected abstract byte[] sshSignatureToDevice(byte[] sshRawSignature) throws Buffer.BufferException; |
| 188 | + |
| 189 | + /** |
| 190 | + * Convert the authenticator's native signature into the SSH raw-signature encoding (r||s as two |
| 191 | + * mpints for ECDSA, unchanged for Ed25519). |
| 192 | + */ |
| 193 | + protected abstract byte[] deviceSignatureToSsh(byte[] deviceSignature); |
| 194 | +} |
0 commit comments