11# Test SSH signatures (SSHSIG format)
22# Tests for signature-specific fields, SSHSignature creation/parsing
33# Tests creating signatures with sshkey-tools and verifying with ssh-keygen, and vice versa
4-
4+ import io
55import os
66import shutil
77import unittest
8+ import subprocess
89
910import src .sshkey_tools .exceptions as _EX
1011import src .sshkey_tools .fields as _FIELD
@@ -183,17 +184,20 @@ def generateFiles(self, folder):
183184 with open (f"tests/{ folder } /testdata.txt" , "w" ) as f :
184185 f .write ("This is test data for SSH signature testing." )
185186
186- os . system (
187- f' ssh-keygen -t rsa -b 2048 -f tests/{ folder } /rsa_key -N "" > /dev/null 2>&1'
187+ subprocess . run (
188+ [ " ssh-keygen" , "-t" , " rsa" , "-b" , " 2048" , "-f" , f" tests/{ folder } /rsa_key" , "-N" , '' ]
188189 )
189- os .system (
190- f'ssh-keygen -t ecdsa -b 256 -f tests/{ folder } /ecdsa_key -N "" > /dev/null 2>&1'
190+
191+ subprocess .run (
192+ ["ssh-keygen" , "-t" , "ecdsa" , "-b" , "256" , "-f" , f"tests/{ folder } /ecdsa_key" , "-N" , '' ]
191193 )
192- os .system (
193- f'ssh-keygen -t ed25519 -f tests/{ folder } /ed25519_key -N "" > /dev/null 2>&1'
194+
195+ subprocess .run (
196+ ["ssh-keygen" , "-t" , "ed25519" , "-f" , f"tests/{ folder } /ed25519_key" , "-N" , '' ]
194197 )
195-
198+
196199 for key_type in KEY_TYPES :
200+ os .chmod (f"tests/{ folder } /{ key_type } _key" , 0o600 )
197201 with open (f"tests/{ folder } /{ key_type } _key.pub" ) as f :
198202 pubkey = f .read ().strip ()
199203 with open (f"tests/{ folder } /{ key_type } _allowed_signers" , "w" ) as f :
@@ -238,12 +242,23 @@ def assertSignAndVerifyWithSshkeygen(self, key_type, namespace="file", hash_alg=
238242 data_path = f"tests/{ self .folder } /{ key_type } _{ namespace } _{ hash_alg } _data.txt"
239243 with open (data_path , "wb" ) as f :
240244 f .write (data )
241-
242- result = os .system (
243- f"ssh-keygen -Y verify -f { allowed_signers_path } -I { PRINCIPAL } "
244- f"-n { namespace } -s { sig_path } < { data_path } > /dev/null 2>&1"
245+
246+
247+ p = subprocess .Popen ([
248+ "ssh-keygen" , "-Y" , "verify" , "-f" , allowed_signers_path , "-I" , PRINCIPAL ,
249+ "-n" , namespace , "-s" , sig_path
250+ ],
251+ stdout = subprocess .PIPE ,
252+ stdin = subprocess .PIPE ,
253+ stderr = subprocess .PIPE ,
254+ text = True
255+ )
256+ stdout_data = p .communicate (input = data .decode ("utf-8" ))
257+
258+ self .assertNotStartsWith (
259+ stdout_data [0 ],
260+ 'Could not verify signature'
245261 )
246- self .assertEqual (result , 0 , f"ssh-keygen failed to verify { key_type } signature" )
247262
248263 def test_rsa_sign_sha512 (self ):
249264 self .assertSignAndVerifyWithSshkeygen ("rsa" , "file" , "sha512" )
@@ -279,11 +294,14 @@ def test_sign_file_method(self):
279294
280295 allowed_signers_path = self .createSshkeyToolsAllowedSigners ("ed25519_file_method" , pubkey )
281296
282- result = os .system (
283- f"ssh-keygen -Y verify -f { allowed_signers_path } -I { PRINCIPAL } "
284- f"-n file -s { sig_path } < tests/{ self .folder } /testdata.txt > /dev/null 2>&1"
297+ result = subprocess .run (
298+ ["bash" , "-c" ,
299+ f"ssh-keygen -Y verify -f { allowed_signers_path } -I { PRINCIPAL } "
300+ f"-n file -s { sig_path } < tests/{ self .folder } /testdata.txt" ,
301+ ],
302+ capture_output = True
285303 )
286- self .assertEqual (result , 0 , "ssh-keygen failed to verify file-signed ed25519 signature" )
304+ self .assertEqual (result . returncode , 0 , "ssh-keygen failed to verify file-signed ed25519 signature" )
287305
288306
289307class TestSshkeygenSignaturesParsedBySshkeyTools (SignatureMethods ):
@@ -298,11 +316,11 @@ def assertParseSshkeygenSignature(self, key_type):
298316 with open (data_path , "wb" ) as f :
299317 f .write (data )
300318
301- ret = os . system (
302- f "ssh-keygen -Y sign -f tests/{ self .folder } /{ key_type } _key "
303- f"-n file { data_path } > /dev/null 2>&1"
319+ ret = subprocess . run (
320+ [ "ssh-keygen" , "-Y" , " sign" , "-f" , f" tests/{ self .folder } /{ key_type } _key" , "-n" , "file" , data_path ],
321+ capture_output = True
304322 )
305- self .assertEqual (ret , 0 , f"ssh-keygen failed to sign { data_path } " )
323+ self .assertEqual (ret . returncode , 0 , f"ssh-keygen failed to sign { data_path } " )
306324
307325 sig = _SIG .SSHSignature .from_file (sig_path )
308326
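Review bot: In assertSignAndVerifyWithSshkeygen the new check fails open: `assertNotStartsWith(stdout_data[0], 'Could not verify signature')` passes whenever stdout is empty or holds any other text, so an ssh-keygen run that exits non-zero for a different reason (for instance an error reported only on stderr) would still count as a verified signature. The exit status that the removed assertion checked is still available after `communicate()`, so I would keep it as `self.assertEqual(p.returncode, 0, f"ssh-keygen failed to verify {key_type} signature")`. Passing `input=data` as bytes without `text=True` would also hand ssh-keygen exactly the bytes that were signed, rather than a UTF-8 round trip that can raise on non-text data or be changed by newline translation. `assertNotStartsWith` appears to be available in `unittest` only from Python 3.14 unless SignatureMethods defines it outside this view; the function itself starts above the hunk. Two smaller points elsewhere in the file: the key-generation `subprocess.run` calls in generateFiles ignore their exit status (`check=True` would stop the test at the real failure), and test_sign_file_method still builds a shell line for `bash -c` where an argv list with `stdin=` set to the opened data file would match the other call sites.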