Implement ecdsa-sha2-nistp{256,384,521}

* Moved ECDSA into `ec` module. * Added support and tests for these algorithms.
Eugeny · Apr 15, 2024 · b4233de · b4233de
1 parent a375283
commit b4233de
Show file tree

Hide file tree

Showing 11 changed files with 853 additions and 178 deletions.
diff --git a/README.md b/README.md
@@ -40,6 +40,9 @@ This is a fork of [Thrussh](https://nest.pijul.com/pijul/thrussh) by Pierre-Éti
   * `rsa-sha2-256`
   * `rsa-sha2-512`
   * `ssh-rsa` ✨
+  * `ecdsa-sha2-nistp256` ✨
+  * `ecdsa-sha2-nistp384` ✨
+  * `ecdsa-sha2-nistp521` ✨
 * Dependency updates
 * OpenSSH keepalive request handling ✨
 * OpenSSH agent forwarding channels ✨

diff --git a/russh-keys/Cargo.toml b/russh-keys/Cargo.toml
@@ -13,6 +13,7 @@ include = [
   "src/agent/client.rs",
   "src/bcrypt_pbkdf.rs",
   "src/blowfish.rs",
+  "src/ec.rs",
   "src/encoding.rs",
   "src/format/mod.rs",
   "src/format/openssh.rs",
@@ -39,7 +40,9 @@ block-padding = { version = "0.3", features = ["std"] }
 byteorder = "1.4"
 data-encoding = "2.3"
 dirs = "5.0"
+ecdsa = "0.16"
 ed25519-dalek = { version= "2.0", features = ["rand_core"] }
+elliptic-curve = "0.13"
 futures = "0.3"
 hmac = "0.12"
 inout = { version = "0.1", features = ["std"] }
@@ -49,9 +52,10 @@ num-bigint = "0.4"
 num-integer = "0.1"
 openssl = { version = "0.10", optional = true }
 p256 = "0.13"
+p384 = "0.13"
 p521 = "0.13"
 pbkdf2 = "0.11"
-rand = "0.7"
+rand = "0.8"
 rand_core = { version = "0.6.4", features = ["std"] }
 russh-cryptovec = { version = "0.7.0", path = "../cryptovec" }
 serde = { version = "1.0", features = ["derive"] }
@@ -65,6 +69,7 @@ tokio = { version = "1.17.0", features = [
   "net",
 ] }
 tokio-stream = { version = "0.1", features = ["net"] }
+typenum = "1.17"
 yasna = { version = "0.5.0", features = ["bit-vec", "num-bigint"] }
 
 [features]

diff --git a/russh-keys/src/agent/client.rs b/russh-keys/src/agent/client.rs
@@ -103,6 +103,8 @@ impl<S: AsyncRead + AsyncWrite + Unpin> AgentClient<S> {
         key: &key::KeyPair,
         constraints: &[Constraint],
     ) -> Result<(), Error> {
+        // See IETF draft-miller-ssh-agent-13, section 3.2 for format.
+        // https://datatracker.ietf.org/doc/html/draft-miller-ssh-agent
         self.buf.clear();
         self.buf.resize(4);
         if constraints.is_empty() {
@@ -138,6 +140,13 @@ impl<S: AsyncRead + AsyncWrite + Unpin> AgentClient<S> {
                 self.buf.extend_ssh_mpint(&key.q().unwrap().to_vec());
                 self.buf.extend_ssh_string(b"");
             }
+            key::KeyPair::EC { ref key } => {
+                self.buf.extend_ssh_string(key.algorithm().as_bytes());
+                self.buf.extend_ssh_string(key.ident().as_bytes());
+                self.buf.extend_ssh_string(&key.to_public_key().to_sec1_bytes());
+                self.buf.extend_ssh_mpint(&key.to_secret_bytes());
+                self.buf.extend_ssh_string(b""); // comment
+            }
         }
         if !constraints.is_empty() {
             for cons in constraints {
@@ -275,21 +284,17 @@ impl<S: AsyncRead + AsyncWrite + Unpin> AgentClient<S> {
                     b"ssh-ed25519" => keys.push(PublicKey::Ed25519(
                         ed25519_dalek::VerifyingKey::try_from(r.read_string()?)?,
                     )),
-                    b"ecdsa-sha2-nistp256" => {
+                    crate::KEYTYPE_ECDSA_SHA2_NISTP256
+                    | crate::KEYTYPE_ECDSA_SHA2_NISTP384
+                    | crate::KEYTYPE_ECDSA_SHA2_NISTP521 => {
                         let curve = r.read_string()?;
-                        if curve != b"nistp256" {
-                            return Err(Error::EcdsaKeyError(p256::elliptic_curve::Error));
+                        let sec1_bytes = r.read_string()?;
+                        let key = crate::ec::PublicKey::from_sec1_bytes(t, sec1_bytes)?;
+                        if curve != key.ident().as_bytes() {
+                            return Err(Error::CouldNotReadKey);
                         }
-                        let key = r.read_string()?;
-                        keys.push(PublicKey::P256(p256::PublicKey::from_sec1_bytes(key)?));
-                    }
-                    b"ecdsa-sha2-nistp512" => {
-                        let curve = r.read_string()?;
-                        if curve != b"nistp521" {
-                            return Err(Error::EcdsaKeyError(p521::elliptic_curve::Error));
-                        }
-                        let key = r.read_string()?;
-                        keys.push(PublicKey::P521(p521::PublicKey::from_sec1_bytes(key)?));
+                        keys.push(PublicKey::EC { key })
+
                     }
                     t => {
                         info!("Unsupported key type: {:?}", std::str::from_utf8(t))
@@ -550,7 +555,7 @@ fn key_blob(public: &key::PublicKey, buf: &mut CryptoVec) -> Result<(), Error> {
             #[allow(clippy::indexing_slicing)] // length is known
             BigEndian::write_u32(&mut buf[5..], (len1 - len0) as u32);
         }
-        PublicKey::P256(_) | PublicKey::P521(_) => {
+        PublicKey::EC { .. } => {
             buf.extend_ssh_string(&public.public_key_bytes());
         }
     }

diff --git a/russh-keys/src/ec.rs b/russh-keys/src/ec.rs
@@ -0,0 +1,262 @@
+use crate::key::safe_rng;
+use crate::Error;
+use elliptic_curve::{Curve, CurveArithmetic, FieldBytes, FieldBytesSize};
+
+// p521::{SigningKey, VerifyingKey} are wrapped versions and do not provide PartialEq and Eq, hence
+// we make our own type alias here.
+mod local_p521 {
+    use rand_core::CryptoRngCore;
+    use sha2::{Digest, Sha512};
+
+    pub type NistP521 = p521::NistP521;
+    pub type VerifyingKey = ecdsa::VerifyingKey<NistP521>;
+    pub type SigningKey = ecdsa::SigningKey<NistP521>;
+    pub type Signature = ecdsa::Signature<NistP521>;
+    pub type Result<T> = ecdsa::Result<T>;
+
+    // Implement signing because p521::NistP521 does not implement DigestPrimitive trait.
+    pub fn try_sign_with_rng(
+        key: &SigningKey,
+        rng: &mut impl CryptoRngCore,
+        msg: &[u8],
+    ) -> Result<Signature> {
+        use ecdsa::hazmat::{bits2field, sign_prehashed};
+        use elliptic_curve::Field;
+        let prehash = Sha512::digest(msg);
+        let z = bits2field::<NistP521>(&prehash)?;
+        let k = p521::Scalar::random(rng);
+        sign_prehashed(key.as_nonzero_scalar().as_ref(), k, &z).map(|sig| sig.0)
+    }
+
+    // Implement verifying because ecdsa::VerifyingKey<p521::NistP521> does not satisfy the trait
+    // bound requirements of the DigestVerifier's implementation in ecdsa crate.
+    pub fn verify(key: &VerifyingKey, msg: &[u8], signature: &Signature) -> Result<()> {
+        use ecdsa::signature::hazmat::PrehashVerifier;
+        key.verify_prehash(&Sha512::digest(msg), signature)
+    }
+}
+
+const CURVE_NISTP256: &str = "nistp256";
+const CURVE_NISTP384: &str = "nistp384";
+const CURVE_NISTP521: &str = "nistp521";
+
+/// An ECC public key.
+#[derive(Clone, Eq, PartialEq)]
+pub enum PublicKey {
+    P256(p256::ecdsa::VerifyingKey),
+    P384(p384::ecdsa::VerifyingKey),
+    P521(local_p521::VerifyingKey),
+}
+
+impl PublicKey {
+    /// Returns the elliptic curve domain parameter identifiers defined in RFC 5656 section 6.1.
+    pub fn ident(&self) -> &'static str {
+        match self {
+            Self::P256(_) => CURVE_NISTP256,
+            Self::P384(_) => CURVE_NISTP384,
+            Self::P521(_) => CURVE_NISTP521,
+        }
+    }
+
+    /// Returns the ECC public key algorithm name defined in RFC 5656 section 6.2, in the form of
+    /// `"ecdsa-sha2-[identifier]"`.
+    pub fn algorithm(&self) -> &'static str {
+        match self {
+            Self::P256(_) => crate::ECDSA_SHA2_NISTP256,
+            Self::P384(_) => crate::ECDSA_SHA2_NISTP384,
+            Self::P521(_) => crate::ECDSA_SHA2_NISTP521,
+        }
+    }
+
+    /// Creates a `PrivateKey` from algorithm name and SEC1-encoded point on curve.
+    pub fn from_sec1_bytes(algorithm: &[u8], bytes: &[u8]) -> Result<Self, Error> {
+        match algorithm {
+            crate::KEYTYPE_ECDSA_SHA2_NISTP256 => Ok(Self::P256(
+                p256::ecdsa::VerifyingKey::from_sec1_bytes(bytes)?,
+            )),
+            crate::KEYTYPE_ECDSA_SHA2_NISTP384 => Ok(Self::P384(
+                p384::ecdsa::VerifyingKey::from_sec1_bytes(bytes)?,
+            )),
+            crate::KEYTYPE_ECDSA_SHA2_NISTP521 => Ok(Self::P521(
+                local_p521::VerifyingKey::from_sec1_bytes(bytes)?,
+            )),
+            _ => Err(Error::UnsupportedKeyType {
+                key_type_string: String::from_utf8(algorithm.to_vec())
+                    .unwrap_or_else(|_| format!("{algorithm:?}")),
+                key_type_raw: algorithm.to_vec(),
+            }),
+        }
+    }
+
+    /// Returns the SEC1-encoded public curve point.
+    pub fn to_sec1_bytes(&self) -> Vec<u8> {
+        match self {
+            Self::P256(key) => key.to_encoded_point(false).as_bytes().to_vec(),
+            Self::P384(key) => key.to_encoded_point(false).as_bytes().to_vec(),
+            Self::P521(key) => key.to_encoded_point(false).as_bytes().to_vec(),
+        }
+    }
+
+    /// Verifies message against signature `(r, s)` using the associated digest algorithm.
+    pub fn verify(&self, msg: &[u8], r: &[u8], s: &[u8]) -> Result<(), Error> {
+        use ecdsa::signature::Verifier;
+        match self {
+            Self::P256(key) => {
+                key.verify(msg, &signature_from_scalar_bytes::<p256::NistP256>(r, s)?)
+            }
+            Self::P384(key) => {
+                key.verify(msg, &signature_from_scalar_bytes::<p384::NistP384>(r, s)?)
+            }
+            Self::P521(key) => local_p521::verify(
+                key,
+                msg,
+                &signature_from_scalar_bytes::<p521::NistP521>(r, s)?,
+            ),
+        }
+        .map_err(Error::from)
+    }
+}
+
+impl std::fmt::Debug for PublicKey {
+    fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
+        match *self {
+            Self::P256(_) => write!(f, "P256"),
+            Self::P384(_) => write!(f, "P384"),
+            Self::P521(_) => write!(f, "P521"),
+        }
+    }
+}
+
+/// An ECC private key.
+#[derive(Clone, Eq, PartialEq)]
+pub enum PrivateKey {
+    P256(p256::ecdsa::SigningKey),
+    P384(p384::ecdsa::SigningKey),
+    P521(local_p521::SigningKey),
+}
+
+impl PrivateKey {
+    /// Creates a `PrivateKey` with algorithm name and scalar.
+    pub fn new_from_secret_scalar(algorithm: &[u8], scalar: &[u8]) -> Result<Self, Error> {
+        match algorithm {
+            crate::KEYTYPE_ECDSA_SHA2_NISTP256 => {
+                Ok(Self::P256(p256::ecdsa::SigningKey::from_slice(scalar)?))
+            }
+            crate::KEYTYPE_ECDSA_SHA2_NISTP384 => {
+                Ok(Self::P384(p384::ecdsa::SigningKey::from_slice(scalar)?))
+            }
+            crate::KEYTYPE_ECDSA_SHA2_NISTP521 => {
+                Ok(Self::P521(local_p521::SigningKey::from_slice(scalar)?))
+            }
+            _ => Err(Error::UnsupportedKeyType {
+                key_type_string: String::from_utf8(algorithm.to_vec())
+                    .unwrap_or_else(|_| format!("{algorithm:?}")),
+                key_type_raw: algorithm.to_vec(),
+            }),
+        }
+    }
+
+    /// Returns the elliptic curve domain parameter identifiers defined in RFC 5656 section 6.1.
+    pub fn ident(&self) -> &'static str {
+        match self {
+            Self::P256(_) => CURVE_NISTP256,
+            Self::P384(_) => CURVE_NISTP384,
+            Self::P521(_) => CURVE_NISTP521,
+        }
+    }
+
+    /// Returns the ECC public key algorithm name defined in RFC 5656 section 6.2, in the form of
+    /// `"ecdsa-sha2-[identifier]"`.
+    pub fn algorithm(&self) -> &'static str {
+        match self {
+            Self::P256(_) => crate::ECDSA_SHA2_NISTP256,
+            Self::P384(_) => crate::ECDSA_SHA2_NISTP384,
+            Self::P521(_) => crate::ECDSA_SHA2_NISTP521,
+        }
+    }
+
+    /// Returns the public key.
+    pub fn to_public_key(&self) -> PublicKey {
+        match self {
+            Self::P256(key) => PublicKey::P256(*key.verifying_key()),
+            Self::P384(key) => PublicKey::P384(*key.verifying_key()),
+            Self::P521(key) => PublicKey::P521(*key.verifying_key()),
+        }
+    }
+
+    /// Returns the secret scalar in bytes.
+    pub fn to_secret_bytes(&self) -> Vec<u8> {
+        match self {
+            Self::P256(key) => key.to_bytes().to_vec(),
+            Self::P384(key) => key.to_bytes().to_vec(),
+            Self::P521(key) => key.to_bytes().to_vec(),
+        }
+    }
+
+    /// Sign the message with associated digest algorithm.
+    pub fn try_sign(&self, msg: &[u8]) -> Result<(Vec<u8>, Vec<u8>), Error> {
+        use ecdsa::signature::RandomizedSigner;
+        Ok(match self {
+            Self::P256(key) => {
+                signature_to_scalar_bytes(key.try_sign_with_rng(&mut safe_rng(), msg)?)
+            }
+            Self::P384(key) => {
+                signature_to_scalar_bytes(key.try_sign_with_rng(&mut safe_rng(), msg)?)
+            }
+            Self::P521(key) => {
+                signature_to_scalar_bytes(local_p521::try_sign_with_rng(key, &mut safe_rng(), msg)?)
+            }
+        })
+    }
+}
+
+impl std::fmt::Debug for PrivateKey {
+    fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
+        match *self {
+            Self::P256(_) => write!(f, "P256 {{ (hidden) }}"),
+            Self::P384(_) => write!(f, "P384 {{ (hidden) }}"),
+            Self::P521(_) => write!(f, "P521 {{ (hidden) }}"),
+        }
+    }
+}
+
+fn try_field_bytes_from_mpint<C>(b: &[u8]) -> Option<FieldBytes<C>>
+where
+    C: Curve + CurveArithmetic,
+{
+    use typenum::Unsigned;
+    let size = FieldBytesSize::<C>::to_usize();
+    assert!(size > 0);
+    #[allow(clippy::indexing_slicing)] // Length checked
+    if b.len() == size + 1 && b[0] == 0 {
+        Some(FieldBytes::<C>::clone_from_slice(&b[1..]))
+    } else if b.len() == size {
+        Some(FieldBytes::<C>::clone_from_slice(b))
+    } else if b.len() < size {
+        let mut fb: FieldBytes<C> = Default::default();
+        fb.as_mut_slice()[size - b.len()..].clone_from_slice(b);
+        Some(fb)
+    } else {
+        None
+    }
+}
+
+fn signature_from_scalar_bytes<C>(r: &[u8], s: &[u8]) -> Result<ecdsa::Signature<C>, Error>
+where
+    C: Curve + CurveArithmetic + elliptic_curve::PrimeCurve,
+    ecdsa::SignatureSize<C>: elliptic_curve::generic_array::ArrayLength<u8>,
+{
+    Ok(ecdsa::Signature::<C>::from_scalars(
+        try_field_bytes_from_mpint::<C>(r).ok_or(Error::InvalidSignature)?,
+        try_field_bytes_from_mpint::<C>(s).ok_or(Error::InvalidSignature)?,
+    )?)
+}
+
+fn signature_to_scalar_bytes<C>(sig: ecdsa::Signature<C>) -> (Vec<u8>, Vec<u8>)
+where
+    C: Curve + CurveArithmetic + elliptic_curve::PrimeCurve,
+    ecdsa::SignatureSize<C>: elliptic_curve::generic_array::ArrayLength<u8>,
+{
+    let (r, s) = sig.split_bytes();
+    (r.to_vec(), s.to_vec())
+}