keys: Add cert utilities and polish/cleanup

* Add utility funcs to load ssh certs. * Rename key loading funcs to mirror the ssh package. * Replace the example server key with an unencrypted key.

keys: Add cert utilities and polish/cleanup
39b86be0 · David Cowden · ac1ebcc7 · 39b86be0 · 39b86be0 · 39b86be0
Commit 39b86be0 authored 4 years ago by David Cowden
--- a/example/hostkey/main.go
+++ b/example/hostkey/main.go
@@ -13,7 +13,7 @@ func main() {
 		// initialization to be skipped.
 		Config: sshutil.DefaultServerConfig(),
 	}
-	key, err := sshutil.LoadHostKeyFromFile("example/server.key", "")
+	key, err := sshutil.LoadKeyFromFile("example/server.key")
 	if err != nil {
 		log.Fatalf("error loading key: %v", err)
 	}

--- a/example/server.key
+++ b/example/server.key
-----BEGIN EC PRIVATE KEY-----
+-----BEGIN OPENSSH PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
-DEK-Info: AES-256-CBC,8baf741fa93dda7c63627c9dfd0c27db
+1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQSS676S0EQA8E15kIWgWCxxLHJ9+GOC
+2gfT9WTfcDrugGZclQgcuoTRruw2LdKurR8nWO4bTG92+VJWKPyM8lDMAAAAoKsLCAqrCw
-QR2/pYnAnzkbXY6zLY7FjzTO5YkKPjMad/Sf0vl/SMfWdMf2hNhu5vg6NT33VnJZ
+gKAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJLrvpLQRADwTXmQ
-g2saTuAubdmwlbdwK59Xdid2CNKlFol+sHXfiyOv9/mEHXo5okLt2RykLZn/YqEu
+haBYLHEscn34Y4LaB9P1ZN9wOu6AZlyVCBy6hNGu7DYt0q6tHydY7htMb3b5UlYo/IzyUM
-YkYTwTuRcbZsFdO0RjbzlyBbMFuf/Mugwn+15QUMebM=
+wAAAAgKH54GDXLjYqPfHs1b6nDzJ8dHseFkYjVyojf1qJQ+B8AAAAEbGVhZgECAwQ=
-----END EC PRIVATE KEY-----
+-----END OPENSSH PRIVATE KEY-----
--- a/example/shutdown/main.go
+++ b/example/shutdown/main.go
@@ -22,7 +22,7 @@ func main() {
 		L: log.New(os.Stderr, "", log.LstdFlags),
 	}
 	{ // scope err
-	key, err := sshutil.LoadHostKeyFromFile("example/server.key", "")
+	key, err := sshutil.LoadKeyFromFile("example/server.key")
 	if err != nil {
 		log.Fatalf("error loading key: %v", err)
 	}

--- a/keys.go
+++ b/keys.go
@@ -10,9 +10,58 @@ import (
 	"golang.org/x/crypto/ssh"
 )
-// LoadHostKeyFromFile returns an ssh.Signer from the key stored at the given
+// LoadCertFromKeyFileOpenSSH returns an ssh.Signer from the unencrypted key
-// filesystem path, decrypted using pass.
+// stored at the given filesystem path with a public key that is the ssh
-func LoadHostKeyFromFile(path, pass string) (ssh.Signer, error) {
+// certificate loaded from the file "<path>-cert.pub". This is how ssh-add looks
+// for certs when adding keys to ssh-agent.
+func LoadCertFromKeyFileOpenSSH(keypath string) (ssh.Signer, error) {
+	certpath := keypath + "-cert.pub"
+	return LoadCertFromFiles(keypath, certpath)
+}
+// LoadCertFromFiles returns an ssh.Signer with private key loaded from the
+// unecrypted path keypath and a public cert component loaded from certpath.
+func LoadCertFromFiles(keypath, certpath string) (ssh.Signer, error) {
+	// Read host key from a file, parse using x/crypto/ssh.
+	kb, err := ioutil.ReadFile(keypath)
+	if err != nil {
+		return nil, err
+	}
+	key, err := ssh.ParsePrivateKey(kb)
+	if err != nil {
+		return nil, err
+	}
+	cb, err := ioutil.ReadFile(certpath)
+	if err != nil {
+		return nil, err
+	}
+	pub, err := ssh.ParsePublicKey(cb)
+	if err != nil {
+		return nil, err
+	}
+	cert := pub.(*ssh.Certificate)
+	signer, err := ssh.NewCertSigner(cert, key)
+	return signer, nil
+}
+// LoadKeyFromFile returns an ssh.Signer from the unencrypted key stored
+// at the given filesystem path.
+func LoadKeyFromFile(path string) (ssh.Signer, error) {
+	// Read host key from a file, parse using x/crypto/ssh.
+	bytes, err := ioutil.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+	key, err := ssh.ParsePrivateKey(bytes)
+	if err != nil {
+		return nil, err
+	}
+	return key, nil
+}
+// LoadKeyFromFileWithPass returns an ssh.Signer from the key stored at the
+// given filesystem path, decrypted using pass.
+func LoadKeyFromFileWithPass(path, pass string) (ssh.Signer, error) {
 	// Read host key from a file, parse using x/crypto/ssh.
 	bytes, err := ioutil.ReadFile(path)
 	if err != nil {