node-sshpk#93 sha384 certificate signatures can't be used

Author: arekinath

lib/signature.js

@@ -33,37 +33,40 @@ function Signature(opts) {
 }
 
 Signature.prototype.toBuffer = function (format) {
-	if (format === undefined)
-		format = 'asn1';
-	assert.string(format, 'format');
+	if (format !== undefined)
+		assert.string(format, 'format');
 
 	var buf;
 	var stype = 'ssh-' + this.type;
 
 	switch (this.type) {
 	case 'rsa':
-		switch (this.hashAlgorithm) {
-		case 'sha256':
-			stype = 'rsa-sha2-256';
-			break;
-		case 'sha512':
-			stype = 'rsa-sha2-512';
-			break;
-		case 'sha1':
-		case undefined:
-			break;
-		default:
-			throw (new Error('SSH signature ' +
-			    'format does not support hash ' +
-			    'algorithm ' + this.hashAlgorithm));
-		}
 		if (format === 'ssh') {
+			switch (this.hashAlgorithm) {
+			case 'sha256':
+				stype = 'rsa-sha2-256';
+				break;
+			case 'sha512':
+				stype = 'rsa-sha2-512';
+				break;
+			case 'sha1':
+			case undefined:
+				break;
+			default:
+				throw (new Error('SSH signature format does ' +
+				    'not support RSA with hash algorithm ' +
+				    this.hashAlgorithm));
+			}
 			buf = new SSHBuffer({});
 			buf.writeString(stype);
 			buf.writePart(this.part.sig);
 			return (buf.toBuffer());
-		} else {
+		} else if (format === 'asn1' || format === 'raw' ||
+		    format === undefined) {
 			return (this.part.sig.data);
+		} else {
+			throw (new Error('Unsupported signature format: ' +
+			    format));
 		}
 		break;
 
@@ -73,15 +76,19 @@ Signature.prototype.toBuffer = function (format) {
 			buf.writeString(stype);
 			buf.writePart(this.part.sig);
 			return (buf.toBuffer());
-		} else {
+		} else if (format === 'asn1' || format === 'raw' ||
+		    format === undefined) {
 			return (this.part.sig.data);
+		} else {
+			throw (new Error('Unsupported signature format: ' +
+			    format));
 		}
 		break;
 
 	case 'dsa':
 	case 'ecdsa':
 		var r, s;
-		if (format === 'asn1') {
+		if (format === 'asn1' || format === undefined) {
 			var der = new asn1.BerWriter();
 			der.startSequence();
 			r = utils.mpNormalize(this.part.r.data);
@@ -129,7 +136,7 @@ Signature.prototype.toBuffer = function (format) {
 			buf.writeBuffer(inner.toBuffer());
 			return (buf.toBuffer());
 		}
-		throw (new Error('Invalid signature format'));
+		throw (new Error('Invalid signature format: ' + format));
 	default:
 		throw (new Error('Invalid signature data'));
 	}

test/assets/sha384test-cert.pem

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZsCFCvhb5Lx45XMZk54N2L49kMRQgoEMA0GCSqGSIb3DQEBDAUAMBYx
+FDASBgNVBAMMC3NoYTM4NCB0ZXN0MB4XDTIzMTIxOTA0MTE1OFoXDTI0MDExODA0
+MTE1OFowFjEUMBIGA1UEAwwLc2hhMzg0IHRlc3QwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQDnSjZEEGZ0015lc/3I1HvyP13GmVqTZz1xspVWYqGj5A3N
+sQsjRZyI9xeQp1jl/5f2VUdnjvxlpq2z6s3g6vq8tNlBnOhSSBEofD6X0A3uq9Jc
+Q/KyMlClxBRoOE4sETXd13cUy5mrb3NymtNEwMGIgUNxrjrkZ4twT1I0EOdnImVV
+WNpY6xsdpS2Aoz3R1scd2dbwpLosXTwqNfD11wVkrWjYG/VflYQEVSOzRbggRdNF
+8aTUfJjsvaGByBMF+Ke47/nS4WrwnvyLnmSOXs7rMSwl//AlDKq8yIs0Qmrnahp8
+qD8MBqYdL5ohfBtZwIKeXt23IiuKJ65kHLJ2NsxfAgMBAAEwDQYJKoZIhvcNAQEM
+BQADggEBAKaE5I4CHunzUPaRC/2v9LGwdfbedCYttO57VaTpGf+G2iiuV8q1Dnw0
+AKGP44NFNJ9bQved8OfhM0E7HlbRW6c1qGmsLtwJB9A8LKdslJAzZtXgBduwcPdH
+IjDSRfpSwiO48hre7wJGrJnxUaBl+QKFkiEYl4URglpjq887ma72ol7wG+Qqmy6w
+YsxUzerDm7ubvptms7Y2y53UFz9LQstxsJOIKXdLlN009BI6B6FIT/vgWAruykXf
+WsO0pIO5xWhk5zqIEEHQDKmPVbEceQTnsYKWjvdb8XFmJn38sWgtf0iuPgJkqEd/
+yEGTp0vsRBx6+l8c7OgFCbsQsP8hqFY=
+-----END CERTIFICATE-----

test/assets/sha384test-key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDnSjZEEGZ0015l
+c/3I1HvyP13GmVqTZz1xspVWYqGj5A3NsQsjRZyI9xeQp1jl/5f2VUdnjvxlpq2z
+6s3g6vq8tNlBnOhSSBEofD6X0A3uq9JcQ/KyMlClxBRoOE4sETXd13cUy5mrb3Ny
+mtNEwMGIgUNxrjrkZ4twT1I0EOdnImVVWNpY6xsdpS2Aoz3R1scd2dbwpLosXTwq
+NfD11wVkrWjYG/VflYQEVSOzRbggRdNF8aTUfJjsvaGByBMF+Ke47/nS4WrwnvyL
+nmSOXs7rMSwl//AlDKq8yIs0Qmrnahp8qD8MBqYdL5ohfBtZwIKeXt23IiuKJ65k
+HLJ2NsxfAgMBAAECggEAQiqQWKtqbBx1wkdLAHONG9G15ZVEfKvJv6eLomFoBYc9
+zazK12XYMLSjaK3/OBkFI6Lk4QLeQMRMqA5RpHkEjwybpHIbYkKcqfzVOT/7ZF6C
+OQP1P7Y2LR3piqEk9+VaiCLWPbw7M3iYSd5x9xa/pun33eMulN3sXY5LoXp+gJmi
+rqcqKQ0Z8EC6lEgNfSXCx1lJ3vYpeMLMtCz6F1w/raZJ3m0Yw6DpQGRjiJJmWAQ7
+kHe8awnrO1WjZ7FPF5JRFIjX/vjn0Wz9LsDvVX16Vbxe5XT+GK2lUGO4sobICf1u
+VN9DCDR67zXPOdywaGjdn2tkI6zDKJ3l/4Lb/+bFTQKBgQD3RGIMT9t/xBMk6QJ7
+vy/RIuom/4BqTuMpzgMbQ4ow2ZaE8ToQypaPUj9gFFKSjI+E/8p1SFs1Ozk1reJK
+hvB/cCzUiZP8fJen7lv1AJ1EfK7ThPDdMAtmTVPW/znKucD3jPJEhF7W+pzEgzjK
+3jnv5WG4+94gxG2tA4iv0lAvPQKBgQDvdV+929j7gZ+YPljBLr4lpzTYDGVH2B7f
+0ZHN8Wf+xWFvsyVwUX4s/troYs9OGP+u/FAKlMMi1NmRIkjj08JCHtShNae0J5EF
+MKTO0JqUijRQ8a0W02Qqm4gpCbHg1A+NzjAeaEjHfGjXVFpKhWFkRe+76ZN8XXzo
+NqB7xZwjywKBgQDp+KYCWmorqqAm0+kKqS0Y6r2/6xJbBYyEGTDtUmpnsOxxnUTB
+cMEomr3nLzO3AhQn2FZ9xdqwMvr+ZSv0M11MaRuyfQAv8MEcITqYSV2G2agf8/Jq
+ibSvt8n2bYkE3+HNHGx+Evce2wMOG9DYfZE7A8UFYiacwOG6zdY/8HT5TQKBgBTq
+D36poP32iFXnvCDDUGBBhmAIVSA9RBUQXMe7+fVKkAQNhYuV0otjhwMc/jY4ALzr
+1KHX9GMqbAY9FFixuhnET5X09bzKZ+QoJ3zYw2eN2pvnP9Lqi6kdBHtxGVQlsWYV
+SCafvRuPRijoeSphE+yKHzIuaG9ISwyNGN82lziZAoGAMxAvsE4WxJDqveyY6jMx
+WShFY5lU6W7rRRN5ZYkX1tvaBcEF7tWyku76LCki7vYySqRHcwbXXJI2i8aAODEl
+jyVzmMywzFrQ9SdWKzFmbzb/pN0Q8PmYUWn2tDkiSVe+eL+2NO1PfYn+uTgOL2xX
+sNbIamzBjAZ/yynumJzte/A=
+-----END PRIVATE KEY-----

test/certs.js

@@ -452,3 +452,24 @@ test('example cert: openssh extensions', function (t) {
 
 	t.end();
 });
+
+test('example cert: sha384 rsa', function (t) {
+	var cert = sshpk.parseCertificate(
+	    fs.readFileSync(path.join(testDir, 'sha384test-cert.pem')),
+	    'pem');
+	t.strictEqual(cert.subjectKey.type, 'rsa');
+	t.strictEqual(cert.subjects[0].cn, 'sha384 test');
+
+	var key = sshpk.parsePrivateKey(
+	    fs.readFileSync(path.join(testDir, 'sha384test-key.pem')),
+	    'pem');
+	t.strictEqual(key.type, 'rsa');
+
+	t.ok(cert.isSignedByKey(key));
+	t.ok(cert.subjectKey.fingerprint().matches(key));
+
+	t.strictEqual(cert.fingerprint('sha1').toString(),
+	    'SHA1:BITz0TaHh9R5H1NNyidAPcJ1yIs');
+
+	t.end();
+});