Re-implement SSHKey to remove sshkey gem dependency

johha · johha · commit 624fe2dcd5aa · 2025-11-04T10:59:38.000+01:00
Refactor the `VCAP::CloudController::Diego::SSHKey` class to remove the dependency on the `sshkey` gem. This change reduces external dependencies and avoids potential compilation issues related to native extensions.

The class is re-implemented using the standard `openssl` and `digest` libraries. The public interface and output formats of the `private_key`, `authorized_key`, `fingerprint` (SHA1), and `sha256_fingerprint` methods are preserved, ensuring it acts as a transparent, drop-in replacement.

The performance impact is negligible as the most expensive operation, RSA key generation, still relies on OpenSSL, and all derived values are memoized.
diff --git a/Gemfile b/Gemfile
@@ -36,7 +36,6 @@ gem 'sequel', '~> 5.97'
 gem 'sequel_pg', require: 'sequel'
 gem 'sinatra', '~> 3.2'
 gem 'sinatra-contrib'
-gem 'sshkey'
 gem 'statsd-ruby', '~> 1.5.0'
 gem 'steno'
 gem 'talentbox-delayed_job_sequel', '~> 4.3.0'
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -578,7 +578,6 @@ GEM
     spring (4.4.0)
     spring-commands-rspec (1.0.4)
       spring (>= 0.9.1)
-    sshkey (3.0.0)
     statsd-ruby (1.5.0)
     steno (1.3.5)
       fluent-logger
@@ -710,7 +709,6 @@ DEPENDENCIES
   spork!
   spring
   spring-commands-rspec
-  sshkey
   statsd-ruby (~> 1.5.0)
   steno
   talentbox-delayed_job_sequel (~> 4.3.0)
diff --git a/lib/cloud_controller/diego/ssh_key.rb b/lib/cloud_controller/diego/ssh_key.rb
@@ -1,5 +1,7 @@
 require 'net/ssh'
-require 'sshkey'
+require 'openssl'
+require 'base64'
+require 'digest'
 
 module VCAP
   module CloudController
@@ -14,27 +16,42 @@ def private_key
         end
 
         def authorized_key
-          @authorized_key ||= begin
-            type = key.ssh_type
-            data = [key.to_blob].pack('m0')
-
-            "#{type} #{data}"
-          end
+          @authorized_key ||= "ssh-rsa #{Base64.strict_encode64(public_key_blob)}"
         end
 
         def fingerprint
-          @fingerprint ||= ::SSHKey.new(key.to_der).sha1_fingerprint
+          @fingerprint ||= Digest::SHA1.hexdigest(public_key_blob).scan(/../).join(':')
         end
 
         def sha256_fingerprint
-          @sha256_fingerprint ||= ::SSHKey.new(key.to_der).sha256_fingerprint
+          @sha256_fingerprint ||= Base64.strict_encode64(Digest::SHA256.digest(public_key_blob))
         end
 
         private
 
         def key
           @key ||= OpenSSL::PKey::RSA.new(@bits)
         end
+
+        def to_ssh_string(value)
+          [value.bytesize].pack('N') + value
+        end
+
+        def to_ssh_mpint(number)
+          return to_ssh_string([0].pack('C')) if number.zero?
+
+          binary = number.to_s(2)
+          binary = "\x00" + binary if binary.getbyte(0) & 0x80 != 0
+          to_ssh_string(binary)
+        end
+
+        def public_key_blob
+          @public_key_blob ||= begin
+            e = key.public_key.e
+            n = key.public_key.n
+            to_ssh_string('ssh-rsa') + to_ssh_mpint(e) + to_ssh_mpint(n)
+          end
+        end
       end
     end
   end
