Test various security key options

Author: vcsjones

lib/ssh_data/public_key/skecdsa.rb

@@ -37,8 +37,9 @@ def rfc4253
 
       def verify(signed_data, signature, **opts)
         opts = DEFAULT_SK_VERIFY_OPTS.merge(opts)
+        unknown_opts = opts.keys - DEFAULT_SK_VERIFY_OPTS.keys
+        raise UnsupportedError, "Verification options #{unknown_opts.inspect} are not supported." unless unknown_opts.empty?
 
-        read = 0
         sig_algo, raw_sig, sk_flags, blob = build_signing_blob(application, signed_data, signature)
         self.class.check_algorithm!(sig_algo, curve)
 

lib/ssh_data/public_key/sked25519.rb

@@ -27,6 +27,9 @@ def rfc4253
       def verify(signed_data, signature, **opts)
         self.class.ed25519_gem_required!
         opts = DEFAULT_SK_VERIFY_OPTS.merge(opts)
+        unknown_opts = opts.keys - DEFAULT_SK_VERIFY_OPTS.keys
+        raise UnsupportedError, "Verification options #{unknown_opts.inspect} are not supported." unless unknown_opts.empty?
+
         sig_algo, raw_sig, sk_flags, blob = build_signing_blob(application, signed_data, signature)
 
         if sig_algo != self.class.algorithm_identifier

spec/fixtures/signatures/create-signatures.sh

@@ -12,9 +12,18 @@ fi
 create_key_and_sign() {
     local alg=$1
     local keysize=$2
-    local key=$filedir/$alg-$keysize.key
+    local key=$filedir/$alg-$keysize-no-options.key
     yes | ssh-keygen -q -N "" -t $alg -b $keysize -C "" -f $key
-    cat $message | ssh-keygen -Y sign -n file -f $key > $message.$alg-$keysize.sig
+    cat $message | ssh-keygen -Y sign -n file -f $key > $message.$alg-$keysize-no-options.sig
+}
+
+create_key_and_sign_options() {
+    local alg=$1
+    local keysize=$2
+    local options=$3
+    local key=$filedir/$alg-$keysize-$options.key
+    yes | ssh-keygen -q -O $options -N "" -t $alg -b $keysize -C "" -f $key
+    cat $message | ssh-keygen -Y sign -n file -f $key > $message.$alg-$keysize-$options.sig
 }
 
 create_key_and_sign "rsa" 2048
@@ -30,6 +39,12 @@ if [[ $REPLY =~ ^[Yy]$ ]]
 then
     create_key_and_sign "ed25519-sk" 256
     create_key_and_sign "ecdsa-sk" 256
+
+    create_key_and_sign_options "ed25519-sk" 256 "no-touch-required"
+    create_key_and_sign_options "ecdsa-sk" 256 "no-touch-required"
+
+    create_key_and_sign_options "ed25519-sk" 256 "verify-required"
+    create_key_and_sign_options "ecdsa-sk" 256 "verify-required"
 fi
 
 popd

spec/fixtures/signatures/ecdsa-256-no-options.key

@@ -0,0 +1,8 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
+1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQTu7bLmPHQJ1883rJnsHgr3BqmdsFrv
+4c2U1NN6yGFCqhQQFAsPI2bn14Bm573qZ8Q4YGn++RdyGDXYK7WYEwnXAAAAoHNCEUZzQh
+FGAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO7tsuY8dAnXzzes
+meweCvcGqZ2wWu/hzZTU03rIYUKqFBAUCw8jZufXgGbnvepnxDhgaf75F3IYNdgrtZgTCd
+cAAAAhANbn8yJTkseH4y/zFcbMkSsxDpE+rb46YeyLEGh2KqVdAAAAAAECAwQFBgc=
+-----END OPENSSH PRIVATE KEY-----

spec/fixtures/signatures/ecdsa-256-no-options.key.pub

@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO7tsuY8dAnXzzesmeweCvcGqZ2wWu/hzZTU03rIYUKqFBAUCw8jZufXgGbnvepnxDhgaf75F3IYNdgrtZgTCdc= 

spec/fixtures/signatures/ecdsa-256.key

@@ -0,0 +1,10 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAiAAAABNlY2RzYS
+1zaGEyLW5pc3RwMzg0AAAACG5pc3RwMzg0AAAAYQQ2IoaL8jZJ7QH7ROay4U0Q/8nz6/Dl
+/3alJnyyt2XrzzyPa8fK+ukG19oTggTLz13ypcJucrXvr8JqkmS5CFbQDAl5qJLJoCuSbt
+QeJWRLJb4X2gNYhjpcdkc35jqN/KIAAADQvMiFzrzIhc4AAAATZWNkc2Etc2hhMi1uaXN0
+cDM4NAAAAAhuaXN0cDM4NAAAAGEENiKGi/I2Se0B+0TmsuFNEP/J8+vw5f92pSZ8srdl68
+88j2vHyvrpBtfaE4IEy89d8qXCbnK176/CapJkuQhW0AwJeaiSyaArkm7UHiVkSyW+F9oD
+WIY6XHZHN+Y6jfyiAAAAMQDfv4v4pwrMXvwOR5jG6f81ecedO/oW+nhioCRwOyjaKO7iOS
+hu0xMdcAdtoE1twGIAAAAAAQIDBAUGBw==
+-----END OPENSSH PRIVATE KEY-----

spec/fixtures/signatures/ecdsa-256.key.pub

@@ -0,0 +1 @@
+ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDYihovyNkntAftE5rLhTRD/yfPr8OX/dqUmfLK3ZevPPI9rx8r66QbX2hOCBMvPXfKlwm5yte+vwmqSZLkIVtAMCXmoksmgK5Ju1B4lZEslvhfaA1iGOlx2RzfmOo38og==