[Private Key] Add support for PuTTY private key

Author: scott-xu

Directory.Packages.props

@@ -6,7 +6,7 @@
   <ItemGroup>
     <PackageVersion Include="Appveyor.TestLogger" Version="2.0.0" />
     <PackageVersion Include="BenchmarkDotNet" Version="0.14.0" />
-    <PackageVersion Include="BouncyCastle.Cryptography" Version="2.4.0" />
+    <PackageVersion Include="BouncyCastle.Cryptography" Version="2.5.0-beta.105" />
     <PackageVersion Include="coverlet.collector" Version="6.0.2" />
     <PackageVersion Include="coverlet.msbuild" Version="6.0.2" />
     <PackageVersion Include="LiquidTestReports.Markdown" Version="1.0.9" />

src/Renci.SshNet/PrivateKeyFile.PuTTY.cs

@@ -0,0 +1,276 @@
+#nullable enable
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.Linq;
+using System.Security.Cryptography;
+using System.Text;
+
+using Org.BouncyCastle.Crypto.Generators;
+using Org.BouncyCastle.Crypto.Parameters;
+
+using Renci.SshNet.Abstractions;
+using Renci.SshNet.Common;
+using Renci.SshNet.Security;
+using Renci.SshNet.Security.Cryptography.Ciphers;
+
+namespace Renci.SshNet
+{
+    public partial class PrivateKeyFile
+    {
+        private sealed class PuTTY : IPrivateKeyParser
+        {
+            private readonly string _version;
+            private readonly string _algorithmName;
+            private readonly string _encryptionType;
+            private readonly string _comment;
+            private readonly byte[] _publicKey;
+            private readonly string? _argon2Type;
+            private readonly string? _argon2Salt;
+            private readonly string? _argon2Iterations;
+            private readonly string? _argon2Memory;
+            private readonly string? _argon2Parallelism;
+            private readonly byte[] _data;
+            private readonly string _mac;
+            private readonly string? _passPhrase;
+
+            public PuTTY(string version, string algorithmName, string encryptionType, string comment, byte[] publicKey, string? argon2Type, string? argon2Salt, string? argon2Iterations, string? argon2Memory, string? argon2Parallelism, byte[] data, string mac, string? passPhrase)
+            {
+                _version = version;
+                _algorithmName = algorithmName;
+                _encryptionType = encryptionType;
+                _comment = comment;
+                _publicKey = publicKey;
+                _argon2Type = argon2Type;
+                _argon2Salt = argon2Salt;
+                _argon2Iterations = argon2Iterations;
+                _argon2Memory = argon2Memory;
+                _argon2Parallelism = argon2Parallelism;
+                _data = data;
+                _mac = mac;
+                _passPhrase = passPhrase;
+            }
+
+            /// <summary>
+            /// Parses an PuTTY PPK key file.
+            /// <see href="https://tartarus.org/~simon/putty-snapshots/htmldoc/AppendixC.html"/>.
+            /// </summary>
+            public Key Parse()
+            {
+                byte[] privateKey;
+                HMAC hmac;
+                switch (_encryptionType)
+                {
+                    case "aes256-cbc":
+                        if (string.IsNullOrEmpty(_passPhrase))
+                        {
+                            throw new SshPassPhraseNullOrEmptyException("Private key is encrypted but passphrase is empty.");
+                        }
+
+                        byte[] cipherKey;
+                        byte[] cipherIV;
+                        switch (_version)
+                        {
+                            case "3":
+                                ThrowHelper.ThrowIfNullOrEmpty(_argon2Type);
+                                ThrowHelper.ThrowIfNullOrEmpty(_argon2Iterations);
+                                ThrowHelper.ThrowIfNullOrEmpty(_argon2Memory);
+                                ThrowHelper.ThrowIfNullOrEmpty(_argon2Parallelism);
+                                ThrowHelper.ThrowIfNullOrEmpty(_argon2Salt);
+
+                                var keyData = Argon2(
+                                    _argon2Type,
+                                    Convert.ToInt32(_argon2Iterations),
+                                    Convert.ToInt32(_argon2Memory),
+                                    Convert.ToInt32(_argon2Parallelism),
+#if NET
+                                    Convert.FromHexString(_argon2Salt),
+#else
+                                    Org.BouncyCastle.Utilities.Encoders.Hex.Decode(_argon2Salt),
+#endif
+                                    _passPhrase);
+
+                                cipherKey = keyData.Take(32);
+                                cipherIV = keyData.Take(32, 16);
+
+                                hmac = new HMACSHA256(keyData.Take(48, 32));
+
+                                break;
+                            case "2":
+                                keyData = V2KDF(_passPhrase);
+
+                                cipherKey = keyData.Take(32);
+                                cipherIV = new byte[16];
+
+                                using (var sha1 = SHA1.Create())
+                                {
+                                    var part1 = Encoding.UTF8.GetBytes("putty-private-key-file-mac-key");
+                                    var part2 = Encoding.UTF8.GetBytes(_passPhrase);
+                                    _ = sha1.TransformBlock(part1, 0, part1.Length, outputBuffer: null, 0);
+                                    _ = sha1.TransformFinalBlock(part2, 0, part2.Length);
+                                    hmac = new HMACSHA1(sha1.Hash.Take(20));
+                                }
+
+                                break;
+                            default:
+                                throw new SshException("PuTTY key file version " + _version + " is not supported");
+                        }
+
+                        var cipher = new AesCipher(cipherKey, cipherIV, AesCipherMode.CBC, pkcs7Padding: false);
+                        privateKey = cipher.Decrypt(_data);
+
+                        break;
+                    case "none":
+                        switch (_version)
+                        {
+                            case "3":
+                                hmac = new HMACSHA256(Array.Empty<byte>());
+                                break;
+                            case "2":
+                                var hash = CryptoAbstraction.HashSHA1(Encoding.UTF8.GetBytes("putty-private-key-file-mac-key"));
+                                hmac = new HMACSHA1(hash);
+                                break;
+                            default:
+                                throw new SshException("PuTTY key file version " + _version + " is not supported");
+                        }
+
+                        privateKey = _data;
+                        break;
+                    default:
+                        throw new SshException("encryption " + _encryptionType + " is not supported for PuTTY key file");
+                }
+
+                using (var macData = new SshDataStream(256))
+                {
+                    macData.Write(_algorithmName, Encoding.UTF8);
+                    macData.Write(_encryptionType, Encoding.UTF8);
+                    macData.Write(_comment, Encoding.UTF8);
+                    macData.WriteBinary(_publicKey);
+                    macData.WriteBinary(privateKey);
+                    try
+                    {
+                        var encoded = hmac.ComputeHash(macData.ToArray());
+#if NET
+                        var reference = Convert.FromHexString(_mac);
+#else
+                        var reference = Org.BouncyCastle.Utilities.Encoders.Hex.Decode(_mac);
+#endif
+                        if (!encoded.SequenceEqual(reference))
+                        {
+                            throw new SshException("MAC verification failed for PuTTY key file");
+                        }
+                    }
+                    finally
+                    {
+                        hmac.Dispose();
+                    }
+                }
+
+                var publicKeyReader = new SshDataReader(_publicKey);
+                var keyType = publicKeyReader.ReadString(Encoding.UTF8);
+                Debug.Assert(keyType == _algorithmName, $"{nameof(keyType)} is not the same with {nameof(_algorithmName)}");
+
+                var privateKeyReader = new SshDataReader(privateKey);
+
+                Key parsedKey;
+
+                switch (keyType)
+                {
+                    case "ssh-ed25519":
+                        parsedKey = new ED25519Key(privateKeyReader.ReadBignum2());
+                        break;
+                    case "ecdsa-sha2-nistp256":
+                    case "ecdsa-sha2-nistp384":
+                    case "ecdsa-sha2-nistp512":
+                        var curve = publicKeyReader.ReadString(Encoding.ASCII);
+                        var pub = publicKeyReader.ReadBignum2();
+                        var prv = privateKeyReader.ReadBignum2();
+                        parsedKey = new EcdsaKey(curve, pub, prv);
+                        break;
+                    case "ssh-dss":
+                        var p = publicKeyReader.ReadBignum();
+                        var q = publicKeyReader.ReadBignum();
+                        var g = publicKeyReader.ReadBignum();
+                        var y = publicKeyReader.ReadBignum();
+                        var x = privateKeyReader.ReadBignum();
+                        parsedKey = new DsaKey(p, q, g, y, x);
+                        break;
+                    case "ssh-rsa":
+                        var exponent = publicKeyReader.ReadBignum(); // e
+                        var modulus = publicKeyReader.ReadBignum(); // n
+                        var d = privateKeyReader.ReadBignum(); // d
+                        p = privateKeyReader.ReadBignum(); // p
+                        q = privateKeyReader.ReadBignum(); // q
+                        var inverseQ = privateKeyReader.ReadBignum(); // iqmp
+                        parsedKey = new RsaKey(modulus, exponent, d, p, q, inverseQ);
+                        break;
+                    default:
+                        throw new SshException("key type " + keyType + " is not supported for PuTTY key file");
+                }
+
+                parsedKey.Comment = _comment;
+                return parsedKey;
+            }
+
+            private static byte[] Argon2(string type, int iterations, int memory, int parallelism, byte[] salt, string passPhrase)
+            {
+                int param;
+                switch (type)
+                {
+                    case "Argon2i":
+                        param = Argon2Parameters.Argon2i;
+                        break;
+                    case "Argon2d":
+                        param = Argon2Parameters.Argon2d;
+                        break;
+                    case "Argon2id":
+                        param = Argon2Parameters.Argon2id;
+                        break;
+                    default:
+                        throw new SshException("kdf " + type + " is not supported for PuTTY key file");
+                }
+
+                var a2p = new Argon2Parameters.Builder(param)
+                    .WithVersion(Argon2Parameters.Version13)
+                    .WithIterations(iterations)
+                    .WithMemoryAsKB(memory)
+                    .WithParallelism(parallelism)
+                    .WithSalt(salt).Build();
+
+                var generator = new Argon2BytesGenerator();
+
+                generator.Init(a2p);
+
+                var output = new byte[80];
+                var bytes = generator.GenerateBytes(passPhrase.ToCharArray(), output);
+
+                if (bytes != output.Length)
+                {
+                    throw new SshException("Failed to generate key via Argon2");
+                }
+
+                return output;
+            }
+
+            private static byte[] V2KDF(string passphrase)
+            {
+                var cipherKey = new List<byte>();
+
+                var passwordBytes = Encoding.UTF8.GetBytes(passphrase);
+                for (var sequenceNumber = 0; sequenceNumber < 2; sequenceNumber++)
+                {
+                    using (var sha1 = SHA1.Create())
+                    {
+                        var sequence = new byte[] { 0, 0, 0, (byte)sequenceNumber };
+                        _ = sha1.TransformBlock(sequence, 0, 4, outputBuffer: null, 0);
+                        _ = sha1.TransformFinalBlock(passwordBytes, 0, passwordBytes.Length);
+                        Debug.Assert(sha1.Hash != null, "Hash is null");
+                        cipherKey.AddRange(sha1.Hash);
+                    }
+                }
+
+                return cipherKey.ToArray();
+            }
+        }
+    }
+}

src/Renci.SshNet/PrivateKeyFile.cs

@@ -111,19 +111,25 @@ namespace Renci.SshNet
     public partial class PrivateKeyFile : IPrivateKeySource, IDisposable
     {
         private const string PrivateKeyPattern = @"^-+ *BEGIN (?<keyName>\w+( \w+)*) *-+\r?\n((Proc-Type: 4,ENCRYPTED\r?\nDEK-Info: (?<cipherName>[A-Z0-9-]+),(?<salt>[a-fA-F0-9]+)\r?\n\r?\n)|(Comment: ""?[^\r\n]*""?\r?\n))?(?<data>([a-zA-Z0-9/+=]{1,80}\r?\n)+)(\r?\n)?-+ *END \k<keyName> *-+";
+        private const string PrivateKeyPuTTYPattern = @"^(?<keyName>PuTTY-User-Key-File)-(?<version>\d+): (?<algorithmName>[\w-]+)\r?\nEncryption: (?<encryptionType>[\w-]+)\nComment: (?<comment>.*)\r?\nPublic-Lines: \d+\r?\n(?<publicKey>(([a-zA-Z0-9/+=]{1,64})\r?\n)+)(Key-Derivation: (?<argon2Type>\w+)\r?\nArgon2-Memory: (?<argon2Memory>\d+)\r?\nArgon2-Passes: (?<argon2Passes>\d+)\r?\nArgon2-Parallelism: (?<argon2Parallelism>\d+)\r?\nArgon2-Salt: (?<argon2Salt>[\w\d]+)\r?\n)?Private-Lines: \d+\r?\n(?<data>(([a-zA-Z0-9/+=]{1,64})\r?\n)+)+Private-MAC: (?<mac>[\w\d]+)";
         private const string CertificatePattern = @"(?<type>[-\w]+@openssh\.com)\s(?<data>[a-zA-Z0-9\/+=]*)(\s+(?<comment>.*))?";
 
 #if NET7_0_OR_GREATER
         private static readonly Regex PrivateKeyRegex = GetPrivateKeyRegex();
+        private static readonly Regex PrivateKeyPuTTYRegex = GetPrivateKeyPuTTYRegex();
         private static readonly Regex CertificateRegex = GetCertificateRegex();
 
         [GeneratedRegex(PrivateKeyPattern, RegexOptions.Multiline | RegexOptions.ExplicitCapture)]
         private static partial Regex GetPrivateKeyRegex();
 
+        [GeneratedRegex(PrivateKeyPuTTYPattern, RegexOptions.Multiline | RegexOptions.ExplicitCapture)]
+        private static partial Regex GetPrivateKeyPuTTYRegex();
+
         [GeneratedRegex(CertificatePattern, RegexOptions.ExplicitCapture)]
         private static partial Regex GetCertificateRegex();
 #else
         private static readonly Regex PrivateKeyRegex = new Regex(PrivateKeyPattern, RegexOptions.Compiled | RegexOptions.Multiline | RegexOptions.ExplicitCapture);
+        private static readonly Regex PrivateKeyPuTTYRegex = new Regex(PrivateKeyPuTTYPattern, RegexOptions.Compiled | RegexOptions.Multiline | RegexOptions.ExplicitCapture);
         private static readonly Regex CertificateRegex = new Regex(CertificatePattern, RegexOptions.Compiled | RegexOptions.ExplicitCapture);
 #endif
 
@@ -287,7 +293,14 @@ private void Open(Stream privateKey, string? passPhrase)
             using (var sr = new StreamReader(privateKey))
             {
                 var text = sr.ReadToEnd();
-                privateKeyMatch = PrivateKeyRegex.Match(text);
+                if (text.StartsWith("PuTTY-User-Key-File", StringComparison.Ordinal))
+                {
+                    privateKeyMatch = PrivateKeyPuTTYRegex.Match(text);
+                }
+                else
+                {
+                    privateKeyMatch = PrivateKeyRegex.Match(text);
+                }
             }
 
             if (!privateKeyMatch.Success)
@@ -321,6 +334,34 @@ private void Open(Stream privateKey, string? passPhrase)
                 case "SSH2 ENCRYPTED PRIVATE KEY":
                     parser = new SSHCOM(binaryData, passPhrase);
                     break;
+                case "PuTTY-User-Key-File":
+                    var version = privateKeyMatch.Result("${version}");
+                    var algorithmName = privateKeyMatch.Result("${algorithmName}");
+                    var encryptionType = privateKeyMatch.Result("${encryptionType}");
+                    var comment = privateKeyMatch.Result("${comment}");
+                    var publicKey = privateKeyMatch.Result("${publicKey}");
+                    var argon2Type = privateKeyMatch.Result("${argon2Type}");
+                    var argon2Memory = privateKeyMatch.Result("${argon2Memory}");
+                    var argon2Passes = privateKeyMatch.Result("${argon2Passes}");
+                    var argon2Parallelism = privateKeyMatch.Result("${argon2Parallelism}");
+                    var argon2Salt = privateKeyMatch.Result("${argon2Salt}");
+                    var mac = privateKeyMatch.Result("${mac}");
+
+                    parser = new PuTTY(
+                        version,
+                        algorithmName,
+                        encryptionType,
+                        comment,
+                        Convert.FromBase64String(publicKey),
+                        argon2Type,
+                        argon2Salt,
+                        argon2Passes,
+                        argon2Memory,
+                        argon2Parallelism,
+                        binaryData,
+                        mac,
+                        passPhrase);
+                    break;
                 default:
                     throw new NotSupportedException(string.Format(CultureInfo.CurrentCulture, "Key '{0}' is not supported.", keyName));
             }

test/Data/Key.PuTTY2.Ed25519.Encrypted.12345.ppk

@@ -0,0 +1,9 @@
+PuTTY-User-Key-File-2: ssh-ed25519
+Encryption: aes256-cbc
+Comment: Key.OPENSSH.ED25519
+Public-Lines: 2
+AAAAC3NzaC1lZDI1NTE5AAAAIA0JZnDQrxQZcNALfZYG7LPAW1MYEGvVW5nje7Ol
+MGMi
+Private-Lines: 1
+f3N2/AkwbgVeXdK155h+JCbWgBXyEk3qEyx+ChUqm4tOUQGiJ95/mTo4RbIjWn+2
+Private-MAC: 823817b8364ce7f52e278e252fd10e2f51ac8554

test/Data/Key.PuTTY2.Ed25519.ppk

@@ -0,0 +1,9 @@
+PuTTY-User-Key-File-2: ssh-ed25519
+Encryption: none
+Comment: Key.OPENSSH.ED25519
+Public-Lines: 2
+AAAAC3NzaC1lZDI1NTE5AAAAIA0JZnDQrxQZcNALfZYG7LPAW1MYEGvVW5nje7Ol
+MGMi
+Private-Lines: 1
+AAAAIADMEXUw9TGuz7JykmHbzPOj8XebpZwo76iuxJtHkvAp
+Private-MAC: 6a1329739932b5caaaf48d7fcd61392d498b8f5f