242 lines
		
	
	
		
			5.3 KiB
		
	
	
	
		
			Go
		
	
	
	
		
			Vendored
		
	
	
	
			
		
		
	
	
			242 lines
		
	
	
		
			5.3 KiB
		
	
	
	
		
			Go
		
	
	
	
		
			Vendored
		
	
	
	
| // Copyright 2014 The Go Authors. All rights reserved.
 | |
| // Use of this source code is governed by a BSD-style
 | |
| // license that can be found in the LICENSE file.
 | |
| 
 | |
| package agent
 | |
| 
 | |
| import (
 | |
| 	"bytes"
 | |
| 	"crypto/rand"
 | |
| 	"crypto/subtle"
 | |
| 	"errors"
 | |
| 	"fmt"
 | |
| 	"sync"
 | |
| 	"time"
 | |
| 
 | |
| 	"golang.org/x/crypto/ssh"
 | |
| )
 | |
| 
 | |
| type privKey struct {
 | |
| 	signer  ssh.Signer
 | |
| 	comment string
 | |
| 	expire  *time.Time
 | |
| }
 | |
| 
 | |
| type keyring struct {
 | |
| 	mu   sync.Mutex
 | |
| 	keys []privKey
 | |
| 
 | |
| 	locked     bool
 | |
| 	passphrase []byte
 | |
| }
 | |
| 
 | |
| var errLocked = errors.New("agent: locked")
 | |
| 
 | |
| // NewKeyring returns an Agent that holds keys in memory.  It is safe
 | |
| // for concurrent use by multiple goroutines.
 | |
| func NewKeyring() Agent {
 | |
| 	return &keyring{}
 | |
| }
 | |
| 
 | |
| // RemoveAll removes all identities.
 | |
| func (r *keyring) RemoveAll() error {
 | |
| 	r.mu.Lock()
 | |
| 	defer r.mu.Unlock()
 | |
| 	if r.locked {
 | |
| 		return errLocked
 | |
| 	}
 | |
| 
 | |
| 	r.keys = nil
 | |
| 	return nil
 | |
| }
 | |
| 
 | |
| // removeLocked does the actual key removal. The caller must already be holding the
 | |
| // keyring mutex.
 | |
| func (r *keyring) removeLocked(want []byte) error {
 | |
| 	found := false
 | |
| 	for i := 0; i < len(r.keys); {
 | |
| 		if bytes.Equal(r.keys[i].signer.PublicKey().Marshal(), want) {
 | |
| 			found = true
 | |
| 			r.keys[i] = r.keys[len(r.keys)-1]
 | |
| 			r.keys = r.keys[:len(r.keys)-1]
 | |
| 			continue
 | |
| 		} else {
 | |
| 			i++
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	if !found {
 | |
| 		return errors.New("agent: key not found")
 | |
| 	}
 | |
| 	return nil
 | |
| }
 | |
| 
 | |
| // Remove removes all identities with the given public key.
 | |
| func (r *keyring) Remove(key ssh.PublicKey) error {
 | |
| 	r.mu.Lock()
 | |
| 	defer r.mu.Unlock()
 | |
| 	if r.locked {
 | |
| 		return errLocked
 | |
| 	}
 | |
| 
 | |
| 	return r.removeLocked(key.Marshal())
 | |
| }
 | |
| 
 | |
| // Lock locks the agent. Sign and Remove will fail, and List will return an empty list.
 | |
| func (r *keyring) Lock(passphrase []byte) error {
 | |
| 	r.mu.Lock()
 | |
| 	defer r.mu.Unlock()
 | |
| 	if r.locked {
 | |
| 		return errLocked
 | |
| 	}
 | |
| 
 | |
| 	r.locked = true
 | |
| 	r.passphrase = passphrase
 | |
| 	return nil
 | |
| }
 | |
| 
 | |
| // Unlock undoes the effect of Lock
 | |
| func (r *keyring) Unlock(passphrase []byte) error {
 | |
| 	r.mu.Lock()
 | |
| 	defer r.mu.Unlock()
 | |
| 	if !r.locked {
 | |
| 		return errors.New("agent: not locked")
 | |
| 	}
 | |
| 	if 1 != subtle.ConstantTimeCompare(passphrase, r.passphrase) {
 | |
| 		return fmt.Errorf("agent: incorrect passphrase")
 | |
| 	}
 | |
| 
 | |
| 	r.locked = false
 | |
| 	r.passphrase = nil
 | |
| 	return nil
 | |
| }
 | |
| 
 | |
| // expireKeysLocked removes expired keys from the keyring. If a key was added
 | |
| // with a lifetimesecs contraint and seconds >= lifetimesecs seconds have
 | |
| // ellapsed, it is removed. The caller *must* be holding the keyring mutex.
 | |
| func (r *keyring) expireKeysLocked() {
 | |
| 	for _, k := range r.keys {
 | |
| 		if k.expire != nil && time.Now().After(*k.expire) {
 | |
| 			r.removeLocked(k.signer.PublicKey().Marshal())
 | |
| 		}
 | |
| 	}
 | |
| }
 | |
| 
 | |
| // List returns the identities known to the agent.
 | |
| func (r *keyring) List() ([]*Key, error) {
 | |
| 	r.mu.Lock()
 | |
| 	defer r.mu.Unlock()
 | |
| 	if r.locked {
 | |
| 		// section 2.7: locked agents return empty.
 | |
| 		return nil, nil
 | |
| 	}
 | |
| 
 | |
| 	r.expireKeysLocked()
 | |
| 	var ids []*Key
 | |
| 	for _, k := range r.keys {
 | |
| 		pub := k.signer.PublicKey()
 | |
| 		ids = append(ids, &Key{
 | |
| 			Format:  pub.Type(),
 | |
| 			Blob:    pub.Marshal(),
 | |
| 			Comment: k.comment})
 | |
| 	}
 | |
| 	return ids, nil
 | |
| }
 | |
| 
 | |
| // Insert adds a private key to the keyring. If a certificate
 | |
| // is given, that certificate is added as public key. Note that
 | |
| // any constraints given are ignored.
 | |
| func (r *keyring) Add(key AddedKey) error {
 | |
| 	r.mu.Lock()
 | |
| 	defer r.mu.Unlock()
 | |
| 	if r.locked {
 | |
| 		return errLocked
 | |
| 	}
 | |
| 	signer, err := ssh.NewSignerFromKey(key.PrivateKey)
 | |
| 
 | |
| 	if err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 
 | |
| 	if cert := key.Certificate; cert != nil {
 | |
| 		signer, err = ssh.NewCertSigner(cert, signer)
 | |
| 		if err != nil {
 | |
| 			return err
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	p := privKey{
 | |
| 		signer:  signer,
 | |
| 		comment: key.Comment,
 | |
| 	}
 | |
| 
 | |
| 	if key.LifetimeSecs > 0 {
 | |
| 		t := time.Now().Add(time.Duration(key.LifetimeSecs) * time.Second)
 | |
| 		p.expire = &t
 | |
| 	}
 | |
| 
 | |
| 	r.keys = append(r.keys, p)
 | |
| 
 | |
| 	return nil
 | |
| }
 | |
| 
 | |
| // Sign returns a signature for the data.
 | |
| func (r *keyring) Sign(key ssh.PublicKey, data []byte) (*ssh.Signature, error) {
 | |
| 	return r.SignWithFlags(key, data, 0)
 | |
| }
 | |
| 
 | |
| func (r *keyring) SignWithFlags(key ssh.PublicKey, data []byte, flags SignatureFlags) (*ssh.Signature, error) {
 | |
| 	r.mu.Lock()
 | |
| 	defer r.mu.Unlock()
 | |
| 	if r.locked {
 | |
| 		return nil, errLocked
 | |
| 	}
 | |
| 
 | |
| 	r.expireKeysLocked()
 | |
| 	wanted := key.Marshal()
 | |
| 	for _, k := range r.keys {
 | |
| 		if bytes.Equal(k.signer.PublicKey().Marshal(), wanted) {
 | |
| 			if flags == 0 {
 | |
| 				return k.signer.Sign(rand.Reader, data)
 | |
| 			} else {
 | |
| 				if algorithmSigner, ok := k.signer.(ssh.AlgorithmSigner); !ok {
 | |
| 					return nil, fmt.Errorf("agent: signature does not support non-default signature algorithm: %T", k.signer)
 | |
| 				} else {
 | |
| 					var algorithm string
 | |
| 					switch flags {
 | |
| 					case SignatureFlagRsaSha256:
 | |
| 						algorithm = ssh.SigAlgoRSASHA2256
 | |
| 					case SignatureFlagRsaSha512:
 | |
| 						algorithm = ssh.SigAlgoRSASHA2512
 | |
| 					default:
 | |
| 						return nil, fmt.Errorf("agent: unsupported signature flags: %d", flags)
 | |
| 					}
 | |
| 					return algorithmSigner.SignWithAlgorithm(rand.Reader, data, algorithm)
 | |
| 				}
 | |
| 			}
 | |
| 		}
 | |
| 	}
 | |
| 	return nil, errors.New("not found")
 | |
| }
 | |
| 
 | |
| // Signers returns signers for all the known keys.
 | |
| func (r *keyring) Signers() ([]ssh.Signer, error) {
 | |
| 	r.mu.Lock()
 | |
| 	defer r.mu.Unlock()
 | |
| 	if r.locked {
 | |
| 		return nil, errLocked
 | |
| 	}
 | |
| 
 | |
| 	r.expireKeysLocked()
 | |
| 	s := make([]ssh.Signer, 0, len(r.keys))
 | |
| 	for _, k := range r.keys {
 | |
| 		s = append(s, k.signer)
 | |
| 	}
 | |
| 	return s, nil
 | |
| }
 | |
| 
 | |
| // The keyring does not support any extensions
 | |
| func (r *keyring) Extension(extensionType string, contents []byte) ([]byte, error) {
 | |
| 	return nil, ErrExtensionUnsupported
 | |
| }
 |