watermanagement-backend-prod/node_modules/sshpk/lib/formats/openssh-cert.js

// Copyright 2017 Joyent, Inc.

module.exports = {
	read: read,
	verify: verify,
	sign: sign,
	signAsync: signAsync,
	write: write,

	/* Internal private API */
	fromBuffer: fromBuffer,
	toBuffer: toBuffer
};

var assert = require('assert-plus');
var SSHBuffer = require('../ssh-buffer');
var crypto = require('crypto');
var Buffer = require('safer-buffer').Buffer;
var algs = require('../algs');
var Key = require('../key');
var PrivateKey = require('../private-key');
var Identity = require('../identity');
var rfc4253 = require('./rfc4253');
var Signature = require('../signature');
var utils = require('../utils');
var Certificate = require('../certificate');

function verify(cert, key) {
	/*
	 * We always give an issuerKey, so if our verify() is being called then
	 * there was no signature. Return false.
	 */
	return (false);
}

var TYPES = {
	'user': 1,
	'host': 2
};
Object.keys(TYPES).forEach(function (k) { TYPES[TYPES[k]] = k; });

var ECDSA_ALGO = /^ecdsa-sha2-([^@-]+)-cert-v01@openssh.com$/;

function read(buf, options) {
	if (Buffer.isBuffer(buf))
		buf = buf.toString('ascii');
	var parts = buf.trim().split(/[ \t\n]+/g);
	if (parts.length < 2 || parts.length > 3)
		throw (new Error('Not a valid SSH certificate line'));

	var algo = parts[0];
	var data = parts[1];

	data = Buffer.from(data, 'base64');
	return (fromBuffer(data, algo));
}

function fromBuffer(data, algo, partial) {
	var sshbuf = new SSHBuffer({ buffer: data });
	var innerAlgo = sshbuf.readString();
	if (algo !== undefined && innerAlgo !== algo)
		throw (new Error('SSH certificate algorithm mismatch'));
	if (algo === undefined)
		algo = innerAlgo;

	var cert = {};
	cert.signatures = {};
	cert.signatures.openssh = {};

	cert.signatures.openssh.nonce = sshbuf.readBuffer();

	var key = {};
	var parts = (key.parts = []);
	key.type = getAlg(algo);

	var partCount = algs.info[key.type].parts.length;
	while (parts.length < partCount)
		parts.push(sshbuf.readPart());
	assert.ok(parts.length >= 1, 'key must have at least one part');

	var algInfo = algs.info[key.type];
	if (key.type === 'ecdsa') {
		var res = ECDSA_ALGO.exec(algo);
		assert.ok(res !== null);
		assert.strictEqual(res[1], parts[0].data.toString());
	}

	for (var i = 0; i < algInfo.parts.length; ++i) {
		parts[i].name = algInfo.parts[i];
		if (parts[i].name !== 'curve' &&
		    algInfo.normalize !== false) {
			var p = parts[i];
			p.data = utils.mpNormalize(p.data);
		}
	}

	cert.subjectKey = new Key(key);

	cert.serial = sshbuf.readInt64();

	var type = TYPES[sshbuf.readInt()];
	assert.string(type, 'valid cert type');

	cert.signatures.openssh.keyId = sshbuf.readString();

	var principals = [];
	var pbuf = sshbuf.readBuffer();
	var psshbuf = new SSHBuffer({ buffer: pbuf });
	while (!psshbuf.atEnd())
		principals.push(psshbuf.readString());
	if (principals.length === 0)
		principals = ['*'];

	cert.subjects = principals.map(function (pr) {
		if (type === 'user')
			return (Identity.forUser(pr));
		else if (type === 'host')
			return (Identity.forHost(pr));
		throw (new Error('Unknown identity type ' + type));
	});

	cert.validFrom = int64ToDate(sshbuf.readInt64());
	cert.validUntil = int64ToDate(sshbuf.readInt64());

	var exts = [];
	var extbuf = new SSHBuffer({ buffer: sshbuf.readBuffer() });
	var ext;
	while (!extbuf.atEnd()) {
		ext = { critical: true };
		ext.name = extbuf.readString();
		ext.data = extbuf.readBuffer();
		exts.push(ext);
	}
	extbuf = new SSHBuffer({ buffer: sshbuf.readBuffer() });
	while (!extbuf.atEnd()) {
		ext = { critical: false };
		ext.name = extbuf.readString();
		ext.data = extbuf.readBuffer();
		exts.push(ext);
	}
	cert.signatures.openssh.exts = exts;

	/* reserved */
	sshbuf.readBuffer();

	var signingKeyBuf = sshbuf.readBuffer();
	cert.issuerKey = rfc4253.read(signingKeyBuf);

	/*
	 * OpenSSH certs don't give the identity of the issuer, just their
	 * public key. So, we use an Identity that matches anything. The
	 * isSignedBy() function will later tell you if the key matches.
	 */
	cert.issuer = Identity.forHost('**');

	var sigBuf = sshbuf.readBuffer();
	cert.signatures.openssh.signature =
	    Signature.parse(sigBuf, cert.issuerKey.type, 'ssh');

	if (partial !== undefined) {
		partial.remainder = sshbuf.remainder();
		partial.consumed = sshbuf._offset;
	}

	return (new Certificate(cert));
}

function int64ToDate(buf) {
	var i = buf.readUInt32BE(0) * 4294967296;
	i += buf.readUInt32BE(4);
	var d = new Date();
	d.setTime(i * 1000);
	d.sourceInt64 = buf;
	return (d);
}

function dateToInt64(date) {
	if (date.sourceInt64 !== undefined)
		return (date.sourceInt64);
	var i = Math.round(date.getTime() / 1000);
	var upper = Math.floor(i / 4294967296);
	var lower = Math.floor(i % 4294967296);
	var buf = Buffer.alloc(8);
	buf.writeUInt32BE(upper, 0);
	buf.writeUInt32BE(lower, 4);
	return (buf);
}

function sign(cert, key) {
	if (cert.signatures.openssh === undefined)
		cert.signatures.openssh = {};
	try {
		var blob = toBuffer(cert, true);
	} catch (e) {
		delete (cert.signatures.openssh);
		return (false);
	}
	var sig = cert.signatures.openssh;
	var hashAlgo = undefined;
	if (key.type === 'rsa' || key.type === 'dsa')
		hashAlgo = 'sha1';
	var signer = key.createSign(hashAlgo);
	signer.write(blob);
	sig.signature = signer.sign();
	return (true);
}

function signAsync(cert, signer, done) {
	if (cert.signatures.openssh === undefined)
		cert.signatures.openssh = {};
	try {
		var blob = toBuffer(cert, true);
	} catch (e) {
		delete (cert.signatures.openssh);
		done(e);
		return;
	}
	var sig = cert.signatures.openssh;

	signer(blob, function (err, signature) {
		if (err) {
			done(err);
			return;
		}
		try {
			/*
			 * This will throw if the signature isn't of a
			 * type/algo that can be used for SSH.
			 */
			signature.toBuffer('ssh');
		} catch (e) {
			done(e);
			return;
		}
		sig.signature = signature;
		done();
	});
}

function write(cert, options) {
	if (options === undefined)
		options = {};

	var blob = toBuffer(cert);
	var out = getCertType(cert.subjectKey) + ' ' + blob.toString('base64');
	if (options.comment)
		out = out + ' ' + options.comment;
	return (out);
}


function toBuffer(cert, noSig) {
	assert.object(cert.signatures.openssh, 'signature for openssh format');
	var sig = cert.signatures.openssh;

	if (sig.nonce === undefined)
		sig.nonce = crypto.randomBytes(16);
	var buf = new SSHBuffer({});
	buf.writeString(getCertType(cert.subjectKey));
	buf.writeBuffer(sig.nonce);

	var key = cert.subjectKey;
	var algInfo = algs.info[key.type];
	algInfo.parts.forEach(function (part) {
		buf.writePart(key.part[part]);
	});

	buf.writeInt64(cert.serial);

	var type = cert.subjects[0].type;
	assert.notStrictEqual(type, 'unknown');
	cert.subjects.forEach(function (id) {
		assert.strictEqual(id.type, type);
	});
	type = TYPES[type];
	buf.writeInt(type);

	if (sig.keyId === undefined) {
		sig.keyId = cert.subjects[0].type + '_' +
		    (cert.subjects[0].uid || cert.subjects[0].hostname);
	}
	buf.writeString(sig.keyId);

	var sub = new SSHBuffer({});
	cert.subjects.forEach(function (id) {
		if (type === TYPES.host)
			sub.writeString(id.hostname);
		else if (type === TYPES.user)
			sub.writeString(id.uid);
	});
	buf.writeBuffer(sub.toBuffer());

	buf.writeInt64(dateToInt64(cert.validFrom));
	buf.writeInt64(dateToInt64(cert.validUntil));

	var exts = sig.exts;
	if (exts === undefined)
		exts = [];

	var extbuf = new SSHBuffer({});
	exts.forEach(function (ext) {
		if (ext.critical !== true)
			return;
		extbuf.writeString(ext.name);
		extbuf.writeBuffer(ext.data);
	});
	buf.writeBuffer(extbuf.toBuffer());

	extbuf = new SSHBuffer({});
	exts.forEach(function (ext) {
		if (ext.critical === true)
			return;
		extbuf.writeString(ext.name);
		extbuf.writeBuffer(ext.data);
	});
	buf.writeBuffer(extbuf.toBuffer());

	/* reserved */
	buf.writeBuffer(Buffer.alloc(0));

	sub = rfc4253.write(cert.issuerKey);
	buf.writeBuffer(sub);

	if (!noSig)
		buf.writeBuffer(sig.signature.toBuffer('ssh'));

	return (buf.toBuffer());
}

function getAlg(certType) {
	if (certType === 'ssh-rsa-cert-v01@openssh.com')
		return ('rsa');
	if (certType === 'ssh-dss-cert-v01@openssh.com')
		return ('dsa');
	if (certType.match(ECDSA_ALGO))
		return ('ecdsa');
	if (certType === 'ssh-ed25519-cert-v01@openssh.com')
		return ('ed25519');
	throw (new Error('Unsupported cert type ' + certType));
}

function getCertType(key) {
	if (key.type === 'rsa')
		return ('ssh-rsa-cert-v01@openssh.com');
	if (key.type === 'dsa')
		return ('ssh-dss-cert-v01@openssh.com');
	if (key.type === 'ecdsa')
		return ('ecdsa-sha2-' + key.curve + '-cert-v01@openssh.com');
	if (key.type === 'ed25519')
		return ('ssh-ed25519-cert-v01@openssh.com');
	throw (new Error('Unsupported key type ' + key.type));
}
Removed multer 3 years ago			`// Copyright 2017 Joyent, Inc.`

			`module.exports = {`
			`read: read,`
			`verify: verify,`
			`sign: sign,`
			`signAsync: signAsync,`
			`write: write,`

			`/* Internal private API */`
			`fromBuffer: fromBuffer,`
			`toBuffer: toBuffer`
			`};`

			`var assert = require('assert-plus');`
			`var SSHBuffer = require('../ssh-buffer');`
			`var crypto = require('crypto');`
			`var Buffer = require('safer-buffer').Buffer;`
			`var algs = require('../algs');`
			`var Key = require('../key');`
			`var PrivateKey = require('../private-key');`
			`var Identity = require('../identity');`
			`var rfc4253 = require('./rfc4253');`
			`var Signature = require('../signature');`
			`var utils = require('../utils');`
			`var Certificate = require('../certificate');`

			`function verify(cert, key) {`
			`/*`
			`* We always give an issuerKey, so if our verify() is being called then`
			`* there was no signature. Return false.`
			`*/`
			`return (false);`
			`}`

			`var TYPES = {`
			`'user': 1,`
			`'host': 2`
			`};`
			`Object.keys(TYPES).forEach(function (k) { TYPES[TYPES[k]] = k; });`

			`var ECDSA_ALGO = /^ecdsa-sha2-([^@-]+)-cert-v01@openssh.com$/;`

			`function read(buf, options) {`
			`if (Buffer.isBuffer(buf))`
			`buf = buf.toString('ascii');`
			`var parts = buf.trim().split(/[ \t\n]+/g);`
			`if (parts.length < 2 \|\| parts.length > 3)`
			`throw (new Error('Not a valid SSH certificate line'));`

			`var algo = parts[0];`
			`var data = parts[1];`

			`data = Buffer.from(data, 'base64');`
			`return (fromBuffer(data, algo));`
			`}`

			`function fromBuffer(data, algo, partial) {`
			`var sshbuf = new SSHBuffer({ buffer: data });`
			`var innerAlgo = sshbuf.readString();`
			`if (algo !== undefined && innerAlgo !== algo)`
			`throw (new Error('SSH certificate algorithm mismatch'));`
			`if (algo === undefined)`
			`algo = innerAlgo;`

			`var cert = {};`
			`cert.signatures = {};`
			`cert.signatures.openssh = {};`

			`cert.signatures.openssh.nonce = sshbuf.readBuffer();`

			`var key = {};`
			`var parts = (key.parts = []);`
			`key.type = getAlg(algo);`

			`var partCount = algs.info[key.type].parts.length;`
			`while (parts.length < partCount)`
			`parts.push(sshbuf.readPart());`
			`assert.ok(parts.length >= 1, 'key must have at least one part');`

			`var algInfo = algs.info[key.type];`
			`if (key.type === 'ecdsa') {`
			`var res = ECDSA_ALGO.exec(algo);`
			`assert.ok(res !== null);`
			`assert.strictEqual(res[1], parts[0].data.toString());`
			`}`

			`for (var i = 0; i < algInfo.parts.length; ++i) {`
			`parts[i].name = algInfo.parts[i];`
			`if (parts[i].name !== 'curve' &&`
			`algInfo.normalize !== false) {`
			`var p = parts[i];`
			`p.data = utils.mpNormalize(p.data);`
			`}`
			`}`

			`cert.subjectKey = new Key(key);`

			`cert.serial = sshbuf.readInt64();`

			`var type = TYPES[sshbuf.readInt()];`
			`assert.string(type, 'valid cert type');`

			`cert.signatures.openssh.keyId = sshbuf.readString();`

			`var principals = [];`
			`var pbuf = sshbuf.readBuffer();`
			`var psshbuf = new SSHBuffer({ buffer: pbuf });`
			`while (!psshbuf.atEnd())`
			`principals.push(psshbuf.readString());`
			`if (principals.length === 0)`
			`principals = ['*'];`

			`cert.subjects = principals.map(function (pr) {`
			`if (type === 'user')`
			`return (Identity.forUser(pr));`
			`else if (type === 'host')`
			`return (Identity.forHost(pr));`
			`throw (new Error('Unknown identity type ' + type));`
			`});`

			`cert.validFrom = int64ToDate(sshbuf.readInt64());`
			`cert.validUntil = int64ToDate(sshbuf.readInt64());`

			`var exts = [];`
			`var extbuf = new SSHBuffer({ buffer: sshbuf.readBuffer() });`
			`var ext;`
			`while (!extbuf.atEnd()) {`
			`ext = { critical: true };`
			`ext.name = extbuf.readString();`
			`ext.data = extbuf.readBuffer();`
			`exts.push(ext);`
			`}`
			`extbuf = new SSHBuffer({ buffer: sshbuf.readBuffer() });`
			`while (!extbuf.atEnd()) {`
			`ext = { critical: false };`
			`ext.name = extbuf.readString();`
			`ext.data = extbuf.readBuffer();`
			`exts.push(ext);`
			`}`
			`cert.signatures.openssh.exts = exts;`

			`/* reserved */`
			`sshbuf.readBuffer();`

			`var signingKeyBuf = sshbuf.readBuffer();`
			`cert.issuerKey = rfc4253.read(signingKeyBuf);`

			`/*`
			`* OpenSSH certs don't give the identity of the issuer, just their`
			`* public key. So, we use an Identity that matches anything. The`
			`* isSignedBy() function will later tell you if the key matches.`
			`*/`
			`cert.issuer = Identity.forHost('**');`

			`var sigBuf = sshbuf.readBuffer();`
			`cert.signatures.openssh.signature =`
			`Signature.parse(sigBuf, cert.issuerKey.type, 'ssh');`

			`if (partial !== undefined) {`
			`partial.remainder = sshbuf.remainder();`
			`partial.consumed = sshbuf._offset;`
			`}`

			`return (new Certificate(cert));`
			`}`

			`function int64ToDate(buf) {`
			`var i = buf.readUInt32BE(0) * 4294967296;`
			`i += buf.readUInt32BE(4);`
			`var d = new Date();`
			`d.setTime(i * 1000);`
			`d.sourceInt64 = buf;`
			`return (d);`
			`}`

			`function dateToInt64(date) {`
			`if (date.sourceInt64 !== undefined)`
			`return (date.sourceInt64);`
			`var i = Math.round(date.getTime() / 1000);`
			`var upper = Math.floor(i / 4294967296);`
			`var lower = Math.floor(i % 4294967296);`
			`var buf = Buffer.alloc(8);`
			`buf.writeUInt32BE(upper, 0);`
			`buf.writeUInt32BE(lower, 4);`
			`return (buf);`
			`}`

			`function sign(cert, key) {`
			`if (cert.signatures.openssh === undefined)`
			`cert.signatures.openssh = {};`
			`try {`
			`var blob = toBuffer(cert, true);`
			`} catch (e) {`
			`delete (cert.signatures.openssh);`
			`return (false);`
			`}`
			`var sig = cert.signatures.openssh;`
			`var hashAlgo = undefined;`
			`if (key.type === 'rsa' \|\| key.type === 'dsa')`
			`hashAlgo = 'sha1';`
			`var signer = key.createSign(hashAlgo);`
			`signer.write(blob);`
			`sig.signature = signer.sign();`
			`return (true);`
			`}`

			`function signAsync(cert, signer, done) {`
			`if (cert.signatures.openssh === undefined)`
			`cert.signatures.openssh = {};`
			`try {`
			`var blob = toBuffer(cert, true);`
			`} catch (e) {`
			`delete (cert.signatures.openssh);`
			`done(e);`
			`return;`
			`}`
			`var sig = cert.signatures.openssh;`

			`signer(blob, function (err, signature) {`
			`if (err) {`
			`done(err);`
			`return;`
			`}`
			`try {`
			`/*`
			`* This will throw if the signature isn't of a`
			`* type/algo that can be used for SSH.`
			`*/`
			`signature.toBuffer('ssh');`
			`} catch (e) {`
			`done(e);`
			`return;`
			`}`
			`sig.signature = signature;`
			`done();`
			`});`
			`}`

			`function write(cert, options) {`
			`if (options === undefined)`
			`options = {};`

			`var blob = toBuffer(cert);`
			`var out = getCertType(cert.subjectKey) + ' ' + blob.toString('base64');`
			`if (options.comment)`
			`out = out + ' ' + options.comment;`
			`return (out);`
			`}`


			`function toBuffer(cert, noSig) {`
			`assert.object(cert.signatures.openssh, 'signature for openssh format');`
			`var sig = cert.signatures.openssh;`

			`if (sig.nonce === undefined)`
			`sig.nonce = crypto.randomBytes(16);`
			`var buf = new SSHBuffer({});`
			`buf.writeString(getCertType(cert.subjectKey));`
			`buf.writeBuffer(sig.nonce);`

			`var key = cert.subjectKey;`
			`var algInfo = algs.info[key.type];`
			`algInfo.parts.forEach(function (part) {`
			`buf.writePart(key.part[part]);`
			`});`

			`buf.writeInt64(cert.serial);`

			`var type = cert.subjects[0].type;`
			`assert.notStrictEqual(type, 'unknown');`
			`cert.subjects.forEach(function (id) {`
			`assert.strictEqual(id.type, type);`
			`});`
			`type = TYPES[type];`
			`buf.writeInt(type);`

			`if (sig.keyId === undefined) {`
			`sig.keyId = cert.subjects[0].type + '_' +`
			`(cert.subjects[0].uid \|\| cert.subjects[0].hostname);`
			`}`
			`buf.writeString(sig.keyId);`

			`var sub = new SSHBuffer({});`
			`cert.subjects.forEach(function (id) {`
			`if (type === TYPES.host)`
			`sub.writeString(id.hostname);`
			`else if (type === TYPES.user)`
			`sub.writeString(id.uid);`
			`});`
			`buf.writeBuffer(sub.toBuffer());`

			`buf.writeInt64(dateToInt64(cert.validFrom));`
			`buf.writeInt64(dateToInt64(cert.validUntil));`

			`var exts = sig.exts;`
			`if (exts === undefined)`
			`exts = [];`

			`var extbuf = new SSHBuffer({});`
			`exts.forEach(function (ext) {`
			`if (ext.critical !== true)`
			`return;`
			`extbuf.writeString(ext.name);`
			`extbuf.writeBuffer(ext.data);`
			`});`
			`buf.writeBuffer(extbuf.toBuffer());`

			`extbuf = new SSHBuffer({});`
			`exts.forEach(function (ext) {`
			`if (ext.critical === true)`
			`return;`
			`extbuf.writeString(ext.name);`
			`extbuf.writeBuffer(ext.data);`
			`});`
			`buf.writeBuffer(extbuf.toBuffer());`

			`/* reserved */`
			`buf.writeBuffer(Buffer.alloc(0));`

			`sub = rfc4253.write(cert.issuerKey);`
			`buf.writeBuffer(sub);`

			`if (!noSig)`
			`buf.writeBuffer(sig.signature.toBuffer('ssh'));`

			`return (buf.toBuffer());`
			`}`

			`function getAlg(certType) {`
			`if (certType === 'ssh-rsa-cert-v01@openssh.com')`
			`return ('rsa');`
			`if (certType === 'ssh-dss-cert-v01@openssh.com')`
			`return ('dsa');`
			`if (certType.match(ECDSA_ALGO))`
			`return ('ecdsa');`
			`if (certType === 'ssh-ed25519-cert-v01@openssh.com')`
			`return ('ed25519');`
			`throw (new Error('Unsupported cert type ' + certType));`
			`}`

			`function getCertType(key) {`
			`if (key.type === 'rsa')`
			`return ('ssh-rsa-cert-v01@openssh.com');`
			`if (key.type === 'dsa')`
			`return ('ssh-dss-cert-v01@openssh.com');`
			`if (key.type === 'ecdsa')`
			`return ('ecdsa-sha2-' + key.curve + '-cert-v01@openssh.com');`
			`if (key.type === 'ed25519')`
			`return ('ssh-ed25519-cert-v01@openssh.com');`
			`throw (new Error('Unsupported key type ' + key.type));`
			`}`