FEAT: added ppk (PuTTY Private Key) codec (so far only RSA keys)

Author: Oldes

src/mezz/boot-files.r

@@ -56,6 +56,7 @@ REBOL [
 	%codec-pkix.r
 	%codec-der.r
 	%codec-crt.r
+	%codec-ppk.r
 	%codec-ssh-key.r
 	;- compression
 	%codec-gzip.r

src/mezz/codec-ppk.r

@@ -0,0 +1,117 @@
+REBOL [
+	Title:   "REBOL 3 codec: PuTTY Private Key"
+	Author:  "Oldes"
+	Rights:  "Copyright (C) 2020 Oldes. All rights reserved."
+	License: "BSD-3"
+	Test:    %tests/units/rsa-test.r3
+	Note: {
+		* it extract (and inits) only RSA keys so far
+	}
+]
+
+register-codec [
+	name: 'ppk
+	title: "PuTTY Private Key"
+	suffixes: [%.ppk]
+
+	decode: function [
+		"Decodes PuTTY key file"
+		data [binary! string! file!]
+		/password pass [string! binary!] "Optional password for encrypted keys"
+		/local type encr comm line pmac
+		;return: [handle! none!] "RSA private key handle on success"
+	][
+		if file?   data [data: read/string data]
+		if binary? data [data: to string! data]
+		 sp:   charset " ^-^/^M"
+		!sp:   complement sp
+		!crlf: complement charset "^M^/"
+		try/except [
+			parse data [
+				"PuTTY-User-Key-File-" ["1:" (vers: 1) | "2:" (vers: 2)]
+					any sp copy type some !sp some sp
+				"Encryption:"
+					any sp copy encr some !sp some sp
+				"Comment: "
+					any sp copy comm some !crlf some sp
+				"Public-Lines:"
+					any sp copy num some !sp some sp
+				(
+					num: to integer! to string! num
+					pub: make binary! 64 * num
+				)
+				num [ copy line any !crlf some sp (append pub line) ]
+				"Private-Lines:"
+					any sp copy num some !sp some sp
+				(
+					num: to integer! to string! num
+					pri: make binary! 64 * num
+				)
+				num [ copy line any !crlf some sp (append pri line) ]
+				["Private-MAC:" (mac?: true) | "Private-Hash:" (mac?: false)]
+					any sp copy pmac some !sp any sp
+
+				|
+
+				"---- BEGIN SSH2 PUBLIC KEY ----" to end (
+					return codecs/ssh-key/decode/password data pass
+				)
+
+			]
+			pub: debase pub 64
+			pri: debase pri 64
+
+			if encr = "aes256-cbc" [
+				try/except [
+					pass: either password [copy pass][
+						ask/hide ajoin ["Key password for " mold comm ": "]
+					]
+					key: join checksum/secure join #{00000000} pass
+					          checksum/secure join #{00000001} pass
+					key: aes/decrypt/key copy/part key 32 none
+					pri: aes/decrypt/stream key pri
+				][
+					;clean pass data in memory
+					forall pass [pass/1: random 255]
+					print "Failed to decrypt private key!"
+					return none
+				]
+			]
+
+			macdata: either vers = 1 [ pri ][
+				select binary/write 800 [
+					UI32BYTES :type
+					UI32BYTES :encr
+					UI32BYTES :comm
+					UI32BYTES :pub
+					UI32BYTES :pri
+				] 'buffer
+			]
+			mackey: checksum/secure join "putty-private-key-file-mac-key" any [pass ""]
+			if pass [forall pass [pass/1: random 255]]
+			if pmac <> form either mac? [
+				checksum/secure/key macdata mackey
+			][	checksum/secure     macdata ] [
+				print either key ["Wrong password!"]["MAC failed!"]
+				return none
+			]
+			binary/read pub [
+				t: UI32BYTES	
+				e: UI32BYTES ;exponent
+				n: UI32BYTES ;modulus
+			]
+			binary/read pri [
+				d: UI32BYTES
+				p: UI32BYTES
+				q: UI32BYTES
+				i: UI32BYTES
+			]
+			if "ssh-rsa" = to string! t [
+				return rsa-init/private n e d p q none none i
+			]
+		][
+			print system/state/last-error
+		]
+		none
+	]
+]

src/mezz/codec-ssh-key.r

@@ -1,7 +1,7 @@
 REBOL [
 	Title:   "REBOL 3 codec: Secure Shell Key"
 	Author:  "Oldes"
-	Rights:  "Copyright (C) 2018 Oldes. All rights reserved."
+	Rights:  "Copyright (C) 2020 Oldes. All rights reserved."
 	License: "BSD-3"
 	Test:    %tests/units/crypt-test.r3
 	Note: {
@@ -35,7 +35,7 @@ wrap [
 		decode: function [
 			"Decodes and initilize SSH key"
 			key [binary! string! file!]
-			/password p [string! binary!] "Optional password"
+			/password p [string! binary! none!] "Optional password"
 		][
 			case [
 				file?   key [ key: read key ]
@@ -59,7 +59,7 @@ wrap [
 						"AES-128-CBC" #"," copy iv to end
 					]
 					iv: debase iv 16
-					unless password [p: ask/hide "Pasword: "]
+					unless p [p: ask/hide "Pasword: "]
 					p: checksum/method
 						join to binary! p copy/part iv 8
 						'md5

src/tests/units/crypt-test.r3

@@ -221,8 +221,24 @@ sY29ouezv4Xz2PuMch5VGPP+CDqzCM4loWgV
 
 
 ===start-group=== "SSH-key codec"
-	--test-- "Init RSA key from file"
+--test-- "Init RSA key from file"
 	--assert handle? try [key: decode 'ssh-key read %units/files/rebol-public.ppk]
 	rsa key none ; release it, as it is not GCed yet.
+===end-group===
+
+===start-group=== "PPK codec"
+--test-- "Init RSA key from PPK file"
+	--assert handle? try [key: load %units/files/rebol-private-no-pass.ppk]
+	rsa key none ; release it, as it is not GCed yet.
+
+--test-- "Init RSA key from encrypted PPK file"
+	--assert handle? try [key: codecs/ppk/decode/password %units/files/rebol-private.ppk "Rebol"]
+	rsa key none ; release it, as it is not GCed yet.
+
+--test-- "Init public RSA key from SSH2 PPK file"
+	--assert handle? try [key: load %units/files/rebol-public.ppk]
+	rsa key none ; release it, as it is not GCed yet.
+===end-group===
+
 
 ~~~end-file~~~

src/tests/units/files/rebol-private-no-pass.ppk

@@ -0,0 +1,26 @@
+PuTTY-User-Key-File-2: ssh-rsa
+Encryption: none
+Comment: rsa-key-rebol-test
+Public-Lines: 6
+AAAAB3NzaC1yc2EAAAABJQAAAQEA8mjwC6ZCwpQCnDXqU7g2tyvMFoWpJV+myfBz
+9zbhw7rHxUmFubMtEwCKQhYccQxbPCcWu/KIg5TOhmcf9RK1xIuUrOUiUdM8uOwR
+S+e5kitTUgux/wjyMNlpK5laIS1hFHiFhCxecN7Won3bsPDMm5Wi3dBMv1+1jK1r
+lDtJYxDDcJE2T59m1UI4AN/Pm7dndr11yCmUdKy6VACf5V7u4OX5uC3fsTEuCV1P
+2WwLBqtZMYG3jjzuRTana+s8n2TXk5D9lXoPMc7Tj4/aSw50UUAYhmVpie/8vtVw
+A7MhOCA4us6q3+Mx07vq8EmzbLOGtP9taXQkDF6JR6wY4IEXBw==
+Private-Lines: 14
+AAABABo02647fNbD5JtEGVUoq/ggaRcxC138gLvipMDHqbRLizfsRc7i8B263oOv
+XQVNcaWjXGdYfXYCP9ctvkQCBdAPFv3vQfsCFGcEw5mA1cqc5mm8Ez4qewwzLfbg
+JWte2hANB4PpHvdyCV2svc3whNKMt6lG84pPiT+kC6FShHlpYre9nv6jbGuAb0tJ
+h1pO9KZVBs/Sn5nS+SwmN+lYDOo66owLK+JmhSZ8fIpxueyB1lWVgIV1SlcEst/a
+WmYtdgYW9bqRIDqB1RSL+SG8PaV1nptlebYOBAYwh23ZfZB3dXAMyE2cqv/io1kM
+2Unhj2UrcSO8J2Xai3m4Vp6XcU0AAACBAP2AxslebLmhbVLNFikTYVUUr3nhRsVb
+C/V0Tem0LG4WejVYDdjeZFYkZ5h7PM36PVfMpzSsSZMHhl1kCgRtgJYxMndHTPEc
+UxaAmFnbt/fKzRCY9QO01tk79JGyz3JobiaiL5RCvxGVHzzay8BecuAsPDqTJVUu
+Juo9IPTYotK1AAAAgQD0zDBuPcsCUXDfu2GChPu7X3t85IaKysFEB1ExAsQJU8rK
+0Liw5JiIQPY3XZNFQL0CzTOeD3ZrmMTTcT10AL+9qgolUG6z+ErKEOi/90lCS/MM
+0AXAARd+SZ/5mMflV2ETzCjZzzryf6xHHccZIto4IPFcS8JicBIU5KICzOVsSwAA
+AIEA4aa3eBSozdeS9yCRYz4vFK7kAY7pWTIuMIyUjzxNCyFiPqWxVZPFYIQts0KZ
+5diK42wdwFfT1CguqvkkEAwN/J1L9Mq4g3WYKPyefjw8Ub2Vx/vaI0MqAH26Jbbd
+0YBrAFm+aVO5Z6bbFYlkKaVZNi/kA4L1NgFFvT8OsSURgLU=
+Private-MAC: ae8cac65d4d96599886f6efaaa703176960f3983

src/tests/units/files/rebol-private.ppk

@@ -0,0 +1,26 @@
+PuTTY-User-Key-File-2: ssh-rsa
+Encryption: aes256-cbc
+Comment: rsa-key-rebol-test
+Public-Lines: 6
+AAAAB3NzaC1yc2EAAAABJQAAAQEA8mjwC6ZCwpQCnDXqU7g2tyvMFoWpJV+myfBz
+9zbhw7rHxUmFubMtEwCKQhYccQxbPCcWu/KIg5TOhmcf9RK1xIuUrOUiUdM8uOwR
+S+e5kitTUgux/wjyMNlpK5laIS1hFHiFhCxecN7Won3bsPDMm5Wi3dBMv1+1jK1r
+lDtJYxDDcJE2T59m1UI4AN/Pm7dndr11yCmUdKy6VACf5V7u4OX5uC3fsTEuCV1P
+2WwLBqtZMYG3jjzuRTana+s8n2TXk5D9lXoPMc7Tj4/aSw50UUAYhmVpie/8vtVw
+A7MhOCA4us6q3+Mx07vq8EmzbLOGtP9taXQkDF6JR6wY4IEXBw==
+Private-Lines: 14
+/Gzphw/DanBX5LxOzabPGUGokcJ1CenfNcHJfzfdnESNf2JWdWppZR0b/vgh0wgd
+3brFou3jMlVee6NSPXhOn4+rL+ptjdnlPnF3RZU5ckcRngAWRVX987Ufzj426enc
+8IeWyCLQbHCQJ1xsG3CLc3hd4ke10yri4IipD0O4olL6n3Bt5w9wyuZQq/liCcxJ
+Y5iaHrUWphGsmEBtAnpAgAXbgqm3fKZEYgyTWo3X0u2QOYQsI/xJD4dfJ+4QbM/F
+PDCBMe7kGz8cbjdKAa7JywUuw28N/Srhg7aWlGRnUgwB7mdhc5GQlw0O13FvfGfU
+JgD3QIdzOv4cDFtLtYujuw0pf0ZST4aoxbF5lPkTHyRdgtT8DBa6AawWbr1zIYfn
+6B28w0cHt86Cy7nUGy5D8Kl1ez514DzNo+RsvvApzmeTRR+K2RZSf4KN/Kmj9Lsq
+VXW/xIK7PvxTSBdBVMNEDVw0s+PpNOePou7/jRi1GPMCqFG9aPGvk+48ACPrmX0g
+EqHYub3ksMw0EItZ8VdZgVqo2QOfTIuLqS9IvtniDH4V64QAS+ZskB2XTInaT+w+
+upTMyejdKMp1Oyg6JB/n2BpPWvSohT7D9Bav+NDepe1araIMlhVM48P1cGVvUTBB
+Q6iuj83Whk9jDSKWQ/wG8cjuDFgCu3SRSb+y2qcdNJrLeizafjS15OMM1ZUZzpWd
+qxl7UYFGiYr/J5ceO8DastXu7X6tJtOy2PjeATJoYU6aKFE7rdtn/Ia3Cn/jopJ9
+CicXyZRtq+k2X8Caij5Qw3AjWY0RwgZV5w4tsgoBTA1Q25LDDIdo8Ycu8Iapo7Fq
+CQiGrQGCwAOzYOS9rqPc+1LuykqS31bY12aP7wsQZBq/t4gZZ9Obvpj6JsJao7ds
+Private-MAC: 30325c1c3e2eebad4a079e37394e83633143b84d

src/tests/units/rsa-test.r3

@@ -99,4 +99,26 @@ Rebol [
 
 ===end-group===
 
+
+===start-group=== "RSA initialization using codecs"
+	--test-- "RSA sign/verify using external file"
+	; Bob has data, which wants to sign, so it's clear, that nobody modifies them
+	data: "Hello!"
+	; As RSA is slow, it is used on hashes.. for example SHA1
+	hash: checksum/secure data
+	; Bob uses private key which keeps secret...
+	--assert handle? try [private-key: load %units/files/rebol-private-no-pass.ppk]
+	; .. to sign the hash..
+	--assert binary? signed-hash: rsa/sign private-key hash
+
+	; than sends data, and signed hash to Eve, who have his public key 
+	--assert handle? try [public-key: load %units/files/rebol-public.ppk]
+	; Eve uses the key to verify the checksum...
+	--assert (checksum/secure data) = rsa/verify public-key signed-hash
+	; so she know, that data were not modified
+
+	; cleanup:
+	rsa public-key none
+	rsa private-key none
+
 ~~~end-file~~~