annotate test/test_dropbearconvert.py @ 1916:3f4cdf839a1a
Make SHA1 optional, implement SHA256 fingerprints
SHA256 is always compiled and only enable SHA1 when needed. Fingerprints
are always SHA256: base64 format, md5 and sha1 are removed. dbrandom now
uses sha256 as its hash function.
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Wed, 30 Mar 2022 11:44:04 +0800 |
parents | ced53051e200 |
children |
rev | line source |
---|---|
1909 | 1 import subprocess |
2 import tempfile | |
3 | |
4 import pytest | |
5 | |
# Key type specs the tests below are parametrized over. A "-<bits>" suffix
# is split off by parse_keytype() and handed to the key generator as a size.
keytypes = [
    "rsa",
    "rsa-4096",
    "ed25519",
    "ecdsa",
    "ecdsa-256",
    "ecdsa-384",
    "ecdsa-521",
    "dss",
]
12 | |
def parse_keytype(kt):
    """
    Split a key type spec such as "rsa-4096" into its parts.

    Returns kt.split('-') (a list) when kt contains a hyphen, otherwise
    the tuple (kt, None). Callers unpack the result into (type, bits).
    """
    return kt.split('-') if '-' in kt else (kt, None)
18 | |
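@pytest.mark.parametrize("keytype", keytypes)
@pytest.mark.parametrize("keyformat", [None, "PEM"])
def test_from_openssh(request, tmp_path, keytype, keyformat):
    """
    Convert OpenSSH to Dropbear format,
    PEM and OpenSSH internal

    A key is generated with ssh-keygen and converted with dropbearconvert.
    The public key that dropbearkey prints for the converted file must
    equal the .pub file ssh-keygen wrote, so a conversion that changed the
    key material fails here.

    request -- pytest request; tool paths come from request.config.option
        (ssh_keygen, dropbearconvert, dropbearkey).
    tmp_path -- per-test directory that holds the throwaway key files.
    keytype -- an entry of keytypes, optionally with a "-<bits>" suffix.
    keyformat -- None to leave ssh-keygen's private key format at its
        default, otherwise the value passed to ssh-keygen -m.
    """
    opt = request.config.option
    kt, keybits = parse_keytype(keytype)

    if kt == 'dss' and keyformat is None:
        pytest.skip("dss doesn't support openssh format")

    os_kt = kt
    if os_kt == 'dss':
        # OpenSSH calls it 'dsa', Dropbear calls it 'dss'
        os_kt = 'dsa'

    os_key = tmp_path / 'oskey1'
    db_key = tmp_path / 'dbkey1'

    # Generate an OpenSSH key. Commands are passed as argument lists, so
    # the key paths are never interpreted by a shell.
    args = [
        opt.ssh_keygen,
        '-f', os_key,
        '-t', os_kt,
        '-N', '', # no password: test-only key that stays under tmp_path
    ]
    if keybits is not None:
        args += ['-b', keybits]
    if keyformat:
        args += ['-m', keyformat]
    subprocess.run(args, check=True)

    # Convert to dropbear format
    args = [
        opt.dropbearconvert,
        'openssh', 'dropbear',
        os_key, db_key,
    ]
    subprocess.run(args, check=True)

    # Compare pubkeys
    args = [
        opt.dropbearkey,
        '-f', db_key,
        '-y'
    ]
    p = subprocess.run(args, check=True, stdout=subprocess.PIPE, text=True)
    # The key is read from the second output line; the first line is
    # presumably a header -- confirm against dropbearkey -y output.
    db_pubkey = p.stdout.splitlines()[1].strip()
    # read_text() closes the file; a bare open().read() left the handle to
    # the garbage collector.
    os_pubkey = os_key.with_suffix('.pub').read_text().strip()
    # we compare the whole key including comment since it currently matches
    assert db_pubkey == os_pubkey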
72 | |
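@pytest.mark.parametrize("keytype", keytypes)
def test_roundtrip(request, tmp_path, keytype):
    """
    Dropbear's private key format is deterministic so
    we can compare round trip conversion. (OpenSSH's
    format has more variable comments and other fields).

    A key is generated with dropbearkey, converted to OpenSSH format and
    back. ssh-keygen must be able to read the intermediate file and derive
    the same public key, and the final Dropbear file must be byte-identical
    to the first one.

    request -- pytest request; tool paths come from request.config.option
        (ssh_keygen, dropbearconvert, dropbearkey).
    tmp_path -- per-test directory that holds the throwaway key files.
    keytype -- an entry of keytypes, optionally with a "-<bits>" suffix.
    """
    opt = request.config.option
    kt, keybits = parse_keytype(keytype)

    os_key = tmp_path / 'oskey1'
    db_key1 = tmp_path / 'dbkey1'
    db_key2 = tmp_path / 'dbkey2'

    # generate a key
    args = [
        opt.dropbearkey,
        '-t', kt,
        '-f', db_key1,
    ]
    if keybits is not None:
        args += ['-s', keybits]
    subprocess.run(args, check=True)

    # convert to openssh
    args = [
        opt.dropbearconvert,
        'dropbear', 'openssh',
        db_key1, os_key,
    ]
    subprocess.run(args, check=True)

    # Check ssh-keygen can read it
    args = [
        opt.ssh_keygen,
        '-f', os_key,
        '-y',
    ]
    p = subprocess.run(args, check=True, text=True, stdout=subprocess.PIPE)
    os_pubkey = p.stdout.strip()

    # Compare public keys
    args = [
        opt.dropbearkey,
        '-f', db_key1,
        '-y',
    ]
    p = subprocess.run(args, check=True, text=True, stdout=subprocess.PIPE)
    # The key is read from the second output line; the first line is
    # presumably a header -- confirm against dropbearkey -y output.
    db_pubkey = p.stdout.splitlines()[1].strip()
    # comment may differ, so only the first two space-separated fields
    # are compared
    db_pubkey = db_pubkey.split(' ')[:2]
    os_pubkey = os_pubkey.split(' ')[:2]
    assert db_pubkey == os_pubkey

    # convert back to dropbear
    args = [
        opt.dropbearconvert,
        'openssh', 'dropbear',
        os_key, db_key2,
    ]
    subprocess.run(args, check=True)
    # check the round trip is identical; read_bytes() closes each file
    # instead of leaving the handle to the garbage collector
    assert db_key1.read_bytes() == db_key2.read_bytes()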