Mercurial > dropbear
view test/test_dropbearconvert.py @ 1916:3f4cdf839a1a
Make SHA1 optional, implement SHA256 fingerprints
SHA256 is always compiled and only enable SHA1 when needed. Fingerprints
are always SHA256: base64 format, md5 and sha1 are removed. dbrandom now
uses sha256 its hash function.
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Wed, 30 Mar 2022 11:44:04 +0800 |
parents | ced53051e200 |
children |
line wrap: on
line source
import subprocess import tempfile import pytest keytypes = [ "rsa", "rsa-4096", "ed25519", "ecdsa", "ecdsa-256", "ecdsa-384", "ecdsa-521", "dss", ] def parse_keytype(kt): if '-' in kt: return kt.split('-') else: return (kt, None) @pytest.mark.parametrize("keytype", keytypes) @pytest.mark.parametrize("keyformat", [None, "PEM"]) def test_from_openssh(request, tmp_path, keytype, keyformat): """ Convert OpenSSH to Dropbear format, PEM and OpenSSH internal """ opt = request.config.option kt, keybits = parse_keytype(keytype) if kt == 'dss' and keyformat is None: pytest.skip("dss doesn't support openssh format") os_kt = kt if os_kt == 'dss': # OpenSSH calls it 'dsa', Dropbear calls it 'dss' os_kt = 'dsa' os_key = tmp_path / 'oskey1' db_key = tmp_path / 'dbkey1' # Generate an OpenSSH key args = [ opt.ssh_keygen, '-f', os_key, '-t', os_kt, '-N', '', # no password ] if keybits is not None: args += ['-b', keybits] if keyformat: args += ['-m', keyformat] p = subprocess.run(args, check=True) # Convert to dropbear format args = [ opt.dropbearconvert, 'openssh', 'dropbear', os_key, db_key, ] p = subprocess.run(args, check=True) # Compare pubkeys args = [ opt.dropbearkey, '-f', db_key, '-y' ] p = subprocess.run(args, check=True, stdout=subprocess.PIPE, text=True) db_pubkey = p.stdout.splitlines()[1].strip() os_pubkey = os_key.with_suffix('.pub').open().read().strip() # we compare the whole key including comment since it currently matches assert db_pubkey == os_pubkey @pytest.mark.parametrize("keytype", keytypes) def test_roundtrip(request, tmp_path, keytype): """ Dropbear's private key format is deterministic so we can compare round trip conversion. (OpenSSH's format has more variable comments and other fields). """ opt = request.config.option kt, keybits = parse_keytype(keytype) os_key = tmp_path / 'oskey1' db_key1 = tmp_path / 'dbkey1' db_key2 = tmp_path / 'dbkey2' # generate a key args = [ opt.dropbearkey, '-t', kt, '-f', db_key1, ] if keybits is not None: args += ['-s', keybits] p = subprocess.run(args, check=True) # convert to openssh args = [ opt.dropbearconvert, 'dropbear', 'openssh', db_key1, os_key, ] p = subprocess.run(args, check=True) # Check ssh-keygen can read it args = [ opt.ssh_keygen, '-f', os_key, '-y', ] p = subprocess.run(args, check=True, text=True, stdout=subprocess.PIPE) os_pubkey = p.stdout.strip() # Compare public keys args = [ opt.dropbearkey, '-f', db_key1, '-y', ] p = subprocess.run(args, check=True, text=True, stdout=subprocess.PIPE) db_pubkey = p.stdout.splitlines()[1].strip() # comment may differ db_pubkey = db_pubkey.split(' ')[:2] os_pubkey = os_pubkey.split(' ')[:2] assert db_pubkey == os_pubkey # convert back to dropbear args = [ opt.dropbearconvert, 'openssh', 'dropbear', os_key, db_key2, ] p = subprocess.run(args, check=True) # check the round trip is identical assert db_key1.open('rb').read() == db_key2.open('rb').read()