[WIP] SSH Data Signatures

.devcontainer/devcontainer.json

@@ -0,0 +1,10 @@
+{
+    "customizations": {
+        "vscode": {
+            "extensions": [
+                "scheiblingco.code-pypack",
+                "scheiblingco.code-cmd-repeat"
+            ]
+        }
+    }
+}

.github/workflows/deploy_testing.yml

@@ -1,3 +1,4 @@
+name: "Release Tests"
 on:
   release:
     types: [created]

.github/workflows/dev_testing.yml

@@ -1,3 +1,4 @@
+name: "Development Tests"
 on:
     push:
         paths-ignore:

.github/workflows/linting.yml

@@ -1,3 +1,4 @@
+name: "Pylint"
 on:
     push:
         paths-ignore:
@@ -23,12 +24,11 @@ jobs:
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
-          pip install -r requirements.txt
-          pip install pylint pylint-report pylint-json2html
+          pip install -r requirements-test.txt
 
       - name: Run tests
         run: |
-          pylint src/sshkey_tools | tee | pylint-json2html -o report.html
+          python3 -m pylint src/sshkey_tools | tee | pylint_report -o report.html
 
       - name: Upload report
         uses: actions/upload-artifact@v1

.github/workflows/publish.yml

@@ -1,3 +1,4 @@
+name: "Build Release"
 on:
   release:
     types: [published]

.gitignore

@@ -148,4 +148,13 @@ report.html
 test_certificate
 testing.py
 .idea
-core
+core
+/id_rsa
+/id_rsa.pub
+/id_ecdsa*
+/id_dsa*
+/id_ed25519*
+hello.txt
+hello.txt.sig
+
+/testkeys

.pylintrc

@@ -1,2 +1,6 @@
+[MASTER]
+load-plugins=pylint_report
+extension-pkg-allow-list=cryptography.hazmat.bindings._rust
+
 [REPORTS]
-output-format=json
+output-format=pylint_report.CustomJsonReporter

Pipfile

@@ -0,0 +1,25 @@
+[[source]]
+url = "https://pypi.org/simple"
+verify_ssl = true
+name = "pypi"
+
+[packages]
+click = ">=7.1"
+cryptography = ">=41.0"
+bcrypt = ">=4.0"
+enum34 = ">=1.1"
+prettytable = ">=3.1"
+pytimeparse2 = ">=1.4"
+
+[dev-packages]
+pylint-report = "*"
+paramiko = "*"
+coverage = "*"
+black = "*"
+pytest-cov = "*"
+faker = "*"
+cprint = "*"
+pylint = "*"
+
+[requires]
+python_version = "3.9"

README.md

@@ -1,10 +1,34 @@
+![SSHKey Tools](./assets/sshkey-tools-plain.svg)
 # sshkey-tools
+[![PyPI version](https://badge.fury.io/py/sshkey-tools.svg)](https://badge.fury.io/py/sshkey-tools)
+![Linting](https://github.com/scheiblingco/sshkey-tools/actions/workflows/linting.yml/badge.svg)
+![Testing-Dev](https://github.com/scheiblingco/sshkey-tools/actions/workflows/dev_testing.yml/badge.svg)
+![Testing-Build](https://github.com/scheiblingco/sshkey-tools/actions/workflows/deploy_testing.yml/badge.svg)
+![Build](https://github.com/scheiblingco/sshkey-tools/actions/workflows/publish.yml/badge.svg)
+[![CodeQL](https://github.com/scheiblingco/sshkey-tools/actions/workflows/github-code-scanning/codeql/badge.svg)](https://github.com/scheiblingco/sshkey-tools/actions/workflows/github-code-scanning/codeql)
+
+
 
 Python package for managing OpenSSH keypairs and certificates ([protocol.CERTKEYS](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys)). Supported functionality includes:
 
+## Notice
+The DSA algorithm has been deprecated and is removed in pyca/cryptography 41.x, meaning **version 0.9.* of this package will be the last to support DSA keys and certificates** for SSH. If there is any demand to reintroduce DSA support, please open an issue regarding this and we'll look into it. 
+
+For now, **0.9.* will be restricted to version <41.1 of the cryptography package** and **0.10 will have its DSA support removed**. We've introduced a deprecation notice in version 0.9.3.
+
+### Background
+The DSA algorithm is considered deprecated and will be removed in a future version. If possible, use RSA, [(ECDSA)](https://billatnapier.medium.com/ecdsa-weakness-where-nonces-are-reused-2be63856a01a) or ED25519 as a first-hand choice.
+
+### Notice from OpenSSH:
+```
+OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm. It too is weak and we recommend against its use. It can be re-enabled using the HostKeyAlgorithms configuration option: sshd_config(5) HostKeyAlgorithms
+```
+
+[ECDSA has some flaws](https://billatnapier.medium.com/ecdsa-weakness-where-nonces-are-reused-2be63856a01a), especially when using short nonces or re-using nonces, it can still be used but exercise some caution in regards to nonces/re-signing identical data multiple times.
+
 # Features
 ### SSH Keys
-- Supports RSA, DSA, ECDSA and ED25519 keys
+- Supports RSA, ECDSA and ED25519 keys
 - Import existing keys from file, string, byte data or [pyca/cryptography](https://github.com/pyca/cryptography) class
 - Generate new keys
 - Get public key from private keys
@@ -13,7 +37,7 @@ Python package for managing OpenSSH keypairs and certificates ([protocol.CERTKEY
 - Generate fingerprint
 
 ### OpenSSH Certificates
-- Supports RSA, DSA, ECDSA and ED25519 certificates
+- Supports RSA, ECDSA and ED25519 certificates
 - Import existing certificates from file, string or bytes
 - Verify certificate signature against internal or separate public key
 - Create new certificates from CA private key and subject public key
@@ -22,11 +46,7 @@ Python package for managing OpenSSH keypairs and certificates ([protocol.CERTKEY
 - Export certificates to file, string or bytes
 
 # Roadmap
-- [x] Rewrite certificate field functionality for simpler usage
-- [ ] Re-add functionality for changing RSA hash method
-- [ ] Add CLI functionality
-- [ ] Convert to/from putty format (keys only)
-
+See issues for planned features and fixes
 
 # Installation
 
@@ -49,12 +69,18 @@ pip3 install ./
 # Documentation
 You can find the full documentation at [scheiblingco.github.io/sshkey-tools/](https://scheiblingco.github.io/sshkey-tools/)
 
+## Building the documentation
+```bash
+pdoc3 src/sshkey_tools/ -o docs --html
+cp -rf docs/sshkey_tools/* docs/
+rm -rf docs/sshkey_tools
+```
+
 ## SSH Keypairs (generating, loading, exporting)
 ```python
 # Import the certificate classes
 from sshkey_tools.keys import (
     RsaPrivateKey,
-    DsaPrivateKey,
     EcdsaPrivateKey,
     Ed25519PrivateKey,
     EcdsaCurves
@@ -69,7 +95,8 @@ rsa_priv = RsaPrivateKey.generate()
 rsa_priv = RsaPrivateKey.generate(2048)
 
 # Generate DSA keys (since SSH only supports 1024-bit keys, this is the default)
-dsa_priv = DsaPrivateKey.generate()
+# DEPRECATED
+# dsa_priv = DsaPrivateKey.generate()
 
 # Generate ECDSA keys (The default curve is P521)
 ecdsa_priv = EcdsaPrivateKey.generate()
@@ -124,6 +151,7 @@ b"\0xc\0a\........"
 The loaded private key objects can be used to sign bytestrings, and the public keys can be used to verify signatures on those
 ```python
 from sshkey_tools.keys import RsaPrivateKey, RsaPublicKey
+from sshkey_tools.fields import RsaAlgs
 
 signable_data = b'This is a message that will be signed'
 
@@ -133,6 +161,10 @@ pubkey = RsaPrivateKey.public_key
 # Sign the data
 signature = privkey.sign(signable_data)
 
+# When using an RSA key for the signature, you can specify the hashing algorithm
+# The default algorithm is SHA512
+signature = privkey.sign(signable_data, RsaAlgs.SHA512)
+
 # Verify the signature (Throws exception if invalid)
 pubkey.verify(signable_data, signature)
 ```
@@ -308,6 +340,10 @@ certificate.sign()
 ```
 
 ## Changelog
+### 0.9.1
+- Updated documentation
+- Fix for bug where exception would occur when trying to export a key without a comment set
+
 ### 0.9
 - Adjustments to certificate field handling for easier usage/syntax autocompletion
 - Updated testing

dev.Dockerfile

@@ -0,0 +1,7 @@
+FROM mcr.microsoft.com/devcontainers/universal:2
+
+RUN curl https://pyenv.run | bash \
+    && echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc \
+    && echo 'command -v pyenv >/dev/null || export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc \
+    && echo 'eval "$(pyenv init -)"' >> ~/.bashrc
+