fix: properly fail to import unsupported openssh keys

panva · Dec 10, 2019 · bee5744 · bee5744
1 parent 94ec607
commit bee5744
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 1 deletion.
diff --git a/lib/jwk/import.js b/lib/jwk/import.js
@@ -26,6 +26,8 @@ const mergedParameters = (target = {}, source = {}) => {
  }
 }
 
+const openSSHpublicKey = /^[a-zA-Z0-9-]+ (?:[a-zA-Z0-9+/])*(?:==|=)?(?: .*)?$/
+
 const asKey = (key, parameters, { calculateMissingRSAPrimes = false } = {}) => {
  let privateKey, publicKey, secret
 
@@ -98,7 +100,7 @@ const asKey = (key, parameters, { calculateMissingRSAPrimes = false } = {}) => {
  try {
  // this is to filter out invalid PEM keys and certs, i'll rather have them fail import then
  // have them imported as symmetric "oct" keys
- if (!key.includes('-----BEGIN')) {
+ if (!key.includes('-----BEGIN') && !openSSHpublicKey.test(key.toString('ascii').replace(/[\r\n]/g, ''))) {
  secret = createSecretKey(Buffer.isBuffer(key) ? key : Buffer.from(key))
  }
  } catch (err) {}

diff --git a/test/jwk/oct.test.js b/test/jwk/oct.test.js
@@ -1,4 +1,5 @@
 const test = require('ava')
+const { EOL } = require('os')
 
 const { createSecretKey } = require('../../lib/help/key_object')
 const { hasProperty, hasNoProperties } = require('../macros')
@@ -172,3 +173,34 @@ test('they may be imported so long as there was no k', t => {
  })
  }, { instanceOf: errors.JWKImportFailed, message: 'key import failed' })
 })
+
+;[
+ 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6ZsprTWFF+fOG0mrdIQ+HxXnb5pAazkvSff1d49tgc73VKkrStsNSq9ss3j65p6gn6un8DZht0zP58iMqgK9YjfTC1OOGKFCtXzJsY9XwhFoSvhaI0iC2NH+aGu8OFfYXiQs/UZGe9acvFgViTSa/qYvh3NYTVPPf4EaaUndMIVz6scwuPji4w/n5dYXk5PF58k0Dq52ID6yQVk2QBRf8JcL+dPy3YztPTB2kcu7e0N9VopC5Qq2TsCb2H9ooHlgMerJ0WjlCv1ADC/8I+Cj7K1dj/3dcrMK/YR+2Muey5aQufPWoxtFpUv/2ieIAi19hhLeUOZbOlkwD/k/DO9Ht panva@local',
+ 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJS61dYMKR7grCcg2wLzkQZs4ok5VVZ6Oc+TlOSrz6s5WLl4WdN2hPCpYs/PtbyGcW0a8CAEKik3guStuMGCN1I= panva@local',
+ 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5wJKRxgAdYUPm7gfP9eP4MKnWahgALTRDgMHt0VMj7 panva@local',
+ `-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW`
+].forEach((openSSH, i, { length }) => {
+ test(`openssh keys do not fall through to oct keys ${i + 1}/${length}`, t => {
+ // strings
+ t.throws(() => {
+ asKey(openSSH)
+ }, { instanceOf: errors.JWKImportFailed, message: 'key import failed' })
+ t.throws(() => {
+ asKey(openSSH.replace(' panva@local', ''))
+ }, { instanceOf: errors.JWKImportFailed, message: 'key import failed' })
+ t.throws(() => {
+ asKey(openSSH.match(/.{1,64}/g).join(EOL))
+ }, { instanceOf: errors.JWKImportFailed, message: 'key import failed' })
+ // buffers
+ t.throws(() => {
+ asKey(Buffer.from(openSSH))
+ }, { instanceOf: errors.JWKImportFailed, message: 'key import failed' })
+ t.throws(() => {
+ asKey(Buffer.from(openSSH.replace(' panva@local', '')))
+ }, { instanceOf: errors.JWKImportFailed, message: 'key import failed' })
+ t.throws(() => {
+ asKey(Buffer.from(openSSH.match(/.{1,64}/g).join(EOL)))
+ }, { instanceOf: errors.JWKImportFailed, message: 'key import failed' })
+ })
+})