From 3243243be8e85413a74fedfec6694ee2dbd3d62f Mon Sep 17 00:00:00 2001 From: Toni Spets Date: Fri, 10 Dec 2021 20:57:22 +0200 Subject: [PATCH] SSH Agent: Add support for generating SSH keys Supported key types are RSA, ECDSA and Ed25519. Includes tests to compare writing out keys produce the exact same private key if read from OpenSSH format and tests against ssh-agent to ensure all no generated key is rejected. --- share/translations/keepassxc_en.ts | 735 ++++++++++++----------- src/gui/entry/EditEntryWidget.cpp | 41 ++ src/gui/entry/EditEntryWidget.h | 2 + src/gui/entry/EditEntryWidgetSSHAgent.ui | 48 +- src/sshagent/CMakeLists.txt | 2 + src/sshagent/OpenSSHKey.cpp | 68 +++ src/sshagent/OpenSSHKey.h | 3 + src/sshagent/OpenSSHKeyGen.cpp | 141 +++++ src/sshagent/OpenSSHKeyGen.h | 30 + src/sshagent/OpenSSHKeyGenDialog.cpp | 99 +++ src/sshagent/OpenSSHKeyGenDialog.h | 48 ++ src/sshagent/OpenSSHKeyGenDialog.ui | 138 +++++ tests/TestOpenSSHKey.cpp | 6 + tests/TestSSHAgent.cpp | 61 ++ tests/TestSSHAgent.h | 3 + 15 files changed, 1048 insertions(+), 377 deletions(-) create mode 100644 src/sshagent/OpenSSHKeyGen.cpp create mode 100644 src/sshagent/OpenSSHKeyGen.h create mode 100644 src/sshagent/OpenSSHKeyGenDialog.cpp create mode 100644 src/sshagent/OpenSSHKeyGenDialog.h create mode 100644 src/sshagent/OpenSSHKeyGenDialog.ui diff --git a/share/translations/keepassxc_en.ts b/share/translations/keepassxc_en.ts index 824846331..dbe5c95e0 100644 --- a/share/translations/keepassxc_en.ts +++ b/share/translations/keepassxc_en.ts @@ -1,6 +1,6 @@ - + AboutDialog @@ -82,6 +82,10 @@ Details + + Your decision will be remembered for the duration while both the requesting client AND KeePassXC are running. + + Remember @@ -90,10 +94,6 @@ Allow Selected - - Your decision will be remembered for the duration while both the requesting client AND KeePassXC are running. - - Deny All && Future @@ -124,6 +124,10 @@ Use OpenSSH + + Use both agents + + SSH_AUTH_SOCK override @@ -152,10 +156,6 @@ SSH Agent connection is working! - - Use both agents - - ApplicationSettingsWidget @@ -171,6 +171,10 @@ Security + + This setting cannot be enabled when minimize on unlock is enabled. + + Access error for config file %1 @@ -227,10 +231,6 @@ Select backup storage directory - - This setting cannot be enabled when minimize on unlock is enabled. - - ApplicationSettingsWidgetGeneral @@ -262,6 +262,10 @@ Remember previously used databases + + recent files + + Load previously open databases on startup @@ -414,6 +418,10 @@ Toolbar button style: + + Show passwords in color + + Use monospaced font for notes @@ -499,14 +507,6 @@ Remember last typed entry for: - - recent files - - - - Show passwords in color - - ApplicationSettingsWidgetSecurity @@ -639,6 +639,10 @@ Very long delay detected, max is %1: %2 + + Entry does not have attribute for PICKCHARS: %1 + + Invalid conversion type: %1 @@ -656,10 +660,6 @@ Invalid placeholder: %1 - - Entry does not have attribute for PICKCHARS: %1 - - AutoTypeAssociationsModel @@ -1396,6 +1396,10 @@ Backup database located at %2 Key File: + + <p>In addition to a password, you can use a secret file to enhance the security of your database. This file can be generated in your database's security settings.</p><p>This is <strong>not</strong> your *.kdbx database file!<br>If you do not have a key file, leave this field empty.</p><p>Click for more information…</p> + + Key file help @@ -1408,6 +1412,11 @@ Backup database located at %2 Hardware Key: + + <p>You can use a hardware security key such as a <strong>YubiKey</strong> or <strong>OnlyKey</strong> with slots configured for HMAC-SHA1.</p> +<p>Click for more information…</p> + + Hardware key help @@ -1542,15 +1551,6 @@ If you do not have a key file, please leave the field empty. Select hardware key… - - <p>In addition to a password, you can use a secret file to enhance the security of your database. This file can be generated in your database's security settings.</p><p>This is <strong>not</strong> your *.kdbx database file!<br>If you do not have a key file, leave this field empty.</p><p>Click for more information…</p> - - - - <p>You can use a hardware security key such as a <strong>YubiKey</strong> or <strong>OnlyKey</strong> with slots configured for HMAC-SHA1.</p> -<p>Click for more information…</p> - - authenticate to access the database @@ -1600,10 +1600,6 @@ If you do not have a key file, please leave the field empty. KeePassXC-Browser settings - - Refresh database root group ID - - Disconnect all browsers @@ -1612,6 +1608,10 @@ If you do not have a key file, please leave the field empty. Forget all site-specific settings on entries + + Refresh database root group ID + + Stored keys @@ -2169,6 +2169,18 @@ This is definitely a bug, please report it to the developers. Writing the HTML file failed. + + Export database to XML file + + + + XML file + + + + Writing the XML file failed + + Export Confirmation @@ -2191,21 +2203,13 @@ This is definitely a bug, please report it to the developers. Database tab name modifier - - Export database to XML file - - - - XML file - - - - Writing the XML file failed - - DatabaseWidget + + Searches and Tags + + Searching… @@ -2254,6 +2258,13 @@ This is definitely a bug, please report it to the developers. Expired entries + + Entries expiring within %1 day(s) + + + + + No current database. @@ -2278,6 +2289,18 @@ This is definitely a bug, please report it to the developers. No Results + + Save + + + + Enter a unique name or overwrite an existing search from the list: + + + + Save Search + + Lock Database? @@ -2363,29 +2386,6 @@ Disable safe saves and try again? Could not find database file: %1 - - Entries expiring within %1 day(s) - - - - - - - Searches and Tags - - - - Enter a unique name or overwrite an existing search from the list: - - - - Save - - - - Save Search - - EditEntryWidget @@ -2522,6 +2522,13 @@ Would you like to correct it? Hide + + %n hour(s) + + + + + %n week(s) @@ -2543,13 +2550,6 @@ Would you like to correct it? - - %n hour(s) - - - - - EditEntryWidgetAdvanced @@ -2668,10 +2668,20 @@ Would you like to correct it? Add new window association + + + + Add item + + Remove selected window association + + - + Remove item + + Window title: @@ -2696,16 +2706,6 @@ Would you like to correct it? Custom Auto-Type sequence for this window - - + - Add item - - - - - - Remove item - - EditEntryWidgetBrowser @@ -2926,19 +2926,6 @@ Would you like to correct it? Private key - - External file - - - - Browser for key file - - - - Browse… - Button for opening file dialog - - Attachment @@ -2955,6 +2942,23 @@ Would you like to correct it? Remove from agent + + External file + + + + Browser for key file + + + + Browse… + Button for opening file dialog + + + + Generate + + Select attachment file @@ -2990,10 +2994,6 @@ Would you like to correct it? Icon - - Browser Integration - - Properties @@ -3010,6 +3010,10 @@ Would you like to correct it? Group has unsaved changes + + Browser Integration + + Enable @@ -3796,7 +3800,7 @@ Error: %1 - Notes + URL @@ -3816,7 +3820,7 @@ Error: %1 - URL + Notes @@ -3867,6 +3871,10 @@ Error: %1 Never + + Double click to copy value + + Enabled @@ -3875,10 +3883,6 @@ Error: %1 Disabled - - Double click to copy value - - EntryURLModel @@ -4937,6 +4941,10 @@ Are you sure you want to continue with this file? TOTP + + Tags + + &Groups @@ -5137,6 +5145,10 @@ Are you sure you want to continue with this file? Copy title to clipboard + + Copy &URL + + Copy URL to clipboard @@ -5197,6 +5209,10 @@ Are you sure you want to continue with this file? Copy &TOTP + + Copy Password and TOTP + + E&mpty recycle bin @@ -5293,6 +5309,14 @@ Are you sure you want to continue with this file? Clone Group... + + &XML File… + + + + XML File… + + Clear history @@ -5321,6 +5345,10 @@ Expect some bugs and minor issues, this version is meant for testing purposes. + + No Tags + + Restore Entry(s) @@ -5352,6 +5380,13 @@ We recommend you use the AppImage available on our downloads page. Quit KeePassXC + + %1 Entry(s) + + + + + Please present or touch your YubiKey to continue… @@ -5364,37 +5399,6 @@ We recommend you use the AppImage available on our downloads page. You must restart the application to apply this setting. Would you like to restart now? - - Tags - - - - No Tags - - - - %1 Entry(s) - - - - - - - Copy Password and TOTP - - - - &XML File… - - - - XML File… - - - - Copy &URL - - ManageDatabase @@ -5700,6 +5704,10 @@ We recommend you use the AppImage available on our downloads page. Unknown cipher: %1 + + AES-256/GCM is currently not supported + + Passphrase is required to decrypt this key @@ -5764,8 +5772,23 @@ We recommend you use the AppImage available on our downloads page. Unexpected EOF when writing private key + + + OpenSSHKeyGenDialog - AES-256/GCM is currently not supported + SSH Key Generator + + + + Type + + + + Bits + + + + Comment @@ -5947,6 +5970,10 @@ We recommend you use the AppImage available on our downloads page. Also choose from: + + Excluded characters: "0", "1", "l", "I", "O", "|", "﹒" + + Exclude look-alike characters @@ -6027,6 +6054,30 @@ We recommend you use the AppImage available on our downloads page. Entropy: %1 bit + + Password Quality: %1 + + + + Poor + Password quality + + + + Weak + Password quality + + + + Good + Password quality + + + + Excellent + Password quality + + Confirm Delete Wordlist @@ -6072,34 +6123,6 @@ Do you want to overwrite it? Special Characters - - Password Quality: %1 - - - - Poor - Password quality - - - - Weak - Password quality - - - - Good - Password quality - - - - Excellent - Password quality - - - - Excluded characters: "0", "1", "l", "I", "O", "|", "﹒" - - PasswordWidget @@ -6600,6 +6623,10 @@ Do you want to overwrite it? Too many arguments provided. + + Path of the database. + + Target decryption time in MS for the database. @@ -6608,6 +6635,11 @@ Do you want to overwrite it? time + + Set the key file for the database. +This options is deprecated, use --set-key-file instead. + + Set the key file for the database. @@ -6620,10 +6652,6 @@ Do you want to overwrite it? Create a new database. - - Path of the database. - - Invalid decryption time %1. @@ -6668,6 +6696,158 @@ Do you want to overwrite it? Successfully created new database. + + Unset the password for the database. + + + + Unset the key file for the database. + + + + Edit a database. + + + + Cannot use %1 and %2 at the same time. + + + + Could not change the database key. + + + + Database was not modified. + + + + Writing the database failed: %1 + + + + Successfully edited the database. + + + + Cannot remove password: The database does not have a password. + + + + Cannot remove file key: The database does not have a file key. + + + + Loading the new key file failed: %1 + + + + Found unexpected Key type %1 + + + + Cannot remove all the keys from a database. + + + + Show a database's information. + + + + UUID: + + + + Name: + + + + Description: + + + + Cipher: + + + + KDF: + + + + Recycle bin is enabled. + + + + Recycle bin is not enabled. + + + + Location + + + + Database created + + + + Last saved + + + + Unsaved changes + + + + yes + + + + no + + + + Number of groups + + + + Number of entries + + + + Number of expired entries + + + + Unique passwords + + + + Non-unique passwords + + + + Maximum password reuse + + + + Number of short passwords + + + + Number of weak passwords + + + + Entries excluded from reports + + + + Average password length + + + + %1 characters + + Word count for the diceware passphrase. @@ -6718,10 +6898,6 @@ Do you want to overwrite it? Enter new password for entry: - - Writing the database failed: %1 - - Successfully edited entry %1. @@ -6946,106 +7122,6 @@ Do you want to overwrite it? Successfully imported database. - - Show a database's information. - - - - UUID: - - - - Name: - - - - Description: - - - - Cipher: - - - - KDF: - - - - Recycle bin is enabled. - - - - Recycle bin is not enabled. - - - - Location - - - - Database created - - - - Last saved - - - - Unsaved changes - - - - yes - - - - no - - - - Number of groups - - - - Number of entries - - - - Number of expired entries - - - - Unique passwords - - - - Non-unique passwords - - - - Maximum password reuse - - - - Number of short passwords - - - - Number of weak passwords - - - - Entries excluded from reports - - - - Average password length - - - - %1 characters - - Unknown command %1 @@ -7214,6 +7290,10 @@ Available commands: Show the protected attributes in clear text. + + Show all the attributes of the entry. + + Show the attachments of the entry. @@ -7281,6 +7361,10 @@ Please consider generating a new key file. Invalid YubiKey serial %1 + + Please present or touch your YubiKey to continue. + + Enter password to encrypt database (optional): @@ -7770,6 +7854,10 @@ Kernel: %3 %4 Another instance of KeePassXC is already running. + + KeePassXC is not running. No open database to lock + + Fatal error while testing the cryptographic functions. @@ -7804,71 +7892,6 @@ Kernel: %3 %4 Failed to sign challenge using Windows Hello. - - Please present or touch your YubiKey to continue. - - - - Show all the attributes of the entry. - - - - Edit a database. - - - - Could not change the database key. - - - - Database was not modified. - - - - Successfully edited the database. - - - - Loading the new key file failed: %1 - - - - Unset the password for the database. - - - - Unset the key file for the database. - - - - Cannot use %1 and %2 at the same time. - - - - Cannot remove all the keys from a database. - - - - Cannot remove password: The database does not have a password. - - - - Cannot remove file key: The database does not have a file key. - - - - Found unexpected Key type %1 - - - - Set the key file for the database. -This options is deprecated, use --set-key-file instead. - - - - KeePassXC is not running. No open database to lock - - QtIOCompressor @@ -8412,6 +8435,10 @@ This options is deprecated, use --set-key-file instead. Search Help + + Save Search + + Search (%1)… Search placeholder text, %1 is the keyboard shortcut @@ -8425,10 +8452,6 @@ This options is deprecated, use --set-key-file instead. Limit search to selected group - - Save Search - - SettingsClientModel @@ -8642,11 +8665,7 @@ This options is deprecated, use --set-key-file instead. TagModel - Expired - - - - Weak Passwords + Clear Search @@ -8654,7 +8673,11 @@ This options is deprecated, use --set-key-file instead. - Clear Search + Expired + + + + Weak Passwords diff --git a/src/gui/entry/EditEntryWidget.cpp b/src/gui/entry/EditEntryWidget.cpp index be7fd1467..b2977d6fd 100644 --- a/src/gui/entry/EditEntryWidget.cpp +++ b/src/gui/entry/EditEntryWidget.cpp @@ -41,6 +41,7 @@ #include "core/TimeDelta.h" #ifdef WITH_XC_SSHAGENT #include "sshagent/OpenSSHKey.h" +#include "sshagent/OpenSSHKeyGenDialog.h" #include "sshagent/SSHAgent.h" #endif #ifdef WITH_XC_BROWSER @@ -535,6 +536,7 @@ void EditEntryWidget::updateHistoryButtons(const QModelIndex& current, const QMo #ifdef WITH_XC_SSHAGENT void EditEntryWidget::setupSSHAgent() { + m_pendingPrivateKey = ""; m_sshAgentUi->setupUi(m_sshAgentWidget); QFont fixedFont = Font::fixedFont(); @@ -555,6 +557,7 @@ void EditEntryWidget::setupSSHAgent() connect(m_sshAgentUi->removeFromAgentButton, &QPushButton::clicked, this, &EditEntryWidget::removeKeyFromAgent); connect(m_sshAgentUi->decryptButton, &QPushButton::clicked, this, &EditEntryWidget::decryptPrivateKey); connect(m_sshAgentUi->copyToClipboardButton, &QPushButton::clicked, this, &EditEntryWidget::copyPublicKey); + connect(m_sshAgentUi->generateButton, &QPushButton::clicked, this, &EditEntryWidget::generatePrivateKey); connect(m_attachments.data(), &EntryAttachments::modified, this, &EditEntryWidget::updateSSHAgentAttachments); @@ -582,6 +585,12 @@ void EditEntryWidget::updateSSHAgent() m_sshAgentSettings.fromEntry(m_entry); setSSHAgentSettings(); + if (!m_pendingPrivateKey.isEmpty()) { + m_sshAgentSettings.setAttachmentName(m_pendingPrivateKey); + m_sshAgentSettings.setSelectedType("attachment"); + m_pendingPrivateKey = ""; + } + updateSSHAgentAttachments(); } @@ -784,6 +793,38 @@ void EditEntryWidget::copyPublicKey() { clipboard()->setText(m_sshAgentUi->publicKeyEdit->document()->toPlainText()); } + +void EditEntryWidget::generatePrivateKey() +{ + auto dialog = new OpenSSHKeyGenDialog(this); + + OpenSSHKey key; + dialog->setKey(&key); + + if (dialog->exec()) { + // derive openssh naming from type + QString keyPrefix = key.type(); + if (keyPrefix.startsWith("ecdsa")) { + keyPrefix = "id_ecdsa"; + } else { + keyPrefix.replace("ssh-", "id_"); + } + + for (int i = 0; i < 10; i++) { + QString keyName = keyPrefix; + + if (i > 0) { + keyName += "." + QString::number(i); + } + + if (!m_entry->attachments()->hasKey(keyName)) { + m_pendingPrivateKey = keyName; + m_entry->attachments()->set(m_pendingPrivateKey, key.privateKey().toUtf8()); + break; + } + } + } +} #endif void EditEntryWidget::useExpiryPreset(QAction* action) diff --git a/src/gui/entry/EditEntryWidget.h b/src/gui/entry/EditEntryWidget.h index 89422c0d4..582cdfbbc 100644 --- a/src/gui/entry/EditEntryWidget.h +++ b/src/gui/entry/EditEntryWidget.h @@ -123,6 +123,7 @@ private slots: void removeKeyFromAgent(); void decryptPrivateKey(); void copyPublicKey(); + void generatePrivateKey(); #endif #ifdef WITH_XC_BROWSER void updateBrowserModified(); @@ -167,6 +168,7 @@ private: bool m_history; #ifdef WITH_XC_SSHAGENT KeeAgentSettings m_sshAgentSettings; + QString m_pendingPrivateKey; #endif const QScopedPointer m_mainUi; const QScopedPointer m_advancedUi; diff --git a/src/gui/entry/EditEntryWidgetSSHAgent.ui b/src/gui/entry/EditEntryWidgetSSHAgent.ui index 81fac082a..3fa48baf3 100644 --- a/src/gui/entry/EditEntryWidgetSSHAgent.ui +++ b/src/gui/entry/EditEntryWidgetSSHAgent.ui @@ -118,23 +118,6 @@ Private key - - - - External file - - - - - - - Browser for key file - - - Browse… - - - @@ -145,7 +128,7 @@ - + Qt::ClickFocus @@ -155,7 +138,7 @@ - + @@ -173,7 +156,31 @@ - + + + + External file + + + + + + + Browser for key file + + + Browse… + + + + + + + Generate + + + + @@ -325,7 +332,6 @@ lifetimeCheckBox lifetimeSpinBox attachmentRadioButton - attachmentComboBox externalFileRadioButton browseButton addToAgentButton diff --git a/src/sshagent/CMakeLists.txt b/src/sshagent/CMakeLists.txt index 969467415..6bbb9c94d 100644 --- a/src/sshagent/CMakeLists.txt +++ b/src/sshagent/CMakeLists.txt @@ -8,6 +8,8 @@ if(WITH_XC_SSHAGENT) BinaryStream.cpp KeeAgentSettings.cpp OpenSSHKey.cpp + OpenSSHKeyGen.cpp + OpenSSHKeyGenDialog.cpp SSHAgent.cpp ) diff --git a/src/sshagent/OpenSSHKey.cpp b/src/sshagent/OpenSSHKey.cpp index e6b21c863..cdcc25701 100644 --- a/src/sshagent/OpenSSHKey.cpp +++ b/src/sshagent/OpenSSHKey.cpp @@ -20,6 +20,7 @@ #include "ASN1Key.h" #include "BinaryStream.h" +#include "crypto/Random.h" #include "crypto/SymmetricCipher.h" #include @@ -34,6 +35,7 @@ const QString OpenSSHKey::OPENSSH_CIPHER_SUFFIX = "@openssh.com"; OpenSSHKey::OpenSSHKey(QObject* parent) : QObject(parent) + , m_check(0) , m_type(QString()) , m_cipherName(QString("none")) , m_kdfName(QString("none")) @@ -49,6 +51,7 @@ OpenSSHKey::OpenSSHKey(QObject* parent) OpenSSHKey::OpenSSHKey(const OpenSSHKey& other) : QObject(nullptr) + , m_check(other.m_check) , m_type(other.m_type) , m_cipherName(other.m_cipherName) , m_kdfName(other.m_kdfName) @@ -126,6 +129,64 @@ const QString OpenSSHKey::publicKey() const return m_type + " " + QString::fromLatin1(publicKey.toBase64()) + " " + m_comment; } +const QString OpenSSHKey::privateKey() +{ + QByteArray sshKey; + BinaryStream stream(&sshKey); + + // magic + stream.write(QString("openssh-key-v1").toUtf8()); + stream.write(static_cast(0)); + + // cipher name + stream.writeString(QString("none")); + + // kdf name + stream.writeString(QString("none")); + + // kdf options + stream.writeString(QString("")); + + // number of keys + stream.write(static_cast(1)); + + // string wrapped public key + QByteArray publicKey; + BinaryStream publicStream(&publicKey); + writePublic(publicStream); + stream.writeString(publicKey); + + // string wrapper private key + QByteArray privateKey; + BinaryStream privateStream(&privateKey); + + // integrity check value + privateStream.write(m_check); + privateStream.write(m_check); + + writePrivate(privateStream); + + // padding for unencrypted key + for (quint8 i = 1; i <= privateKey.size() % 8; i++) { + privateStream.write(i); + } + + stream.writeString(privateKey); + + // encode to PEM format + QString out; + out += "-----BEGIN OPENSSH PRIVATE KEY-----\n"; + + auto base64Key = QString::fromUtf8(sshKey.toBase64()); + for (int i = 0; i < base64Key.size(); i += 70) { + out += base64Key.midRef(i, 70); + out += "\n"; + } + + out += "-----END OPENSSH PRIVATE KEY-----\n"; + return out; +} + const QString OpenSSHKey::errorString() const { return m_error; @@ -136,6 +197,11 @@ void OpenSSHKey::setType(const QString& type) m_type = type; } +void OpenSSHKey::setCheck(quint32 check) +{ + m_check = check; +} + void OpenSSHKey::setPublicData(const QByteArray& data) { m_rawPublicData = data; @@ -429,6 +495,8 @@ bool OpenSSHKey::openKey(const QString& passphrase) return false; } + m_check = checkInt1; + return readPrivate(keyStream); } diff --git a/src/sshagent/OpenSSHKey.h b/src/sshagent/OpenSSHKey.h index a42e433de..c2c831939 100644 --- a/src/sshagent/OpenSSHKey.h +++ b/src/sshagent/OpenSSHKey.h @@ -41,9 +41,11 @@ public: const QString fingerprint(QCryptographicHash::Algorithm algo = QCryptographicHash::Sha256) const; const QString comment() const; const QString publicKey() const; + const QString privateKey(); const QString errorString() const; void setType(const QString& type); + void setCheck(quint32 check); void setPublicData(const QByteArray& data); void setPrivateData(const QByteArray& data); void setComment(const QString& comment); @@ -70,6 +72,7 @@ private: bool extractPEM(const QByteArray& in, QByteArray& out); + quint32 m_check; QString m_type; QString m_cipherName; QByteArray m_cipherIV; diff --git a/src/sshagent/OpenSSHKeyGen.cpp b/src/sshagent/OpenSSHKeyGen.cpp new file mode 100644 index 000000000..c18f1b03e --- /dev/null +++ b/src/sshagent/OpenSSHKeyGen.cpp @@ -0,0 +1,141 @@ +/* + * Copyright (C) 2021 KeePassXC Team + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 2 or (at your option) + * version 3 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +#include "OpenSSHKeyGen.h" +#include "BinaryStream.h" +#include "OpenSSHKey.h" +#include "crypto/Random.h" + +#include +#include +#include + +namespace OpenSSHKeyGen +{ + namespace + { + void bigIntToStream(const Botan::BigInt& i, BinaryStream& stream, int padding = 0) + { + QByteArray ba(i.bytes() + padding, 0); + i.binary_encode(reinterpret_cast(ba.data() + padding), ba.size() - padding); + stream.writeString(ba); + } + + void vectorToStream(const std::vector& v, BinaryStream& stream) + { + QByteArray ba(reinterpret_cast(v.data()), v.size()); + stream.writeString(ba); + } + + void vectorToStream(const Botan::secure_vector& v, BinaryStream& stream) + { + QByteArray ba(reinterpret_cast(v.data()), v.size()); + stream.writeString(ba); + } + } // namespace + + bool generateRSA(OpenSSHKey& key, int bits) + { + auto rng = randomGen()->getRng(); + + try { + Botan::RSA_PrivateKey rsaKey(*rng, bits); + + QByteArray publicData; + BinaryStream publicStream(&publicData); + // intentionally flipped n e -> e n + bigIntToStream(rsaKey.get_e(), publicStream); + bigIntToStream(rsaKey.get_n(), publicStream, 1); + + QByteArray privateData; + BinaryStream privateStream(&privateData); + bigIntToStream(rsaKey.get_n(), privateStream, 1); + bigIntToStream(rsaKey.get_e(), privateStream); + bigIntToStream(rsaKey.get_d(), privateStream); + bigIntToStream(rsaKey.get_c(), privateStream, 1); + bigIntToStream(rsaKey.get_p(), privateStream, 1); + bigIntToStream(rsaKey.get_q(), privateStream, 1); + + key.setType("ssh-rsa"); + key.setCheck(randomGen()->randomUInt(std::numeric_limits::max() - 1) + 1); + key.setPublicData(publicData); + key.setPrivateData(privateData); + key.setComment("id_rsa"); + return true; + } catch (std::exception& e) { + return false; + } + } + + bool generateECDSA(OpenSSHKey& key, int bits) + { + auto rng = randomGen()->getRng(); + QString group = QString("nistp%1").arg(bits); + + try { + Botan::EC_Group domain(QString("secp%1r1").arg(bits).toStdString()); + Botan::ECDSA_PrivateKey ecdsaKey(*rng, domain); + + QByteArray publicData; + BinaryStream publicStream(&publicData); + publicStream.writeString(group); + vectorToStream(ecdsaKey.public_key_bits(), publicStream); + + QByteArray privateData; + BinaryStream privateStream(&privateData); + privateStream.writeString(group); + vectorToStream(ecdsaKey.public_key_bits(), privateStream); + bigIntToStream(ecdsaKey.private_value(), privateStream, 1); + + key.setType("ecdsa-sha2-" + group); + key.setCheck(randomGen()->randomUInt(std::numeric_limits::max() - 1) + 1); + key.setPublicData(publicData); + key.setPrivateData(privateData); + key.setComment("id_ecdsa"); + return true; + } catch (std::exception& e) { + return false; + } + } + + bool generateEd25519(OpenSSHKey& key) + { + auto rng = randomGen()->getRng(); + + try { + Botan::Ed25519_PrivateKey ed25519Key(*rng); + + QByteArray publicData; + BinaryStream publicStream(&publicData); + vectorToStream(ed25519Key.get_public_key(), publicStream); + + QByteArray privateData; + BinaryStream privateStream(&privateData); + vectorToStream(ed25519Key.get_public_key(), privateStream); + vectorToStream(ed25519Key.get_private_key(), privateStream); + + key.setType("ssh-ed25519"); + key.setCheck(randomGen()->randomUInt(std::numeric_limits::max() - 1) + 1); + key.setPublicData(publicData); + key.setPrivateData(privateData); + key.setComment("id_ed25519"); + return true; + } catch (std::exception& e) { + return false; + } + } +} // namespace OpenSSHKeyGen diff --git a/src/sshagent/OpenSSHKeyGen.h b/src/sshagent/OpenSSHKeyGen.h new file mode 100644 index 000000000..dfe122ac0 --- /dev/null +++ b/src/sshagent/OpenSSHKeyGen.h @@ -0,0 +1,30 @@ +/* + * Copyright (C) 2021 KeePassXC Team + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 2 or (at your option) + * version 3 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +#ifndef KEEPASSXC_OPENSSHKEYGEN_H +#define KEEPASSXC_OPENSSHKEYGEN_H + +class OpenSSHKey; + +namespace OpenSSHKeyGen +{ + bool generateRSA(OpenSSHKey& key, int bits); + bool generateECDSA(OpenSSHKey& key, int bits); + bool generateEd25519(OpenSSHKey& key); +} // namespace OpenSSHKeyGen + +#endif diff --git a/src/sshagent/OpenSSHKeyGenDialog.cpp b/src/sshagent/OpenSSHKeyGenDialog.cpp new file mode 100644 index 000000000..df06879e9 --- /dev/null +++ b/src/sshagent/OpenSSHKeyGenDialog.cpp @@ -0,0 +1,99 @@ +/* + * Copyright (C) 2021 KeePassXC Team + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 2 or (at your option) + * version 3 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +#include "OpenSSHKeyGenDialog.h" +#include "OpenSSHKey.h" +#include "OpenSSHKeyGen.h" +#include "gui/Icons.h" +#include "ui_OpenSSHKeyGenDialog.h" +#include +#include + +OpenSSHKeyGenDialog::OpenSSHKeyGenDialog(QWidget* parent) + : QDialog(parent) + , m_ui(new Ui::OpenSSHKeyGenDialog()) + , m_key(nullptr) +{ + setAttribute(Qt::WA_DeleteOnClose); + setWindowIcon(icons()->icon("password-generator")); + + m_ui->setupUi(this); + + m_ui->typeComboBox->clear(); + m_ui->typeComboBox->addItem("Ed25519"); + m_ui->typeComboBox->addItem("RSA"); + m_ui->typeComboBox->addItem("ECDSA"); + + QString user = QProcessEnvironment::systemEnvironment().value("USER"); + m_ui->commentLineEdit->setText(user + "@" + QHostInfo::localHostName()); + + connect(m_ui->typeComboBox, SIGNAL(currentIndexChanged(int)), this, SLOT(typeChanged())); + + typeChanged(); +} + +// Required for QScopedPointer +OpenSSHKeyGenDialog::~OpenSSHKeyGenDialog() +{ +} + +void OpenSSHKeyGenDialog::typeChanged() +{ + m_ui->bitsComboBox->clear(); + + if (m_ui->typeComboBox->currentText() == QString("Ed25519")) { + m_ui->bitsComboBox->addItem("32"); + } else if (m_ui->typeComboBox->currentText() == QString("RSA")) { + m_ui->bitsComboBox->addItem("2048"); + m_ui->bitsComboBox->addItem("3072"); + m_ui->bitsComboBox->addItem("4096"); + m_ui->bitsComboBox->setCurrentText("3072"); + } else if (m_ui->typeComboBox->currentText() == QString("ECDSA")) { + m_ui->bitsComboBox->addItem("256"); + m_ui->bitsComboBox->addItem("384"); + m_ui->bitsComboBox->addItem("521"); + m_ui->bitsComboBox->setCurrentText("256"); + } +} + +void OpenSSHKeyGenDialog::accept() +{ + // disable form and try to process this update before blocking in key generation + setEnabled(false); + QCoreApplication::processEvents(); + + int bits = m_ui->bitsComboBox->currentText().toInt(); + + if (m_ui->typeComboBox->currentText() == QString("Ed25519")) { + OpenSSHKeyGen::generateEd25519(*m_key); + } else if (m_ui->typeComboBox->currentText() == QString("RSA")) { + OpenSSHKeyGen::generateRSA(*m_key, bits); + } else if (m_ui->typeComboBox->currentText() == QString("ECDSA")) { + OpenSSHKeyGen::generateECDSA(*m_key, bits); + } else { + reject(); + return; + } + + m_key->setComment(m_ui->commentLineEdit->text()); + QDialog::accept(); +} + +void OpenSSHKeyGenDialog::setKey(OpenSSHKey* key) +{ + m_key = key; +} diff --git a/src/sshagent/OpenSSHKeyGenDialog.h b/src/sshagent/OpenSSHKeyGenDialog.h new file mode 100644 index 000000000..f46a1abe3 --- /dev/null +++ b/src/sshagent/OpenSSHKeyGenDialog.h @@ -0,0 +1,48 @@ +/* + * Copyright (C) 2021 Team KeePassXC + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 2 or (at your option) + * version 3 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +#ifndef KEEPASSXC_OPENSSHKEYGENDIALOG_H +#define KEEPASSXC_OPENSSHKEYGENDIALOG_H + +#include +class OpenSSHKey; + +namespace Ui +{ + class OpenSSHKeyGenDialog; +} + +class OpenSSHKeyGenDialog : public QDialog +{ + Q_OBJECT + +public: + explicit OpenSSHKeyGenDialog(QWidget* parent = nullptr); + ~OpenSSHKeyGenDialog() override; + + void accept() override; + void setKey(OpenSSHKey* key); + +private slots: + void typeChanged(); + +private: + QScopedPointer m_ui; + OpenSSHKey* m_key; +}; + +#endif // KEEPASSXC_OPENSSHKEYGENDIALOG_H diff --git a/src/sshagent/OpenSSHKeyGenDialog.ui b/src/sshagent/OpenSSHKeyGenDialog.ui new file mode 100644 index 000000000..0ab2c1716 --- /dev/null +++ b/src/sshagent/OpenSSHKeyGenDialog.ui @@ -0,0 +1,138 @@ + + + OpenSSHKeyGenDialog + + + + 0 + 0 + 200 + 100 + + + + + 0 + 0 + + + + SSH Key Generator + + + true + + + + + + + 0 + 0 + + + + QComboBox::AdjustToContents + + + + + + + + 0 + 0 + + + + Type + + + + + + + + 0 + 0 + + + + Bits + + + + + + + Comment + + + + + + + + 0 + 0 + + + + QComboBox::AdjustToMinimumContentsLength + + + 4 + + + + + + + + + + Qt::Horizontal + + + QDialogButtonBox::Cancel|QDialogButtonBox::Ok + + + + + + + + + buttonBox + accepted() + OpenSSHKeyGenDialog + accept() + + + 248 + 254 + + + 157 + 274 + + + + + buttonBox + rejected() + OpenSSHKeyGenDialog + reject() + + + 316 + 260 + + + 286 + 274 + + + + + diff --git a/tests/TestOpenSSHKey.cpp b/tests/TestOpenSSHKey.cpp index 1f0053474..a20b248ed 100644 --- a/tests/TestOpenSSHKey.cpp +++ b/tests/TestOpenSSHKey.cpp @@ -254,6 +254,7 @@ void TestOpenSSHKey::testParseRSACompare() QCOMPARE(oldKey.type(), newKey.type()); QCOMPARE(oldKey.fingerprint(), newKey.fingerprint()); QCOMPARE(oldPrivateKey, newPrivateKey); + QCOMPARE(newKeyString, newKey.privateKey()); } void TestOpenSSHKey::testParseECDSA256() @@ -277,6 +278,7 @@ void TestOpenSSHKey::testParseECDSA256() QCOMPARE(key.type(), QString("ecdsa-sha2-nistp256")); QCOMPARE(key.comment(), QString("opensshkey-test-ecdsa256@keepassxc")); QCOMPARE(key.fingerprint(), QString("SHA256:nwwovZmQbBeiR3GZRpK4OWHgCUE7E0wFtCN7Ng7eX5g")); + QCOMPARE(keyString, key.privateKey()); } void TestOpenSSHKey::testParseECDSA384() @@ -302,6 +304,7 @@ void TestOpenSSHKey::testParseECDSA384() QCOMPARE(key.type(), QString("ecdsa-sha2-nistp384")); QCOMPARE(key.comment(), QString("opensshkey-test-ecdsa384@keepassxc")); QCOMPARE(key.fingerprint(), QString("SHA256:B5tLMG976BZ6nyi/oRUmKaTJcaEaFagEjBfOAgru0OY")); + QCOMPARE(keyString, key.privateKey()); } void TestOpenSSHKey::testParseECDSA521() @@ -328,6 +331,7 @@ void TestOpenSSHKey::testParseECDSA521() QCOMPARE(key.type(), QString("ecdsa-sha2-nistp521")); QCOMPARE(key.comment(), QString("opensshkey-test-ecdsa521@keepassxc")); QCOMPARE(key.fingerprint(), QString("SHA256:m3LtA9MtZW8FN0R3vwA0AAI+YtegbggGCy3EGKWya+s")); + QCOMPARE(keyString, key.privateKey()); } void TestOpenSSHKey::testDecryptOpenSSHAES256CBC() @@ -533,6 +537,7 @@ void TestOpenSSHKey::testParseECDSASecurityKey() QCOMPARE(key.type(), QString("sk-ecdsa-sha2-nistp256@openssh.com")); QCOMPARE(key.comment(), QString("opensshkey-test-ecdsa-sk@keepassxc")); QCOMPARE(key.fingerprint(), QString("SHA256:ctOtAsPMqbtumGI41o2oeWfGDah4m1ACILRj+x0gx0E")); + QCOMPARE(keyString, key.privateKey()); } void TestOpenSSHKey::testParseED25519SecurityKey() @@ -557,4 +562,5 @@ void TestOpenSSHKey::testParseED25519SecurityKey() QCOMPARE(key.type(), QString("sk-ssh-ed25519@openssh.com")); QCOMPARE(key.comment(), QString("opensshkey-test-ed25519-sk@keepassxc")); QCOMPARE(key.fingerprint(), QString("SHA256:PGtS5WvbnYmNqFIeRbzO6cVP9GLh8eEzENgkHp02XIA")); + QCOMPARE(keyString, key.privateKey()); } diff --git a/tests/TestSSHAgent.cpp b/tests/TestSSHAgent.cpp index 3acf3352a..092cbb411 100644 --- a/tests/TestSSHAgent.cpp +++ b/tests/TestSSHAgent.cpp @@ -20,6 +20,7 @@ #include "core/Config.h" #include "crypto/Crypto.h" #include "sshagent/KeeAgentSettings.h" +#include "sshagent/OpenSSHKeyGen.h" #include "sshagent/SSHAgent.h" #include @@ -224,6 +225,66 @@ void TestSSHAgent::testToOpenSSHKey() QVERIFY(!key.publicKey().isEmpty()); } +void TestSSHAgent::testKeyGenRSA() +{ + SSHAgent agent; + agent.setEnabled(true); + agent.setAuthSockOverride(m_agentSocketFileName); + + QVERIFY(agent.isAgentRunning()); + + OpenSSHKey key; + KeeAgentSettings settings; + bool keyInAgent; + + QVERIFY(OpenSSHKeyGen::generateRSA(key, 2048)); + + QVERIFY(agent.addIdentity(key, settings, m_uuid)); + QVERIFY(agent.checkIdentity(key, keyInAgent) && keyInAgent); + QVERIFY(agent.removeIdentity(key)); + QVERIFY(agent.checkIdentity(key, keyInAgent) && !keyInAgent); +} + +void TestSSHAgent::testKeyGenECDSA() +{ + SSHAgent agent; + agent.setEnabled(true); + agent.setAuthSockOverride(m_agentSocketFileName); + + QVERIFY(agent.isAgentRunning()); + + OpenSSHKey key; + KeeAgentSettings settings; + bool keyInAgent; + + QVERIFY(OpenSSHKeyGen::generateECDSA(key, 256)); + + QVERIFY(agent.addIdentity(key, settings, m_uuid)); + QVERIFY(agent.checkIdentity(key, keyInAgent) && keyInAgent); + QVERIFY(agent.removeIdentity(key)); + QVERIFY(agent.checkIdentity(key, keyInAgent) && !keyInAgent); +} + +void TestSSHAgent::testKeyGenEd25519() +{ + SSHAgent agent; + agent.setEnabled(true); + agent.setAuthSockOverride(m_agentSocketFileName); + + QVERIFY(agent.isAgentRunning()); + + OpenSSHKey key; + KeeAgentSettings settings; + bool keyInAgent; + + QVERIFY(OpenSSHKeyGen::generateEd25519(key)); + + QVERIFY(agent.addIdentity(key, settings, m_uuid)); + QVERIFY(agent.checkIdentity(key, keyInAgent) && keyInAgent); + QVERIFY(agent.removeIdentity(key)); + QVERIFY(agent.checkIdentity(key, keyInAgent) && !keyInAgent); +} + void TestSSHAgent::cleanupTestCase() { if (m_agentProcess.state() != QProcess::NotRunning) { diff --git a/tests/TestSSHAgent.h b/tests/TestSSHAgent.h index 12c115b23..36b9b2bff 100644 --- a/tests/TestSSHAgent.h +++ b/tests/TestSSHAgent.h @@ -35,6 +35,9 @@ private slots: void testLifetimeConstraint(); void testConfirmConstraint(); void testToOpenSSHKey(); + void testKeyGenRSA(); + void testKeyGenECDSA(); + void testKeyGenEd25519(); void cleanupTestCase(); private: