1 line
32 KiB
JSON
1 line
32 KiB
JSON
{"ast":null,"code":"// Copyright 2017 Joyent, Inc.\nmodule.exports = {\n read: read,\n verify: verify,\n sign: sign,\n signAsync: signAsync,\n write: write,\n\n /* Internal private API */\n fromBuffer: fromBuffer,\n toBuffer: toBuffer\n};\n\nvar assert = require('assert-plus');\n\nvar SSHBuffer = require('../ssh-buffer');\n\nvar crypto = require('crypto');\n\nvar Buffer = require('safer-buffer').Buffer;\n\nvar algs = require('../algs');\n\nvar Key = require('../key');\n\nvar PrivateKey = require('../private-key');\n\nvar Identity = require('../identity');\n\nvar rfc4253 = require('./rfc4253');\n\nvar Signature = require('../signature');\n\nvar utils = require('../utils');\n\nvar Certificate = require('../certificate');\n\nfunction verify(cert, key) {\n /*\n * We always give an issuerKey, so if our verify() is being called then\n * there was no signature. Return false.\n */\n return false;\n}\n\nvar TYPES = {\n 'user': 1,\n 'host': 2\n};\nObject.keys(TYPES).forEach(function (k) {\n TYPES[TYPES[k]] = k;\n});\nvar ECDSA_ALGO = /^ecdsa-sha2-([^@-]+)-cert-v01@openssh.com$/;\n\nfunction read(buf, options) {\n if (Buffer.isBuffer(buf)) buf = buf.toString('ascii');\n var parts = buf.trim().split(/[ \\t\\n]+/g);\n if (parts.length < 2 || parts.length > 3) throw new Error('Not a valid SSH certificate line');\n var algo = parts[0];\n var data = parts[1];\n data = Buffer.from(data, 'base64');\n return fromBuffer(data, algo);\n}\n\nfunction fromBuffer(data, algo, partial) {\n var sshbuf = new SSHBuffer({\n buffer: data\n });\n var innerAlgo = sshbuf.readString();\n if (algo !== undefined && innerAlgo !== algo) throw new Error('SSH certificate algorithm mismatch');\n if (algo === undefined) algo = innerAlgo;\n var cert = {};\n cert.signatures = {};\n cert.signatures.openssh = {};\n cert.signatures.openssh.nonce = sshbuf.readBuffer();\n var key = {};\n var parts = key.parts = [];\n key.type = getAlg(algo);\n var partCount = algs.info[key.type].parts.length;\n\n while (parts.length < partCount) parts.push(sshbuf.readPart());\n\n assert.ok(parts.length >= 1, 'key must have at least one part');\n var algInfo = algs.info[key.type];\n\n if (key.type === 'ecdsa') {\n var res = ECDSA_ALGO.exec(algo);\n assert.ok(res !== null);\n assert.strictEqual(res[1], parts[0].data.toString());\n }\n\n for (var i = 0; i < algInfo.parts.length; ++i) {\n parts[i].name = algInfo.parts[i];\n\n if (parts[i].name !== 'curve' && algInfo.normalize !== false) {\n var p = parts[i];\n p.data = utils.mpNormalize(p.data);\n }\n }\n\n cert.subjectKey = new Key(key);\n cert.serial = sshbuf.readInt64();\n var type = TYPES[sshbuf.readInt()];\n assert.string(type, 'valid cert type');\n cert.signatures.openssh.keyId = sshbuf.readString();\n var principals = [];\n var pbuf = sshbuf.readBuffer();\n var psshbuf = new SSHBuffer({\n buffer: pbuf\n });\n\n while (!psshbuf.atEnd()) principals.push(psshbuf.readString());\n\n if (principals.length === 0) principals = ['*'];\n cert.subjects = principals.map(function (pr) {\n if (type === 'user') return Identity.forUser(pr);else if (type === 'host') return Identity.forHost(pr);\n throw new Error('Unknown identity type ' + type);\n });\n cert.validFrom = int64ToDate(sshbuf.readInt64());\n cert.validUntil = int64ToDate(sshbuf.readInt64());\n var exts = [];\n var extbuf = new SSHBuffer({\n buffer: sshbuf.readBuffer()\n });\n var ext;\n\n while (!extbuf.atEnd()) {\n ext = {\n critical: true\n };\n ext.name = extbuf.readString();\n ext.data = extbuf.readBuffer();\n exts.push(ext);\n }\n\n extbuf = new SSHBuffer({\n buffer: sshbuf.readBuffer()\n });\n\n while (!extbuf.atEnd()) {\n ext = {\n critical: false\n };\n ext.name = extbuf.readString();\n ext.data = extbuf.readBuffer();\n exts.push(ext);\n }\n\n cert.signatures.openssh.exts = exts;\n /* reserved */\n\n sshbuf.readBuffer();\n var signingKeyBuf = sshbuf.readBuffer();\n cert.issuerKey = rfc4253.read(signingKeyBuf);\n /*\n * OpenSSH certs don't give the identity of the issuer, just their\n * public key. So, we use an Identity that matches anything. The\n * isSignedBy() function will later tell you if the key matches.\n */\n\n cert.issuer = Identity.forHost('**');\n var sigBuf = sshbuf.readBuffer();\n cert.signatures.openssh.signature = Signature.parse(sigBuf, cert.issuerKey.type, 'ssh');\n\n if (partial !== undefined) {\n partial.remainder = sshbuf.remainder();\n partial.consumed = sshbuf._offset;\n }\n\n return new Certificate(cert);\n}\n\nfunction int64ToDate(buf) {\n var i = buf.readUInt32BE(0) * 4294967296;\n i += buf.readUInt32BE(4);\n var d = new Date();\n d.setTime(i * 1000);\n d.sourceInt64 = buf;\n return d;\n}\n\nfunction dateToInt64(date) {\n if (date.sourceInt64 !== undefined) return date.sourceInt64;\n var i = Math.round(date.getTime() / 1000);\n var upper = Math.floor(i / 4294967296);\n var lower = Math.floor(i % 4294967296);\n var buf = Buffer.alloc(8);\n buf.writeUInt32BE(upper, 0);\n buf.writeUInt32BE(lower, 4);\n return buf;\n}\n\nfunction sign(cert, key) {\n if (cert.signatures.openssh === undefined) cert.signatures.openssh = {};\n\n try {\n var blob = toBuffer(cert, true);\n } catch (e) {\n delete cert.signatures.openssh;\n return false;\n }\n\n var sig = cert.signatures.openssh;\n var hashAlgo = undefined;\n if (key.type === 'rsa' || key.type === 'dsa') hashAlgo = 'sha1';\n var signer = key.createSign(hashAlgo);\n signer.write(blob);\n sig.signature = signer.sign();\n return true;\n}\n\nfunction signAsync(cert, signer, done) {\n if (cert.signatures.openssh === undefined) cert.signatures.openssh = {};\n\n try {\n var blob = toBuffer(cert, true);\n } catch (e) {\n delete cert.signatures.openssh;\n done(e);\n return;\n }\n\n var sig = cert.signatures.openssh;\n signer(blob, function (err, signature) {\n if (err) {\n done(err);\n return;\n }\n\n try {\n /*\n * This will throw if the signature isn't of a\n * type/algo that can be used for SSH.\n */\n signature.toBuffer('ssh');\n } catch (e) {\n done(e);\n return;\n }\n\n sig.signature = signature;\n done();\n });\n}\n\nfunction write(cert, options) {\n if (options === undefined) options = {};\n var blob = toBuffer(cert);\n var out = getCertType(cert.subjectKey) + ' ' + blob.toString('base64');\n if (options.comment) out = out + ' ' + options.comment;\n return out;\n}\n\nfunction toBuffer(cert, noSig) {\n assert.object(cert.signatures.openssh, 'signature for openssh format');\n var sig = cert.signatures.openssh;\n if (sig.nonce === undefined) sig.nonce = crypto.randomBytes(16);\n var buf = new SSHBuffer({});\n buf.writeString(getCertType(cert.subjectKey));\n buf.writeBuffer(sig.nonce);\n var key = cert.subjectKey;\n var algInfo = algs.info[key.type];\n algInfo.parts.forEach(function (part) {\n buf.writePart(key.part[part]);\n });\n buf.writeInt64(cert.serial);\n var type = cert.subjects[0].type;\n assert.notStrictEqual(type, 'unknown');\n cert.subjects.forEach(function (id) {\n assert.strictEqual(id.type, type);\n });\n type = TYPES[type];\n buf.writeInt(type);\n\n if (sig.keyId === undefined) {\n sig.keyId = cert.subjects[0].type + '_' + (cert.subjects[0].uid || cert.subjects[0].hostname);\n }\n\n buf.writeString(sig.keyId);\n var sub = new SSHBuffer({});\n cert.subjects.forEach(function (id) {\n if (type === TYPES.host) sub.writeString(id.hostname);else if (type === TYPES.user) sub.writeString(id.uid);\n });\n buf.writeBuffer(sub.toBuffer());\n buf.writeInt64(dateToInt64(cert.validFrom));\n buf.writeInt64(dateToInt64(cert.validUntil));\n var exts = sig.exts;\n if (exts === undefined) exts = [];\n var extbuf = new SSHBuffer({});\n exts.forEach(function (ext) {\n if (ext.critical !== true) return;\n extbuf.writeString(ext.name);\n extbuf.writeBuffer(ext.data);\n });\n buf.writeBuffer(extbuf.toBuffer());\n extbuf = new SSHBuffer({});\n exts.forEach(function (ext) {\n if (ext.critical === true) return;\n extbuf.writeString(ext.name);\n extbuf.writeBuffer(ext.data);\n });\n buf.writeBuffer(extbuf.toBuffer());\n /* reserved */\n\n buf.writeBuffer(Buffer.alloc(0));\n sub = rfc4253.write(cert.issuerKey);\n buf.writeBuffer(sub);\n if (!noSig) buf.writeBuffer(sig.signature.toBuffer('ssh'));\n return buf.toBuffer();\n}\n\nfunction getAlg(certType) {\n if (certType === 'ssh-rsa-cert-v01@openssh.com') return 'rsa';\n if (certType === 'ssh-dss-cert-v01@openssh.com') return 'dsa';\n if (certType.match(ECDSA_ALGO)) return 'ecdsa';\n if (certType === 'ssh-ed25519-cert-v01@openssh.com') return 'ed25519';\n throw new Error('Unsupported cert type ' + certType);\n}\n\nfunction getCertType(key) {\n if (key.type === 'rsa') return 'ssh-rsa-cert-v01@openssh.com';\n if (key.type === 'dsa') return 'ssh-dss-cert-v01@openssh.com';\n if (key.type === 'ecdsa') return 'ecdsa-sha2-' + key.curve + '-cert-v01@openssh.com';\n if (key.type === 'ed25519') return 'ssh-ed25519-cert-v01@openssh.com';\n throw new Error('Unsupported key type ' + key.type);\n}","map":{"version":3,"sources":["/Users/tylerkoenig/Code/personal/react-scss2/node_modules/sshpk/lib/formats/openssh-cert.js"],"names":["module","exports","read","verify","sign","signAsync","write","fromBuffer","toBuffer","assert","require","SSHBuffer","crypto","Buffer","algs","Key","PrivateKey","Identity","rfc4253","Signature","utils","Certificate","cert","key","TYPES","Object","keys","forEach","k","ECDSA_ALGO","buf","options","isBuffer","toString","parts","trim","split","length","Error","algo","data","from","partial","sshbuf","buffer","innerAlgo","readString","undefined","signatures","openssh","nonce","readBuffer","type","getAlg","partCount","info","push","readPart","ok","algInfo","res","exec","strictEqual","i","name","normalize","p","mpNormalize","subjectKey","serial","readInt64","readInt","string","keyId","principals","pbuf","psshbuf","atEnd","subjects","map","pr","forUser","forHost","validFrom","int64ToDate","validUntil","exts","extbuf","ext","critical","signingKeyBuf","issuerKey","issuer","sigBuf","signature","parse","remainder","consumed","_offset","readUInt32BE","d","Date","setTime","sourceInt64","dateToInt64","date","Math","round","getTime","upper","floor","lower","alloc","writeUInt32BE","blob","e","sig","hashAlgo","signer","createSign","done","err","out","getCertType","comment","noSig","object","randomBytes","writeString","writeBuffer","part","writePart","writeInt64","notStrictEqual","id","writeInt","uid","hostname","sub","host","user","certType","match","curve"],"mappings":"AAAA;AAEAA,MAAM,CAACC,OAAP,GAAiB;AAChBC,EAAAA,IAAI,EAAEA,IADU;AAEhBC,EAAAA,MAAM,EAAEA,MAFQ;AAGhBC,EAAAA,IAAI,EAAEA,IAHU;AAIhBC,EAAAA,SAAS,EAAEA,SAJK;AAKhBC,EAAAA,KAAK,EAAEA,KALS;;AAOhB;AACAC,EAAAA,UAAU,EAAEA,UARI;AAShBC,EAAAA,QAAQ,EAAEA;AATM,CAAjB;;AAYA,IAAIC,MAAM,GAAGC,OAAO,CAAC,aAAD,CAApB;;AACA,IAAIC,SAAS,GAAGD,OAAO,CAAC,eAAD,CAAvB;;AACA,IAAIE,MAAM,GAAGF,OAAO,CAAC,QAAD,CAApB;;AACA,IAAIG,MAAM,GAAGH,OAAO,CAAC,cAAD,CAAP,CAAwBG,MAArC;;AACA,IAAIC,IAAI,GAAGJ,OAAO,CAAC,SAAD,CAAlB;;AACA,IAAIK,GAAG,GAAGL,OAAO,CAAC,QAAD,CAAjB;;AACA,IAAIM,UAAU,GAAGN,OAAO,CAAC,gBAAD,CAAxB;;AACA,IAAIO,QAAQ,GAAGP,OAAO,CAAC,aAAD,CAAtB;;AACA,IAAIQ,OAAO,GAAGR,OAAO,CAAC,WAAD,CAArB;;AACA,IAAIS,SAAS,GAAGT,OAAO,CAAC,cAAD,CAAvB;;AACA,IAAIU,KAAK,GAAGV,OAAO,CAAC,UAAD,CAAnB;;AACA,IAAIW,WAAW,GAAGX,OAAO,CAAC,gBAAD,CAAzB;;AAEA,SAASP,MAAT,CAAgBmB,IAAhB,EAAsBC,GAAtB,EAA2B;AAC1B;AACD;AACA;AACA;AACC,SAAQ,KAAR;AACA;;AAED,IAAIC,KAAK,GAAG;AACX,UAAQ,CADG;AAEX,UAAQ;AAFG,CAAZ;AAIAC,MAAM,CAACC,IAAP,CAAYF,KAAZ,EAAmBG,OAAnB,CAA2B,UAAUC,CAAV,EAAa;AAAEJ,EAAAA,KAAK,CAACA,KAAK,CAACI,CAAD,CAAN,CAAL,GAAkBA,CAAlB;AAAsB,CAAhE;AAEA,IAAIC,UAAU,GAAG,4CAAjB;;AAEA,SAAS3B,IAAT,CAAc4B,GAAd,EAAmBC,OAAnB,EAA4B;AAC3B,MAAIlB,MAAM,CAACmB,QAAP,CAAgBF,GAAhB,CAAJ,EACCA,GAAG,GAAGA,GAAG,CAACG,QAAJ,CAAa,OAAb,CAAN;AACD,MAAIC,KAAK,GAAGJ,GAAG,CAACK,IAAJ,GAAWC,KAAX,CAAiB,WAAjB,CAAZ;AACA,MAAIF,KAAK,CAACG,MAAN,GAAe,CAAf,IAAoBH,KAAK,CAACG,MAAN,GAAe,CAAvC,EACC,MAAO,IAAIC,KAAJ,CAAU,kCAAV,CAAP;AAED,MAAIC,IAAI,GAAGL,KAAK,CAAC,CAAD,CAAhB;AACA,MAAIM,IAAI,GAAGN,KAAK,CAAC,CAAD,CAAhB;AAEAM,EAAAA,IAAI,GAAG3B,MAAM,CAAC4B,IAAP,CAAYD,IAAZ,EAAkB,QAAlB,CAAP;AACA,SAAQjC,UAAU,CAACiC,IAAD,EAAOD,IAAP,CAAlB;AACA;;AAED,SAAShC,UAAT,CAAoBiC,IAApB,EAA0BD,IAA1B,EAAgCG,OAAhC,EAAyC;AACxC,MAAIC,MAAM,GAAG,IAAIhC,SAAJ,CAAc;AAAEiC,IAAAA,MAAM,EAAEJ;AAAV,GAAd,CAAb;AACA,MAAIK,SAAS,GAAGF,MAAM,CAACG,UAAP,EAAhB;AACA,MAAIP,IAAI,KAAKQ,SAAT,IAAsBF,SAAS,KAAKN,IAAxC,EACC,MAAO,IAAID,KAAJ,CAAU,oCAAV,CAAP;AACD,MAAIC,IAAI,KAAKQ,SAAb,EACCR,IAAI,GAAGM,SAAP;AAED,MAAIvB,IAAI,GAAG,EAAX;AACAA,EAAAA,IAAI,CAAC0B,UAAL,GAAkB,EAAlB;AACA1B,EAAAA,IAAI,CAAC0B,UAAL,CAAgBC,OAAhB,GAA0B,EAA1B;AAEA3B,EAAAA,IAAI,CAAC0B,UAAL,CAAgBC,OAAhB,CAAwBC,KAAxB,GAAgCP,MAAM,CAACQ,UAAP,EAAhC;AAEA,MAAI5B,GAAG,GAAG,EAAV;AACA,MAAIW,KAAK,GAAIX,GAAG,CAACW,KAAJ,GAAY,EAAzB;AACAX,EAAAA,GAAG,CAAC6B,IAAJ,GAAWC,MAAM,CAACd,IAAD,CAAjB;AAEA,MAAIe,SAAS,GAAGxC,IAAI,CAACyC,IAAL,CAAUhC,GAAG,CAAC6B,IAAd,EAAoBlB,KAApB,CAA0BG,MAA1C;;AACA,SAAOH,KAAK,CAACG,MAAN,GAAeiB,SAAtB,EACCpB,KAAK,CAACsB,IAAN,CAAWb,MAAM,CAACc,QAAP,EAAX;;AACDhD,EAAAA,MAAM,CAACiD,EAAP,CAAUxB,KAAK,CAACG,MAAN,IAAgB,CAA1B,EAA6B,iCAA7B;AAEA,MAAIsB,OAAO,GAAG7C,IAAI,CAACyC,IAAL,CAAUhC,GAAG,CAAC6B,IAAd,CAAd;;AACA,MAAI7B,GAAG,CAAC6B,IAAJ,KAAa,OAAjB,EAA0B;AACzB,QAAIQ,GAAG,GAAG/B,UAAU,CAACgC,IAAX,CAAgBtB,IAAhB,CAAV;AACA9B,IAAAA,MAAM,CAACiD,EAAP,CAAUE,GAAG,KAAK,IAAlB;AACAnD,IAAAA,MAAM,CAACqD,WAAP,CAAmBF,GAAG,CAAC,CAAD,CAAtB,EAA2B1B,KAAK,CAAC,CAAD,CAAL,CAASM,IAAT,CAAcP,QAAd,EAA3B;AACA;;AAED,OAAK,IAAI8B,CAAC,GAAG,CAAb,EAAgBA,CAAC,GAAGJ,OAAO,CAACzB,KAAR,CAAcG,MAAlC,EAA0C,EAAE0B,CAA5C,EAA+C;AAC9C7B,IAAAA,KAAK,CAAC6B,CAAD,CAAL,CAASC,IAAT,GAAgBL,OAAO,CAACzB,KAAR,CAAc6B,CAAd,CAAhB;;AACA,QAAI7B,KAAK,CAAC6B,CAAD,CAAL,CAASC,IAAT,KAAkB,OAAlB,IACAL,OAAO,CAACM,SAAR,KAAsB,KAD1B,EACiC;AAChC,UAAIC,CAAC,GAAGhC,KAAK,CAAC6B,CAAD,CAAb;AACAG,MAAAA,CAAC,CAAC1B,IAAF,GAASpB,KAAK,CAAC+C,WAAN,CAAkBD,CAAC,CAAC1B,IAApB,CAAT;AACA;AACD;;AAEDlB,EAAAA,IAAI,CAAC8C,UAAL,GAAkB,IAAIrD,GAAJ,CAAQQ,GAAR,CAAlB;AAEAD,EAAAA,IAAI,CAAC+C,MAAL,GAAc1B,MAAM,CAAC2B,SAAP,EAAd;AAEA,MAAIlB,IAAI,GAAG5B,KAAK,CAACmB,MAAM,CAAC4B,OAAP,EAAD,CAAhB;AACA9D,EAAAA,MAAM,CAAC+D,MAAP,CAAcpB,IAAd,EAAoB,iBAApB;AAEA9B,EAAAA,IAAI,CAAC0B,UAAL,CAAgBC,OAAhB,CAAwBwB,KAAxB,GAAgC9B,MAAM,CAACG,UAAP,EAAhC;AAEA,MAAI4B,UAAU,GAAG,EAAjB;AACA,MAAIC,IAAI,GAAGhC,MAAM,CAACQ,UAAP,EAAX;AACA,MAAIyB,OAAO,GAAG,IAAIjE,SAAJ,CAAc;AAAEiC,IAAAA,MAAM,EAAE+B;AAAV,GAAd,CAAd;;AACA,SAAO,CAACC,OAAO,CAACC,KAAR,EAAR,EACCH,UAAU,CAAClB,IAAX,CAAgBoB,OAAO,CAAC9B,UAAR,EAAhB;;AACD,MAAI4B,UAAU,CAACrC,MAAX,KAAsB,CAA1B,EACCqC,UAAU,GAAG,CAAC,GAAD,CAAb;AAEDpD,EAAAA,IAAI,CAACwD,QAAL,GAAgBJ,UAAU,CAACK,GAAX,CAAe,UAAUC,EAAV,EAAc;AAC5C,QAAI5B,IAAI,KAAK,MAAb,EACC,OAAQnC,QAAQ,CAACgE,OAAT,CAAiBD,EAAjB,CAAR,CADD,KAEK,IAAI5B,IAAI,KAAK,MAAb,EACJ,OAAQnC,QAAQ,CAACiE,OAAT,CAAiBF,EAAjB,CAAR;AACD,UAAO,IAAI1C,KAAJ,CAAU,2BAA2Bc,IAArC,CAAP;AACA,GANe,CAAhB;AAQA9B,EAAAA,IAAI,CAAC6D,SAAL,GAAiBC,WAAW,CAACzC,MAAM,CAAC2B,SAAP,EAAD,CAA5B;AACAhD,EAAAA,IAAI,CAAC+D,UAAL,GAAkBD,WAAW,CAACzC,MAAM,CAAC2B,SAAP,EAAD,CAA7B;AAEA,MAAIgB,IAAI,GAAG,EAAX;AACA,MAAIC,MAAM,GAAG,IAAI5E,SAAJ,CAAc;AAAEiC,IAAAA,MAAM,EAAED,MAAM,CAACQ,UAAP;AAAV,GAAd,CAAb;AACA,MAAIqC,GAAJ;;AACA,SAAO,CAACD,MAAM,CAACV,KAAP,EAAR,EAAwB;AACvBW,IAAAA,GAAG,GAAG;AAAEC,MAAAA,QAAQ,EAAE;AAAZ,KAAN;AACAD,IAAAA,GAAG,CAACxB,IAAJ,GAAWuB,MAAM,CAACzC,UAAP,EAAX;AACA0C,IAAAA,GAAG,CAAChD,IAAJ,GAAW+C,MAAM,CAACpC,UAAP,EAAX;AACAmC,IAAAA,IAAI,CAAC9B,IAAL,CAAUgC,GAAV;AACA;;AACDD,EAAAA,MAAM,GAAG,IAAI5E,SAAJ,CAAc;AAAEiC,IAAAA,MAAM,EAAED,MAAM,CAACQ,UAAP;AAAV,GAAd,CAAT;;AACA,SAAO,CAACoC,MAAM,CAACV,KAAP,EAAR,EAAwB;AACvBW,IAAAA,GAAG,GAAG;AAAEC,MAAAA,QAAQ,EAAE;AAAZ,KAAN;AACAD,IAAAA,GAAG,CAACxB,IAAJ,GAAWuB,MAAM,CAACzC,UAAP,EAAX;AACA0C,IAAAA,GAAG,CAAChD,IAAJ,GAAW+C,MAAM,CAACpC,UAAP,EAAX;AACAmC,IAAAA,IAAI,CAAC9B,IAAL,CAAUgC,GAAV;AACA;;AACDlE,EAAAA,IAAI,CAAC0B,UAAL,CAAgBC,OAAhB,CAAwBqC,IAAxB,GAA+BA,IAA/B;AAEA;;AACA3C,EAAAA,MAAM,CAACQ,UAAP;AAEA,MAAIuC,aAAa,GAAG/C,MAAM,CAACQ,UAAP,EAApB;AACA7B,EAAAA,IAAI,CAACqE,SAAL,GAAiBzE,OAAO,CAAChB,IAAR,CAAawF,aAAb,CAAjB;AAEA;AACD;AACA;AACA;AACA;;AACCpE,EAAAA,IAAI,CAACsE,MAAL,GAAc3E,QAAQ,CAACiE,OAAT,CAAiB,IAAjB,CAAd;AAEA,MAAIW,MAAM,GAAGlD,MAAM,CAACQ,UAAP,EAAb;AACA7B,EAAAA,IAAI,CAAC0B,UAAL,CAAgBC,OAAhB,CAAwB6C,SAAxB,GACI3E,SAAS,CAAC4E,KAAV,CAAgBF,MAAhB,EAAwBvE,IAAI,CAACqE,SAAL,CAAevC,IAAvC,EAA6C,KAA7C,CADJ;;AAGA,MAAIV,OAAO,KAAKK,SAAhB,EAA2B;AAC1BL,IAAAA,OAAO,CAACsD,SAAR,GAAoBrD,MAAM,CAACqD,SAAP,EAApB;AACAtD,IAAAA,OAAO,CAACuD,QAAR,GAAmBtD,MAAM,CAACuD,OAA1B;AACA;;AAED,SAAQ,IAAI7E,WAAJ,CAAgBC,IAAhB,CAAR;AACA;;AAED,SAAS8D,WAAT,CAAqBtD,GAArB,EAA0B;AACzB,MAAIiC,CAAC,GAAGjC,GAAG,CAACqE,YAAJ,CAAiB,CAAjB,IAAsB,UAA9B;AACApC,EAAAA,CAAC,IAAIjC,GAAG,CAACqE,YAAJ,CAAiB,CAAjB,CAAL;AACA,MAAIC,CAAC,GAAG,IAAIC,IAAJ,EAAR;AACAD,EAAAA,CAAC,CAACE,OAAF,CAAUvC,CAAC,GAAG,IAAd;AACAqC,EAAAA,CAAC,CAACG,WAAF,GAAgBzE,GAAhB;AACA,SAAQsE,CAAR;AACA;;AAED,SAASI,WAAT,CAAqBC,IAArB,EAA2B;AAC1B,MAAIA,IAAI,CAACF,WAAL,KAAqBxD,SAAzB,EACC,OAAQ0D,IAAI,CAACF,WAAb;AACD,MAAIxC,CAAC,GAAG2C,IAAI,CAACC,KAAL,CAAWF,IAAI,CAACG,OAAL,KAAiB,IAA5B,CAAR;AACA,MAAIC,KAAK,GAAGH,IAAI,CAACI,KAAL,CAAW/C,CAAC,GAAG,UAAf,CAAZ;AACA,MAAIgD,KAAK,GAAGL,IAAI,CAACI,KAAL,CAAW/C,CAAC,GAAG,UAAf,CAAZ;AACA,MAAIjC,GAAG,GAAGjB,MAAM,CAACmG,KAAP,CAAa,CAAb,CAAV;AACAlF,EAAAA,GAAG,CAACmF,aAAJ,CAAkBJ,KAAlB,EAAyB,CAAzB;AACA/E,EAAAA,GAAG,CAACmF,aAAJ,CAAkBF,KAAlB,EAAyB,CAAzB;AACA,SAAQjF,GAAR;AACA;;AAED,SAAS1B,IAAT,CAAckB,IAAd,EAAoBC,GAApB,EAAyB;AACxB,MAAID,IAAI,CAAC0B,UAAL,CAAgBC,OAAhB,KAA4BF,SAAhC,EACCzB,IAAI,CAAC0B,UAAL,CAAgBC,OAAhB,GAA0B,EAA1B;;AACD,MAAI;AACH,QAAIiE,IAAI,GAAG1G,QAAQ,CAACc,IAAD,EAAO,IAAP,CAAnB;AACA,GAFD,CAEE,OAAO6F,CAAP,EAAU;AACX,WAAQ7F,IAAI,CAAC0B,UAAL,CAAgBC,OAAxB;AACA,WAAQ,KAAR;AACA;;AACD,MAAImE,GAAG,GAAG9F,IAAI,CAAC0B,UAAL,CAAgBC,OAA1B;AACA,MAAIoE,QAAQ,GAAGtE,SAAf;AACA,MAAIxB,GAAG,CAAC6B,IAAJ,KAAa,KAAb,IAAsB7B,GAAG,CAAC6B,IAAJ,KAAa,KAAvC,EACCiE,QAAQ,GAAG,MAAX;AACD,MAAIC,MAAM,GAAG/F,GAAG,CAACgG,UAAJ,CAAeF,QAAf,CAAb;AACAC,EAAAA,MAAM,CAAChH,KAAP,CAAa4G,IAAb;AACAE,EAAAA,GAAG,CAACtB,SAAJ,GAAgBwB,MAAM,CAAClH,IAAP,EAAhB;AACA,SAAQ,IAAR;AACA;;AAED,SAASC,SAAT,CAAmBiB,IAAnB,EAAyBgG,MAAzB,EAAiCE,IAAjC,EAAuC;AACtC,MAAIlG,IAAI,CAAC0B,UAAL,CAAgBC,OAAhB,KAA4BF,SAAhC,EACCzB,IAAI,CAAC0B,UAAL,CAAgBC,OAAhB,GAA0B,EAA1B;;AACD,MAAI;AACH,QAAIiE,IAAI,GAAG1G,QAAQ,CAACc,IAAD,EAAO,IAAP,CAAnB;AACA,GAFD,CAEE,OAAO6F,CAAP,EAAU;AACX,WAAQ7F,IAAI,CAAC0B,UAAL,CAAgBC,OAAxB;AACAuE,IAAAA,IAAI,CAACL,CAAD,CAAJ;AACA;AACA;;AACD,MAAIC,GAAG,GAAG9F,IAAI,CAAC0B,UAAL,CAAgBC,OAA1B;AAEAqE,EAAAA,MAAM,CAACJ,IAAD,EAAO,UAAUO,GAAV,EAAe3B,SAAf,EAA0B;AACtC,QAAI2B,GAAJ,EAAS;AACRD,MAAAA,IAAI,CAACC,GAAD,CAAJ;AACA;AACA;;AACD,QAAI;AACH;AACH;AACA;AACA;AACG3B,MAAAA,SAAS,CAACtF,QAAV,CAAmB,KAAnB;AACA,KAND,CAME,OAAO2G,CAAP,EAAU;AACXK,MAAAA,IAAI,CAACL,CAAD,CAAJ;AACA;AACA;;AACDC,IAAAA,GAAG,CAACtB,SAAJ,GAAgBA,SAAhB;AACA0B,IAAAA,IAAI;AACJ,GAjBK,CAAN;AAkBA;;AAED,SAASlH,KAAT,CAAegB,IAAf,EAAqBS,OAArB,EAA8B;AAC7B,MAAIA,OAAO,KAAKgB,SAAhB,EACChB,OAAO,GAAG,EAAV;AAED,MAAImF,IAAI,GAAG1G,QAAQ,CAACc,IAAD,CAAnB;AACA,MAAIoG,GAAG,GAAGC,WAAW,CAACrG,IAAI,CAAC8C,UAAN,CAAX,GAA+B,GAA/B,GAAqC8C,IAAI,CAACjF,QAAL,CAAc,QAAd,CAA/C;AACA,MAAIF,OAAO,CAAC6F,OAAZ,EACCF,GAAG,GAAGA,GAAG,GAAG,GAAN,GAAY3F,OAAO,CAAC6F,OAA1B;AACD,SAAQF,GAAR;AACA;;AAGD,SAASlH,QAAT,CAAkBc,IAAlB,EAAwBuG,KAAxB,EAA+B;AAC9BpH,EAAAA,MAAM,CAACqH,MAAP,CAAcxG,IAAI,CAAC0B,UAAL,CAAgBC,OAA9B,EAAuC,8BAAvC;AACA,MAAImE,GAAG,GAAG9F,IAAI,CAAC0B,UAAL,CAAgBC,OAA1B;AAEA,MAAImE,GAAG,CAAClE,KAAJ,KAAcH,SAAlB,EACCqE,GAAG,CAAClE,KAAJ,GAAYtC,MAAM,CAACmH,WAAP,CAAmB,EAAnB,CAAZ;AACD,MAAIjG,GAAG,GAAG,IAAInB,SAAJ,CAAc,EAAd,CAAV;AACAmB,EAAAA,GAAG,CAACkG,WAAJ,CAAgBL,WAAW,CAACrG,IAAI,CAAC8C,UAAN,CAA3B;AACAtC,EAAAA,GAAG,CAACmG,WAAJ,CAAgBb,GAAG,CAAClE,KAApB;AAEA,MAAI3B,GAAG,GAAGD,IAAI,CAAC8C,UAAf;AACA,MAAIT,OAAO,GAAG7C,IAAI,CAACyC,IAAL,CAAUhC,GAAG,CAAC6B,IAAd,CAAd;AACAO,EAAAA,OAAO,CAACzB,KAAR,CAAcP,OAAd,CAAsB,UAAUuG,IAAV,EAAgB;AACrCpG,IAAAA,GAAG,CAACqG,SAAJ,CAAc5G,GAAG,CAAC2G,IAAJ,CAASA,IAAT,CAAd;AACA,GAFD;AAIApG,EAAAA,GAAG,CAACsG,UAAJ,CAAe9G,IAAI,CAAC+C,MAApB;AAEA,MAAIjB,IAAI,GAAG9B,IAAI,CAACwD,QAAL,CAAc,CAAd,EAAiB1B,IAA5B;AACA3C,EAAAA,MAAM,CAAC4H,cAAP,CAAsBjF,IAAtB,EAA4B,SAA5B;AACA9B,EAAAA,IAAI,CAACwD,QAAL,CAAcnD,OAAd,CAAsB,UAAU2G,EAAV,EAAc;AACnC7H,IAAAA,MAAM,CAACqD,WAAP,CAAmBwE,EAAE,CAAClF,IAAtB,EAA4BA,IAA5B;AACA,GAFD;AAGAA,EAAAA,IAAI,GAAG5B,KAAK,CAAC4B,IAAD,CAAZ;AACAtB,EAAAA,GAAG,CAACyG,QAAJ,CAAanF,IAAb;;AAEA,MAAIgE,GAAG,CAAC3C,KAAJ,KAAc1B,SAAlB,EAA6B;AAC5BqE,IAAAA,GAAG,CAAC3C,KAAJ,GAAYnD,IAAI,CAACwD,QAAL,CAAc,CAAd,EAAiB1B,IAAjB,GAAwB,GAAxB,IACP9B,IAAI,CAACwD,QAAL,CAAc,CAAd,EAAiB0D,GAAjB,IAAwBlH,IAAI,CAACwD,QAAL,CAAc,CAAd,EAAiB2D,QADlC,CAAZ;AAEA;;AACD3G,EAAAA,GAAG,CAACkG,WAAJ,CAAgBZ,GAAG,CAAC3C,KAApB;AAEA,MAAIiE,GAAG,GAAG,IAAI/H,SAAJ,CAAc,EAAd,CAAV;AACAW,EAAAA,IAAI,CAACwD,QAAL,CAAcnD,OAAd,CAAsB,UAAU2G,EAAV,EAAc;AACnC,QAAIlF,IAAI,KAAK5B,KAAK,CAACmH,IAAnB,EACCD,GAAG,CAACV,WAAJ,CAAgBM,EAAE,CAACG,QAAnB,EADD,KAEK,IAAIrF,IAAI,KAAK5B,KAAK,CAACoH,IAAnB,EACJF,GAAG,CAACV,WAAJ,CAAgBM,EAAE,CAACE,GAAnB;AACD,GALD;AAMA1G,EAAAA,GAAG,CAACmG,WAAJ,CAAgBS,GAAG,CAAClI,QAAJ,EAAhB;AAEAsB,EAAAA,GAAG,CAACsG,UAAJ,CAAe5B,WAAW,CAAClF,IAAI,CAAC6D,SAAN,CAA1B;AACArD,EAAAA,GAAG,CAACsG,UAAJ,CAAe5B,WAAW,CAAClF,IAAI,CAAC+D,UAAN,CAA1B;AAEA,MAAIC,IAAI,GAAG8B,GAAG,CAAC9B,IAAf;AACA,MAAIA,IAAI,KAAKvC,SAAb,EACCuC,IAAI,GAAG,EAAP;AAED,MAAIC,MAAM,GAAG,IAAI5E,SAAJ,CAAc,EAAd,CAAb;AACA2E,EAAAA,IAAI,CAAC3D,OAAL,CAAa,UAAU6D,GAAV,EAAe;AAC3B,QAAIA,GAAG,CAACC,QAAJ,KAAiB,IAArB,EACC;AACDF,IAAAA,MAAM,CAACyC,WAAP,CAAmBxC,GAAG,CAACxB,IAAvB;AACAuB,IAAAA,MAAM,CAAC0C,WAAP,CAAmBzC,GAAG,CAAChD,IAAvB;AACA,GALD;AAMAV,EAAAA,GAAG,CAACmG,WAAJ,CAAgB1C,MAAM,CAAC/E,QAAP,EAAhB;AAEA+E,EAAAA,MAAM,GAAG,IAAI5E,SAAJ,CAAc,EAAd,CAAT;AACA2E,EAAAA,IAAI,CAAC3D,OAAL,CAAa,UAAU6D,GAAV,EAAe;AAC3B,QAAIA,GAAG,CAACC,QAAJ,KAAiB,IAArB,EACC;AACDF,IAAAA,MAAM,CAACyC,WAAP,CAAmBxC,GAAG,CAACxB,IAAvB;AACAuB,IAAAA,MAAM,CAAC0C,WAAP,CAAmBzC,GAAG,CAAChD,IAAvB;AACA,GALD;AAMAV,EAAAA,GAAG,CAACmG,WAAJ,CAAgB1C,MAAM,CAAC/E,QAAP,EAAhB;AAEA;;AACAsB,EAAAA,GAAG,CAACmG,WAAJ,CAAgBpH,MAAM,CAACmG,KAAP,CAAa,CAAb,CAAhB;AAEA0B,EAAAA,GAAG,GAAGxH,OAAO,CAACZ,KAAR,CAAcgB,IAAI,CAACqE,SAAnB,CAAN;AACA7D,EAAAA,GAAG,CAACmG,WAAJ,CAAgBS,GAAhB;AAEA,MAAI,CAACb,KAAL,EACC/F,GAAG,CAACmG,WAAJ,CAAgBb,GAAG,CAACtB,SAAJ,CAActF,QAAd,CAAuB,KAAvB,CAAhB;AAED,SAAQsB,GAAG,CAACtB,QAAJ,EAAR;AACA;;AAED,SAAS6C,MAAT,CAAgBwF,QAAhB,EAA0B;AACzB,MAAIA,QAAQ,KAAK,8BAAjB,EACC,OAAQ,KAAR;AACD,MAAIA,QAAQ,KAAK,8BAAjB,EACC,OAAQ,KAAR;AACD,MAAIA,QAAQ,CAACC,KAAT,CAAejH,UAAf,CAAJ,EACC,OAAQ,OAAR;AACD,MAAIgH,QAAQ,KAAK,kCAAjB,EACC,OAAQ,SAAR;AACD,QAAO,IAAIvG,KAAJ,CAAU,2BAA2BuG,QAArC,CAAP;AACA;;AAED,SAASlB,WAAT,CAAqBpG,GAArB,EAA0B;AACzB,MAAIA,GAAG,CAAC6B,IAAJ,KAAa,KAAjB,EACC,OAAQ,8BAAR;AACD,MAAI7B,GAAG,CAAC6B,IAAJ,KAAa,KAAjB,EACC,OAAQ,8BAAR;AACD,MAAI7B,GAAG,CAAC6B,IAAJ,KAAa,OAAjB,EACC,OAAQ,gBAAgB7B,GAAG,CAACwH,KAApB,GAA4B,uBAApC;AACD,MAAIxH,GAAG,CAAC6B,IAAJ,KAAa,SAAjB,EACC,OAAQ,kCAAR;AACD,QAAO,IAAId,KAAJ,CAAU,0BAA0Bf,GAAG,CAAC6B,IAAxC,CAAP;AACA","sourcesContent":["// Copyright 2017 Joyent, Inc.\n\nmodule.exports = {\n\tread: read,\n\tverify: verify,\n\tsign: sign,\n\tsignAsync: signAsync,\n\twrite: write,\n\n\t/* Internal private API */\n\tfromBuffer: fromBuffer,\n\ttoBuffer: toBuffer\n};\n\nvar assert = require('assert-plus');\nvar SSHBuffer = require('../ssh-buffer');\nvar crypto = require('crypto');\nvar Buffer = require('safer-buffer').Buffer;\nvar algs = require('../algs');\nvar Key = require('../key');\nvar PrivateKey = require('../private-key');\nvar Identity = require('../identity');\nvar rfc4253 = require('./rfc4253');\nvar Signature = require('../signature');\nvar utils = require('../utils');\nvar Certificate = require('../certificate');\n\nfunction verify(cert, key) {\n\t/*\n\t * We always give an issuerKey, so if our verify() is being called then\n\t * there was no signature. Return false.\n\t */\n\treturn (false);\n}\n\nvar TYPES = {\n\t'user': 1,\n\t'host': 2\n};\nObject.keys(TYPES).forEach(function (k) { TYPES[TYPES[k]] = k; });\n\nvar ECDSA_ALGO = /^ecdsa-sha2-([^@-]+)-cert-v01@openssh.com$/;\n\nfunction read(buf, options) {\n\tif (Buffer.isBuffer(buf))\n\t\tbuf = buf.toString('ascii');\n\tvar parts = buf.trim().split(/[ \\t\\n]+/g);\n\tif (parts.length < 2 || parts.length > 3)\n\t\tthrow (new Error('Not a valid SSH certificate line'));\n\n\tvar algo = parts[0];\n\tvar data = parts[1];\n\n\tdata = Buffer.from(data, 'base64');\n\treturn (fromBuffer(data, algo));\n}\n\nfunction fromBuffer(data, algo, partial) {\n\tvar sshbuf = new SSHBuffer({ buffer: data });\n\tvar innerAlgo = sshbuf.readString();\n\tif (algo !== undefined && innerAlgo !== algo)\n\t\tthrow (new Error('SSH certificate algorithm mismatch'));\n\tif (algo === undefined)\n\t\talgo = innerAlgo;\n\n\tvar cert = {};\n\tcert.signatures = {};\n\tcert.signatures.openssh = {};\n\n\tcert.signatures.openssh.nonce = sshbuf.readBuffer();\n\n\tvar key = {};\n\tvar parts = (key.parts = []);\n\tkey.type = getAlg(algo);\n\n\tvar partCount = algs.info[key.type].parts.length;\n\twhile (parts.length < partCount)\n\t\tparts.push(sshbuf.readPart());\n\tassert.ok(parts.length >= 1, 'key must have at least one part');\n\n\tvar algInfo = algs.info[key.type];\n\tif (key.type === 'ecdsa') {\n\t\tvar res = ECDSA_ALGO.exec(algo);\n\t\tassert.ok(res !== null);\n\t\tassert.strictEqual(res[1], parts[0].data.toString());\n\t}\n\n\tfor (var i = 0; i < algInfo.parts.length; ++i) {\n\t\tparts[i].name = algInfo.parts[i];\n\t\tif (parts[i].name !== 'curve' &&\n\t\t algInfo.normalize !== false) {\n\t\t\tvar p = parts[i];\n\t\t\tp.data = utils.mpNormalize(p.data);\n\t\t}\n\t}\n\n\tcert.subjectKey = new Key(key);\n\n\tcert.serial = sshbuf.readInt64();\n\n\tvar type = TYPES[sshbuf.readInt()];\n\tassert.string(type, 'valid cert type');\n\n\tcert.signatures.openssh.keyId = sshbuf.readString();\n\n\tvar principals = [];\n\tvar pbuf = sshbuf.readBuffer();\n\tvar psshbuf = new SSHBuffer({ buffer: pbuf });\n\twhile (!psshbuf.atEnd())\n\t\tprincipals.push(psshbuf.readString());\n\tif (principals.length === 0)\n\t\tprincipals = ['*'];\n\n\tcert.subjects = principals.map(function (pr) {\n\t\tif (type === 'user')\n\t\t\treturn (Identity.forUser(pr));\n\t\telse if (type === 'host')\n\t\t\treturn (Identity.forHost(pr));\n\t\tthrow (new Error('Unknown identity type ' + type));\n\t});\n\n\tcert.validFrom = int64ToDate(sshbuf.readInt64());\n\tcert.validUntil = int64ToDate(sshbuf.readInt64());\n\n\tvar exts = [];\n\tvar extbuf = new SSHBuffer({ buffer: sshbuf.readBuffer() });\n\tvar ext;\n\twhile (!extbuf.atEnd()) {\n\t\text = { critical: true };\n\t\text.name = extbuf.readString();\n\t\text.data = extbuf.readBuffer();\n\t\texts.push(ext);\n\t}\n\textbuf = new SSHBuffer({ buffer: sshbuf.readBuffer() });\n\twhile (!extbuf.atEnd()) {\n\t\text = { critical: false };\n\t\text.name = extbuf.readString();\n\t\text.data = extbuf.readBuffer();\n\t\texts.push(ext);\n\t}\n\tcert.signatures.openssh.exts = exts;\n\n\t/* reserved */\n\tsshbuf.readBuffer();\n\n\tvar signingKeyBuf = sshbuf.readBuffer();\n\tcert.issuerKey = rfc4253.read(signingKeyBuf);\n\n\t/*\n\t * OpenSSH certs don't give the identity of the issuer, just their\n\t * public key. So, we use an Identity that matches anything. The\n\t * isSignedBy() function will later tell you if the key matches.\n\t */\n\tcert.issuer = Identity.forHost('**');\n\n\tvar sigBuf = sshbuf.readBuffer();\n\tcert.signatures.openssh.signature =\n\t Signature.parse(sigBuf, cert.issuerKey.type, 'ssh');\n\n\tif (partial !== undefined) {\n\t\tpartial.remainder = sshbuf.remainder();\n\t\tpartial.consumed = sshbuf._offset;\n\t}\n\n\treturn (new Certificate(cert));\n}\n\nfunction int64ToDate(buf) {\n\tvar i = buf.readUInt32BE(0) * 4294967296;\n\ti += buf.readUInt32BE(4);\n\tvar d = new Date();\n\td.setTime(i * 1000);\n\td.sourceInt64 = buf;\n\treturn (d);\n}\n\nfunction dateToInt64(date) {\n\tif (date.sourceInt64 !== undefined)\n\t\treturn (date.sourceInt64);\n\tvar i = Math.round(date.getTime() / 1000);\n\tvar upper = Math.floor(i / 4294967296);\n\tvar lower = Math.floor(i % 4294967296);\n\tvar buf = Buffer.alloc(8);\n\tbuf.writeUInt32BE(upper, 0);\n\tbuf.writeUInt32BE(lower, 4);\n\treturn (buf);\n}\n\nfunction sign(cert, key) {\n\tif (cert.signatures.openssh === undefined)\n\t\tcert.signatures.openssh = {};\n\ttry {\n\t\tvar blob = toBuffer(cert, true);\n\t} catch (e) {\n\t\tdelete (cert.signatures.openssh);\n\t\treturn (false);\n\t}\n\tvar sig = cert.signatures.openssh;\n\tvar hashAlgo = undefined;\n\tif (key.type === 'rsa' || key.type === 'dsa')\n\t\thashAlgo = 'sha1';\n\tvar signer = key.createSign(hashAlgo);\n\tsigner.write(blob);\n\tsig.signature = signer.sign();\n\treturn (true);\n}\n\nfunction signAsync(cert, signer, done) {\n\tif (cert.signatures.openssh === undefined)\n\t\tcert.signatures.openssh = {};\n\ttry {\n\t\tvar blob = toBuffer(cert, true);\n\t} catch (e) {\n\t\tdelete (cert.signatures.openssh);\n\t\tdone(e);\n\t\treturn;\n\t}\n\tvar sig = cert.signatures.openssh;\n\n\tsigner(blob, function (err, signature) {\n\t\tif (err) {\n\t\t\tdone(err);\n\t\t\treturn;\n\t\t}\n\t\ttry {\n\t\t\t/*\n\t\t\t * This will throw if the signature isn't of a\n\t\t\t * type/algo that can be used for SSH.\n\t\t\t */\n\t\t\tsignature.toBuffer('ssh');\n\t\t} catch (e) {\n\t\t\tdone(e);\n\t\t\treturn;\n\t\t}\n\t\tsig.signature = signature;\n\t\tdone();\n\t});\n}\n\nfunction write(cert, options) {\n\tif (options === undefined)\n\t\toptions = {};\n\n\tvar blob = toBuffer(cert);\n\tvar out = getCertType(cert.subjectKey) + ' ' + blob.toString('base64');\n\tif (options.comment)\n\t\tout = out + ' ' + options.comment;\n\treturn (out);\n}\n\n\nfunction toBuffer(cert, noSig) {\n\tassert.object(cert.signatures.openssh, 'signature for openssh format');\n\tvar sig = cert.signatures.openssh;\n\n\tif (sig.nonce === undefined)\n\t\tsig.nonce = crypto.randomBytes(16);\n\tvar buf = new SSHBuffer({});\n\tbuf.writeString(getCertType(cert.subjectKey));\n\tbuf.writeBuffer(sig.nonce);\n\n\tvar key = cert.subjectKey;\n\tvar algInfo = algs.info[key.type];\n\talgInfo.parts.forEach(function (part) {\n\t\tbuf.writePart(key.part[part]);\n\t});\n\n\tbuf.writeInt64(cert.serial);\n\n\tvar type = cert.subjects[0].type;\n\tassert.notStrictEqual(type, 'unknown');\n\tcert.subjects.forEach(function (id) {\n\t\tassert.strictEqual(id.type, type);\n\t});\n\ttype = TYPES[type];\n\tbuf.writeInt(type);\n\n\tif (sig.keyId === undefined) {\n\t\tsig.keyId = cert.subjects[0].type + '_' +\n\t\t (cert.subjects[0].uid || cert.subjects[0].hostname);\n\t}\n\tbuf.writeString(sig.keyId);\n\n\tvar sub = new SSHBuffer({});\n\tcert.subjects.forEach(function (id) {\n\t\tif (type === TYPES.host)\n\t\t\tsub.writeString(id.hostname);\n\t\telse if (type === TYPES.user)\n\t\t\tsub.writeString(id.uid);\n\t});\n\tbuf.writeBuffer(sub.toBuffer());\n\n\tbuf.writeInt64(dateToInt64(cert.validFrom));\n\tbuf.writeInt64(dateToInt64(cert.validUntil));\n\n\tvar exts = sig.exts;\n\tif (exts === undefined)\n\t\texts = [];\n\n\tvar extbuf = new SSHBuffer({});\n\texts.forEach(function (ext) {\n\t\tif (ext.critical !== true)\n\t\t\treturn;\n\t\textbuf.writeString(ext.name);\n\t\textbuf.writeBuffer(ext.data);\n\t});\n\tbuf.writeBuffer(extbuf.toBuffer());\n\n\textbuf = new SSHBuffer({});\n\texts.forEach(function (ext) {\n\t\tif (ext.critical === true)\n\t\t\treturn;\n\t\textbuf.writeString(ext.name);\n\t\textbuf.writeBuffer(ext.data);\n\t});\n\tbuf.writeBuffer(extbuf.toBuffer());\n\n\t/* reserved */\n\tbuf.writeBuffer(Buffer.alloc(0));\n\n\tsub = rfc4253.write(cert.issuerKey);\n\tbuf.writeBuffer(sub);\n\n\tif (!noSig)\n\t\tbuf.writeBuffer(sig.signature.toBuffer('ssh'));\n\n\treturn (buf.toBuffer());\n}\n\nfunction getAlg(certType) {\n\tif (certType === 'ssh-rsa-cert-v01@openssh.com')\n\t\treturn ('rsa');\n\tif (certType === 'ssh-dss-cert-v01@openssh.com')\n\t\treturn ('dsa');\n\tif (certType.match(ECDSA_ALGO))\n\t\treturn ('ecdsa');\n\tif (certType === 'ssh-ed25519-cert-v01@openssh.com')\n\t\treturn ('ed25519');\n\tthrow (new Error('Unsupported cert type ' + certType));\n}\n\nfunction getCertType(key) {\n\tif (key.type === 'rsa')\n\t\treturn ('ssh-rsa-cert-v01@openssh.com');\n\tif (key.type === 'dsa')\n\t\treturn ('ssh-dss-cert-v01@openssh.com');\n\tif (key.type === 'ecdsa')\n\t\treturn ('ecdsa-sha2-' + key.curve + '-cert-v01@openssh.com');\n\tif (key.type === 'ed25519')\n\t\treturn ('ssh-ed25519-cert-v01@openssh.com');\n\tthrow (new Error('Unsupported key type ' + key.type));\n}\n"]},"metadata":{},"sourceType":"script"} |