Patch net-ssh for ecdsa private keys

This patches net-ssh so it will properly handle loading and using ecdsa private keys. Patching is restricted to tested versions.
2024-01-10 11:50:56 -08:00 · 2024-01-10 11:50:56 -08:00 · 2d5c9c0d12
commit 2d5c9c0d12
parent 96f2039bcd
2 changed files with 77 additions and 0 deletions
--- a/lib/vagrant.rb
+++ b/lib/vagrant.rb
@ -5,6 +5,7 @@ require "log4r"

 # Add patches to log4r to support trace level
 require "vagrant/patches/log4r"
+require "vagrant/patches/net-ssh"
 # Set our log levels and include trace
 require 'log4r/configurator'
 Log4r::Configurator.custom_levels(*(["TRACE"] + Log4r::Log4rConfig::LogLevels))
--- a/lib/vagrant/patches/net-ssh.rb
+++ b/lib/vagrant/patches/net-ssh.rb
@ -0,0 +1,76 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+require "net/ssh"
+require "net/ssh/buffer"
+
+# Set the version requirement for when net-ssh should be patched
+NET_SSH_PATCH_REQUIREMENT = Gem::Requirement.new(">= 7.0.0", "< 7.2.2")
+
+# This patch provides support for properly loading ECDSA private keys
+if NET_SSH_PATCH_REQUIREMENT.satisfied_by?(Gem::Version.new(Net::SSH::Version::STRING))
+  Net::SSH::Buffer.class_eval do
+    def vagrant_read_private_keyblob(type)
+      case type
+      when /^ecdsa\-sha2\-(\w*)$/
+        curve_name_in_type = $1
+        curve_name_in_key = read_string
+
+        unless curve_name_in_type == curve_name_in_key
+          raise Net::SSH::Exception, "curve name mismatched (`#{curve_name_in_key}' with `#{curve_name_in_type}')"
+        end
+
+        public_key_oct = read_string
+        priv_key_bignum = read_bignum
+        begin
+          curvename = OpenSSL::PKey::EC::CurveNameAlias[curve_name_in_key]
+          group = OpenSSL::PKey::EC::Group.new(curvename)
+          point = OpenSSL::PKey::EC::Point.new(group, OpenSSL::BN.new(public_key_oct, 2))
+          priv_bn = OpenSSL::BN.new(priv_key_bignum, 2)
+          asn1 = OpenSSL::ASN1::Sequence(
+            [
+              OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(0)),
+              OpenSSL::ASN1::Sequence.new(
+                [
+                  OpenSSL::ASN1::ObjectId("id-ecPublicKey"),
+                  OpenSSL::ASN1::ObjectId(curvename)
+                ]
+              ),
+              OpenSSL::ASN1::OctetString.new(
+                OpenSSL::ASN1::Sequence.new(
+                  [
+                    OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(1)),
+                    OpenSSL::ASN1::OctetString.new(priv_bn.to_s(2)),
+                    OpenSSL::ASN1::ASN1Data.new(
+                      [
+                        OpenSSL::ASN1::BitString.new(point.to_octet_string(:uncompressed)),
+                      ], 1, :CONTEXT_SPECIFIC,
+                    )
+                  ]
+                ).to_der
+              )
+            ]
+          )
+
+          key = OpenSSL::PKey::EC.new(asn1.to_der)
+
+          return key
+        rescue OpenSSL::PKey::ECError
+          raise NotImplementedError, "unsupported key type `#{type}'"
+        end
+      else
+        netssh_read_private_keyblob(type)
+      end
+    end
+
+    alias_method :netssh_read_private_keyblob, :read_private_keyblob
+    alias_method :read_private_keyblob, :vagrant_read_private_keyblob
+  end
+
+  OpenSSL::PKey::EC::Point.class_eval do
+    include Net::SSH::Authentication::PubKeyFingerprint
+    def to_pem
+      "#{ssh_type} #{self.to_bn.to_s(2)}"
+    end
+  end
+end