diff --git a/lib/jwk/import.js b/lib/jwk/import.js
index d283cdbafb..dd1953893f 100644
--- a/lib/jwk/import.js
+++ b/lib/jwk/import.js
@@ -26,6 +26,8 @@ const mergedParameters = (target = {}, source = {}) => {
 }
 }
+const openSSHpublicKey = /^[a-zA-Z0-9-]+ (?:[a-zA-Z0-9+/])*(?:==|=)?(?: .*)?$/
+
 const asKey = (key, parameters, { calculateMissingRSAPrimes = false } = {}) => {
 let privateKey, publicKey, secret
@@ -98,7 +100,7 @@ const asKey = (key, parameters, { calculateMissingRSAPrimes = false } = {}) => {
 try {
 // this is to filter out invalid PEM keys and certs, i'll rather have them fail import then
 // have them imported as symmetric "oct" keys
- if (!key.includes('-----BEGIN')) {
+ if (!key.includes('-----BEGIN') && !openSSHpublicKey.test(key.toString('ascii').replace(/[\r\n]/g, ''))) {
 secret = createSecretKey(Buffer.isBuffer(key) ? key : Buffer.from(key))
 }
 } catch (err) {}
diff --git a/test/jwk/oct.test.js b/test/jwk/oct.test.js
index 1edb7b2174..1bbba1ef9b 100644
--- a/test/jwk/oct.test.js
+++ b/test/jwk/oct.test.js
@@ -1,4 +1,5 @@
 const test = require('ava')
+const { EOL } = require('os')
 const { createSecretKey } = require('../../lib/help/key_object')
 const { hasProperty, hasNoProperties } = require('../macros')
 
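Review bot: The `openSSHpublicKey` regex added in the first hunk and applied in the second (`if (!key.includes('-----BEGIN') && !openSSHpublicKey.test(...))`) accepts far more than OpenSSH public keys: `[a-zA-Z0-9-]+` matches any word and the base64 group may be empty, so an ordinary passphrase such as `my secret passphrase` (constructed example) now also stops being imported as an `oct` key, which is a silent behaviour change for existing callers. Anchoring on what every OpenSSH public key line shares would narrow it without losing the cases the tests cover: the base64 field always begins with `AAAA` because the blob starts with the 4-byte big-endian length of the key-type string, e.g. `/^[a-zA-Z0-9-]+ AAAA[a-zA-Z0-9+/]+={0,2}(?: .*)?$/`. In the other direction, the type class excludes `@` and `.`, so FIDO key types of the form `sk-…@openssh.com` still fall through to the `oct` path. A one-line comment above the constant saying what it is meant to reject (`// OpenSSH public key line "<type> <base64 blob> [comment]"; must not be silently imported as an oct secret`) would also help, since the name alone does not explain why it guards the fallback. The enclosing `asKey` body continues outside both hunks.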
@@ -172,3 +173,34 @@ test('they may be imported so long as there was no k', t => {
 })
 }, { instanceOf: errors.JWKImportFailed, message: 'key import failed' })
 })
+
+;[
+ 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6ZsprTWFF+fOG0mrdIQ+HxXnb5pAazkvSff1d49tgc73VKkrStsNSq9ss3j65p6gn6un8DZht0zP58iMqgK9YjfTC1OOGKFCtXzJsY9XwhFoSvhaI0iC2NH+aGu8OFfYXiQs/UZGe9acvFgViTSa/qYvh3NYTVPPf4EaaUndMIVz6scwuPji4w/n5dYXk5PF58k0Dq52ID6yQVk2QBRf8JcL+dPy3YztPTB2kcu7e0N9VopC5Qq2TsCb2H9ooHlgMerJ0WjlCv1ADC/8I+Cj7K1dj/3dcrMK/YR+2Muey5aQufPWoxtFpUv/2ieIAi19hhLeUOZbOlkwD/k/DO9Ht panva@local',
+ 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJS61dYMKR7grCcg2wLzkQZs4ok5VVZ6Oc+TlOSrz6s5WLl4WdN2hPCpYs/PtbyGcW0a8CAEKik3guStuMGCN1I= panva@local',
+ 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5wJKRxgAdYUPm7gfP9eP4MKnWahgALTRDgMHt0VMj7 panva@local',
+ `-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW`
+].forEach((openSSH, i, { length }) => {
+ test(`openssh keys do not fall through to oct keys ${i + 1}/${length}`, t => {
+ // strings
+ t.throws(() => {
+ asKey(openSSH)
+ }, { instanceOf: errors.JWKImportFailed, message: 'key import failed' })
+ t.throws(() => {
+ asKey(openSSH.replace(' panva@local', ''))
+ }, { instanceOf: errors.JWKImportFailed, message: 'key import failed' })
+ t.throws(() => {
+ asKey(openSSH.match(/.{1,64}/g).join(EOL))
+ }, { instanceOf: errors.JWKImportFailed, message: 'key import failed' })
+ // buffers
+ t.throws(() => {
+ asKey(Buffer.from(openSSH))
+ }, { instanceOf: errors.JWKImportFailed, message: 'key import failed' })
+ t.throws(() => {
+ asKey(Buffer.from(openSSH.replace(' panva@local', '')))
+ }, { instanceOf: errors.JWKImportFailed, message: 'key import failed' })
+ t.throws(() => {
+ asKey(Buffer.from(openSSH.match(/.{1,64}/g).join(EOL)))
+ }, { instanceOf: errors.JWKImportFailed, message: 'key import failed' })
+ })
+})
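Review bot: The new cases only assert rejection; there is no positive control showing that a legitimate symmetric secret is still imported as `oct` after the regex guard, so an over-broad pattern in `lib/jwk/import.js` would pass this suite unnoticed. One `t.notThrows(() => { asKey('my secret passphrase') })` check (constructed value, chosen because it contains spaces) placed alongside these would pin that boundary, and if I read the regex correctly that input currently matches it, which the added assertion would surface. `asKey` and `errors` are referenced here but brought into scope outside the hunk, presumably by earlier `require` lines.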