1 files changed, 117 insertions, 6 deletions

diff --git a/lib/leap_cli/ssh/key.rb b/lib/leap_cli/ssh/key.rb
index ad1ecf15..76223b7e 100644
--- a/lib/leap_cli/ssh/key.rb
+++ b/lib/leap_cli/ssh/key.rb
@@ -2,12 +2,34 @@
 # A wrapper around OpenSSL::PKey::RSA instances to provide a better api for
 # dealing with SSH keys.
 #
-# NOTE: cipher 'ssh-ed25519' not supported yet because we are waiting
+# NOTES:
+#
+# cipher 'ssh-ed25519' not supported yet because we are waiting
 # for support in Net::SSH
 #
+# there are many ways to represent an SSH key, since SSH keys can be of
+# a variety of types.
+#
+# To confuse matters more, there are multiple binary representations.
+# So, for example, an RSA key has a native SSH representation
+# (two bignums, e followed by n), and a DER representation.
+#
+# AWS uses fingerprints of the DER representation, but SSH typically reports
+# fingerprints of the SSH representation.
+#
+# Also, SSH public key files are base64 encoded, but with whitespace removed
+# so it all goes on one line.
+#
+# Some useful links:
+#
+# https://stackoverflow.com/questions/3162155/convert-rsa-public-key-to-rsa-der
+# https://net-ssh.github.io/ssh/v2/api/classes/Net/SSH/Buffer.html
+# https://serverfault.com/questions/603982/why-does-my-openssh-key-fingerprint-not-match-the-aws-ec2-console-keypair-finger
+#
 
 require 'net/ssh'
 require 'forwardable'
+require 'base64'
 
 module LeapCli
   module SSH
@@ -72,6 +94,14 @@ module LeapCli
         public_key || private_key
       end
 
+      def self.my_public_keys
+        load_keys_from_paths File.join(ENV['HOME'], '.ssh', '*.pub')
+      end
+
+      def self.provider_public_keys
+        load_keys_from_paths Path.named_path([:user_ssh, '*'])
+      end
+
       #
       # Picks one key out of an array of keys that we think is the "best",
       # based on the order of preference in SUPPORTED_TYPES
@@ -127,19 +157,29 @@ module LeapCli
         end
       end
 
+      private
+
+      def self.load_keys_from_paths(key_glob)
+        keys = []
+        Dir.glob(key_glob).each do |file|
+          key = Key.load(file)
+          if key && key.public?
+            keys << key
+          end
+        end
+        return keys
+      end
+
       ##
       ## INSTANCE METHODS
       ##
 
       public
 
-      def initialize(rsa_key)
-        @key = rsa_key
+      def initialize(p_key)
+        @key = p_key
       end
 
-      def_delegator :@key, :fingerprint, :fingerprint
-      def_delegator :@key, :public?, :public?
-      def_delegator :@key, :private?, :private?
       def_delegator :@key, :ssh_type, :type
       def_delegator :@key, :public_encrypt, :public_encrypt
       def_delegator :@key, :public_decrypt, :public_decrypt
@@ -156,6 +196,70 @@ module LeapCli
         Key.new(@key.private_key)
       end
 
+      def private?
+        @key.respond_to?(:private?) ? @key.private? : @key.private_key?
+      end
+
+      def public?
+        @key.respond_to?(:public?) ? @key.public? : @key.public_key?
+      end
+
+      #
+      # three arguments:
+      #
+      # - digest: one of md5, sha1, sha256, etc. (default sha256)
+      # - encoding: either :hex (default) or :base64
+      # - type: fingerprint type, either :ssh (default) or :der
+      #
+      # NOTE:
+      #
+      # * I am not sure how to make a fingerprint for OpenSSL::PKey::EC::Point
+      #
+      # * AWS reports fingerprints using MD5 digest for uploaded ssh keys,
+      #   but SHA1 for keys it created itself.
+      #
+      # * Also, AWS fingerprints are digests on the DER encoding of the key.
+      #   But standard SSH fingerprints are digests of SSH encoding of the key.
+      #
+      # * Other tools will sometimes display fingerprints in hex and sometimes
+      #   in base64. Arrrgh.
+      #
+      def fingerprint(type: :ssh, digest: :sha256, encoding: :hex)
+        require 'digest'
+
+        digest = digest.to_s.upcase
+        digester = case digest
+          when "MD5" then Digest::MD5.new
+          when "SHA1" then Digest::SHA1.new
+          when "SHA256" then Digest::SHA256.new
+          when "SHA384" then Digest::SHA384.new
+          when "SHA512" then Digest::SHA512.new
+          else raise ArgumentError, "digest #{digest} is unknown"
+        end
+
+        keymatter = nil
+        if type == :der && @key.respond_to?(:to_der)
+          keymatter = @key.to_der
+        else
+          keymatter = self.raw_key.to_s
+        end
+
+        fp = nil
+        if encoding == :hex
+          fp = digester.hexdigest(keymatter)
+        elsif encoding == :base64
+          fp = Base64.encode64(digester.digest(keymatter)).sub(/=$/, '')
+        else
+          raise ArgumentError, "encoding #{encoding} not understood"
+        end
+
+        if digest == "MD5" && encoding == :hex
+          return fp.scan(/../).join(':')
+        else
+          return fp
+        end
+      end
+
       #
       # not sure if this will always work, but is seems to for now.
       #
@@ -175,10 +279,17 @@ module LeapCli
         self.type + " " + self.key
       end
 
+      #
+      # base64 encoding of the key, with spaces removed.
+      #
       def key
         [Net::SSH::Buffer.from(:key, @key).to_s].pack("m*").gsub(/\s/, "")
       end
 
+      def raw_key
+        Net::SSH::Buffer.from(:key, @key)
+      end
+
       def ==(other_key)
         return false if other_key.nil?
         return false if self.class != other_key.class