I'm developing a Bitbucket API wrapper in JavaScript. I'm trying to write tests for the method which adds an SSH key. My naive attempt at creating a believable SSH key was unsuccessful. Here's how I generated a dummy key:
- start with "ssh-rsa "
- append the Base64-encoded representation of a 279 character string of random characters
- append " "
- append a 16 character string of random characters
- append "@"
- append a 16 character string of random characters
- append ".com"
Bitbucket returns 400 Bad Request when I POST an SSH key generated in this manner. Fortunately I have access to Bitbucket's source code, so I've been able to dig a little deeper. Bitbucket validates SSH keys by running them through ssh-keygen.
I don't understand how SSH keys are generated, so I might be asking a silly question. Is it possible to generate an SSH key convincing enough to fool ssh-keygen? Here's the output:
$ ssh-keygen -l -f ~/Desktop/dummy_rsa.pub
buffer_get_string_ret: bad string length 1903654498
key_from_blob: can't read key type
key_read: key_from_blob cXd2YnRzZXpha3Rld2V4YmdieWdoeWl2aXpla3hkaHBodnlteHl2ZHl0bnloYmRyYWZrdnVxaWR3cHBydnFmZWFkaHp0aGRwYml6ZXVxY3ZlZ3NiZ29lanl0cG9vZmlnZ2dyZmJ3aWxsdXJhb2puYWRjY3F0YW5rcGV3Z3dkc3lxd2tkb3d6emFzbXpubXJ1eGN2bm53a3l6bmRjenV1dnplbnFtZ3Z5bm96ZGZhandwcG9mcHVoaWFkZ25ud3VkdnB0enV6Zm51bWVxanhzanlwa2ZodGxpd2xld2pnY3dhbmJ6aXVyamp6c29rbm54dHp2enJmeWhnY2ZrcWlqemFscGNnbWJsY3lpcmRtYXFkbHB6c3l0 [email protected]
failed
/Users/dc/Desktop/dummy_rsa.pub is not a public key file.
To be clear, I don't need to generate a "valid" SSH key, I just need to be able to test various API endpoints. Also, since the tests run in a browser, I can't shell out to generate a key.
Comments (3)
SSH keys are not just random strings of characters, so that's why they don't pass verification.
This library here called Javascript Cryptography Toolkit can help you generate RSA keys (used by SSH).
They have a demo of generating the key: https://github.com/ats4u/titaniumcore/blob/master/crypto/RSA.sample1.html
As you can see from the source code of the demo page, the toolkit is quite heavyweight, but if that's what you need, then that's what you have to use, I guess. Of course it would have been much simpler to just offload key generation to the server, but if you are writing a client-side-only library, then you have to stick with this.
2019 update: updated links to github.
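Why the random string in the question fails, as an added example that is not part of the original thread: the Base64 body of a public key line is a sequence of length-prefixed fields (RFC 4253), so a parser reads the first four bytes as a length, which is where `bad string length 1903654498` comes from. The helper names are hypothetical and the modulus is arbitrary caller-supplied bytes, so `buildSshRsaLine` yields a structurally well-formed test fixture rather than a usable key pair, and a validator may apply checks beyond structure.

```javascript
// Added example. SSH wire format (RFC 4253): each field is a 4-byte
// big-endian length followed by that many bytes.
const b64ToBytes = (b64) => Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
const bytesToB64 = (bytes) => btoa(String.fromCharCode(...bytes));

function field(bytes) {
  const out = new Uint8Array(4 + bytes.length);
  new DataView(out.buffer).setUint32(0, bytes.length); // big-endian by default
  out.set(bytes, 4);
  return out;
}

// mpint: big-endian, no redundant leading zeros, plus a 0x00 pad when the
// top bit is set so the value is not read as negative.
function mpint(bytes) {
  let i = 0;
  while (i < bytes.length - 1 && bytes[i] === 0) i++;
  const trimmed = bytes.slice(i);
  return field(trimmed[0] & 0x80 ? Uint8Array.from([0, ...trimmed]) : trimmed);
}

// Hypothetical helper: "ssh-rsa" line = string "ssh-rsa", mpint e, mpint n.
function buildSshRsaLine(modulusBytes, comment) {
  const parts = [
    field(new TextEncoder().encode("ssh-rsa")),
    mpint(Uint8Array.from([0x01, 0x00, 0x01])), // e = 65537
    mpint(modulusBytes),
  ];
  const blob = Uint8Array.from(parts.flatMap((p) => [...p]));
  return `ssh-rsa ${bytesToB64(blob)} ${comment}`;
}

// Reads the first field the way a parser must: length first, then key type.
function readKeyType(b64) {
  const blob = b64ToBytes(b64);
  if (blob.length < 4) return { ok: false, length: null };
  const len = new DataView(blob.buffer).getUint32(0);
  if (len > blob.length - 4) return { ok: false, length: len };
  const type = new TextDecoder().decode(blob.subarray(4, 4 + len));
  return { ok: true, length: len, type };
}

// First 16 Base64 characters of the key posted in the question: the bytes
// "qwvb" are read as the length 0x71777662.
const posted = readKeyType("cXd2YnRzZXpha3Rl");
// Constructed sample: 256 arbitrary bytes standing in for a 2048-bit modulus.
const fixture = buildSshRsaLine(new Uint8Array(256).fill(0xab), "test@example.com");
```

With a 256-byte modulus the blob is 279 bytes long, the same size as the random string in the question; only the internal framing differs.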
If you end up making an AJAX call to your existing lightweight Ruby Sinatra app to generate and retrieve an SSH key, you can use the sshkey Gem to do so https://rubygems.org/gems/sshkey
This doesn't answer how to do it in pure JavaScript but provides an alternate avenue based on your specific application architecture (see comments below question).
The more browsers have built-in solutions:
This allows various algorithms, including ECDH, ECDSA, RSA-PSS, RSASSA-PKCS1-v1_5, and RSA-OAEP.
There's a full example here.