Path: blob/master/src/applications/auth/sshkey/PhabricatorAuthSSHPrivateKey.php
12256 views
<?php12/**3* Data structure representing a raw private key.4*/5final class PhabricatorAuthSSHPrivateKey extends Phobject {67private $body;8private $passphrase;910private function __construct() {11// <internal>12}1314public function setPassphrase(PhutilOpaqueEnvelope $passphrase) {15$this->passphrase = $passphrase;16return $this;17}1819public function getPassphrase() {20return $this->passphrase;21}2223public static function newFromRawKey(PhutilOpaqueEnvelope $entire_key) {24$key = new self();2526$key->body = $entire_key;2728return $key;29}3031public function getKeyBody() {32return $this->body;33}3435public function newBarePrivateKey() {36if (!Filesystem::binaryExists('ssh-keygen')) {37throw new Exception(38pht(39'Analyzing or decrypting SSH keys requires the "ssh-keygen" binary, '.40'but it is not available in "$PATH". Make it available to work with '.41'SSH private keys.'));42}4344$old_body = $this->body;4546// Some versions of "ssh-keygen" are sensitive to trailing whitespace for47// some keys. Trim any trailing whitespace and replace it with a single48// newline.49$raw_body = $old_body->openEnvelope();50$raw_body = rtrim($raw_body)."\n";51$old_body = new PhutilOpaqueEnvelope($raw_body);5253$tmp = $this->newTemporaryPrivateKeyFile($old_body);5455// See T13454 for discussion of why this is so awkward. In broad strokes,56// we don't have a straightforward way to distinguish between keys with an57// invalid format and keys with a passphrase which we don't know.5859// First, try to extract the public key from the file using the (possibly60// empty) passphrase we were given. If everything is in good shape, this61// should work.6263$passphrase = $this->getPassphrase();64if ($passphrase) {65list($err, $stdout, $stderr) = exec_manual(66'ssh-keygen -y -P %P -f %R',67$passphrase,68$tmp);69} else {70list($err, $stdout, $stderr) = exec_manual(71'ssh-keygen -y -P %s -f %R',72'',73$tmp);74}7576// If that worked, the key is good and the (possibly empty) passphrase is77// correct. Strip the passphrase if we have one, then return the bare key.7879if (!$err) {80if ($passphrase) {81execx(82'ssh-keygen -p -P %P -N %s -f %R',83$passphrase,84'',85$tmp);8687$new_body = new PhutilOpaqueEnvelope(Filesystem::readFile($tmp));88unset($tmp);89} else {90$new_body = $old_body;91}9293return self::newFromRawKey($new_body);94}9596// We were not able to extract the public key. Try to figure out why. The97// reasons we expect are:98//99// - We were given a passphrase, but the key has no passphrase.100// - We were given a passphrase, but the passphrase is wrong.101// - We were not given a passphrase, but the key has a passphrase.102// - The key format is invalid.103//104// Our ability to separate these cases varies a lot, particularly because105// some versions of "ssh-keygen" return very similar diagnostic messages106// for any error condition. Try our best.107108if ($passphrase) {109// First, test for "we were given a passphrase, but the key has no110// passphrase", since this is a conclusive test.111list($err) = exec_manual(112'ssh-keygen -y -P %s -f %R',113'',114$tmp);115if (!$err) {116throw new PhabricatorAuthSSHPrivateKeySurplusPassphraseException(117pht(118'A passphrase was provided for this private key, but it does '.119'not require a passphrase. Check that you supplied the correct '.120'key, or omit the passphrase.'));121}122}123124// We're out of conclusive tests, so try to guess why the error occurred.125// In some versions of "ssh-keygen", we get a usable diagnostic message. In126// other versions, not so much.127128$reason_format = 'format';129$reason_passphrase = 'passphrase';130$reason_unknown = 'unknown';131132$patterns = array(133// macOS 10.14.6134'/incorrect passphrase supplied to decrypt private key/'135=> $reason_passphrase,136137// macOS 10.14.6138'/invalid format/' => $reason_format,139140// Ubuntu 14141'/load failed/' => $reason_unknown,142);143144$reason = 'unknown';145foreach ($patterns as $pattern => $pattern_reason) {146$ok = preg_match($pattern, $stderr);147148if ($ok === false) {149throw new Exception(150pht(151'Pattern "%s" is not valid.',152$pattern));153}154155if ($ok) {156$reason = $pattern_reason;157break;158}159}160161if ($reason === $reason_format) {162throw new PhabricatorAuthSSHPrivateKeyFormatException(163pht(164'This private key is not formatted correctly. Check that you '.165'have provided the complete text of a valid private key.'));166}167168if ($reason === $reason_passphrase) {169if ($passphrase) {170throw new PhabricatorAuthSSHPrivateKeyIncorrectPassphraseException(171pht(172'This private key requires a passphrase, but the wrong '.173'passphrase was provided. Check that you supplied the correct '.174'key and passphrase.'));175} else {176throw new PhabricatorAuthSSHPrivateKeyIncorrectPassphraseException(177pht(178'This private key requires a passphrase, but no passphrase was '.179'provided. Check that you supplied the correct key, or provide '.180'the passphrase.'));181}182}183184if ($passphrase) {185throw new PhabricatorAuthSSHPrivateKeyUnknownException(186pht(187'This private key could not be opened with the provided passphrase. '.188'This might mean that the passphrase is wrong or that the key is '.189'not formatted correctly. Check that you have supplied the '.190'complete text of a valid private key and the correct passphrase.'));191} else {192throw new PhabricatorAuthSSHPrivateKeyUnknownException(193pht(194'This private key could not be opened. This might mean that the '.195'key requires a passphrase, or might mean that the key is not '.196'formatted correctly. Check that you have supplied the complete '.197'text of a valid private key and the correct passphrase.'));198}199}200201private function newTemporaryPrivateKeyFile(PhutilOpaqueEnvelope $key_body) {202$tmp = new TempFile();203204Filesystem::writeFile($tmp, $key_body->openEnvelope());205206return $tmp;207}208209}210211212