add verify SSH signature

Author: ddebin

.github/workflows/main.yml

@@ -19,7 +19,9 @@ jobs:
         with:
           ssh-private-key: |
             ${{ secrets.RSA_KEY }}
-            ${{ secrets.ECDSA_KEY }}
+            ${{ secrets.ECDSA_256_KEY }}
+            ${{ secrets.ECDSA_384_KEY }}
+            ${{ secrets.ECDSA_521_KEY }}
             ${{ secrets.ED25519_KEY }}
       - name: Use Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@v6

.gitignore

@@ -6,4 +6,5 @@ mise.toml
 /*.tgz
 /.nyc_output
 /coverage
-/id_*
+/id_*
+*.local.*

src/lib/ssh_agent_client.ts

@@ -1,4 +1,5 @@
 import * as crypto from 'node:crypto'
+import { readString, writeHeader, writeString } from './utils.ts'
 import { createConnection } from 'node:net'
 import { DecryptTransform } from './decrypt_transform.ts'
 import { EncryptTransform } from './encrypt_transform.ts'
@@ -52,30 +53,6 @@ export interface SSHAgentClientOptions {
   rsaSignatureFlag?: RsaSignatureFlag
 }
 
-/** Read a length-prefixed string (uint32 BE length + bytes) from a buffer. */
-const readString = function readString(buffer: Buffer, offset: number): Buffer {
-  const len = buffer.readUInt32BE(offset)
-  return buffer.subarray(offset + 4, offset + 4 + len)
-}
-
-/** Write a length-prefixed string into `target` at `offset`, return next offset. */
-const writeString = function writeString(target: Buffer, src: Buffer, offset: number): number {
-  target.writeUInt32BE(src.length, offset)
-  src.copy(target, offset + 4)
-  return offset + 4 + src.length
-}
-
-/**
- * Write the 5-byte SSH agent frame header (4-byte length + 1-byte tag)
- * into `request` and return the next write offset (5).
- * The length field is the total buffer length minus the 4-byte length field itself.
- */
-const writeHeader = function writeHeader(request: Buffer, tag: number): number {
-  request.writeUInt32BE(request.length - 4, 0)
-  request.writeUInt8(tag, 4)
-  return 5
-}
-
 export class SSHAgentClient {
   private readonly timeout: number
   private readonly sockFile: string

src/lib/utils.ts

@@ -0,0 +1,25 @@
+/** Read a length-prefixed string (uint32 BE length + bytes) from a buffer. */
+const readString = function readString(buffer: Buffer, offset: number): Buffer {
+  const len = buffer.readUInt32BE(offset)
+  return buffer.subarray(offset + 4, offset + 4 + len)
+}
+
+/** Write a length-prefixed string into `target` at `offset`, return next offset. */
+const writeString = function writeString(target: Buffer, src: Buffer, offset: number): number {
+  target.writeUInt32BE(src.length, offset)
+  src.copy(target, offset + 4)
+  return offset + 4 + src.length
+}
+
+/**
+ * Write the 5-byte SSH agent frame header (4-byte length + 1-byte tag)
+ * into `request` and return the next write offset (5).
+ * The length field is the total buffer length minus the 4-byte length field itself.
+ */
+const writeHeader = function writeHeader(request: Buffer, tag: number): number {
+  request.writeUInt32BE(request.length - 4, 0)
+  request.writeUInt8(tag, 4)
+  return 5
+}
+
+export { readString, writeString, writeHeader }

src/lib/verify_signature.ts

@@ -0,0 +1,122 @@
+/* eslint-disable id-length */
+
+import * as crypto from 'crypto'
+import { type SSHKey, type SSHSignature } from './ssh_agent_client.ts'
+import { readString } from './utils.ts'
+
+const sshEcCurveParam = (curve: string): { crv: string; coordLen: number } => {
+  if (curve === 'nistp256') return { crv: 'P-256', coordLen: 32 }
+  if (curve === 'nistp384') return { crv: 'P-384', coordLen: 48 }
+  if (curve === 'nistp521') return { crv: 'P-521', coordLen: 66 }
+  throw new Error(`Unsupported EC curve: ${curve}`)
+}
+
+const ecdsaHashAlgo = (sigType: string): string => {
+  if (sigType === 'ecdsa-sha2-nistp256') return 'SHA256'
+  if (sigType === 'ecdsa-sha2-nistp384') return 'SHA384'
+  if (sigType === 'ecdsa-sha2-nistp521') return 'SHA512'
+  throw new Error(`Unsupported ECDSA signature type: ${sigType}`)
+}
+
+/** Convert an SSH public key blob to a Node.js `crypto.KeyObject`. */
+const parseSSHPublicKey = (key: SSHKey): crypto.KeyObject => {
+  const blob = key.raw
+  const type = readString(blob, 0)
+  const keyType = type.toString('ascii')
+
+  if (keyType === 'ssh-rsa') {
+    const rsaOffset = 4 + type.length
+    const exponent = readString(blob, rsaOffset)
+    const modulus = readString(blob, rsaOffset + 4 + exponent.length)
+    return crypto.createPublicKey({
+      key: { kty: 'RSA', n: modulus.toString('base64url'), e: exponent.toString('base64url') },
+      format: 'jwk',
+    })
+  }
+
+  if (keyType === 'ssh-ed25519') {
+    const pubKeyBytes = readString(blob, 4 + type.length)
+    // SPKI DER encoding for Ed25519 (OID 1.3.101.112)
+    const spkiPrefix = Buffer.from('302a300506032b6570032100', 'hex')
+    return crypto.createPublicKey({
+      key: Buffer.concat([spkiPrefix, pubKeyBytes]),
+      format: 'der',
+      type: 'spki',
+    })
+  }
+
+  if (keyType.startsWith('ecdsa-sha2-')) {
+    const ecOffset = 4 + type.length
+    const curveName = readString(blob, ecOffset)
+    const point = readString(blob, ecOffset + 4 + curveName.length)
+    const { crv, coordLen } = sshEcCurveParam(curveName.toString('ascii'))
+    // Uncompressed EC point: 0x04 || x || y
+    const pointX = point.subarray(1, 1 + coordLen)
+    const pointY = point.subarray(1 + coordLen)
+    return crypto.createPublicKey({
+      key: { kty: 'EC', crv, x: pointX.toString('base64url'), y: pointY.toString('base64url') },
+      format: 'jwk',
+    })
+  }
+
+  throw new Error(`Unsupported key type: ${keyType}`)
+}
+
+const encodeDerLength = (len: number): Buffer => {
+  if (len < 128) return Buffer.from([len])
+  if (len < 256) return Buffer.from([0x81, len])
+  return Buffer.from([0x82, Math.floor(len / 256), len % 256])
+}
+
+const encodeDerInt = (bytes: Buffer): Buffer => {
+  // Strip leading zeros, keeping at least one byte
+  let start = 0
+  while (start < bytes.length - 1 && bytes[start] === 0) start += 1
+  const trimmed = bytes.subarray(start)
+  // Prepend 0x00 if high bit is set to keep the DER INTEGER positive
+  const [firstByte] = trimmed
+  const content = firstByte >= 0x80 ? Buffer.concat([Buffer.from([0x00]), trimmed]) : trimmed
+  return Buffer.concat([Buffer.from([0x02]), encodeDerLength(content.length), content])
+}
+
+/** Map an SSH signature to the hash algorithm and signature bytes expected by `crypto.verify`. */
+const parseSSHSignature = (sig: SSHSignature): { hashAlgo: string | null; sigBytes: Buffer } => {
+  const { type, raw } = sig
+
+  if (type === 'rsa-sha2-256') return { hashAlgo: 'SHA256', sigBytes: raw }
+  if (type === 'rsa-sha2-512') return { hashAlgo: 'SHA512', sigBytes: raw }
+  if (type === 'ssh-rsa') return { hashAlgo: 'SHA1', sigBytes: raw }
+  if (type === 'ssh-ed25519') return { hashAlgo: null, sigBytes: raw }
+
+  if (type.startsWith('ecdsa-sha2-')) {
+    // SSH ECDSA signature: mpint(r) || mpint(s) → DER ASN.1 SEQUENCE { INTEGER r, INTEGER s }
+    const sigR = readString(raw, 0)
+    const sigS = readString(raw, 4 + sigR.length)
+    const rDer = encodeDerInt(sigR)
+    const sDer = encodeDerInt(sigS)
+    const seqContent = Buffer.concat([rDer, sDer])
+    const sigBytes = Buffer.concat([Buffer.from([0x30]), encodeDerLength(seqContent.length), seqContent])
+    return { hashAlgo: ecdsaHashAlgo(type), sigBytes }
+  }
+
+  throw new Error(`Unsupported signature type: ${type}`)
+}
+
+/**
+ * Verify an SSH signature against a message and public key.
+ *
+ * No SSH agent communication is required — this is a local crypto operation.
+ *
+ * @param signature - The signature to verify (from {@link sign}).
+ * @param key - The SSH public key (from {@link getIdentities} or {@link getIdentity}).
+ * @param data - The original message that was signed.
+ * @returns `true` if the signature is valid, `false` otherwise.
+ * @throws {Error} if the key type or signature type is unsupported.
+ */
+const verifySSHSignature = (signature: SSHSignature, key: SSHKey, data: Buffer): boolean => {
+  const publicKey = parseSSHPublicKey(key)
+  const { hashAlgo, sigBytes } = parseSSHSignature(signature)
+  return crypto.verify(hashAlgo, data, publicKey, sigBytes)
+}
+
+export { parseSSHPublicKey, parseSSHSignature, verifySSHSignature }

test/ssh_agent_client.spec.ts

@@ -31,7 +31,7 @@ describe('SSHAgentClient tests', () => {
   it('should find identites', async () => {
     const agent = new SSHAgentClient()
     const identities = await agent.getIdentities()
-    chai.assert.strictEqual(identities.length, 3)
+    chai.assert.strictEqual(identities.length, 5)
     const identity = identities.find(id => id.type === 'ssh-rsa')
     if (!identity) {
       throw new Error()
@@ -54,7 +54,7 @@ describe('SSHAgentClient tests', () => {
       throw new Error()
     }
     chai.assert.strictEqual(identity.type, 'ecdsa-sha2-nistp256')
-    chai.assert.strictEqual(identity.comment, 'key_ecdsa')
+    chai.assert.strictEqual(identity.comment, 'key_ecdsa_256')
   })
   it('should find identity with selector in pubkey', async () => {
     const agent = new SSHAgentClient()

test/ssh_agent_verify.spec.ts

@@ -0,0 +1,138 @@
+import * as chai from 'chai'
+import { describe, it } from 'mocha'
+import {
+  RsaSignatureFlag,
+  SSHAgentClient,
+  type SSHKey,
+  type SSHSignature,
+} from '../src/lib/ssh_agent_client.ts'
+import { verifySSHSignature } from '../src/lib/verify_signature.ts'
+
+const DATA = Buffer.from('hello', 'utf8')
+
+describe('SSHAgentClient verify tests', () => {
+  it('should verify RSA (ssh-rsa) signature', async () => {
+    const agent = new SSHAgentClient({ rsaSignatureFlag: RsaSignatureFlag.DEFAULT })
+    const identity = await agent.getIdentity('key_rsa')
+    if (!identity) {
+      throw new Error()
+    }
+    const signature = await agent.sign(identity, DATA)
+    chai.assert.isTrue(verifySSHSignature(signature, identity, DATA))
+  })
+
+  it('should verify RSA (rsa-sha2-256) signature', async () => {
+    const agent = new SSHAgentClient({ rsaSignatureFlag: RsaSignatureFlag.SSH_AGENT_RSA_SHA2_256 })
+    const identity = await agent.getIdentity('key_rsa')
+    if (!identity) {
+      throw new Error()
+    }
+    const signature = await agent.sign(identity, DATA)
+    chai.assert.isTrue(verifySSHSignature(signature, identity, DATA))
+  })
+
+  it('should verify RSA (rsa-sha2-512) signature', async () => {
+    const agent = new SSHAgentClient()
+    const identity = await agent.getIdentity('key_rsa')
+    if (!identity) {
+      throw new Error()
+    }
+    const signature = await agent.sign(identity, DATA)
+    chai.assert.isTrue(verifySSHSignature(signature, identity, DATA))
+  })
+
+  it('should verify Ed25519 signature', async () => {
+    const agent = new SSHAgentClient()
+    const identity = await agent.getIdentity('key_ed25519')
+    if (!identity) {
+      throw new Error()
+    }
+    const signature = await agent.sign(identity, DATA)
+    chai.assert.isTrue(verifySSHSignature(signature, identity, DATA))
+  })
+
+  it('should verify ECDSA 256 signature', async () => {
+    const agent = new SSHAgentClient()
+    const identity = await agent.getIdentity('key_ecdsa_256')
+    if (!identity) {
+      throw new Error()
+    }
+    const signature = await agent.sign(identity, DATA)
+    chai.assert.isTrue(verifySSHSignature(signature, identity, DATA))
+  })
+
+  it('should verify ECDSA 384 signature', async () => {
+    const agent = new SSHAgentClient()
+    const identity = await agent.getIdentity('key_ecdsa_384')
+    if (!identity) {
+      throw new Error()
+    }
+    const signature = await agent.sign(identity, DATA)
+    chai.assert.isTrue(verifySSHSignature(signature, identity, DATA))
+  })
+
+  it('should verify ECDSA 521 signature', async () => {
+    const agent = new SSHAgentClient()
+    const identity = await agent.getIdentity('key_ecdsa_521')
+    if (!identity) {
+      throw new Error()
+    }
+    const signature = await agent.sign(identity, DATA)
+    chai.assert.isTrue(verifySSHSignature(signature, identity, DATA))
+  })
+
+  it('should return false for wrong data', async () => {
+    const agent = new SSHAgentClient()
+    const identity = await agent.getIdentity('key_ed25519')
+    if (!identity) {
+      throw new Error()
+    }
+    const signature = await agent.sign(identity, DATA)
+    chai.assert.isFalse(verifySSHSignature(signature, identity, Buffer.from('other', 'utf8')))
+  })
+
+  it('should return false for corrupted RSA signature', async () => {
+    const agent = new SSHAgentClient()
+    const identity = await agent.getIdentity('key_rsa')
+    if (!identity) {
+      throw new Error()
+    }
+    const signature = await agent.sign(identity, DATA)
+    const corruptedRaw = Buffer.alloc(signature.raw.length, 0)
+    const corruptedSig: SSHSignature = {
+      type: signature.type,
+      raw: corruptedRaw,
+      signature: corruptedRaw.toString('base64'),
+    }
+    chai.assert.isFalse(verifySSHSignature(corruptedSig, identity, DATA))
+  })
+
+  it('should throw for unsupported key type', () => {
+    const keyTypeName = 'unsupported-type'
+    const keyTypeBytes = Buffer.from(keyTypeName, 'ascii')
+    const keyTypeLenBuf = Buffer.alloc(4)
+    keyTypeLenBuf.writeUInt32BE(keyTypeBytes.length, 0)
+    const fakeKey: SSHKey = {
+      type: keyTypeName,
+      key: '',
+      comment: '',
+      raw: Buffer.concat([keyTypeLenBuf, keyTypeBytes]),
+    }
+    const fakeSig: SSHSignature = { type: 'ssh-rsa', signature: '', raw: Buffer.alloc(4) }
+    chai
+      .expect(() => verifySSHSignature(fakeSig, fakeKey, DATA))
+      .to.throw('Unsupported key type: unsupported-type')
+  })
+
+  it('should throw for unsupported signature type', async () => {
+    const agent = new SSHAgentClient()
+    const identity = await agent.getIdentity('key_rsa')
+    if (!identity) {
+      throw new Error()
+    }
+    const fakeSig: SSHSignature = { type: 'unsupported-sig', signature: '', raw: Buffer.alloc(4) }
+    chai
+      .expect(() => verifySSHSignature(fakeSig, identity, DATA))
+      .to.throw('Unsupported signature type: unsupported-sig')
+  })
+})