ecdsatool's Introduction

ecdsatool

Copyright (c) 2013 William Pitcock [email protected].

This software is free, but copyrighted software. See COPYING for terms and conditions.

what is this?

This tool creates and manipulates ECC NISTP256 keypairs, as used by the proposed ECDSA-NIST256P-CHALLENGE IALv3.2 mechanism.

It is built on top of a library called libecdsaauth, which provides primitives for patching ECDSA challenge support into pre-existing clients and daemons.

A modified version of the Irssi cap_sasl.pl script is also included. It uses ecdsatool to do the authentication, because Perl is hopeless and doesn't have a working ECDSA implementation. To use it, select the ECDSA-NIST256P-CHALLENGE mechanism with /sasl set.

how to use the tool?

First, let's create a keypair, and store it in /home/nenolod/irc.pem:

$ ecdsatool keygen /home/nenolod/irc.pem
A9T8WQPtyWlP0sEFQaugzQjWHH+hmoRIfFl7yaADaagb

This creates a new ECC NISTP256 keypair and stores it in /home/nenolod/irc.pem. The value returned by ecdsatool is the public key, which you may register with services.

Presently, to do that on Atheme, you would set it as a NickServ property. A better interface for key enrollment will be added soon. To do this, run the following command on IRC:

/msg nickserv set property pubkey A9T8WQPtyWlP0sEFQaugzQjWHH+hmoRIfFl7yaADaagb

recovering the public key from a private key?

Use the pubkey subcommand:

$ ecdsatool pubkey /home/nenolod/irc.pem
A9T8WQPtyWlP0sEFQaugzQjWHH+hmoRIfFl7yaADaagb

interrogating information about keypairs?

Use the keyinfo subcommand:

$ ecdsatool keyinfo /home/nenolod/irc.pem
Information on /home/nenolod/irc.pem:
    Private-Key: (256 bit)
    priv:
        00:92:0c:69:ac:48:6b:ef:7e:96:69:0a:94:4b:df:
        97:34:00:a8:96:8e:da:05:ec:20:5f:33:36:26:08:
        b1:51:e5
    pub: 
        03:d4:fc:59:03:ed:c9:69:4f:d2:c1:05:41:ab:a0:
        cd:08:d6:1c:7f:a1:9a:84:48:7c:59:7b:c9:a0:03:
        69:a8:1b
    Field Type: prime-field
    Prime:
        00:ff:ff:ff:ff:00:00:00:01:00:00:00:00:00:00:
        00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff:
        ff:ff:ff
    A:   
        00:ff:ff:ff:ff:00:00:00:01:00:00:00:00:00:00:
        00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff:
        ff:ff:fc
    B:   
        5a:c6:35:d8:aa:3a:93:e7:b3:eb:bd:55:76:98:86:
        bc:65:1d:06:b0:cc:53:b0:f6:3b:ce:3c:3e:27:d2:
        60:4b
    Generator (compressed):
        03:6b:17:d1:f2:e1:2c:42:47:f8:bc:e6:e5:63:a4:
        40:f2:77:03:7d:81:2d:eb:33:a0:f4:a1:39:45:d8:
        98:c2:96
    Order: 
        00:ff:ff:ff:ff:00:00:00:00:ff:ff:ff:ff:ff:ff:
        ff:ff:bc:e6:fa:ad:a7:17:9e:84:f3:b9:ca:c2:fc:
        63:25:51
    Cofactor:  1 (0x1)
    Seed:
        c4:9d:36:08:86:e7:04:93:6a:66:78:e1:13:9d:26:
        b7:81:9f:7e:90

signing challenges from scripts?

Use the sign subcommand.

$ ecdsatool sign /home/nenolod/irc.pem 'QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE='
MEUCICNBUzxaMXcqyec7q0aZcHMa0HY9NELX869/8tjd58cFAiEA75FzpxmPOcotr0vc8ncEM79DoQRf/bOSoi1yK5X67J8=

mechanism spec?

Similar to EXTERNAL:

  1. Start authentication by sending AUTHENTICATE ECDSA-NIST256P-CHALLENGE.
  2. Wait for an ACK from the IRC network.
  3. Send the accountname encapsulated in base64.
  4. Wait for the challenge message from the IRC network.
  5. Sign the message and send it back, using ecdsatool sign or the library API.
  6. If everything went to plan, authentication should be successful, and you'll be able to get on the network.
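
The signing and checking behind steps 4 to 6, with both sides in one process, as an added example (not code from ecdsatool or libecdsaauth). It shows that a signature only counts for the challenge it was made over, so one replayed against a different challenge is rejected. The function names and throwaway key are assumptions, as is signing the decoded challenge bytes directly without hashing; the challenge string is the one from the sign example above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

var b64 = base64.StdEncoding
const SampleChallenge = "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=" // from the README's sign example

// EnrolledKey: base64 of the 33-byte compressed point, the shape "ecdsatool pubkey" prints.
func EnrolledKey(k *ecdsa.PrivateKey) string {
	return b64.EncodeToString(elliptic.MarshalCompressed(elliptic.P256(), k.X, k.Y))
}

// SignChallenge is the client's step 5. Assumption: the decoded challenge is
// signed directly as the ECDSA digest; the reply is a base64 DER signature.
func SignChallenge(k *ecdsa.PrivateKey, challenge string) (string, error) {
	raw, err := b64.DecodeString(challenge)
	if err != nil {
		return "", err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, k, raw)
	return b64.EncodeToString(sig), err
}

// VerifyResponse is the server's check: enrolled key, this session's challenge, client's reply.
func VerifyResponse(enrolled, challenge, sig string) bool {
	pub, e1 := b64.DecodeString(enrolled)
	raw, e2 := b64.DecodeString(challenge)
	der, e3 := b64.DecodeString(sig)
	x, y := elliptic.UnmarshalCompressed(elliptic.P256(), pub)
	if e1 != nil || e2 != nil || e3 != nil || x == nil {
		return false // malformed encoding, or the key is not a P-256 point
	}
	return ecdsa.VerifyASN1(&ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, raw, der)
}

// Demo: a throwaway key signs the sample challenge, then the same signature is replayed.
func Demo() (fresh, replayed bool) {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sig, _ := SignChallenge(k, SampleChallenge)
	pub, other := EnrolledKey(k), b64.EncodeToString(make([]byte, 32)) // constructed second challenge
	return VerifyResponse(pub, SampleChallenge, sig), VerifyResponse(pub, other, sig)
}

func main() { fmt.Println(Demo()) }
```
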

ecdsatool's People

Contributors

arlolra, grawity, kaniini

ecdsatool's Issues

Copyright clarification

About the possibility of adding libecdsaauth support in an IRC client, I would like to understand if the library is

Copyright (c) 2005-2013 Atheme Project (http://www.atheme.org)

as stated in the CHANGES file, or

Copyright (c) 2013 William Pitcock [email protected].

as stated in the README.md file.

cap_sasl.pl does not identify on reconnect on freenode

I am using the cap_sasl.pl script provided by ecdsatool with irssi to connect to freenode. It identifies properly on the initial connect but fails to identify on reconnects. Am I doing something wrong or is this a known issue? Thanks for all your hard work on ecdsatool.

generates malformed keys

@maxteufel can probably provide more detailed information.

2015-01-03 22:17:16+0200 < Mikaela> mt: that pull request prevents my bot from connecting to freenode now that I enabled it, it tracebacks and I am pasting it
2015-01-03 22:18:06+0200 < MetaNova> Limnoria: version
2015-01-03 22:18:23+0200 < MetaNova> no?
2015-01-03 22:18:26+0200 < MetaNova> @version
2015-01-03 22:18:27+0200 <@Limnoria> The current (running) version of this Supybot is 0.83.4.1+limnoria 2014.12.11, running on Python 3.4.2 (default, Dec  2 2014, 15:08:18)  [GCC 4.9.2].  The newest versions available online are 2015.01.03 (in testing), 2014.12.22 (in master).
2015-01-03 22:18:31+0200 < Unit193> @latency
2015-01-03 22:18:32+0200 <@Limnoria> 0.05 seconds.
2015-01-03 22:18:39+0200 < tacocat> not all bots respond to their nick
2015-01-03 22:23:06+0200 <@Limnoria> Mikaela just pasted ecdsa prevents connecting to freenode (type: pytb): http://supybot.aperio.fr/paste/VhHs4ZdI
2015-01-03 22:23:11+0200 < Mikaela> mt: ^^^
2015-01-03 22:23:42+0200 < tacocat> ಠ_ಠ
2015-01-03 22:24:14+0200 < Mikaela> ?
2015-01-03 22:26:21+0200 < Mikaela> after unsetting the variable, the bot connects without issues. it responds to msb1 on #limnoria-bots
2015-01-03 22:26:37+0200 < pinkieval> seriously?!?!
2015-01-03 22:26:38+0200 < mt> looks like a malformed ec key - oh, and it looks like you forgot to strip the password (self.sasl_password = '...')
2015-01-03 22:27:02+0200 < pinkieval> why does it happen every time I merge a pull request related to SASL?
2015-01-03 22:27:07+0200 < tacocat> lool
2015-01-03 22:27:23+0200 < tacocat> pinkieval: sasl is evil and wants to take over the world
2015-01-03 22:27:36+0200 < pinkieval> seriously, test your code
2015-01-03 22:27:40+0200 < Mikaela> DEBUG 2015-01-03T20:27:22 supybot Incoming message (freenode): :NickServ!NickServ@services. NOTICE Euforia :The password for Dysforia has been changed to
2015-01-03 22:27:40+0200 < Mikaela> I never learn this
2015-01-03 22:27:44+0200 < pinkieval> I know it's a pain to test code live
2015-01-03 22:27:57+0200 < Mikaela> it doesn't happen every time and this is why there is testing branch
2015-01-03 22:28:07+0200 < mt> I actually tested my code and it worked fine
2015-01-03 22:28:13+0200 < pinkieval> at least it does not affect people who don't use SASL this time
2015-01-03 22:28:21+0200 < Mikaela> mt: the key was created using ecdsatool keygen
2015-01-03 22:29:02+0200 < Mikaela> it only affects people who set that configuration variable
2015-01-03 22:29:02+0200 < Mikaela> and the SASL timeout bug still affects everyone who uses any SASL mechanism including EXTERNAL/CertFP (as Limnoria automatically attempts EXTERNAL when certfp is configured)
2015-01-03 22:29:31+0200 < Mikaela> 2015-01-03 22:29:19+0200 < Euforia> The current (running) version of this Supybot is 0.83.4.1+limnoria 2015.01.03, running on Python 3.4.2 (default, Oct 13 2014, 19:49:42)  [GCC 4.2.1 Compatible Debian Clang 3.0 (tags/RELEASE_30/final)].  The newest versions available online are 2015.01.03 (in testing), 2014.12.22 (in master).
2015-01-03 22:29:46+0200 < mt> can you create one with `openssl ecparam -name prime256v1 -genkey -out <file>` and then get the fingerprint with `ecdsatool pubkey <file>` and test that?
2015-01-03 22:30:04+0200 < Mikaela> probably
2015-01-03 22:33:01+0200 < Mikaela> mt: that worked, but ecdsatool not working directly is an issue as every document tells to use it for generating the key
2015-01-03 22:34:38+0200 < mt> it's most likely an ecdsatool issue then
2015-01-03 22:35:03+0200 < Mikaela> while ecdsatool is the official way for creating the key?
2015-01-03 22:35:13+0200 < mt> "official way"?
2015-01-03 22:35:37+0200 < Mikaela> the one which every documentation that I can currently find recommends (mainly README for the said project)
2015-01-03 22:36:00+0200 < mt> there's nothing saying that it is the official way; atheme should support every valid prime256v1 keypair
2015-01-03 22:36:18+0200 < Mikaela> you might probably want to open an issue to ecdsatool then
2015-01-03 22:43:59+0200 < Mikaela> it appears that I also broke SASL PLAIN by that password change, but I can probably ignore it
