python 使用正则表达式进行 ssh-rsa 公钥验证
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/2494450/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
ssh-rsa public key validation using a regular expression
提问by Warlax
What regular expression can I use (if any) to validate that a given string is a legal ssh rsa public key?
我可以使用什么正则表达式(如果有)来验证给定的字符串是合法的 ssh rsa 公钥?
I only need to validate the actual key - I don't care about the key type the precedes it or the username comment after it.
我只需要验证实际的密钥 - 我不关心它前面的密钥类型或它后面的用户名注释。
Ideally, someone will also provide the python code to run the regex validation.
理想情况下,还会有人提供 python 代码来运行正则表达式验证。
Thanks.
谢谢。
回答by JimB
A "good enough" check is to see if the key starts with the correct header.
“足够好”的检查是查看密钥是否以正确的标题开头。
The data portion of the keyfile should decode from base64, or it will fail with a base64.binascii.Error
密钥文件的数据部分应该从 base64 解码,否则它将失败并显示 base64.binascii.Error
Unpack the first 4 bytes (an int), which should be 7. This is the length of the following string (I guess this could be different, but you're only concerned with ssh-rsa).
解压前 4 个字节(一个 int),它应该是 7。这是以下字符串的长度(我想这可能不同,但您只关心 ssh-rsa)。
openssh_pubkey = open('keyfile').read()
type, key_string, comment = openssh_pubkey.split()
data = base64.decodestring(key_string)
int_len = 4
str_len = struct.unpack('>I', data[:int_len])[0] # this should return 7
data[int_len:int_len+str_len] == type
Alternatively, you could forgo the binary checks, and look for AAAAB3NzaC1yc2EAat the start of an ssh-rsa key, bit I would still verify it's valid base64.
或者,您可以放弃二进制检查,并AAAAB3NzaC1yc2EA在 ssh-rsa 密钥的开头查找,我仍然会验证它是有效的 base64。
[edit] Clarification:
Via the specification, the first part if the key is a length prefixed string. The length is packed as a big-endian unsigned int ('>I' for a python struct). It's a 7 here, because the following string, 'ssh-rsa', is 7 bytes long. data[4:11]is the next 7 bytes (per the length prefix), but I edited the code above to use some descriptive variables to try and make this more clear. If you want to be thorough, you should also check for ssh-dss, and possibly pgp-sign-rsa, and pgp-sign-dss, but they are far less common.
[编辑] 说明:
通过规范,如果键是长度前缀字符串,则第一部分。长度被打包为一个 big-endian unsigned int('>I' 表示 python 结构)。这里是 7,因为下面的字符串“ssh-rsa”有 7 个字节长。data[4:11]是接下来的 7 个字节(根据长度前缀),但我编辑了上面的代码以使用一些描述性变量来尝试使这一点更加清晰。如果您想要彻底,您还应该检查 ssh-dss,可能还有 pgp-sign-rsa 和 pgp-sign-dss,但它们不太常见。
回答by David Gelhar
Based on the references to "key type that precedes it" and "username comment after it", I assume you're talking about public keys stored in ssh2 keyfile format.
根据对“前面的密钥类型”和“后面的用户名注释”的引用,我假设您在谈论以 ssh2 密钥文件格式存储的公钥。
In that format, the key is stored in base64format, so a simple check would be to verify that the string contains only valid base64 characters.
在该格式中,密钥以base64格式存储,因此简单的检查是验证字符串是否仅包含有效的 base64 字符。
If you want to go a little further, you could note that the first few bytes of the encoded key specify the key type, and match on that. See this post, which says:
如果您想更进一步,您可以注意到编码密钥的前几个字节指定了密钥类型,并与之匹配。看到这个帖子,它说:
If you base64-decode the first bit of that text (AAAAB3NzaC1yc2EA) you'll find that it starts with bytes 00 00 00 07 (indicating that a 7-character string follows) and then the seven characters "ssh-rsa", which is the key type. DSA keys start with the slightly different string `AAAAB3NzaC1kc3MA', which decodes similarly to the string "ssh-dss".
如果您对该文本的第一位 (AAAAB3NzaC1yc2EA) 进行 base64 解码,您会发现它以字节 00 00 00 07 开头(表示后面跟着一个 7 个字符的字符串),然后是七个字符“ssh-rsa”,即密钥类型。DSA 密钥以稍微不同的字符串`AAAAB3NzaC1kc3MA'开头,它的解码类似于字符串“ssh-dss”。
