Add the most minimal example of an agent

wiktor-k · wiktor-k · commit 75682ad3c34d · 2025-01-20T12:49:07.000+01:00
Signed-off-by: Wiktor Kwapisiewicz &lt;wiktor@metacode.biz&gt;
diff --git a/examples/README.md b/examples/README.md
@@ -4,6 +4,10 @@ The examples in this directory show slightly more elaborate use-cases that can b
 
 ## Agents
 
+### `random-key`
+
+Generates a new random key and supports only the basic operations used by the OpenSSH client: retrieving supported public keys (`request_identities`) and signing using the ephemeral key (`sign_request`).
+
 ### `key-storage`
 
 Implements a simple agent which remembers RSA private keys (added via `ssh-add`) and allows fetching their public keys and signing using three different signing mechanisms.
diff --git a/examples/random-key.rs b/examples/random-key.rs
@@ -0,0 +1,120 @@
+use std::sync::{Arc, Mutex};
+
+use async_trait::async_trait;
+use rsa::pkcs1v15::SigningKey;
+use rsa::sha2::{Sha256, Sha512};
+use rsa::signature::{RandomizedSigner, SignatureEncoding};
+use sha1::Sha1;
+#[cfg(windows)]
+use ssh_agent_lib::agent::NamedPipeListener as Listener;
+use ssh_agent_lib::agent::{listen, Session};
+use ssh_agent_lib::error::AgentError;
+use ssh_agent_lib::proto::{message, signature, SignRequest};
+use ssh_key::private::RsaKeypair;
+use ssh_key::{
+    private::{KeypairData, PrivateKey},
+    public::PublicKey,
+    Algorithm, Signature,
+};
+#[cfg(not(windows))]
+use tokio::net::UnixListener as Listener;
+
+#[derive(Clone, PartialEq, Debug)]
+struct Identity {
+    pubkey: PublicKey,
+    privkey: PrivateKey,
+    comment: String,
+}
+
+#[derive(Clone)]
+struct RandomKey {
+    identity: Arc<Mutex<Option<Identity>>>,
+}
+
+impl RandomKey {
+    pub fn new() -> Result<Self, AgentError> {
+        let rsa = RsaKeypair::random(&mut rand::thread_rng(), 2048).map_err(AgentError::other)?;
+        let privkey = PrivateKey::new(KeypairData::Rsa(rsa), "automatically generated RSA key")
+            .map_err(AgentError::other)?;
+        Ok(Self {
+            identity: Arc::new(Mutex::new(Some(Identity {
+                pubkey: PublicKey::from(&privkey),
+                privkey,
+                comment: "automatically generated RSA key".into(),
+            }))),
+        })
+    }
+}
+
+#[crate::async_trait]
+impl Session for RandomKey {
+    async fn sign(&mut self, sign_request: SignRequest) -> Result<Signature, AgentError> {
+        let pubkey: PublicKey = sign_request.pubkey.clone().into();
+
+        if let Some(identity) = &self.identity.lock().unwrap().as_ref() {
+            if identity.pubkey.key_data() != pubkey.key_data() {
+                return Err(std::io::Error::other("Key not found").into());
+            }
+            match identity.privkey.key_data() {
+                KeypairData::Rsa(ref key) => {
+                    let algorithm;
+
+                    let private_key: rsa::RsaPrivateKey =
+                        key.try_into().map_err(AgentError::other)?;
+                    let mut rng = rand::thread_rng();
+                    let data = &sign_request.data;
+
+                    let signature = if sign_request.flags & signature::RSA_SHA2_512 != 0 {
+                        algorithm = "rsa-sha2-512";
+                        SigningKey::<Sha512>::new(private_key).sign_with_rng(&mut rng, data)
+                    } else if sign_request.flags & signature::RSA_SHA2_256 != 0 {
+                        algorithm = "rsa-sha2-256";
+                        SigningKey::<Sha256>::new(private_key).sign_with_rng(&mut rng, data)
+                    } else {
+                        algorithm = "ssh-rsa";
+                        SigningKey::<Sha1>::new(private_key).sign_with_rng(&mut rng, data)
+                    };
+                    eprintln!("algo: {algorithm}, bytes: {signature:?}");
+                    Ok(Signature::new(
+                        Algorithm::new(algorithm).map_err(AgentError::other)?,
+                        signature.to_bytes().to_vec(),
+                    )
+                    .map_err(AgentError::other)?)
+                }
+                _ => Err(std::io::Error::other("Signature for key type not implemented").into()),
+            }
+        } else {
+            Err(std::io::Error::other("Failed to create signature: identity not found").into())
+        }
+    }
+
+    async fn request_identities(&mut self) -> Result<Vec<message::Identity>, AgentError> {
+        let mut identities = vec![];
+        if let Some(identity) = self.identity.lock().unwrap().as_ref() {
+            identities.push(message::Identity {
+                pubkey: identity.pubkey.key_data().clone(),
+                comment: identity.comment.clone(),
+            })
+        }
+        Ok(identities)
+    }
+}
+
+#[tokio::main]
+async fn main() -> Result<(), AgentError> {
+    env_logger::init();
+
+    #[cfg(not(windows))]
+    let socket = "ssh-agent.sock";
+    #[cfg(windows)]
+    let socket = r"\\.\pipe\agent";
+
+    let _ = std::fs::remove_file(socket); // remove the socket if exists
+
+    // This is only used for integration tests on Windows:
+    #[cfg(windows)]
+    std::fs::File::create("server-started")?;
+
+    listen(Listener::bind(socket)?, RandomKey::new()?).await?;
+    Ok(())
+}
