1 // Copyright 2014 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
16 "golang.org/x/crypto/ssh"
33 var errLocked = errors.New("agent: locked")
35 // NewKeyring returns an Agent that holds keys in memory. It is safe
36 // for concurrent use by multiple goroutines.
37 func NewKeyring() Agent {
41 // RemoveAll removes all identities.
42 func (r *keyring) RemoveAll() error {
53 // removeLocked does the actual key removal. The caller must already be holding the
55 func (r *keyring) removeLocked(want []byte) error {
57 for i := 0; i < len(r.keys); {
58 if bytes.Equal(r.keys[i].signer.PublicKey().Marshal(), want) {
60 r.keys[i] = r.keys[len(r.keys)-1]
61 r.keys = r.keys[:len(r.keys)-1]
69 return errors.New("agent: key not found")
74 // Remove removes all identities with the given public key.
75 func (r *keyring) Remove(key ssh.PublicKey) error {
82 return r.removeLocked(key.Marshal())
85 // Lock locks the agent. Sign and Remove will fail, and List will return an empty list.
86 func (r *keyring) Lock(passphrase []byte) error {
94 r.passphrase = passphrase
98 // Unlock undoes the effect of Lock
99 func (r *keyring) Unlock(passphrase []byte) error {
103 return errors.New("agent: not locked")
105 if len(passphrase) != len(r.passphrase) || 1 != subtle.ConstantTimeCompare(passphrase, r.passphrase) {
106 return fmt.Errorf("agent: incorrect passphrase")
114 // expireKeysLocked removes expired keys from the keyring. If a key was added
115 // with a lifetimesecs contraint and seconds >= lifetimesecs seconds have
116 // ellapsed, it is removed. The caller *must* be holding the keyring mutex.
117 func (r *keyring) expireKeysLocked() {
118 for _, k := range r.keys {
119 if k.expire != nil && time.Now().After(*k.expire) {
120 r.removeLocked(k.signer.PublicKey().Marshal())
125 // List returns the identities known to the agent.
126 func (r *keyring) List() ([]*Key, error) {
130 // section 2.7: locked agents return empty.
136 for _, k := range r.keys {
137 pub := k.signer.PublicKey()
138 ids = append(ids, &Key{
146 // Insert adds a private key to the keyring. If a certificate
147 // is given, that certificate is added as public key. Note that
148 // any constraints given are ignored.
149 func (r *keyring) Add(key AddedKey) error {
155 signer, err := ssh.NewSignerFromKey(key.PrivateKey)
161 if cert := key.Certificate; cert != nil {
162 signer, err = ssh.NewCertSigner(cert, signer)
170 comment: key.Comment,
173 if key.LifetimeSecs > 0 {
174 t := time.Now().Add(time.Duration(key.LifetimeSecs) * time.Second)
178 r.keys = append(r.keys, p)
183 // Sign returns a signature for the data.
184 func (r *keyring) Sign(key ssh.PublicKey, data []byte) (*ssh.Signature, error) {
188 return nil, errLocked
192 wanted := key.Marshal()
193 for _, k := range r.keys {
194 if bytes.Equal(k.signer.PublicKey().Marshal(), wanted) {
195 return k.signer.Sign(rand.Reader, data)
198 return nil, errors.New("not found")
201 // Signers returns signers for all the known keys.
202 func (r *keyring) Signers() ([]ssh.Signer, error) {
206 return nil, errLocked
210 s := make([]ssh.Signer, 0, len(r.keys))
211 for _, k := range r.keys {
212 s = append(s, k.signer)