Merge pull request #2224 from hagau/ssh_encode_signature

Encode signature to SSH compatible format in SshAuthenticationService

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/SshPublicKey.java

@@ -27,6 +27,9 @@ import org.sufficientlysecure.keychain.ssh.key.SshDSAPublicKey;
 import org.sufficientlysecure.keychain.ssh.key.SshECDSAPublicKey;
 import org.sufficientlysecure.keychain.ssh.key.SshEd25519PublicKey;
 import org.sufficientlysecure.keychain.ssh.key.SshRSAPublicKey;
+import org.sufficientlysecure.keychain.ssh.utils.SshUtils;
+
+import java.security.NoSuchAlgorithmException;
 
 public class SshPublicKey {
     private final static String TAG = "SshPublicKey";
@@ -37,7 +40,7 @@ public class SshPublicKey {
         mPublicKey = publicKey;
     }
 
-    public String getEncodedKey() throws PgpGeneralException {
+    public String getEncodedKey() throws PgpGeneralException, NoSuchAlgorithmException {
         PGPPublicKey key = mPublicKey.getPublicKey();
 
         switch (key.getAlgorithm()) {
@@ -50,9 +53,8 @@ public class SshPublicKey {
             case PGPPublicKey.DSA:
                 return encodeDSAKey(key);
             default:
-                break;
+                throw new PgpGeneralException("Unknown key algorithm");
         }
-        throw new PgpGeneralException("Unknown algorithm");
     }
 
     private String encodeRSAKey(PGPPublicKey publicKey) {
@@ -63,51 +65,16 @@ public class SshPublicKey {
         return pubkey.getPublicKeyBlob();
     }
 
-    private String encodeECKey(PGPPublicKey publicKey) {
+    private String encodeECKey(PGPPublicKey publicKey) throws NoSuchAlgorithmException {
         ECPublicBCPGKey publicBCPGKey = (ECPublicBCPGKey) publicKey.getPublicKeyPacket().getKey();
 
-        String curveName = getCurveName(publicBCPGKey);
+        String curveName = SshUtils.getCurveName(mPublicKey.getCurveOid());
         SshECDSAPublicKey sshECDSAPublicKey = new SshECDSAPublicKey(curveName, publicBCPGKey.getEncodedPoint());
 
         return sshECDSAPublicKey.getPublicKeyBlob();
     }
 
-    private String getCurveName(ECPublicBCPGKey publicBCPGKey) {
-        String curveOid = publicBCPGKey.getCurveOID().getId();
-        // see RFC5656 section 10.{1,2}
-        switch (curveOid) {
-            // REQUIRED curves
-            case "1.2.840.10045.3.1.7":
-                return "nistp256";
-            case "1.3.132.0.34":
-                return "nistp384";
-            case "1.3.132.0.35":
-                return "nistp521";
-
-            // RECOMMENDED curves
-            case "1.3.132.0.1":
-                return     "1.3.132.0.1";
-            case "1.2.840.10045.3.1.1":
-                return  "1.2.840.10045.3.1.1";
-            case "1.3.132.0.33":
-                return     "1.3.132.0.33";
-            case "1.3.132.0.26":
-                return     "1.3.132.0.26";
-            case "1.3.132.0.27":
-                return     "1.3.132.0.27";
-            case "1.3.132.0.16":
-                return     "1.3.132.0.16";
-            case "1.3.132.0.36":
-                return     "1.3.132.0.36";
-            case "1.3.132.0.37":
-                return     "1.3.132.0.37";
-            case "1.3.132.0.38":
-                return     "1.3.132.0.38";
 
-            default:
-                return null;
-        }
-    }
 
     private String encodeEdDSAKey(PGPPublicKey publicKey) {
         EdDSAPublicBCPGKey publicBCPGKey = (EdDSAPublicBCPGKey) publicKey.getPublicKeyPacket().getKey();

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/SshAuthenticationService.java

@@ -23,6 +23,7 @@ import android.content.Intent;
 import android.os.IBinder;
 import android.util.Log;
 import org.bouncycastle.bcpg.HashAlgorithmTags;
+import org.bouncycastle.bcpg.PublicKeyAlgorithmTags;
 import org.openintents.ssh.authentication.ISshAuthenticationService;
 import org.openintents.ssh.authentication.SshAuthenticationApi;
 import org.openintents.ssh.authentication.SshAuthenticationApiError;
@@ -46,10 +47,14 @@ import org.sufficientlysecure.keychain.ssh.AuthenticationData;
 import org.sufficientlysecure.keychain.ssh.AuthenticationOperation;
 import org.sufficientlysecure.keychain.ssh.AuthenticationParcel;
 import org.sufficientlysecure.keychain.ssh.AuthenticationResult;
+import org.sufficientlysecure.keychain.ssh.signature.SshSignatureConverter;
 
 import java.security.NoSuchAlgorithmException;
 import java.security.PublicKey;
-import java.util.*;
+import java.util.Collections;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.List;
 
 
 public class SshAuthenticationService extends Service {
@@ -141,12 +146,22 @@ public class SshAuthenticationService extends Service {
         CachedPublicKeyRing cachedPublicKeyRing = mKeyRepository.getCachedPublicKeyRing(masterKeyId);
 
         long authSubKeyId;
+        int authSubKeyAlgorithm;
+        String authSubKeyCurveOid = null;
         try {
             // get first usable subkey capable of authentication
             authSubKeyId = cachedPublicKeyRing.getSecretAuthenticationId();
+            // needed for encoding the resulting signature
+            authSubKeyAlgorithm = getPublicKey(masterKeyId).getAlgorithm();
+            if (authSubKeyAlgorithm == PublicKeyAlgorithmTags.ECDSA) {
+                authSubKeyCurveOid = getPublicKey(masterKeyId).getCurveOid();
+            }
         } catch (PgpKeyNotFoundException e) {
             return createExceptionErrorResult(SshAuthenticationApiError.NO_AUTH_KEY,
                     "authentication key for master key id not found in keychain", e);
+        } catch (KeyRepository.NotFoundException e) {
+            return createExceptionErrorResult(SshAuthenticationApiError.NO_SUCH_KEY,
+                    "Key for master key id not found", e);
         }
 
         authData.setAuthenticationSubKeyId(authSubKeyId);
@@ -175,7 +190,19 @@ public class SshAuthenticationService extends Service {
             // return PendingIntent to be executed by client
             return packagePendingIntent(pi);
         } else if (authResult.success()) {
-            return new SigningResponse(authResult.getSignature()).toIntent();
+            byte[] rawSignature = authResult.getSignature();
+            byte[] sshSignature;
+            try {
+                if (authSubKeyAlgorithm == PublicKeyAlgorithmTags.ECDSA) {
+                    sshSignature = SshSignatureConverter.getSshSignatureEcDsa(rawSignature, authSubKeyCurveOid);
+                } else {
+                    sshSignature = SshSignatureConverter.getSshSignature(rawSignature, authSubKeyAlgorithm);
+                }
+            } catch (NoSuchAlgorithmException e) {
+                return createExceptionErrorResult(SshAuthenticationApiError.INTERNAL_ERROR,
+                        "Error converting signature", e);
+            }
+            return new SigningResponse(sshSignature).toIntent();
         } else {
             LogEntryParcel errorMsg = authResult.getLog().getLast();
             return createErrorResult(SshAuthenticationApiError.INTERNAL_ERROR, getString(errorMsg.mType.getMsgId()));
@@ -324,7 +351,7 @@ public class SshAuthenticationService extends Service {
         SshPublicKey sshPublicKey = new SshPublicKey(publicKey);
         try {
             sshPublicKeyBlob = sshPublicKey.getEncodedKey();
-        } catch (PgpGeneralException e) {
+        } catch (PgpGeneralException | NoSuchAlgorithmException e) {
             return createExceptionErrorResult(SshAuthenticationApiError.GENERIC_ERROR,
                     "Error converting public key to SSH format", e);
         }

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ssh/signature/SshSignatureConverter.java

@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) 2017 Christian Hagau <ach@hagau.se>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package org.sufficientlysecure.keychain.ssh.signature;
+
+import org.bouncycastle.asn1.ASN1Integer;
+import org.bouncycastle.asn1.ASN1Primitive;
+import org.bouncycastle.asn1.ASN1Sequence;
+import org.bouncycastle.bcpg.PublicKeyAlgorithmTags;
+import org.bouncycastle.util.BigIntegers;
+import org.sufficientlysecure.keychain.ssh.key.SshEncodedData;
+import org.sufficientlysecure.keychain.ssh.utils.SshUtils;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.NoSuchAlgorithmException;
+
+public class SshSignatureConverter {
+
+    private static String getSignatureType(int algorithm) throws NoSuchAlgorithmException {
+        switch (algorithm) {
+            case PublicKeyAlgorithmTags.RSA_SIGN:
+            case PublicKeyAlgorithmTags.RSA_GENERAL:
+                return "ssh-rsa";
+
+            case PublicKeyAlgorithmTags.EDDSA:
+                return "ssh-ed25519";
+
+            case PublicKeyAlgorithmTags.DSA:
+                return "ssh-dss";
+
+            default:
+                throw new NoSuchAlgorithmException("Unknown algorithm");
+        }
+    }
+
+    private static byte[] getSignatureBlob(byte[] rawSignature, int algorithm) throws NoSuchAlgorithmException {
+        switch (algorithm) {
+            case PublicKeyAlgorithmTags.RSA_SIGN:
+            case PublicKeyAlgorithmTags.RSA_GENERAL:
+                return rawSignature;
+
+            case PublicKeyAlgorithmTags.EDDSA:
+                return rawSignature;
+
+            case PublicKeyAlgorithmTags.DSA:
+                return getDsaSignatureBlob(rawSignature);
+
+            default:
+                throw new NoSuchAlgorithmException("Unknown algorithm");
+        }
+    }
+
+    private static byte[] getEcDsaSignatureBlob(byte[] rawSignature) {
+        BigInteger r = getR(rawSignature);
+        BigInteger s = getS(rawSignature);
+
+        SshEncodedData rsBlob = new SshEncodedData();
+        rsBlob.putMPInt(r);
+        rsBlob.putMPInt(s);
+
+        return rsBlob.getBytes();
+    }
+
+    private static BigInteger getR(byte[] rawSignature) {
+        ASN1Sequence asn1Sequence = getASN1Sequence(rawSignature);
+        return ASN1Integer.getInstance(asn1Sequence.getObjectAt(0)).getValue();
+    }
+
+    private static BigInteger getS(byte[] rawSignature) {
+        ASN1Sequence asn1Sequence = getASN1Sequence(rawSignature);
+        return ASN1Integer.getInstance(asn1Sequence.getObjectAt(1)).getValue();
+    }
+
+    private static ASN1Sequence getASN1Sequence(byte[] rawSignature) {
+        try {
+            return (ASN1Sequence) ASN1Primitive.fromByteArray(rawSignature);
+        } catch (IOException e) {
+            throw new IllegalArgumentException("Could not read ASN.1 object", e);
+        }
+    }
+
+    private static byte[] getDsaSignatureBlob(byte[] rawSignature) {
+        BigInteger r = getR(rawSignature);
+        BigInteger s = getS(rawSignature);
+
+        byte[] rByte = BigIntegers.asUnsignedByteArray(r);
+        byte[] sByte = BigIntegers.asUnsignedByteArray(s);
+
+        int integerLength = getDsaSignatureLength(rByte.length > sByte.length ? rByte.length : sByte.length);
+        int rPaddingLength = integerLength - rByte.length;
+        int sPaddingLength = integerLength - sByte.length;
+
+        byte[] rsBlob = new byte[2 * integerLength];
+        System.arraycopy(rByte, 0, rsBlob, rPaddingLength, rByte.length);
+        System.arraycopy(sByte, 0, rsBlob, integerLength + sPaddingLength, sByte.length);
+
+        return rsBlob;
+    }
+
+    private static int getDsaSignatureLength(int inLength) {
+        if (inLength <= 20) {
+            return 20;
+        } else {
+            return 32;
+        }
+    }
+
+    public static byte[] getSshSignature(byte[] rawSignature, int algorithm) throws NoSuchAlgorithmException {
+        SshEncodedData signature = new SshEncodedData();
+        signature.putString(getSignatureType(algorithm));
+        signature.putString(getSignatureBlob(rawSignature, algorithm));
+
+        return signature.getBytes();
+    }
+
+    public static byte[] getSshSignatureEcDsa(byte[] rawSignature, String curveOid) throws NoSuchAlgorithmException {
+        SshEncodedData signature = new SshEncodedData();
+        signature.putString("ecdsa-sha2-" + SshUtils.getCurveName(curveOid));
+        signature.putString(getEcDsaSignatureBlob(rawSignature));
+
+        return signature.getBytes();
+    }
+}

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ssh/utils/SshUtils.java

@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2017 Christian Hagau <ach@hagau.se>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package org.sufficientlysecure.keychain.ssh.utils;
+
+import java.security.NoSuchAlgorithmException;
+
+public class SshUtils {
+
+    public static String getCurveName(String curveOid) throws NoSuchAlgorithmException {
+        // see RFC5656 section 10.{1,2}
+        switch (curveOid) {
+            // REQUIRED curves
+            case "1.2.840.10045.3.1.7":
+                return "nistp256";
+            case "1.3.132.0.34":
+                return "nistp384";
+            case "1.3.132.0.35":
+                return "nistp521";
+
+            // RECOMMENDED curves
+            case "1.3.132.0.1":
+                return "1.3.132.0.1";
+            case "1.2.840.10045.3.1.1":
+                return "1.2.840.10045.3.1.1";
+            case "1.3.132.0.33":
+                return "1.3.132.0.33";
+            case "1.3.132.0.26":
+                return "1.3.132.0.26";
+            case "1.3.132.0.27":
+                return "1.3.132.0.27";
+            case "1.3.132.0.16":
+                return "1.3.132.0.16";
+            case "1.3.132.0.36":
+                return "1.3.132.0.36";
+            case "1.3.132.0.37":
+                return "1.3.132.0.37";
+            case "1.3.132.0.38":
+                return "1.3.132.0.38";
+
+            default:
+                throw new NoSuchAlgorithmException("Can't translate curve OID to SSH curve identifier");
+        }
+    }
+}

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/ViewKeyAdvShareFragment.java

@@ -69,6 +69,7 @@ import java.io.BufferedWriter;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.OutputStreamWriter;
+import java.security.NoSuchAlgorithmException;
 
 public class ViewKeyAdvShareFragment extends LoaderFragment implements
         LoaderManager.LoaderCallbacks<Cursor> {
@@ -223,7 +224,8 @@ public class ViewKeyAdvShareFragment extends LoaderFragment implements
     }
 
     private String getShareKeyContent(boolean asSshKey)
-            throws PgpKeyNotFoundException, KeyRepository.NotFoundException, IOException, PgpGeneralException {
+            throws PgpKeyNotFoundException, KeyRepository.NotFoundException, IOException, PgpGeneralException,
+            NoSuchAlgorithmException {
 
         KeyRepository keyRepository = KeyRepository.create(getContext());
 
@@ -303,7 +305,7 @@ public class ViewKeyAdvShareFragment extends LoaderFragment implements
             Intent shareChooser = Intent.createChooser(sendIntent, title);
 
             startActivity(shareChooser);
-        } catch (PgpGeneralException | IOException e) {
+        } catch (PgpGeneralException | IOException | NoSuchAlgorithmException e) {
             Log.e(Constants.TAG, "error processing key!", e);
             Notify.create(activity, R.string.error_key_processing, Notify.Style.ERROR).show();
         } catch (PgpKeyNotFoundException | KeyRepository.NotFoundException e) {

OpenKeychain/src/test/java/org/sufficientlysecure/keychain/ssh/signature/SshSignatureConverterTest.java

@@ -0,0 +1,161 @@
+/*
+ * Copyright (C) 2017 Christian Hagau <ach@hagau.se>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package org.sufficientlysecure.keychain.ssh.signature;
+
+
+import org.bouncycastle.bcpg.PublicKeyAlgorithmTags;
+import org.bouncycastle.util.encoders.Hex;
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.sufficientlysecure.keychain.KeychainTestRunner;
+
+
+@RunWith(KeychainTestRunner.class)
+public class SshSignatureConverterTest {
+
+    private final static String CURVE_OID_NIST_P_256 = "1.2.840.10045.3.1.7";
+
+    private final static byte[] RAW_ECDSA_SIGNATURE = Hex.decode(
+            "3046" +
+                    "0221" +
+                    "00949fa9151d71495d9c020635dcedac6a" +
+                    "8665d079b4f721b05a9408771e455fe2" +
+                    "0221" +
+                    "00df9c7a5ae59e5d2e42d3767e1525c825" +
+                    "7cff82ac2664b6419ff66f6e8b9669a0");
+
+    private final static byte[] SSH_ECDSA_SIGNATURE = Hex.decode(
+            "00000013" +
+                    "65636473612d736861322d6e6973747032" +
+                    "3536" +
+                    "0000004a" +
+                    "00000021" +
+                    "00949fa9151d71495d9c020635dcedac6a" +
+                    "8665d079b4f721b05a9408771e455fe2" +
+                    "00000021" +
+                    "00df9c7a5ae59e5d2e42d3767e1525c825" +
+                    "7cff82ac2664b6419ff66f6e8b9669a0"
+    );
+
+    private final static byte[] RAW_RSA_SIGNATURE = Hex.decode(
+            "1c975c37a4137e9c861d20d9d40b6db16d" +
+                    "1da8b17e360311b6a4ebcb3f1ff51d4906" +
+                    "28b80de0dece08a1b5ebe8a5894ea2fea7" +
+                    "40741e7c83c241a0d2bd9bdb3a2f3942ca" +
+                    "e8ccc3bda7a17b40b00a0e214a5da76542" +
+                    "11f5fc49b45d16b1e46fa80ce777969c51" +
+                    "9f09bb45e312e4109b3af0c3133ffa221d" +
+                    "a9e3c9e03fa2fdb70df03e6c83ee71f106" +
+                    "b8f24fd72bad5e4e68123dda656ddba8ee" +
+                    "11f9106154d1e1370bff3ba22e3c25b7d9" +
+                    "334d903e4dd79a7389da41e9437e79ddd8" +
+                    "a3335d2c217f01059bde2f3450f8933f38" +
+                    "be10cd59467e9c9332c7794ccb9d19cb65" +
+                    "a179b0166cd0e583e17f8f312222259ae3" +
+                    "1b13e61fcae4da5c5554e2355218a0eb07" +
+                    "19"
+    );
+
+    private final static byte[] SSH_RSA_SIGNATURE = Hex.decode(
+            "00000007" +
+                    "7373682d727361" +
+                    "00000100" +
+                    "1c975c37a4137e9c861d20d9d40b6db16d" +
+                    "1da8b17e360311b6a4ebcb3f1ff51d4906" +
+                    "28b80de0dece08a1b5ebe8a5894ea2fea7" +
+                    "40741e7c83c241a0d2bd9bdb3a2f3942ca" +
+                    "e8ccc3bda7a17b40b00a0e214a5da76542" +
+                    "11f5fc49b45d16b1e46fa80ce777969c51" +
+                    "9f09bb45e312e4109b3af0c3133ffa221d" +
+                    "a9e3c9e03fa2fdb70df03e6c83ee71f106" +
+                    "b8f24fd72bad5e4e68123dda656ddba8ee" +
+                    "11f9106154d1e1370bff3ba22e3c25b7d9" +
+                    "334d903e4dd79a7389da41e9437e79ddd8" +
+                    "a3335d2c217f01059bde2f3450f8933f38" +
+                    "be10cd59467e9c9332c7794ccb9d19cb65" +
+                    "a179b0166cd0e583e17f8f312222259ae3" +
+                    "1b13e61fcae4da5c5554e2355218a0eb07" +
+                    "19"
+    );
+
+    private final static byte[] RAW_EDDSA_SIGNATURE = Hex.decode(
+            "554946e827c6fd4b21b7a81a977a745331" +
+                    "0e18c005403bfa4ddd87158b56b140fd61" +
+                    "0bf15d7f38a32b55713fd38087ac8612dc" +
+                    "1456cec315e4643b6d2489070a"
+    );
+
+    private final static byte[] SSH_EDDSA_SIGNATURE = Hex.decode(
+            "0000000b" +
+                    "7373682d65643235353139" +
+                    "00000040" +
+                    "554946e827c6fd4b21b7a81a977a745331" +
+                    "0e18c005403bfa4ddd87158b56b140fd61" +
+                    "0bf15d7f38a32b55713fd38087ac8612dc" +
+                    "1456cec315e4643b6d2489070a"
+    );
+
+    private final static byte[] RAW_DSA_SIGNATURE = Hex.decode(
+            "3046" +
+                    "0221" +
+                    "00defdb8a25fb8660a3cab24510a200a01" +
+                    "3eb9c677e4caed19a349a9af3b8c971a" +
+                    "0221" +
+                    "00e7e4d5b8f08ab5cb4d445f03c458ccce" +
+                    "3dff26a20fb314508604d1ca3e2c9125"
+    );
+
+    private final static byte[] SSH_DSA_SIGNATURE = Hex.decode(
+            "00000007" +
+                    "7373682d647373" +
+                    "00000040" +
+                    "defdb8a25fb8660a3cab24510a200a013e" +
+                    "b9c677e4caed19a349a9af3b8c971ae7e4" +
+                    "d5b8f08ab5cb4d445f03c458ccce3dff26" +
+                    "a20fb314508604d1ca3e2c9125"
+    );
+
+    @Test
+    public void testEcDsa() throws Exception {
+        byte[] out = SshSignatureConverter.getSshSignatureEcDsa(RAW_ECDSA_SIGNATURE, CURVE_OID_NIST_P_256);
+
+        Assert.assertArrayEquals(SSH_ECDSA_SIGNATURE, out);
+    }
+
+    @Test
+    public void testRsa() throws Exception {
+        byte[] out = SshSignatureConverter.getSshSignature(RAW_RSA_SIGNATURE, PublicKeyAlgorithmTags.RSA_SIGN);
+
+        Assert.assertArrayEquals(SSH_RSA_SIGNATURE, out);
+    }
+
+    @Test
+    public void testEdDsa() throws Exception {
+        byte[] out = SshSignatureConverter.getSshSignature(RAW_EDDSA_SIGNATURE, PublicKeyAlgorithmTags.EDDSA);
+
+        Assert.assertArrayEquals(SSH_EDDSA_SIGNATURE, out);
+    }
+
+    @Test
+    public void testDsa() throws Exception {
+        byte[] out = SshSignatureConverter.getSshSignature(RAW_DSA_SIGNATURE, PublicKeyAlgorithmTags.DSA);
+
+        Assert.assertArrayEquals(SSH_DSA_SIGNATURE, out);
+    }
+}

sshauthentication-api/src/main/java/org/openintents/ssh/authentication/SshAuthenticationApi.java

@@ -42,6 +42,10 @@ public class SshAuthenticationApi {
      *
      * Sign a given challenge
      *
+     * returns the encoded signature as described in
+     * RFC4253, RFC5656 & draft-ietf-curdle-ssh-ed25519
+     * and their respective updates
+     *
      * required extras:
      * String        EXTRA_KEY_ID
      * byte[]        EXTRA_CHALLENGE