
RSA certificate key determination is broken #599

Closed
vladimirlagunov opened this issue Jun 15, 2020 · 3 comments · Fixed by #602

Comments

@vladimirlagunov
Contributor

vladimirlagunov commented Jun 15, 2020

net.schmizz.sshj.common.KeyType#fromKey iterates over these values:

  • 0 = {KeyType$1@22968} "ssh-rsa"
  • 1 = {KeyType$2@25838} "ssh-dss"
  • 2 = {KeyType$3@25839} "ecdsa-sha2-nistp256"
  • 3 = {KeyType$4@25840} "ecdsa-sha2-nistp384"
  • 4 = {KeyType$5@25841} "ecdsa-sha2-nistp521"
  • 5 = {KeyType$6@25842} "ssh-ed25519"
  • 6 = {KeyType$7@25349} "ssh-rsa-cert-v01@openssh.com"
  • 7 = {KeyType$8@25843} "ssh-dss-cert-v01@openssh.com"
  • 8 = {KeyType$9@25844} "unknown"

Suppose there's an attempt to determine the type of an ssh-rsa-cert-v01@openssh.com key. KeyProvider.getPublic() would return an instance of com.hierynomus.sshj.userauth.certificate.Certificate.

The first iteration checks that KeyAlgorithm.RSA.equals(key.getAlgorithm()), and that returns true. So KeyType.fromKey decides that it's KeyType.RSA, but KeyType.RSA_CERT is expected.
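
A small self-contained model of the misclassification described above, added here as an illustration rather than sshj's own code: CertKey is a hypothetical stand-in for the project's Certificate wrapper (it implements PublicKey and delegates getAlgorithm() to the wrapped key), and KeyKind models an enum whose fromKey() returns the first constant that claims the key. The broken check compares the algorithm name only, so the certificate is reported as a plain RSA key; the fixed check tests the concrete key interface instead.

```java
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;

// Hypothetical stand-in for a certificate wrapper (not the project's class):
// it implements PublicKey and delegates getAlgorithm() to the wrapped key, so an
// RSA certificate answers "RSA" exactly like a plain RSA key.
final class CertKey implements PublicKey {
    private final PublicKey inner;
    CertKey(PublicKey inner) { this.inner = inner; }
    PublicKey getKey() { return inner; }
    @Override public String getAlgorithm() { return inner.getAlgorithm(); }
    @Override public String getFormat() { return inner.getFormat(); }
    @Override public byte[] getEncoded() { return inner.getEncoded(); }
}

// Hypothetical model of the enum: the plain type is declared before the
// certificate type, and fromKey*() returns the first constant that claims the key.
enum KeyKind {
    RSA {
        boolean byName(PublicKey k) { return "RSA".equals(k.getAlgorithm()); }
        boolean byType(PublicKey k) { return k instanceof RSAPublicKey; }
    },
    RSA_CERT {
        boolean byName(PublicKey k) { return k instanceof CertKey && RSA.byName(((CertKey) k).getKey()); }
        boolean byType(PublicKey k) { return k instanceof CertKey && RSA.byType(((CertKey) k).getKey()); }
    };
    abstract boolean byName(PublicKey k); // broken check: algorithm string only
    abstract boolean byType(PublicKey k); // fixed check: concrete key interface

    static KeyKind fromKeyBroken(PublicKey k) { for (KeyKind t : values()) if (t.byName(k)) return t; return null; }
    static KeyKind fromKeyFixed(PublicKey k)  { for (KeyKind t : values()) if (t.byType(k)) return t; return null; }
}

public class KeyTypeDemo {
    public static void main(String[] args) throws Exception {
        // Constructed input: a freshly generated RSA key, once bare and once wrapped as a certificate.
        PublicKey rsa = KeyPairGenerator.getInstance("RSA").generateKeyPair().getPublic();
        PublicKey cert = new CertKey(rsa);
        System.out.println("plain key, broken check: " + KeyKind.fromKeyBroken(rsa));
        System.out.println("cert key,  broken check: " + KeyKind.fromKeyBroken(cert)); // first match wins
        System.out.println("cert key,  fixed check:  " + KeyKind.fromKeyFixed(cert));
    }
}
```

Compile with `javac KeyTypeDemo.java` and run `java KeyTypeDemo`; the middle line shows the certificate being claimed by the plain RSA constant, the last line the corrected result.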

@hierynomus
Owner

Ouch, good find. The unit tests are missing a test I think ;)

vladimirlagunov added a commit to vladimirlagunov/sshj that referenced this issue Jun 15, 2020
@vladimirlagunov
Contributor Author

Just for information. Having switched to the actual master of SSHJ, some of our private integration tests have started failing because of various No KeyAlgorithm configured for key ecdsa-sha2-nistp384. I haven't managed to find the cause yet.

@fmeum
Contributor

fmeum commented Jun 15, 2020

Just for information. Having switched to the actual master of SSHJ, some of our private integration tests have started failing because of various No KeyAlgorithm configured for key ecdsa-sha2-nistp384. I haven't managed to find the cause yet.

I also noticed this in #600. The reason seems to be that the KeyAlgorithms used for pubkey auth are not all the ones configured, but only the ones that the server advertises a host key for.

hierynomus added a commit that referenced this issue Jul 31, 2020
* Fix RSA certificate key determination.

Fixes #599.

* Correct serialization of RSA certificates with unlimited dates.

* The test for connecting with RSA certificate.

* Remove redundant change in TransportImpl.java

* Add forgotten test keys.

* Make net.schmizz.sshj.common.KeyType.CertUtils.epochFromDate readable.

Co-authored-by: Vladimir Lagunov <vladimir.lagunov@jetbrains.com>
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>