[SSHD-846] Use an ephemeral KeyPairGenerator when creating DH KEX key-pair
Project: http://git-wip-us.apache.org/repos/asf/mina-sshd/repo Commit: http://git-wip-us.apache.org/repos/asf/mina-sshd/commit/36853fd0 Tree: http://git-wip-us.apache.org/repos/asf/mina-sshd/tree/36853fd0 Diff: http://git-wip-us.apache.org/repos/asf/mina-sshd/diff/36853fd0 Branch: refs/heads/master Commit: 36853fd00d771db1bce180f10a82941ec9f61f86 Parents: 28c52e9 Author: Goldstein Lyor <[email protected]> Authored: Tue Oct 2 08:49:46 2018 +0300 Committer: Lyor Goldstein <[email protected]> Committed: Wed Oct 3 20:05:17 2018 +0300 ---------------------------------------------------------------------- .../org/apache/sshd/common/kex/AbstractDH.java | 21 ++++++++---- .../java/org/apache/sshd/common/kex/DHG.java | 34 ++++++++------------ .../java/org/apache/sshd/common/kex/ECDH.java | 30 +++++++---------- 3 files changed, 40 insertions(+), 45 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/mina-sshd/blob/36853fd0/sshd-core/src/main/java/org/apache/sshd/common/kex/AbstractDH.java ---------------------------------------------------------------------- diff --git a/sshd-core/src/main/java/org/apache/sshd/common/kex/AbstractDH.java b/sshd-core/src/main/java/org/apache/sshd/common/kex/AbstractDH.java index 251de67..d5beccb 100644 --- a/sshd-core/src/main/java/org/apache/sshd/common/kex/AbstractDH.java +++ b/sshd-core/src/main/java/org/apache/sshd/common/kex/AbstractDH.java @@ -18,7 +18,7 @@ */ package org.apache.sshd.common.kex; -import java.math.BigInteger; +import javax.crypto.KeyAgreement; import org.apache.sshd.common.digest.Digest; import org.apache.sshd.common.util.NumberUtils; 
@@ -28,8 +28,10 @@ import org.apache.sshd.common.util.NumberUtils; */ public abstract class AbstractDH { - protected BigInteger k; // shared secret key - private byte[] k_array; + protected KeyAgreement myKeyAgree; + + private byte[] k_array; // shared secret key + private byte[] e_array; // public key used in the exchange protected AbstractDH() { super(); @@ -37,14 +39,21 @@ public abstract class AbstractDH { public abstract void setF(byte[] e); - public abstract byte[] getE() throws Exception; + protected abstract byte[] calculateE() throws Exception; + + public byte[] getE() throws Exception { + if (e_array == null) { + e_array = calculateE(); + } + + return e_array; + } protected abstract byte[] calculateK() throws Exception; public byte[] getK() throws Exception { - if (k == null) { + if (k_array == null) { k_array = calculateK(); - k = new BigInteger(k_array); } return k_array; } http://git-wip-us.apache.org/repos/asf/mina-sshd/blob/36853fd0/sshd-core/src/main/java/org/apache/sshd/common/kex/DHG.java ---------------------------------------------------------------------- diff --git a/sshd-core/src/main/java/org/apache/sshd/common/kex/DHG.java b/sshd-core/src/main/java/org/apache/sshd/common/kex/DHG.java index 44fa725..6cc1cb8 100644 --- a/sshd-core/src/main/java/org/apache/sshd/common/kex/DHG.java +++ b/sshd-core/src/main/java/org/apache/sshd/common/kex/DHG.java @@ -24,7 +24,7 @@ import java.security.KeyPair; import java.security.KeyPairGenerator; import java.security.PublicKey; -import javax.crypto.KeyAgreement; +import javax.crypto.interfaces.DHPublicKey; import javax.crypto.spec.DHParameterSpec; import javax.crypto.spec.DHPublicKeySpec; 
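Review bot: The new abstract `calculateE()` in AbstractDH has no Javadoc, yet `getK()` now depends on a side effect that only the subclasses' `calculateE()` performs. In both DHG and ECDH in this commit, `calculateE()` is where `myKeyAgree.init(myKpair.getPrivate())` runs, so `getK()` only works after `getE()` has been called. I would state that on the method, e.g. `/** Generates a fresh key pair, initializes {@link #myKeyAgree} with its private key and returns the encoded public value; must run before calculateK(). */`. `getE()` and `getK()` also return the cached `e_array` and `k_array` by reference and never reset them, so a short comment that an instance serves a single exchange and that callers must not modify the returned shared-secret array would help, if that is the intent. The class body continues outside this hunk.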
@@ -38,14 +38,9 @@ import org.apache.sshd.common.util.security.SecurityUtils; * @author <a href="mailto:[email protected]">Apache MINA SSHD Project</a> */ public class DHG extends AbstractDH { - private BigInteger p; private BigInteger g; - private BigInteger e; // my public key - private byte[] e_array; private BigInteger f; // your public key - private KeyPairGenerator myKpairGen; - private KeyAgreement myKeyAgree; private Factory<? extends Digest> factory; public DHG(Factory<? extends Digest> digestFactory) throws Exception { 
@@ -53,30 +48,29 @@ public class DHG extends AbstractDH { } public DHG(Factory<? extends Digest> digestFactory, BigInteger pValue, BigInteger gValue) throws Exception { - myKpairGen = SecurityUtils.getKeyPairGenerator("DH"); myKeyAgree = SecurityUtils.getKeyAgreement("DH"); factory = digestFactory; - p = pValue; - g = gValue; + p = pValue; // do not check for null-ity since in some cases it can be + g = gValue; // do not check for null-ity since in some cases it can be } @Override - public byte[] getE() throws Exception { - if (e == null) { - DHParameterSpec dhSkipParamSpec = new DHParameterSpec(p, g); - myKpairGen.initialize(dhSkipParamSpec); - KeyPair myKpair = myKpairGen.generateKeyPair(); - myKeyAgree.init(myKpair.getPrivate()); - e = ((javax.crypto.interfaces.DHPublicKey) (myKpair.getPublic())).getY(); - e_array = e.toByteArray(); - } - return e_array; + protected byte[] calculateE() throws Exception { + DHParameterSpec dhSkipParamSpec = new DHParameterSpec(p, g); + KeyPairGenerator myKpairGen = SecurityUtils.getKeyPairGenerator("DH"); + myKpairGen.initialize(dhSkipParamSpec); + + KeyPair myKpair = myKpairGen.generateKeyPair(); + myKeyAgree.init(myKpair.getPrivate()); + DHPublicKey pubKey = (DHPublicKey) myKpair.getPublic(); + BigInteger e = pubKey.getY(); + return e.toByteArray(); } @Override protected byte[] calculateK() throws Exception { - KeyFactory myKeyFac = SecurityUtils.getKeyFactory("DH"); DHPublicKeySpec keySpec = new DHPublicKeySpec(f, p, g); + KeyFactory myKeyFac = SecurityUtils.getKeyFactory("DH"); PublicKey yourPubKey = myKeyFac.generatePublic(keySpec); myKeyAgree.doPhase(yourPubKey, true); return stripLeadingZeroes(myKeyAgree.generateSecret()); http://git-wip-us.apache.org/repos/asf/mina-sshd/blob/36853fd0/sshd-core/src/main/java/org/apache/sshd/common/kex/ECDH.java ---------------------------------------------------------------------- 
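Review bot: DHG.calculateE() builds `new DHParameterSpec(p, g)` without checking either value, although the constructor comments in the same hunk say `p` and `g` may be null, while ECDH.calculateE() in this commit guards its input with `Objects.requireNonNull(params, "No ECParameterSpec(s)")`. A matching guard, `Objects.requireNonNull(p, "No P value");` and `Objects.requireNonNull(g, "No G value");`, would replace a provider-dependent failure with a clear one; `java.util.Objects` is not among the DHG imports visible here and would need adding. The comment `// do not check for null-ity since in some cases it can be` is cut short here and again on `params = paramSpec;` in the ECDH constructor; something like `// may be null at construction time; checked when the key pair is generated` says what is meant. Separately, calculateK() passes the peer value `f` straight into `new DHPublicKeySpec(f, p, g)`, and this page does not show whether `f` is range-checked against `p` (RFC 4253 section 8) before it gets there, so that is worth confirming.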
diff --git a/sshd-core/src/main/java/org/apache/sshd/common/kex/ECDH.java b/sshd-core/src/main/java/org/apache/sshd/common/kex/ECDH.java index 0fc178e..f5b5070 100644 --- a/sshd-core/src/main/java/org/apache/sshd/common/kex/ECDH.java +++ b/sshd-core/src/main/java/org/apache/sshd/common/kex/ECDH.java @@ -28,8 +28,6 @@ import java.security.spec.ECPoint; import java.security.spec.ECPublicKeySpec; import java.util.Objects; -import javax.crypto.KeyAgreement; - import org.apache.sshd.common.cipher.ECCurves; import org.apache.sshd.common.config.keys.KeyUtils; import org.apache.sshd.common.digest.Digest; @@ -42,13 +40,8 @@ import org.apache.sshd.common.util.security.SecurityUtils; * @author <a href="mailto:[email protected]">Apache MINA SSHD Project</a> */ public class ECDH extends AbstractDH { - private ECParameterSpec params; - private ECPoint e; - private byte[] e_array; private ECPoint f; - private KeyPairGenerator myKpairGen; - private KeyAgreement myKeyAgree; public ECDH() throws Exception { this((ECParameterSpec) null); 
@@ -63,22 +56,21 @@ public class ECDH extends AbstractDH { } public ECDH(ECParameterSpec paramSpec) throws Exception { - myKpairGen = SecurityUtils.getKeyPairGenerator(KeyUtils.EC_ALGORITHM); myKeyAgree = SecurityUtils.getKeyAgreement("ECDH"); - params = paramSpec; + params = paramSpec; // do not check for null-ity since in some cases it can be } @Override - public byte[] getE() throws Exception { - if (e == null) { - Objects.requireNonNull(params, "No ECParameterSpec(s)"); - myKpairGen.initialize(params); - KeyPair myKpair = myKpairGen.generateKeyPair(); - myKeyAgree.init(myKpair.getPrivate()); - e = ((ECPublicKey) myKpair.getPublic()).getW(); - e_array = ECCurves.encodeECPoint(e, params); - } - return e_array; + protected byte[] calculateE() throws Exception { + Objects.requireNonNull(params, "No ECParameterSpec(s)"); + KeyPairGenerator myKpairGen = SecurityUtils.getKeyPairGenerator(KeyUtils.EC_ALGORITHM); + myKpairGen.initialize(params); + KeyPair myKpair = myKpairGen.generateKeyPair(); + myKeyAgree.init(myKpair.getPrivate()); + + ECPublicKey pubKey = (ECPublicKey) myKpair.getPublic(); + ECPoint e = pubKey.getW(); + return ECCurves.encodeECPoint(e, params); } @Override
