This is an automated email from the ASF dual-hosted git repository.

twolf pushed a commit to branch dev_3.0
in repository https://gitbox.apache.org/repos/asf/mina-sshd.git

commit ca8b8645eb506dd43eafb5ad26086d87af2328ce
Author: Thomas Wolf <tw...@apache.org>
AuthorDate: Sat Sep 20 20:28:22 2025 +0200

    GH-502: Do not load/create EdDSASecurityProvider reflectively
    
    It's not necessary since we have the optional dependency anyway. So
    standard classloading is good enough. We also mark the registrar as
    supported only if we can load net.i2p.crypto.eddsa.EdDSAKey normally,
    so reflection and considering the thread context classloader is simply
    not necessary at all.
---
 .../common/util/security/eddsa/EdDSAAccessor.java  | 28 +++++++++++++++++++++-
 .../eddsa/EdDSASecurityProviderRegistrar.java      | 15 ++++++++++--
 2 files changed, 40 insertions(+), 3 deletions(-)

diff --git 
a/sshd-common/src/main/java/org/apache/sshd/common/util/security/eddsa/EdDSAAccessor.java
 
b/sshd-common/src/main/java/org/apache/sshd/common/util/security/eddsa/EdDSAAccessor.java
index 257c110d3..9a1dc6c5c 100644
--- 
a/sshd-common/src/main/java/org/apache/sshd/common/util/security/eddsa/EdDSAAccessor.java
+++ 
b/sshd-common/src/main/java/org/apache/sshd/common/util/security/eddsa/EdDSAAccessor.java
@@ -18,7 +18,10 @@
  */
 package org.apache.sshd.common.util.security.eddsa;
 
+import java.security.Provider;
+
 import net.i2p.crypto.eddsa.EdDSAKey;
+import net.i2p.crypto.eddsa.EdDSASecurityProvider;
 
 final class EdDSAAccessor {
 
@@ -31,9 +34,32 @@ final class EdDSAAccessor {
     public boolean isSupported() {
         try {
             // Just something that forces class loading.
-            return EdDSAKey.class != null;
+            return Inner.isSupported();
         } catch (Throwable t) {
             return false;
         }
     }
+
+    public Provider createProvider() {
+        try {
+            return Inner.createProvider();
+        } catch (Throwable t) {
+            return null;
+        }
+    }
+
+    private static final class Inner {
+
+        private Inner() {
+            super();
+        }
+
+        static boolean isSupported() {
+            return EdDSAKey.class != null;
+        }
+
+        static Provider createProvider() {
+            return new EdDSASecurityProvider();
+        }
+    }
 }
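Review bot: `createProvider()` catches `Throwable` and returns `null`, so the reason the provider could not be created is discarded, and the caller in `EdDSASecurityProviderRegistrar.createProviderInstance` can only throw a `ReflectiveOperationException` without a cause. Catching `Throwable` also absorbs errors unrelated to the optional dependency, such as `OutOfMemoryError`; `catch (LinkageError | RuntimeException e)` covers the missing-class case and lets the rest propagate. If the `null` contract is kept, the failure should at least be logged or otherwise made available to the caller, because a crypto provider that silently fails to register is hard to diagnose in the field. The `Inner` holder also deserves a comment; presumably it exists so that the net.i2p types are only linked inside the `try` blocks, e.g. `// Holder: net.i2p classes are resolved when Inner is first used, so a missing dependency fails inside the caller's try block.`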
diff --git 
a/sshd-common/src/main/java/org/apache/sshd/common/util/security/eddsa/EdDSASecurityProviderRegistrar.java
 
b/sshd-common/src/main/java/org/apache/sshd/common/util/security/eddsa/EdDSASecurityProviderRegistrar.java
index 4134f204d..dd9a5f5c0 100644
--- 
a/sshd-common/src/main/java/org/apache/sshd/common/util/security/eddsa/EdDSASecurityProviderRegistrar.java
+++ 
b/sshd-common/src/main/java/org/apache/sshd/common/util/security/eddsa/EdDSASecurityProviderRegistrar.java
@@ -28,6 +28,7 @@ import java.security.Signature;
 import java.util.concurrent.atomic.AtomicReference;
 
 import org.apache.sshd.common.util.ExceptionUtils;
+import org.apache.sshd.common.util.ValidateUtils;
 import org.apache.sshd.common.util.security.AbstractSecurityProviderRegistrar;
 import org.apache.sshd.common.util.security.SecurityEntityFactory;
 import org.apache.sshd.common.util.security.SecurityUtils;
@@ -98,6 +99,16 @@ public class EdDSASecurityProviderRegistrar extends 
AbstractSecurityProviderRegi
         return supported.booleanValue();
     }
 
+    @Override
+    protected Provider createProviderInstance(String providerClassName) throws 
ReflectiveOperationException {
+        ValidateUtils.checkTrue(PROVIDER_CLASS.equals(providerClassName), 
"Unexpected class name %s", providerClassName);
+        Provider result = EdDSAAccessor.INSTANCE.createProvider();
+        if (result == null) {
+            throw new ReflectiveOperationException("Cannot instantiate " + 
PROVIDER_CLASS);
+        }
+        return result;
+    }
+
     @Override
     public <F> SecurityEntityFactory<F> getFactory(Class<F> entityType) throws 
ReflectiveOperationException {
         // Return factories that map the algorithm names to the non-standard 
ones used by net.i2p.
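Review bot: The new `createProviderInstance` override is undocumented, although it deliberately replaces the superclass's instantiation path and refuses any class name other than `PROVIDER_CLASS`. A short Javadoc would make that restriction visible to maintainers, for example `/** Instantiates the net.i2p provider directly; only PROVIDER_CLASS is accepted, and no classloader lookup is performed. */`. It should also state that a `null` from `EdDSAAccessor.INSTANCE.createProvider()` is reported as a `ReflectiveOperationException`. The `getFactory` method that follows continues outside this hunk and is not covered here.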
@@ -108,7 +119,7 @@ public class EdDSASecurityProviderRegistrar extends 
AbstractSecurityProviderRegi
                 @Override
                 protected String effectiveAlgorithm(String originalAlgorithm) {
                     if 
(SecurityUtils.ED25519.equalsIgnoreCase(originalAlgorithm)) {
-                        return "EdDSA";
+                        return SecurityUtils.EDDSA;
                     }
                     return originalAlgorithm;
                 }
@@ -130,7 +141,7 @@ public class EdDSASecurityProviderRegistrar extends 
AbstractSecurityProviderRegi
 
     @Override
     public PublicKey getPublicKey(PrivateKey key) {
-        if (isEnabled() && isSupported() && "EdDSA".equals(key.getAlgorithm())
+        if (isEnabled() && isSupported() && 
SecurityUtils.EDDSA.equals(key.getAlgorithm())
                 && 
key.getClass().getPackage().getName().startsWith("net.i2p.")) {
             return EdDSAPublicKeyFactory.INSTANCE.getPublicKey(key);
         }
