[ 
https://issues.apache.org/jira/browse/SSHD-1314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17641501#comment-17641501
 ] 

Thomas Wolf commented on SSHD-1314:
-----------------------------------

Using Java serialization to store a private key was a very bad idea to begin 
with. The new code is backwards compatible: it can still load already stored 
keys that use Java serialization that were produced by older versions of 
{{SimpleGeneratorHostKeyProvider}}. (Unless some unknown security provider was 
used, and its key classes are not whitelisted.) Only if there isn't a key yet 
and a new key is written will a new format be used, one that doesn't require 
Java de-serialization for loading.

The upshot of this is that only code that makes assumptions about the storage 
format used by {{SimpleGeneratorHostKeyProvider}}, such as that Karaf unit 
test, will see a difference in behavior. Such code will have to be changed.

If the test is supposed to test that a key stored via Java serialization can be 
loaded, then please see our {{SimpleGeneratorHostKeyProviderTest}} at [line 
109|https://github.com/apache/mina-sshd/blob/master/sshd-common/src/test/java/org/apache/sshd/server/keyprovider/SimpleGeneratorHostKeyProviderTest.java#L109]:
 don't rely on whatever {{SimpleGeneratorHostKeyProvider}} does but serialize 
the key explicitly.

> OpenSSHKeyPairProvider is not able to load SimpleKey
> ----------------------------------------------------
>
>                 Key: SSHD-1314
>                 URL: https://issues.apache.org/jira/browse/SSHD-1314
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 2.9.2
>            Reporter: Jean-Baptiste Onofré
>            Priority: Major
>
> Since this commit:
> {code:java}
> commit 5a8fe830b2a2308a2b24ac8115a391af477f64f5
> Author: Thomas Wolf <[email protected]>
> Date:   Sat Nov 5 21:00:40 2022 +0100
> 
>     Better file handling for host keys
>     
>     Store host keys in the OpenSSH format. This makes it possible to use
>     EdDSA host keys. Also set file permissions and read legacy files more
>     carefully.
> 
>  .../AbstractGeneratorHostKeyProvider.java          |  88 ++++++++++++++---
>  .../SimpleGeneratorHostKeyProvider.java            | 109 ++++++++++++++++++---
>  .../SimpleGeneratorHostKeyProviderTest.java        |  26 ++++-
>  3 files changed, 194 insertions(+), 29 deletions(-)
> {code}
> it's not possible to "convert" a simple key to SSH key.
>  
> Basically, the following code worked with sshd 2.9.1:
> {code:java}
> // temporary files for the generated private key and its public half
> File privateKeyTemp = File.createTempFile(this.getClass().getCanonicalName(), ".priv");
> privateKeyTemp.deleteOnExit();
> File publicKeyTemp = File.createTempFile(this.getClass().getCanonicalName(), ".pub");
> publicKeyTemp.deleteOnExit();
> // generate (and store) a DSA host key with the simple provider
> SimpleGeneratorHostKeyProvider simpleGenerator = new SimpleGeneratorHostKeyProvider(privateKeyTemp.toPath());
> simpleGenerator.setKeySize(2048);
> simpleGenerator.setAlgorithm("DSA");
> List<KeyPair> keys = simpleGenerator.loadKeys(null);
> KeyPair simpleKeyPair = keys.stream().findFirst().get();
> Assert.assertEquals("DSA", simpleKeyPair.getPrivate().getAlgorithm());
> // load the same file through the OpenSSH provider and compare both halves
> OpenSSHKeyPairProvider provider =
>     new OpenSSHKeyPairProvider(privateKeyTemp.toPath(), publicKeyTemp.toPath(), "DSA", 2048, null);
> KeyPair convertedKeyPair = provider.loadKeys(null).iterator().next();
> Assert.assertEquals("DSA", convertedKeyPair.getPrivate().getAlgorithm());
> Assert.assertArrayEquals(simpleKeyPair.getPrivate().getEncoded(), convertedKeyPair.getPrivate().getEncoded());
> Assert.assertArrayEquals(simpleKeyPair.getPublic().getEncoded(), convertedKeyPair.getPublic().getEncoded());
> //also test that the original file has been replaced
> KeyPair keyPair = KeyPairLoader.getKeyPair(Files.newInputStream(privateKeyTemp.toPath()));
> Assert.assertArrayEquals(simpleKeyPair.getPrivate().getEncoded(), keyPair.getPrivate().getEncoded());
> {code}
> but it fails now with sshd 2.9.2 with:
> {code:java}
> INFO: generateKeyPair(DSA) generating host key - size=2048
> Nov 30, 2022 6:12:35 PM org.apache.karaf.shell.ssh.keygenerator.OpenSSHKeyPairProvider loadKeys
> WARNING: Failed to parse keypair in /tmp/org.apache.karaf.shell.ssh.keygenerator.OpenSSHGeneratorKeyFileProviderTest8057592323787152069.priv. Attempting to parse it 'directly'
> Nov 30, 2022 6:12:35 PM org.apache.karaf.shell.ssh.keygenerator.OpenSSHKeyPairProvider loadKeys
> WARNING: Failed to parse keypair in /tmp/org.apache.karaf.shell.ssh.keygenerator.OpenSSHGeneratorKeyFileProviderTest8057592323787152069.priv. Attempting to parse it as a legacy 'simple' key
> Nov 30, 2022 6:12:35 PM org.apache.karaf.shell.ssh.keygenerator.OpenSSHKeyPairProvider loadKeys
> WARNING: /tmp/org.apache.karaf.shell.ssh.keygenerator.OpenSSHGeneratorKeyFileProviderTest8057592323787152069.priv is not a 'simple' key either
> {code}
> because we go on the last try in the {{loadkeys()}} method.
> I will work on a fix.
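As an added illustration of the class whitelisting Thomas describes for legacy Java-serialized keys (example code written for this page, not mina-sshd's or Karaf's implementation; the class name `LegacyHostKeyLoader` is hypothetical and it assumes Java 9+ for `java.io.ObjectInputFilter`): a key pair written with plain Java serialization still round-trips, while a stream carrying any class other than the JDK's own key representation is rejected before it is instantiated.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.ArrayList;
import java.util.Arrays;

public final class LegacyHostKeyLoader {
    // JDK key classes serialize through java.security.KeyRep (writeReplace), so a stream
    // written from a KeyPair contains only KeyPair, KeyRep, its Type enum and Enum's class
    // descriptor. "!*" rejects every other class before it is resolved, which is what refuses
    // keys from a security provider whose key classes are not on the list.
    static final ObjectInputFilter LEGACY_KEY_FILTER = ObjectInputFilter.Config.createFilter(
            "java.security.KeyPair;java.security.KeyRep;java.security.KeyRep$Type;java.lang.Enum;!*");

    // Plain Java serialization: the legacy on-disk format of a generated host key.
    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return bos.toByteArray();
    }

    // Loads a legacy key pair; anything outside the whitelist fails with InvalidClassException.
    static KeyPair loadLegacy(byte[] legacyBytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(legacyBytes))) {
            ois.setObjectInputFilter(LEGACY_KEY_FILTER); // must precede the first readObject()
            return (KeyPair) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair original = gen.generateKeyPair();
        // A key written in the old format still loads, byte for byte.
        KeyPair loaded = loadLegacy(serialize(original));
        if (!Arrays.equals(original.getPrivate().getEncoded(), loaded.getPrivate().getEncoded())) {
            throw new AssertionError("round trip changed the private key");
        }
        // A stream holding any other object is refused instead of being instantiated.
        try {
            loadLegacy(serialize(new ArrayList<String>()));
            throw new AssertionError("non-key object was deserialized");
        } catch (InvalidClassException expected) {
            // the filter rejected java.util.ArrayList before any constructor or readObject ran
        }
    }
}
```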



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
