[JIRA] [gerrit-trigger-plugin] (JENKINS-12690) JenkinsTrigger does not understand SSH Key with a password
Title: Message Title SCM/JIRA link daemon commented on JENKINS-12690 Re: JenkinsTrigger does not understand SSH Key with a password Code changed in jenkins User: Sam Van Oort Path: pom.xml http://jenkins-ci.org/commit/gerrit-trigger-plugin/15e75b0aed6fb521846466e1faa27d2de732b3e8 Log: Fix JENKINS-12690 issue by pulling in gerrit-events version with support for AES encryption passphrase Add Comment This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] [gerrit-trigger-plugin] (JENKINS-12690) JenkinsTrigger does not understand SSH Key with a password
Title: Message Title SCM/JIRA link daemon commented on JENKINS-12690 Re: JenkinsTrigger does not understand SSH Key with a password Code changed in jenkins User: Robert Sandell Path: pom.xml http://jenkins-ci.org/commit/gerrit-trigger-plugin/7cf61197362a7d7a75b74b231480d740203ab823 Log: Merge pull request #250 from jenkinsci/fix-aes-passphrase-issue-jenkins-12690 Fix JENKINS-12690 issue with AES passphrase encryption of keys Compare: https://github.com/jenkinsci/gerrit-trigger-plugin/compare/8e425a49da5f...7cf61197362a Add Comment This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] [gerrit-trigger-plugin] (JENKINS-12690) JenkinsTrigger does not understand SSH Key with a password
Title: Message Title Sam Van Oort resolved as Fixed Released in 2.15.1 Jenkins / JENKINS-12690 JenkinsTrigger does not understand SSH Key with a password Change By: Sam Van Oort Status: In Progress Resolved Resolution: Fixed Add Comment This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] [gerrit-trigger-plugin] (JENKINS-12690) JenkinsTrigger does not understand SSH Key with a password
Title: Message Title Sam Van Oort started work on JENKINS-12690 Change By: Sam Van Oort Status: Open In Progress Add Comment This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] [gerrit-trigger-plugin] (JENKINS-12690) JenkinsTrigger does not understand SSH Key with a password
Title: Message Title Sam Van Oort assigned an issue to Sam Van Oort Jenkins / JENKINS-12690 JenkinsTrigger does not understand SSH Key with a password Change By: Sam Van Oort Assignee: rsandell Sam Van Oort Add Comment This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] [gerrit-trigger-plugin] (JENKINS-12690) JenkinsTrigger does not understand SSH Key with a password
Title: Message Title Sam Van Oort commented on JENKINS-12690 Re: JenkinsTrigger does not understand SSH Key with a password I've got a fix, which takes place in the gerrit-events library (see linked PR). This PR will need to be merged and released, and then the dependency bumped in gerrit trigger, and the issue will be eliminated. Add Comment This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] [gerrit-trigger-plugin] (JENKINS-12690) JenkinsTrigger does not understand SSH Key with a password
Title: Message Title
Sam Van Oort edited a comment on JENKINS-12690
Re: JenkinsTrigger does not understand SSH Key with a password
I've investigated this, and it has a fairly simple root cause: unsupported decryption algorithm, in the gerrit-events library. I wrote a trivial test for gerrit-events to decrypt the attached key:{code:java}@Testpublic void testPassphraseParsing() throws Exception {Security.addProvider(new BouncyCastleProvider());// Get locked keyfile as fileURL url = Thread.currentThread().getContextClassLoader().getResource("com/sonymobile/tools/gerrit/gerritevents/id_rsa_passphrase");File file = new File(url.getPath());// Fail if invalid passphrase does not failSshUtil.checkPassPhrase(file, "wrongpassphrase");boolean failure = SshUtil.checkPassPhrase(file, "wrongpassphrase");assertFalse("Passphrase validation should fail!", failure);// Will fail with: Unsupported passphrase algorithm: AES-128-CBCSshPrivateKeyFile keyFile =SshPrivateKeyFile.parse(file);keyFile.toPrivateKey(PASSPHRASE);// THIS SHOULD SUCCEED AND INSTEAD IT FAILS!boolean tested = SshUtil.checkPassPhrase(file, PASSPHRASE);assertTrue("Passphrase validation failed!", tested);}{code}(the encrypted ssh key is in the resources tetWhen run (with the encrypted key in id_rsa_passphrase, and PASSPHRASE = "letmein"):??com.sshtools.j2ssh.transport.publickey.InvalidSshKeyException: Can't read key due to cryptography problems: java.security.NoSuchAlgorithmException: Unsupported passphrase algorithm: AES-128-CBC at com.sshtools.j2ssh.openssh.OpenSSHPrivateKeyFormat.decryptKeyblob(Unknown Source) at com.sshtools.j2ssh.transport.publickey.SshPrivateKeyFile.toPrivateKey(Unknown Source)??The issue is that j2ssh ONLY supports DES-EDE3-CBC:{code:java}if (!"DES-EDE3-CBC".equals(keyAlgorithm)) {throw new NoSuchAlgorithmException("Unsupported passphrase algorithm: " + keyAlgorithm);}{code}j2ssh-maverick is a solution for this (it DOES support AES-128-CBC), but requires some dependency changes it is *not* 100% a drop-in replacement for j2ssh (package structure is different, for example). I'm looking at what it takes to add this .
Add Comment
This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)
[JIRA] [gerrit-trigger-plugin] (JENKINS-12690) JenkinsTrigger does not understand SSH Key with a password
Title: Message Title
Sam Van Oort edited a comment on JENKINS-12690
Re: JenkinsTrigger does not understand SSH Key with a password
I've investigated this, and it has a fairly simple root cause: unsupported decryption algorithm, in the gerrit-events library. I wrote a trivial test for gerrit-events to decrypt the attached key:{code:java}@Testpublic void testPassphraseParsing() throws Exception {Security.addProvider(new BouncyCastleProvider());// Get locked keyfile as fileURL url = Thread.currentThread().getContextClassLoader().getResource("com/sonymobile/tools/gerrit/gerritevents/id_rsa_passphrase");File file = new File(url.getPath());// Fail if invalid passphrase does not failSshUtil.checkPassPhrase(file, "wrongpassphrase");boolean failure = SshUtil.checkPassPhrase(file, "wrongpassphrase");assertFalse("Passphrase validation should fail!", failure);// Will fail with: Unsupported passphrase algorithm: AES-128-CBCSshPrivateKeyFile keyFile =SshPrivateKeyFile.parse(file);keyFile.toPrivateKey(PASSPHRASE);// THIS SHOULD SUCCEED AND INSTEAD IT FAILS!boolean tested = SshUtil.checkPassPhrase(file, PASSPHRASE);assertTrue("Passphrase validation failed!", tested);}{code}(the encrypted ssh key is in the resources tetWhen run (with the encrypted key in id_rsa_passphrase, and PASSPHRASE = "letmein"):??com.sshtools.j2ssh.transport.publickey.InvalidSshKeyException: Can't read key due to cryptography problems: java.security.NoSuchAlgorithmException: Unsupported passphrase algorithm: AES-128-CBC at com.sshtools.j2ssh.openssh.OpenSSHPrivateKeyFormat.decryptKeyblob(Unknown Source) at com.sshtools.j2ssh.transport.publickey.SshPrivateKeyFile.toPrivateKey(Unknown Source)??The issue is that j2ssh ONLY supports DES-EDE3-CBC:{code:java}if (!"DES-EDE3-CBC".equals(keyAlgorithm)) {throw new NoSuchAlgorithmException("Unsupported passphrase algorithm: " + keyAlgorithm);}{code}j2ssh-maverick is a solution for this (it DOES support AES-128-CBC), but it is *not* 100% a drop-in replacement for j2ssh (package structure is different, for example). I'm looking at what it takes to add this.In the meantime, keys can be converted to use DES-EDE3-CBC encryption and should work just fine with that. *Edit:* It appears that the use of ssh-tools in gerrit-events are just confined to ssh-util, so with a few changes there, this can be supported.
Add Comment
This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)
[JIRA] [gerrit-trigger-plugin] (JENKINS-12690) JenkinsTrigger does not understand SSH Key with a password
Title: Message Title
Sam Van Oort commented on JENKINS-12690
Re: JenkinsTrigger does not understand SSH Key with a password
I've investigated this, and it has a fairly simple root cause: unsupported decryption algorithm, in the gerrit-events library. I wrote a trivial test for gerrit-events to decrypt the attached key:
@Test
public void testPassphraseParsing() throws Exception {
Security.addProvider(new BouncyCastleProvider());
// Get locked keyfile as file
URL url = "" class="code-object" style="color: #910091">Thread.currentThread().getContextClassLoader().getResource("com/sonymobile/tools/gerrit/gerritevents/id_rsa_passphrase");
File file = new File(url.getPath());
// Fail if invalid passphrase does not fail
SshUtil.checkPassPhrase(file, "wrongpassphrase");
boolean failure = SshUtil.checkPassPhrase(file, "wrongpassphrase");
assertFalse("Passphrase validation should fail!", failure);
// Will fail with: Unsupported passphrase algorithm: AES-128-CBC
SshPrivateKeyFile keyFile =SshPrivateKeyFile.parse(file);
keyFile.toPrivateKey(PASSPHRASE);
// THIS SHOULD SUCCEED AND INSTEAD IT FAILS!
boolean tested = SshUtil.checkPassPhrase(file, PASSPHRASE);
assertTrue("Passphrase validation failed!", tested);
}
(the encrypted ssh key is in the resources tet
When run (with the encrypted key in id_rsa_passphrase, and PASSPHRASE = "letmein"):
??com.sshtools.j2ssh.transport.publickey.InvalidSshKeyException: Can't read key due to cryptography problems: java.security.NoSuchAlgorithmException: Unsupported passphrase algorithm: AES-128-CBC at com.sshtools.j2ssh.openssh.OpenSSHPrivateKeyFormat.decryptKeyblob(Unknown Source) at com.sshtools.j2ssh.transport.publickey.SshPrivateKeyFile.toPrivateKey(Unknown Source)??
The issue is that j2ssh ONLY supports DES-EDE3-CBC:
if (!"DES-EDE3-CBC".equals(keyAlgorithm)) {
throw new NoSuchAlgorithmException(
"Unsupported passphrase algorithm: " + keyAlgorithm);
}
j2ssh-maverick is a solution for this (it DOES support AES-128-CBC), but requires some dependency changes to add.
Add Comment
[JIRA] [gerrit-trigger-plugin] (JENKINS-12690) JenkinsTrigger does not understand SSH Key with a password
Title: Message Title
Sam Van Oort edited a comment on JENKINS-12690
Re: JenkinsTrigger does not understand SSH Key with a password
I've investigated this, and it has a fairly simple root cause: unsupported decryption algorithm, in the gerrit-events library. I wrote a trivial test for gerrit-events to decrypt the attached key:{code:java}@Testpublic void testPassphraseParsing() throws Exception {Security.addProvider(new BouncyCastleProvider());// Get locked keyfile as fileURL url = Thread.currentThread().getContextClassLoader().getResource("com/sonymobile/tools/gerrit/gerritevents/id_rsa_passphrase");File file = new File(url.getPath());// Fail if invalid passphrase does not failSshUtil.checkPassPhrase(file, "wrongpassphrase");boolean failure = SshUtil.checkPassPhrase(file, "wrongpassphrase");assertFalse("Passphrase validation should fail!", failure);// Will fail with: Unsupported passphrase algorithm: AES-128-CBCSshPrivateKeyFile keyFile =SshPrivateKeyFile.parse(file);keyFile.toPrivateKey(PASSPHRASE);// THIS SHOULD SUCCEED AND INSTEAD IT FAILS!boolean tested = SshUtil.checkPassPhrase(file, PASSPHRASE);assertTrue("Passphrase validation failed!", tested);}{code}(the encrypted ssh key is in the resources tetWhen run (with the encrypted key in id_rsa_passphrase, and PASSPHRASE = "letmein"):??com.sshtools.j2ssh.transport.publickey.InvalidSshKeyException: Can't read key due to cryptography problems: java.security.NoSuchAlgorithmException: Unsupported passphrase algorithm: AES-128-CBC at com.sshtools.j2ssh.openssh.OpenSSHPrivateKeyFormat.decryptKeyblob(Unknown Source) at com.sshtools.j2ssh.transport.publickey.SshPrivateKeyFile.toPrivateKey(Unknown Source)??The issue is that j2ssh ONLY supports DES-EDE3-CBC:{code:java}if (!"DES-EDE3-CBC".equals(keyAlgorithm)) {throw new NoSuchAlgorithmException("Unsupported passphrase algorithm: " + keyAlgorithm);}{code}j2ssh-maverick is a solution for this (it DOES support AES-128-CBC), but it is *not* 100% a drop-in replacement for j2ssh (package structure is different, for example). I'm looking at what it takes to add this. In the meantime, keys can be converted to use DES-EDE3-CBC encryption and should work just fine with that.
Add Comment
This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)
