Merge pull request #1429 from flaix/ssh-host-algs

Add new SSH host key types

Author: flaix

.classpath

@@ -51,9 +51,10 @@
 	<classpathentry kind="lib" path="ext/commons-logging-1.1.3.jar" sourcepath="ext/src/commons-logging-1.1.3.jar" />
 	<classpathentry kind="lib" path="ext/commons-codec-1.7.jar" sourcepath="ext/src/commons-codec-1.7.jar" />
 	<classpathentry kind="lib" path="ext/org.eclipse.jgit.http.server-4.5.7.201904151645-r.jar" sourcepath="ext/src/org.eclipse.jgit.http.server-4.5.7.201904151645-r.jar" />
-	<classpathentry kind="lib" path="ext/bcprov-jdk15on-1.57.jar" sourcepath="ext/src/bcprov-jdk15on-1.57.jar" />
-	<classpathentry kind="lib" path="ext/bcmail-jdk15on-1.57.jar" sourcepath="ext/src/bcmail-jdk15on-1.57.jar" />
-	<classpathentry kind="lib" path="ext/bcpkix-jdk15on-1.57.jar" sourcepath="ext/src/bcpkix-jdk15on-1.57.jar" />
+	<classpathentry kind="lib" path="ext/bcprov-jdk15on-1.69.jar" sourcepath="ext/src/bcprov-jdk15on-1.69.jar" />
+	<classpathentry kind="lib" path="ext/bcmail-jdk15on-1.69.jar" sourcepath="ext/src/bcmail-jdk15on-1.69.jar" />
+	<classpathentry kind="lib" path="ext/bcutil-jdk15on-1.69.jar" sourcepath="ext/src/bcutil-jdk15on-1.69.jar" />
+	<classpathentry kind="lib" path="ext/bcpkix-jdk15on-1.69.jar" sourcepath="ext/src/bcpkix-jdk15on-1.69.jar" />
 	<classpathentry kind="lib" path="ext/eddsa-0.2.0.jar" sourcepath="ext/src/eddsa-0.2.0.jar" />
 	<classpathentry kind="lib" path="ext/sshd-core-1.7.0.jar" sourcepath="ext/src/sshd-core-1.7.0.jar" />
 	<classpathentry kind="lib" path="ext/mina-core-2.0.21.jar" sourcepath="ext/src/mina-core-2.0.21.jar" />

build.moxie

@@ -111,7 +111,7 @@ properties: {
   lucene.version : 5.5.2
   jgit.version   : 4.5.7.201904151645-r
   groovy.version : 2.4.4
-  bouncycastle.version : 1.57
+  bouncycastle.version : 1.69
   selenium.version : 2.28.0
   wikitext.version : 1.4
   sshd.version: 1.7.0

gitblit.iml

@@ -508,35 +508,46 @@
       </library>
     </orderEntry>
     <orderEntry type="module-library">
-      <library name="bcprov-jdk15on-1.57.jar">
+      <library name="bcprov-jdk15on-1.69.jar">
         <CLASSES>
-          <root url="jar://$MODULE_DIR$/ext/bcprov-jdk15on-1.57.jar!/" />
+          <root url="jar://$MODULE_DIR$/ext/bcprov-jdk15on-1.69.jar!/" />
         </CLASSES>
         <JAVADOC />
         <SOURCES>
-          <root url="jar://$MODULE_DIR$/ext/src/bcprov-jdk15on-1.57.jar!/" />
+          <root url="jar://$MODULE_DIR$/ext/src/bcprov-jdk15on-1.69.jar!/" />
         </SOURCES>
       </library>
     </orderEntry>
     <orderEntry type="module-library">
-      <library name="bcmail-jdk15on-1.57.jar">
+      <library name="bcmail-jdk15on-1.69.jar">
         <CLASSES>
-          <root url="jar://$MODULE_DIR$/ext/bcmail-jdk15on-1.57.jar!/" />
+          <root url="jar://$MODULE_DIR$/ext/bcmail-jdk15on-1.69.jar!/" />
         </CLASSES>
         <JAVADOC />
         <SOURCES>
-          <root url="jar://$MODULE_DIR$/ext/src/bcmail-jdk15on-1.57.jar!/" />
+          <root url="jar://$MODULE_DIR$/ext/src/bcmail-jdk15on-1.69.jar!/" />
         </SOURCES>
       </library>
     </orderEntry>
     <orderEntry type="module-library">
-      <library name="bcpkix-jdk15on-1.57.jar">
+      <library name="bcutil-jdk15on-1.69.jar">
         <CLASSES>
-          <root url="jar://$MODULE_DIR$/ext/bcpkix-jdk15on-1.57.jar!/" />
+          <root url="jar://$MODULE_DIR$/ext/bcutil-jdk15on-1.69.jar!/" />
         </CLASSES>
         <JAVADOC />
         <SOURCES>
-          <root url="jar://$MODULE_DIR$/ext/src/bcpkix-jdk15on-1.57.jar!/" />
+          <root url="jar://$MODULE_DIR$/ext/src/bcutil-jdk15on-1.69.jar!/" />
+        </SOURCES>
+      </library>
+    </orderEntry>
+    <orderEntry type="module-library">
+      <library name="bcpkix-jdk15on-1.69.jar">
+        <CLASSES>
+          <root url="jar://$MODULE_DIR$/ext/bcpkix-jdk15on-1.69.jar!/" />
+        </CLASSES>
+        <JAVADOC />
+        <SOURCES>
+          <root url="jar://$MODULE_DIR$/ext/src/bcpkix-jdk15on-1.69.jar!/" />
         </SOURCES>
       </library>
     </orderEntry>

src/main/java/com/gitblit/transport/ssh/FileKeyPairProvider.java

@@ -18,81 +18,92 @@
  */
 package com.gitblit.transport.ssh;
 
+import java.io.File;
 import java.io.FileInputStream;
 import java.io.InputStreamReader;
+import java.security.KeyFactory;
 import java.security.KeyPair;
+import java.security.PrivateKey;
+import java.security.PublicKey;
 import java.util.Arrays;
 import java.util.Iterator;
 import java.util.NoSuchElementException;
 
+import org.apache.sshd.common.config.keys.PrivateKeyEntryDecoder;
 import org.apache.sshd.common.keyprovider.AbstractKeyPairProvider;
 import org.apache.sshd.common.util.security.SecurityUtils;
-import org.bouncycastle.openssl.PEMDecryptorProvider;
-import org.bouncycastle.openssl.PEMEncryptedKeyPair;
 import org.bouncycastle.openssl.PEMKeyPair;
 import org.bouncycastle.openssl.PEMParser;
-import org.bouncycastle.openssl.PasswordFinder;
 import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
-import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
+import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
+import org.bouncycastle.crypto.params.Ed25519PrivateKeyParameters;
+import org.bouncycastle.crypto.params.Ed25519PublicKeyParameters;
+import org.bouncycastle.crypto.util.OpenSSHPrivateKeyUtil;
+import org.bouncycastle.crypto.util.OpenSSHPublicKeyUtil;
+import org.bouncycastle.jcajce.spec.OpenSSHPrivateKeySpec;
+import org.bouncycastle.jcajce.spec.OpenSSHPublicKeySpec;
+import org.bouncycastle.util.io.pem.PemObject;
+import org.bouncycastle.util.io.pem.PemReader;
 
 /**
  * This host key provider loads private keys from the specified files.
- *
+ * <p>
  * Note that this class has a direct dependency on BouncyCastle and won't work
  * unless it has been correctly registered as a security provider.
  *
  * @author <a href="mailto:dev@mina.apache.org">Apache MINA SSHD Project</a>
  */
-public class FileKeyPairProvider extends AbstractKeyPairProvider {
+public class FileKeyPairProvider extends AbstractKeyPairProvider
+{
 
     private String[] files;
-    private PasswordFinder passwordFinder;
-
-    public FileKeyPairProvider() {
-    }
 
-    public FileKeyPairProvider(String[] files) {
-        this.files = files;
+    public FileKeyPairProvider()
+    {
     }
 
-    public FileKeyPairProvider(String[] files, PasswordFinder passwordFinder) {
+    public FileKeyPairProvider(String[] files)
+    {
         this.files = files;
-        this.passwordFinder = passwordFinder;
     }
 
-    public String[] getFiles() {
+    public String[] getFiles()
+    {
         return files;
     }
 
-    public void setFiles(String[] files) {
+    public void setFiles(String[] files)
+    {
         this.files = files;
     }
 
-    public PasswordFinder getPasswordFinder() {
-        return passwordFinder;
-    }
-
-    public void setPasswordFinder(PasswordFinder passwordFinder) {
-        this.passwordFinder = passwordFinder;
-    }
 
-    public Iterable<KeyPair> loadKeys() {
+    @Override
+    public Iterable<KeyPair> loadKeys()
+    {
         if (!SecurityUtils.isBouncyCastleRegistered()) {
             throw new IllegalStateException("BouncyCastle must be registered as a JCE provider");
         }
-        return new Iterable<KeyPair>() {
+        return new Iterable<KeyPair>()
+        {
             @Override
-			public Iterator<KeyPair> iterator() {
-                return new Iterator<KeyPair>() {
+            public Iterator<KeyPair> iterator()
+            {
+                return new Iterator<KeyPair>()
+                {
                     private final Iterator<String> iterator = Arrays.asList(files).iterator();
                     private KeyPair nextKeyPair;
                     private boolean nextKeyPairSet = false;
+
                     @Override
-					public boolean hasNext() {
+                    public boolean hasNext()
+                    {
                         return nextKeyPairSet || setNextObject();
                     }
+
                     @Override
-					public KeyPair next() {
+                    public KeyPair next()
+                    {
                         if (!nextKeyPairSet) {
                             if (!setNextObject()) {
                                 throw new NoSuchElementException();
@@ -101,13 +112,22 @@ public KeyPair next() {
                         nextKeyPairSet = false;
                         return nextKeyPair;
                     }
+
                     @Override
-					public void remove() {
+                    public void remove()
+                    {
                         throw new UnsupportedOperationException();
                     }
-                    private boolean setNextObject() {
+
+                    private boolean setNextObject()
+                    {
                         while (iterator.hasNext()) {
                             String file = iterator.next();
+                            File f = new File(file);
+                            if (!f.isFile()) {
+                                log.debug("File does not exist, skipping {}", file);
+                                continue;
+                            }
                             nextKeyPair = doLoadKey(file);
                             if (nextKeyPair != null) {
                                 nextKeyPairSet = true;
@@ -122,30 +142,71 @@ private boolean setNextObject() {
         };
     }
 
-    protected KeyPair doLoadKey(String file) {
+
+    private KeyPair doLoadKey(String file)
+    {
         try {
-            PEMParser r = new PEMParser(new InputStreamReader(new FileInputStream(file)));
-            try {
+
+            try (PemReader r = new PemReader(new InputStreamReader(new FileInputStream(file)))) {
+                PemObject pemObject = r.readPemObject();
+                if ("OPENSSH PRIVATE KEY".equals(pemObject.getType())) {
+                    // This reads a properly OpenSSH formatted ed25519 private key file.
+                    // It is currently unused because the SSHD library in play doesn't work with proper keys.
+                    // This is kept in the hope that in the future the library offers proper support.
+                    try {
+                        byte[] privateKeyContent = pemObject.getContent();
+                        AsymmetricKeyParameter privateKeyParameters = OpenSSHPrivateKeyUtil.parsePrivateKeyBlob(privateKeyContent);
+                        if (privateKeyParameters instanceof Ed25519PrivateKeyParameters) {
+                            OpenSSHPrivateKeySpec privkeySpec = new OpenSSHPrivateKeySpec(privateKeyContent);
+
+                            Ed25519PublicKeyParameters publicKeyParameters = ((Ed25519PrivateKeyParameters)privateKeyParameters).generatePublicKey();
+                            OpenSSHPublicKeySpec pubKeySpec = new OpenSSHPublicKeySpec(OpenSSHPublicKeyUtil.encodePublicKey(publicKeyParameters));
+
+                            KeyFactory kf = KeyFactory.getInstance("Ed25519", "BC");
+                            PrivateKey privateKey = kf.generatePrivate(privkeySpec);
+                            PublicKey publicKey = kf.generatePublic(pubKeySpec);
+                            return new KeyPair(publicKey, privateKey);
+                        }
+                        else {
+                            log.warn("OpenSSH format is only supported for Ed25519 key type. Unable to read key " + file);
+                        }
+                    }
+                    catch (Exception e) {
+                        log.warn("Unable to read key " + file, e);
+                    }
+                    return null;
+                }
+
+                if ("EDDSA PRIVATE KEY".equals(pemObject.getType())) {
+                    // This reads the ed25519 key from a file format that we created in SshDaemon.
+                    // The type EDDSA PRIVATE KEY was given by us and nothing official.
+                    byte[] privateKeyContent = pemObject.getContent();
+                    PrivateKeyEntryDecoder<? extends PublicKey,? extends PrivateKey> decoder = SecurityUtils.getOpenSSHEDDSAPrivateKeyEntryDecoder();
+                    PrivateKey privateKey = decoder.decodePrivateKey(null, privateKeyContent, 0, privateKeyContent.length);
+                    PublicKey publicKey = SecurityUtils. recoverEDDSAPublicKey(privateKey);
+                    return new KeyPair(publicKey, privateKey);
+                }
+            }
+
+            try (PEMParser r = new PEMParser(new InputStreamReader(new FileInputStream(file)))) {
                 Object o = r.readObject();
 
                 JcaPEMKeyConverter pemConverter = new JcaPEMKeyConverter();
                 pemConverter.setProvider("BC");
-                if (passwordFinder != null && o instanceof PEMEncryptedKeyPair) {
-                    JcePEMDecryptorProviderBuilder decryptorBuilder = new JcePEMDecryptorProviderBuilder();
-                    PEMDecryptorProvider pemDecryptor = decryptorBuilder.build(passwordFinder.getPassword());
-                    o = pemConverter.getKeyPair(((PEMEncryptedKeyPair) o).decryptKeyPair(pemDecryptor));
-                }
-
                 if (o instanceof PEMKeyPair) {
                     o = pemConverter.getKeyPair((PEMKeyPair)o);
-                    return (KeyPair) o;
-                } else if (o instanceof KeyPair) {
-                    return (KeyPair) o;
+                    return (KeyPair)o;
+                }
+                else if (o instanceof KeyPair) {
+                    return (KeyPair)o;
+                }
+                else {
+                    log.warn("Cannot read unsupported PEM object of type: " + o.getClass().getCanonicalName());
                 }
-            } finally {
-                r.close();
             }
-        } catch (Exception e) {
+
+        }
+        catch (Exception e) {
             log.warn("Unable to read key " + file, e);
         }
         return null;