Fix: if the client knows CA key, it should send host key algo proposal for certificates

vladimirlagunov · vladimirlagunov · commit d68f27bfba81 · 2021-10-13T16:55:05.000+07:00
diff --git a/src/itest/groovy/com/hierynomus/sshj/signature/KeyWithCertificateSpec.groovy b/src/itest/groovy/com/hierynomus/sshj/signature/KeyWithCertificateSpec.groovy
@@ -90,7 +90,13 @@ class KeyWithCertificateSpec extends IntegrationBaseSpec {
         and:
         def config = new DefaultConfig()
         config.keyAlgorithms = config.keyAlgorithms.stream()
-                .filter { it.name == hostKeyAlgo }
+                .filter {
+                    // This filter is added only because the current integration test infrastructure doesn't allow
+                    // to spawn different sshd on the fly. In reality, few users would specify key algorithms
+                    // explicitly.
+                    // The filter let a bug pass through the tests. Now the filter is as broad as possible.
+                    it.name == hostKeyAlgo || !it.name.contains("cert")
+                }
                 .collect(Collectors.toList())
         SSHClient sshClient = new SSHClient(config)
         sshClient.addHostKeyVerifier(new OpenSSHKnownHosts(knownHosts))
diff --git a/src/main/java/net/schmizz/sshj/transport/verification/OpenSSHKnownHosts.java b/src/main/java/net/schmizz/sshj/transport/verification/OpenSSHKnownHosts.java
@@ -138,7 +138,19 @@ public List<String> findExistingAlgorithms(String hostname, int port) {
         for (KnownHostEntry e : entries) {
             try {
                 if (e.appliesTo(adjustedHostname)) {
-                    knownHostAlgorithms.add(e.getType().toString());
+                    final KeyType type = e.getType();
+                    if (e instanceof HostEntry && ((HostEntry) e).marker == Marker.CA_CERT) {
+                        // Only the CA key type is known, but the type of the host key is not.
+                        // Adding all supported types for keys with certificates.
+                        for (final KeyType candidate : KeyType.values()) {
+                            if (candidate.getParent() != null) {
+                                knownHostAlgorithms.add(candidate.toString());
+                            }
+                        }
+                    }
+                    else {
+                        knownHostAlgorithms.add(type.toString());
+                    }
                 }
             } catch (IOException ioe) {
             }
