Refine

Author: martinpaljak

src/main/java/com/hardssh/provider/FIDOSignatureParameters.java

@@ -4,6 +4,7 @@
 import java.security.spec.AlgorithmParameterSpec;
 import java.util.Objects;
 
+@SuppressWarnings("ArrayRecordComponent")
 public record FIDOSignatureParameters(byte[] appdata, int counter, byte flags) implements AlgorithmParameterSpec {
 
     public FIDOSignatureParameters {

src/main/java/com/hardssh/provider/SSHKeyStoreSpi.java

@@ -98,6 +98,7 @@ public KeyStore.Entry engineGetEntry(String alias, KeyStore.ProtectionParameter
         return resolveAlias(alias);
     }
 
+    @SuppressWarnings("JavaUtilDate")
     @Override
     public Date engineGetCreationDate(String alias) {
         var e = resolveAlias(alias);
@@ -219,7 +220,7 @@ public void engineStore(OutputStream stream, char[] password) throws IOException
         throw new UnsupportedOperationException("SSH agent keystore is read-only, in-memory");
     }
 
-    private Collection<SSHIdentityWithComment<? extends SSHIdentity>> fetchIdentities() {
+    private Set<SSHIdentityWithComment<? extends SSHIdentity>> fetchIdentities() {
 
         try {
             var reply = runCommand(socket, new RequestIdentities());
@@ -232,10 +233,10 @@ private Collection<SSHIdentityWithComment<? extends SSHIdentity>> fetchIdentitie
             } else {
                 log.warning("Could not list identities: " + AgentMessage.name(type));
             }
-            return found;
+            return Collections.unmodifiableSet(found);
         } catch (IOException e) {
             log.warning("Could not list identities: " + e.getMessage());
-            return Collections.emptyList();
+            return Collections.emptySet();
         }
     }
 

src/main/java/com/hardssh/provider/SSHSIGSignatureSpi.java

@@ -9,6 +9,7 @@
 import java.nio.ByteBuffer;
 import java.security.*;
 import java.security.spec.AlgorithmParameterSpec;
+import java.util.Locale;
 import java.util.Map;
 import java.util.logging.Logger;
 
@@ -117,7 +118,7 @@ protected byte[] engineSign() throws SignatureException {
         digest.reset();
 
         // The hash name in ssh lingo (tolower and remove -)
-        var hash_algo = digest.getAlgorithm().toLowerCase().replace("-", "");
+        var hash_algo = digest.getAlgorithm().toLowerCase(Locale.ENGLISH).replace("-", "");
 
         try {
             // The key type is the signature type as well, unless it is RSA, when it depends on used hash.
@@ -161,7 +162,7 @@ protected boolean engineVerify(byte[] sigBytes) throws SignatureException {
         var hash = digest.digest();
         digest.reset();
 
-        var hash_algo = digest.getAlgorithm().toLowerCase().replace("-", "");
+        var hash_algo = digest.getAlgorithm().toLowerCase(Locale.ENGLISH).replace("-", "");
 
         try {
             var sshsig = SSHSIG.PARSER.fromBytes(sigBytes);
@@ -176,7 +177,7 @@ protected boolean engineVerify(byte[] sigBytes) throws SignatureException {
                 }
             } else {
                 // verify that the hash in sshsig matches the hash we use
-                var paramhash = params.hash().toLowerCase().replace("-", "");
+                var paramhash = params.hash().toLowerCase(Locale.ENGLISH).replace("-", "");
                 if (!paramhash.equals(sshsig.hash_algorithm())) {
                     throw new SignatureException("SSHSIG hash mismatch: " + sshsig.hash_algorithm() + " != " + paramhash);
                 }