lgoldstein commented on a change in pull request #119: Add support for openssh
host key certificates
URL: https://github.com/apache/mina-sshd/pull/119#discussion_r408351310
##########
File path: sshd-core/src/main/java/org/apache/sshd/client/kex/DHGClient.java
##########
@@ -124,10 +129,67 @@ public boolean next(int cmd, Buffer buffer) throws
Exception {
buffer = new ByteArrayBuffer(k_s);
serverKey = buffer.getRawPublicKey();
- String keyAlg = KeyUtils.getKeyType(serverKey);
+ PublicKey serverPublicHostKey = serverKey;
+
+ OpenSshCertificate openSshKey = null;
+ if (serverKey instanceof OpenSshCertificate) {
+ openSshKey = (OpenSshCertificate) serverKey;
+ serverPublicHostKey = openSshKey.getServerHostKey();
+
+ // verify signature
+ PublicKey signatureKey = openSshKey.getCaPubKey();
+ String keyAlg = KeyUtils.getKeyType(signatureKey);
+ Signature verif = ValidateUtils.checkNotNull(
+ NamedFactory.create(session.getSignatureFactories(),
keyAlg),
+ "No verifier located for algorithm=%s", keyAlg);
+ verif.initVerifier(session, signatureKey);
+ verif.update(session, openSshKey.getMessage());
+ if (!verif.verify(session, openSshKey.getSignature())) {
+ throw new
SshException(SshConstants.SSH2_DISCONNECT_KEY_EXCHANGE_FAILED,
+ "KeyExchange CA signature verification failed for key
type=" + keyAlg);
+ }
+
+ if (openSshKey.getType() != OpenSshCertificate.SSH_CERT_TYPE_HOST)
{
+ throw new
SshException(SshConstants.SSH2_DISCONNECT_KEY_EXCHANGE_FAILED,
+ "KeyExchange signature verification failed, not a host
key (2): "
+ + openSshKey.getType());
+ }
+
+ long now = System.currentTimeMillis() / 1000;
+ if (now <= openSshKey.getValidAfter() || now >=
openSshKey.getValidBefore()) {
+ throw new
SshException(SshConstants.SSH2_DISCONNECT_KEY_EXCHANGE_FAILED,
+ "KeyExchange signature verification failed, CA
expired: "
+ + openSshKey.getValidAfter() + "-" +
openSshKey.getValidBefore());
+ }
+
+ SocketAddress connectSocketAddress =
getClientSession().getConnectAddress();
+ if (connectSocketAddress instanceof SshdSocketAddress) {
+ connectSocketAddress = ((SshdSocketAddress)
connectSocketAddress).toInetSocketAddress();
+ }
+ if (connectSocketAddress instanceof InetSocketAddress) {
+ String hostName = ((InetSocketAddress)
connectSocketAddress).getHostString();
+ if (!openSshKey.getPrincipals().contains(hostName)) {
+ throw new
SshException(SshConstants.SSH2_DISCONNECT_KEY_EXCHANGE_FAILED,
+ "KeyExchange signature verification failed,
invalid principal: "
+ + openSshKey.getPrincipals());
+ }
+ } else {
+ throw new
SshException(SshConstants.SSH2_DISCONNECT_KEY_EXCHANGE_FAILED,
+ "KeyExchange signature verification failed, could not
determine connect host.");
+ }
+
+ if (!openSshKey.getCriticalOptions().isEmpty()) {
Review comment:
Please use `GenericUtils.isEmpty(...getCriticalOptions())` since it is
null-safe
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org
