lgoldstein commented on a change in pull request #119: Add support for openssh host key certificates URL: https://github.com/apache/mina-sshd/pull/119#discussion_r408351310
########## File path: sshd-core/src/main/java/org/apache/sshd/client/kex/DHGClient.java ########## @@ -124,10 +129,67 @@ public boolean next(int cmd, Buffer buffer) throws Exception { buffer = new ByteArrayBuffer(k_s); serverKey = buffer.getRawPublicKey(); - String keyAlg = KeyUtils.getKeyType(serverKey); + PublicKey serverPublicHostKey = serverKey; + + OpenSshCertificate openSshKey = null; + if (serverKey instanceof OpenSshCertificate) { + openSshKey = (OpenSshCertificate) serverKey; + serverPublicHostKey = openSshKey.getServerHostKey(); + + // verify signature + PublicKey signatureKey = openSshKey.getCaPubKey(); + String keyAlg = KeyUtils.getKeyType(signatureKey); + Signature verif = ValidateUtils.checkNotNull( + NamedFactory.create(session.getSignatureFactories(), keyAlg), + "No verifier located for algorithm=%s", keyAlg); + verif.initVerifier(session, signatureKey); + verif.update(session, openSshKey.getMessage()); + if (!verif.verify(session, openSshKey.getSignature())) { + throw new SshException(SshConstants.SSH2_DISCONNECT_KEY_EXCHANGE_FAILED, + "KeyExchange CA signature verification failed for key type=" + keyAlg); + } + + if (openSshKey.getType() != OpenSshCertificate.SSH_CERT_TYPE_HOST) { + throw new SshException(SshConstants.SSH2_DISCONNECT_KEY_EXCHANGE_FAILED, + "KeyExchange signature verification failed, not a host key (2): " + + openSshKey.getType()); + } + + long now = System.currentTimeMillis() / 1000; + if (now <= openSshKey.getValidAfter() || now >= openSshKey.getValidBefore()) { + throw new SshException(SshConstants.SSH2_DISCONNECT_KEY_EXCHANGE_FAILED, + "KeyExchange signature verification failed, CA expired: " + + openSshKey.getValidAfter() + "-" + openSshKey.getValidBefore()); + } + + SocketAddress connectSocketAddress = getClientSession().getConnectAddress(); + if (connectSocketAddress instanceof SshdSocketAddress) { + connectSocketAddress = ((SshdSocketAddress) connectSocketAddress).toInetSocketAddress(); + } + if (connectSocketAddress instanceof InetSocketAddress) { + String hostName = ((InetSocketAddress) connectSocketAddress).getHostString(); + if (!openSshKey.getPrincipals().contains(hostName)) { + throw new SshException(SshConstants.SSH2_DISCONNECT_KEY_EXCHANGE_FAILED, + "KeyExchange signature verification failed, invalid principal: " + + openSshKey.getPrincipals()); + } + } else { + throw new SshException(SshConstants.SSH2_DISCONNECT_KEY_EXCHANGE_FAILED, + "KeyExchange signature verification failed, could not determine connect host."); + } + + if (!openSshKey.getCriticalOptions().isEmpty()) { Review comment: Please use `GenericUtils.isEmpty(...getCriticalOptions())` since it is null-safe ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org For additional commands, e-mail: dev-h...@mina.apache.org