ncubede opened a new issue, #517:
URL: https://github.com/apache/mina-sshd/issues/517
### Version
2.12.1
### Bug description
If a BouncyCastleGeneratorHostKeyProvider is set in
SshServer.setKeyPairProvider, the generated EC host key cannot be read by
Mina's ECDSA PEM reader and a new key is re-generated for every start.
Registering BouncyCastleKeyPairResourceParser with SecurityUtils addresses the
issue.
```java
SecurityUtils.setKeyPairResourceParser(BouncyCastleKeyPairResourceParser.INSTANCE);
```
I would propose to either document this clearly in JavaDoc or have a hook in
KeyPairProvider to register the KeyPairResourceParser it requires. It took an
annoying amount of time to find.
I have seen people asking about the same issue, but have not found a concise
answer, so I had to trace this with the .java documentation.
### Actual behavior
```
14:40:12.598 [main] WARN org.apache.sshd.common.util.security.bouncycastle.BouncyCastleGeneratorHostKeyProvider -- resolveKeyPair(/var/folders/b0/29tsx3jx6vv_fkbw9rsqyy6w0000gn/T/key5380748753361494714pem) Failed (StreamCorruptedException) to load: Invalid DER: object is not an OID: SEQUENCE
java.io.StreamCorruptedException: Invalid DER: object is not an OID: SEQUENCE
	at org.apache.sshd.common.util.io.der.ASN1Object.asOID(ASN1Object.java:233)
	at org.apache.sshd.common.config.keys.loader.pem.ECDSAPEMResourceKeyPairParser.parseCurveParameter(ECDSAPEMResourceKeyPairParser.java:267)
	at org.apache.sshd.common.config.keys.loader.pem.ECDSAPEMResourceKeyPairParser.parseCurveParameter(ECDSAPEMResourceKeyPairParser.java:238)
	at org.apache.sshd.common.config.keys.loader.pem.ECDSAPEMResourceKeyPairParser.decodeECPrivateKeySpec(ECDSAPEMResourceKeyPairParser.java:220)
	at org.apache.sshd.common.config.keys.loader.pem.ECDSAPEMResourceKeyPairParser.decodeECPrivateKeySpec(ECDSAPEMResourceKeyPairParser.java:163)
```
### Expected behavior
A cached host key pair should be readable after being written. If a key
pair provider needs a specific key pair parser, ensure that both are set in
concert or document this clearly.
### Relevant log output
_No response_
### Other information
I tested 2.9.3, 2.10.0, 2.11.0, 2.12.0 and 2.12.1; the issue was in all of them.
I suspect that BouncyCastle 1.78.1 has a PEM EC file format change for named
curves in the last security fixes.
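Added example (not the reporter's code and not part of mina-sshd): wiring the BouncyCastle host-key generator and the matching BouncyCastle PEM parser together as the report describes, plus a reload check that confirms the cached EC host key is parsed rather than regenerated, which is what keeps clients from seeing a changed host key on every restart. The class name, port and key-file path are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyPair;
import java.util.Arrays;

import org.apache.sshd.common.config.keys.KeyUtils;
import org.apache.sshd.common.util.security.SecurityUtils;
import org.apache.sshd.common.util.security.bouncycastle.BouncyCastleGeneratorHostKeyProvider;
import org.apache.sshd.common.util.security.bouncycastle.BouncyCastleKeyPairResourceParser;
import org.apache.sshd.server.SshServer;

// Hypothetical class for this example.
public class StableHostKeyServer {

    static SshServer configure(Path hostKeyFile) {
        // The generator writes the EC key in BouncyCastle's PEM form, so the
        // reader must be the BouncyCastle parser. With Mina's default ECDSA PEM
        // reader the load fails (the StreamCorruptedException in the report) and
        // a fresh host key is generated on every start.
        SecurityUtils.setKeyPairResourceParser(BouncyCastleKeyPairResourceParser.INSTANCE);

        BouncyCastleGeneratorHostKeyProvider provider =
                new BouncyCastleGeneratorHostKeyProvider(hostKeyFile);
        provider.setAlgorithm(KeyUtils.EC_ALGORITHM);
        provider.setKeySize(256); // NIST P-256

        SshServer sshd = SshServer.setUpDefaultServer();
        sshd.setPort(2222); // assumed port
        sshd.setKeyPairProvider(provider);
        return sshd;
    }

    // Loads the key twice through separate providers: the first call generates
    // and writes the file, the second must parse it and yield the same public key.
    static boolean hostKeyIsStable(Path hostKeyFile) throws Exception {
        KeyPair generated = newProvider(hostKeyFile).loadKeys(null).iterator().next();
        KeyPair reloaded = newProvider(hostKeyFile).loadKeys(null).iterator().next();
        return Arrays.equals(generated.getPublic().getEncoded(), reloaded.getPublic().getEncoded());
    }

    private static BouncyCastleGeneratorHostKeyProvider newProvider(Path hostKeyFile) {
        BouncyCastleGeneratorHostKeyProvider p = new BouncyCastleGeneratorHostKeyProvider(hostKeyFile);
        p.setAlgorithm(KeyUtils.EC_ALGORITHM);
        return p;
    }

    public static void main(String[] args) throws Exception {
        Path keyFile = Paths.get(System.getProperty("java.io.tmpdir"), "hostkey-example.pem");
        SshServer sshd = configure(keyFile); // registers the parser before any load
        System.out.println("host key stable across restarts: " + hostKeyIsStable(keyFile));
        sshd.start();
    }
}
```

Running the check with the `SecurityUtils.setKeyPairResourceParser` line removed reproduces the warning from the report and returns false, which makes this a cheap startup self-test for the misconfiguration.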
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]