tomaswolf commented on code in PR #660:
URL: https://github.com/apache/mina-sshd/pull/660#discussion_r1937856705
##########
sshd-core/src/test/java/org/apache/sshd/common/auth/PublicKeyAuthenticationTest.java:
##########
@@ -459,4 +460,78 @@ void rsaAuthenticationOldServer() throws Exception {
}
}
}
+
Review Comment:
The test needs to be formatted. Run the maven build; it'll format the
source. Then commit the formatting change.
##########
sshd-core/src/main/java/org/apache/sshd/server/auth/pubkey/UserAuthPublicKey.java:
##########
@@ -176,7 +180,7 @@ public Boolean doAuth(Buffer buffer, boolean init) throws
Exception {
username, session, alg, KeyUtils.getFingerPrint(key));
}
- return Boolean.TRUE;
+ return key instanceof OpenSshCertificate;
Review Comment:
This is wrong. Change back to `return Boolean.TRUE`. The method is supposed
to return TRUE if authentication was successful, FALSE if unsuccessful, and
null if not complete yet.
##########
sshd-core/src/test/java/org/apache/sshd/common/auth/PublicKeyAuthenticationTest.java:
##########
@@ -459,4 +460,78 @@ void rsaAuthenticationOldServer() throws Exception {
}
}
}
+
+ @ParameterizedTest(name = "test certificates issued using the {0}
algorithm")
+ @MethodSource("certificateAlgorithms")
+ void testCertificateWithDifferentAlgorithms(String keyAlgorithm, int
keySize, String signatureAlgorithm) throws Exception {
+ // 1. Generating a user key pair
+ KeyPair userkey = CommonTestSupportUtils.generateKeyPair(keyAlgorithm,
keySize);
+ // 2. Generating CA key pair
+ KeyPair caKeypair =
CommonTestSupportUtils.generateKeyPair(keyAlgorithm, keySize);
+
+ // 3. Building openSshCertificate
+ OpenSshCertificate signedCert =
OpenSshCertificateBuilder.userCertificate()
+ .serial(System.currentTimeMillis())
+ .publicKey(userkey.getPublic())
+ .id("test-cert-" + keyAlgorithm)
+ .validBefore(System.currentTimeMillis() +
TimeUnit.HOURS.toMillis(1))
+ .principals(Collections.singletonList("user01"))
+ .criticalOptions(Collections.emptyList())
+ .extensions(Arrays.asList(
+ new
OpenSshCertificate.CertificateOption("permit-X11-forwarding"),
+ new
OpenSshCertificate.CertificateOption("permit-agent-forwarding")))
+ .sign(caKeypair, signatureAlgorithm);
+
+ // 4. Configuring the ssh server
+ sshd.setPasswordAuthenticator(RejectAllPasswordAuthenticator.INSTANCE);
+
sshd.setKeyboardInteractiveAuthenticator(KeyboardInteractiveAuthenticator.NONE);
+ CoreTestSupportUtils.setupFullSignaturesSupport(sshd);
+
+ sshd.setUserAuthFactories(Collections.singletonList(
+ new
org.apache.sshd.server.auth.pubkey.UserAuthPublicKeyFactory()));
+
+ AtomicInteger authAttempts = new AtomicInteger(0);
+ sshd.setPublickeyAuthenticator((username, key, session) -> {
+ authAttempts.incrementAndGet();
+ if (key instanceof OpenSshCertificate) {
+ OpenSshCertificate cert = (OpenSshCertificate) key;
+ return KeyUtils.compareKeys(cert.getCaPubKey(),
caKeypair.getPublic());
+ }
+ return false;
+ });
+
+ // 5. Testing Client Authentication
+ try (SshClient client = setupTestClient()) {
+ CoreTestSupportUtils.setupFullSignaturesSupport(client);
+ client.setUserAuthFactories(Collections.singletonList(
+ new
org.apache.sshd.client.auth.pubkey.UserAuthPublicKeyFactory()));
+
+ client.start();
+
+ try (ClientSession session = client.connect("user01",
TEST_LOCALHOST, port)
+ .verify(CONNECT_TIMEOUT)
+ .getSession()) {
+
+ KeyPair certKeyPair = new KeyPair(signedCert,
userkey.getPrivate());
+ session.addPublicKeyIdentity(certKeyPair);
+
+ AuthFuture auth = session.auth();
+ assertTrue(auth.verify(AUTH_TIMEOUT).isSuccess());
+ assertEquals(2, authAttempts.get(), "There should be two
attempts to authenticate using the certificate");
+ } finally {
+ client.stop();
+ }
+ }
+ }
+
+ private static Stream<Arguments> certificateAlgorithms() {
+ return Stream.of(
+ // 算法名称、密钥大小、签名算法
Review Comment:
This project uses English throughout. Please remove this comment, or write
it in English: key algorithm, key size, signature algorithm
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
