Re: [PR] bugfix: fix cert auth failed bug [mina-sshd]

Fri, 31 Jan 2025 11:47:10 -0800 


tomaswolf commented on code in PR #660:
URL: https://github.com/apache/mina-sshd/pull/660#discussion_r1937856705


##########
sshd-core/src/test/java/org/apache/sshd/common/auth/PublicKeyAuthenticationTest.java:
##########
@@ -459,4 +460,78 @@ void rsaAuthenticationOldServer() throws Exception {
             }
         }
     }
+

Review Comment:
   The test needs to be formatted. Run the maven build; it'll format the 
source. Then commit the formatting change.



##########
sshd-core/src/main/java/org/apache/sshd/server/auth/pubkey/UserAuthPublicKey.java:
##########
@@ -176,7 +180,7 @@ public Boolean doAuth(Buffer buffer, boolean init) throws 
Exception {
                     username, session, alg, KeyUtils.getFingerPrint(key));
         }
 
-        return Boolean.TRUE;
+        return key instanceof OpenSshCertificate;

Review Comment:
   This is wrong. Change back to `return Boolean.TRUE`.  The method is supposed 
to return TRUE if authentication was successful, FALSE if unsuccessful, and 
null if not complete yet.



##########
sshd-core/src/test/java/org/apache/sshd/common/auth/PublicKeyAuthenticationTest.java:
##########
@@ -459,4 +460,78 @@ void rsaAuthenticationOldServer() throws Exception {
             }
         }
     }
+
+    @ParameterizedTest(name = "test certificates issued using the {0} 
algorithm")
+    @MethodSource("certificateAlgorithms")
+    void testCertificateWithDifferentAlgorithms(String keyAlgorithm, int 
keySize, String signatureAlgorithm) throws Exception {
+        // 1. Generating a user key pair
+        KeyPair userkey = CommonTestSupportUtils.generateKeyPair(keyAlgorithm, 
keySize);
+        // 2. Generating CA key pair
+        KeyPair caKeypair = 
CommonTestSupportUtils.generateKeyPair(keyAlgorithm, keySize);
+        
+        // 3. Building openSshCertificate
+        OpenSshCertificate signedCert = 
OpenSshCertificateBuilder.userCertificate()
+                .serial(System.currentTimeMillis())
+                .publicKey(userkey.getPublic())
+                .id("test-cert-" + keyAlgorithm)
+                .validBefore(System.currentTimeMillis() + 
TimeUnit.HOURS.toMillis(1))
+                .principals(Collections.singletonList("user01"))
+                .criticalOptions(Collections.emptyList())
+                .extensions(Arrays.asList(
+                        new 
OpenSshCertificate.CertificateOption("permit-X11-forwarding"),
+                        new 
OpenSshCertificate.CertificateOption("permit-agent-forwarding")))
+                .sign(caKeypair, signatureAlgorithm);
+
+        // 4. Configuring the ssh server
+        sshd.setPasswordAuthenticator(RejectAllPasswordAuthenticator.INSTANCE);
+        
sshd.setKeyboardInteractiveAuthenticator(KeyboardInteractiveAuthenticator.NONE);
+        CoreTestSupportUtils.setupFullSignaturesSupport(sshd);
+        
+        sshd.setUserAuthFactories(Collections.singletonList(
+                new 
org.apache.sshd.server.auth.pubkey.UserAuthPublicKeyFactory()));
+
+        AtomicInteger authAttempts = new AtomicInteger(0);
+        sshd.setPublickeyAuthenticator((username, key, session) -> {
+            authAttempts.incrementAndGet();
+            if (key instanceof OpenSshCertificate) {
+                OpenSshCertificate cert = (OpenSshCertificate) key;
+                return KeyUtils.compareKeys(cert.getCaPubKey(), 
caKeypair.getPublic());
+            }
+            return false;
+        });
+
+        // 5. Testing Client Authentication
+        try (SshClient client = setupTestClient()) {
+            CoreTestSupportUtils.setupFullSignaturesSupport(client);
+            client.setUserAuthFactories(Collections.singletonList(
+                    new 
org.apache.sshd.client.auth.pubkey.UserAuthPublicKeyFactory()));
+
+            client.start();
+
+            try (ClientSession session = client.connect("user01", 
TEST_LOCALHOST, port)
+                    .verify(CONNECT_TIMEOUT)
+                    .getSession()) {
+
+                KeyPair certKeyPair = new KeyPair(signedCert, 
userkey.getPrivate());
+                session.addPublicKeyIdentity(certKeyPair);
+
+                AuthFuture auth = session.auth();
+                assertTrue(auth.verify(AUTH_TIMEOUT).isSuccess());
+                assertEquals(2, authAttempts.get(), "There should be two 
attempts to authenticate using the certificate");
+            } finally {
+                client.stop();
+            }
+        }
+    }
+
+    private static Stream<Arguments> certificateAlgorithms() {
+        return Stream.of(
+            // 算法名称、密钥大小、签名算法

Review Comment:
   This project uses English throughout. Please remove this comment, or write 
it in English: key algorithm, key size, signature algorithm



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org

Reply via email to