Apache MINA sshd client: test reading encrypted ed25519 keys

Add encrypted ed25519 keys in the tests; sshd 2.2.0 can finally
decrypt encrypted new-style OpenSSH key files. (Needs the "unlimited
strength" JCE, which is the default since Java 8u161. On older JREs,
users should install the policy files available from Oracle.)

The "expensive" key added has been generated with OpenSSH's
ssh-keygen -t ed25519 -a 256, i.e., with 256 bcrypt KDF rounds
instead of the default 16. On my machine it takes about 2 seconds to
decrypt.

Bug: 541703
Change-Id: Id3872ca2fd75d8f009cbc932eeb6357d3d1f267c
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
This commit is contained in:
Thomas Wolf 2019-01-15 19:50:12 +01:00 committed by Matthias Sohn
parent 86cee68e0d
commit c33d2bfb9f
5 changed files with 19 additions and 1 deletions


@ -51,6 +51,7 @@ Import-Package: net.i2p.crypto.eddsa;version="[0.3.0,0.4.0)",
org.apache.sshd.common.compression;version="[2.2.0,2.3.0)",
org.apache.sshd.common.config.keys;version="[2.2.0,2.3.0)",
org.apache.sshd.common.config.keys.loader;version="[2.2.0,2.3.0)",
org.apache.sshd.common.config.keys.loader.openssh.kdf;version="[2.2.0,2.3.0)",
org.apache.sshd.common.digest;version="[2.2.0,2.3.0)",
org.apache.sshd.common.forward;version="[2.2.0,2.3.0)",
org.apache.sshd.common.future;version="[2.2.0,2.3.0)",


@ -70,6 +70,7 @@
import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.common.compression.BuiltinCompressions;
import org.apache.sshd.common.config.keys.FilePasswordProvider;
import org.apache.sshd.common.config.keys.loader.openssh.kdf.BCryptKdfOptions;
import org.apache.sshd.common.keyprovider.KeyIdentityProvider;
import org.eclipse.jgit.annotations.NonNull;
import org.eclipse.jgit.errors.TransportException;
@ -157,6 +158,11 @@ public SshdSessionFactory(KeyCache keyCache, ProxyDataFactory proxies) {
super();
this.keyCache = keyCache;
this.proxies = proxies;
// sshd limits the number of BCrypt KDF rounds to 255 by default.
// Decrypting such a key takes about two seconds on my machine.
// I consider this limit too low. The time increases linearly with the
// number of rounds.
BCryptKdfOptions.setMaxAllowedRounds(16384);
}
/** A simple general map key. */
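Review bot: `BCryptKdfOptions.setMaxAllowedRounds(16384);` in the constructor rewrites process-wide sshd state every time an `SshdSessionFactory` is built, and the 255-round default it overrides is the library's guard against a key file whose KDF header demands an excessive amount of work; at the roughly 2 s per 256 rounds the comment itself reports, a file at the new ceiling takes on the order of two minutes to decrypt. That trade-off belongs next to the number instead of the first-person remark about "my machine", so I would hoist 16384 into a named constant and use a comment such as `// Raise sshd's default BCrypt KDF ceiling (255 rounds). Cost grows linearly with rounds, about 2 s per 256, so a key at this ceiling may take minutes to decrypt.` Applying it once from a static initializer, or only when the currently configured limit is lower (sshd exposes a matching getter, if I recall correctly), would also avoid silently clobbering a limit the embedding application chose. The constructor's signature is in the hunk header; the rest of the class is outside the hunk.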


@ -0,0 +1,8 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAsFN8vig
Nw4/Ow6xbb7MAZAAABAAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIEZXZRjuttLufaP8
wFD/i4lYPnKk01z46Jwv/9U4mPioAAAAkHLErPaXeC179rzXMaSwClstzsKvJ/Gqh2cY8d
cWzymXtKZcivWMKesRHbC+1qRx53ofx15IzT5Fmg6NuNk4sm2s+lH8x8HN3CPWBfjGIelP
iQUR6M6Y91mPigpRC2HUJmJIaFNdrRqFF84a5+qyK//tdy1fv4gNMLi5yPdXiL/Ttw05FS
LkFikjfvSGZSO/MA==
-----END OPENSSH PRIVATE KEY-----


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZXZRjuttLufaP8wFD/i4lYPnKk01z46Jwv/9U4mPio test


@ -89,7 +89,9 @@ public abstract class SshTestBase extends SshTestHarness {
"id_rsa_4096_testpass", //
"id_ecdsa_256_testpass", //
"id_ecdsa_384_testpass", //
"id_ecdsa_521_testpass" };
"id_ecdsa_521_testpass", //
"id_ed25519_testpass", //
"id_ed25519_expensive_testpass" };
protected File defaultCloneDir;
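Review bot: The new `"id_ed25519_expensive_testpass"` entry deliberately costs about two seconds per decryption (256 KDF rounds per the commit message), and because this array lives in the shared abstract base, every subclass's test run pays that cost without the array giving any hint of it. A trailing comment on the entry, `"id_ed25519_expensive_testpass" // 256 bcrypt KDF rounds; ~2 s to decrypt`, would tell the next person who wonders why the suite slowed down. The array declaration starts before the hunk.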