From c33d2bfb9f5d0f407bb736fafe2fa8ff93309e93 Mon Sep 17 00:00:00 2001
From: Thomas Wolf
Date: Tue, 15 Jan 2019 19:50:12 +0100
Subject: [PATCH] Apache MINA sshd client: test reading encrypted ed25519 keys

Add encrypted ed25519 keys in the tests; sshd 2.2.0 can finally decrypt encrypted new-style OpenSSH key files. (Needs the "unlimited strength" JCE, which is the default since Java 8u161. On older JREs, users should install the policy files available from Oracle.)

The "expensive" key added has been generated with OpenSSH's ssh-keygen -t ed25519 -a 256, i.e., with 256 bcrypt KDF rounds instead of the default 16. On my machine it takes about 2sec to decrypt.

Bug: 541703
Change-Id: Id3872ca2fd75d8f009cbc932eeb6357d3d1f267c
Signed-off-by: Thomas Wolf
---
 org.eclipse.jgit.ssh.apache/META-INF/MANIFEST.MF | 1 +
 .../eclipse/jgit/transport/sshd/SshdSessionFactory.java | 6 ++++++
 .../jgit/transport/ssh/id_ed25519_expensive_testpass | 8 ++++++++
 .../jgit/transport/ssh/id_ed25519_expensive_testpass.pub | 1 +
 .../src/org/eclipse/jgit/transport/ssh/SshTestBase.java | 4 +++-
 5 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 org.eclipse.jgit.test/resources/org/eclipse/jgit/transport/ssh/id_ed25519_expensive_testpass
 create mode 100644 org.eclipse.jgit.test/resources/org/eclipse/jgit/transport/ssh/id_ed25519_expensive_testpass.pub

diff --git a/org.eclipse.jgit.ssh.apache/META-INF/MANIFEST.MF b/org.eclipse.jgit.ssh.apache/META-INF/MANIFEST.MF
index d1f7d4982..5d344f494 100644
--- a/org.eclipse.jgit.ssh.apache/META-INF/MANIFEST.MF
+++ b/org.eclipse.jgit.ssh.apache/META-INF/MANIFEST.MF
@@ -51,6 +51,7 @@ Import-Package: net.i2p.crypto.eddsa;version="[0.3.0,0.4.0)",
  org.apache.sshd.common.compression;version="[2.2.0,2.3.0)",
  org.apache.sshd.common.config.keys;version="[2.2.0,2.3.0)",
  org.apache.sshd.common.config.keys.loader;version="[2.2.0,2.3.0)",
+ org.apache.sshd.common.config.keys.loader.openssh.kdf;version="[2.2.0,2.3.0)",
  org.apache.sshd.common.digest;version="[2.2.0,2.3.0)",
  org.apache.sshd.common.forward;version="[2.2.0,2.3.0)",
  org.apache.sshd.common.future;version="[2.2.0,2.3.0)",
diff --git a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/transport/sshd/SshdSessionFactory.java b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/transport/sshd/SshdSessionFactory.java
index 2f9691ed6..90dc8ca50 100644
--- a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/transport/sshd/SshdSessionFactory.java
+++ b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/transport/sshd/SshdSessionFactory.java
@@ -70,6 +70,7 @@ import org.apache.sshd.common.NamedFactory;
 import org.apache.sshd.common.compression.BuiltinCompressions;
 import org.apache.sshd.common.config.keys.FilePasswordProvider;
+import org.apache.sshd.common.config.keys.loader.openssh.kdf.BCryptKdfOptions;
 import org.apache.sshd.common.keyprovider.KeyIdentityProvider;
 import org.eclipse.jgit.annotations.NonNull;
 import org.eclipse.jgit.errors.TransportException;
@@ -157,6 +158,11 @@ public SshdSessionFactory(KeyCache keyCache, ProxyDataFactory proxies) {
 		super();
 		this.keyCache = keyCache;
 		this.proxies = proxies;
+		// sshd limits the number of BCrypt KDF rounds to 255 by default.
+		// Decrypting such a key takes about two seconds on my machine.
+		// I consider this limit too low. The time increases linearly with the
+		// number of rounds.
+		BCryptKdfOptions.setMaxAllowedRounds(16384);
 	}
 
 	/** A simple general map key. */
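Review bot: `BCryptKdfOptions.setMaxAllowedRounds(16384)` in the constructor hunk mutates a static, JVM-wide sshd setting from an instance constructor, so every `new SshdSessionFactory(...)` re-applies it and silently overrides whatever limit an embedding application has configured; raising it once in a static initializer, or only when the current value is lower (`if (BCryptKdfOptions.getMaxAllowedRounds() < 16384) { BCryptKdfOptions.setMaxAllowedRounds(16384); }`), would keep the side effect explicit and non-regressing. The 255 default is sshd's bound on the CPU spent decrypting a single key file; by the commit message's own figures (256 rounds ≈ 2 s, linear in the round count) a key at the new cap could take on the order of two minutes, which the comment should state so the trade-off is visible, and which argues for mentioning the raised cap in the class Javadoc. The comment is also written in the first person (`on my machine`, `I consider this limit too low`); a neutral rationale such as `// sshd caps bcrypt KDF rounds at 255 by default, which rejects keys generated with larger ssh-keygen -a values; decryption cost grows linearly with the round count.` fits library code better.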
diff --git a/org.eclipse.jgit.test/resources/org/eclipse/jgit/transport/ssh/id_ed25519_expensive_testpass b/org.eclipse.jgit.test/resources/org/eclipse/jgit/transport/ssh/id_ed25519_expensive_testpass
new file mode 100644
index 000000000..904cf302c
--- /dev/null
+++ b/org.eclipse.jgit.test/resources/org/eclipse/jgit/transport/ssh/id_ed25519_expensive_testpass
@@ -0,0 +1,8 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAsFN8vig
+Nw4/Ow6xbb7MAZAAABAAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIEZXZRjuttLufaP8
+wFD/i4lYPnKk01z46Jwv/9U4mPioAAAAkHLErPaXeC179rzXMaSwClstzsKvJ/Gqh2cY8d
+cWzymXtKZcivWMKesRHbC+1qRx53ofx15IzT5Fmg6NuNk4sm2s+lH8x8HN3CPWBfjGIelP
+iQUR6M6Y91mPigpRC2HUJmJIaFNdrRqFF84a5+qyK//tdy1fv4gNMLi5yPdXiL/Ttw05FS
+LkFikjfvSGZSO/MA==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/org.eclipse.jgit.test/resources/org/eclipse/jgit/transport/ssh/id_ed25519_expensive_testpass.pub b/org.eclipse.jgit.test/resources/org/eclipse/jgit/transport/ssh/id_ed25519_expensive_testpass.pub
new file mode 100644
index 000000000..65038b5f4
--- /dev/null
+++ b/org.eclipse.jgit.test/resources/org/eclipse/jgit/transport/ssh/id_ed25519_expensive_testpass.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZXZRjuttLufaP8wFD/i4lYPnKk01z46Jwv/9U4mPio test
diff --git a/org.eclipse.jgit.test/src/org/eclipse/jgit/transport/ssh/SshTestBase.java b/org.eclipse.jgit.test/src/org/eclipse/jgit/transport/ssh/SshTestBase.java
index 2f367ba51..b8c90b2a4 100644
--- a/org.eclipse.jgit.test/src/org/eclipse/jgit/transport/ssh/SshTestBase.java
+++ b/org.eclipse.jgit.test/src/org/eclipse/jgit/transport/ssh/SshTestBase.java
@@ -89,7 +89,9 @@ public abstract class SshTestBase extends SshTestHarness {
 			"id_rsa_4096_testpass", //
 			"id_ecdsa_256_testpass", //
 			"id_ecdsa_384_testpass", //
-			"id_ecdsa_521_testpass" };
+			"id_ecdsa_521_testpass", //
+			"id_ed25519_testpass", //
+			"id_ed25519_expensive_testpass" };
 
 	protected File defaultCloneDir;