From db627c417779691d7fe5fa925ea63f53babbae01 Mon Sep 17 00:00:00 2001 From: Thomas Wolf Date: Mon, 19 Nov 2018 23:11:13 +0100 Subject: [PATCH] Apache MINA sshd client: enable support for ed25519 keys Include the net.i2p.crypto.eddsa bundle via a hard dependency. Add tests for dealing with ed25519 host keys and user key files. Manual tests: fetching from git.eclipse.org with an ed25519 user key, and pushing this change itself using the same ed25519 key. Note that sshd 2.0.0 does not yet support encrypted ed25519 private keys. Bug: 541272 Change-Id: I7072f4014d9eca755b4a2412e19c086235e5eae9 Signed-off-by: Thomas Wolf --- WORKSPACE | 6 ++++++ lib/BUILD | 9 ++++++++ .../feature.xml | 7 +++++++ org.eclipse.jgit.ssh.apache.test/BUILD | 1 + .../META-INF/MANIFEST.MF | 1 + .../jgit/transport/sshd/ApacheSshTest.java | 21 +++++++++++++++++++ org.eclipse.jgit.ssh.apache/BUILD | 1 + .../META-INF/MANIFEST.MF | 3 ++- org.eclipse.jgit.ssh.apache/pom.xml | 7 +++++++ .../jgit/transport/ssh/SshTestBase.java | 4 +++- 10 files changed, 58 insertions(+), 2 deletions(-) diff --git a/WORKSPACE b/WORKSPACE index 66bdd67cb..0eabeccbc 100644 --- a/WORKSPACE +++ b/WORKSPACE @@ -22,6 +22,12 @@ load( "maven_jar", ) +maven_jar( + name = "eddsa", + artifact = "net.i2p.crypto:eddsa:0.3.0", + sha1 = "1901c8d4d8bffb7d79027686cfb91e704217c3e1", +) + maven_jar( name = "jsch", artifact = "com.jcraft:jsch:0.1.54", diff --git a/lib/BUILD b/lib/BUILD index 4803466ec..0f09c1f87 100644 --- a/lib/BUILD +++ b/lib/BUILD @@ -27,6 +27,15 @@ java_library( exports = ["@commons-logging//jar"], ) +java_library( + name = "eddsa", + visibility = [ + "//org.eclipse.jgit.ssh.apache:__pkg__", + "//org.eclipse.jgit.ssh.apache.test:__pkg__", + ], + exports = ["@eddsa//jar"], +) + java_library( name = "gson", visibility = [ diff --git a/org.eclipse.jgit.packaging/org.eclipse.jgit.ssh.apache.feature/feature.xml b/org.eclipse.jgit.packaging/org.eclipse.jgit.ssh.apache.feature/feature.xml index b80ff3799..2f15de18a 100644 
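Review bot: The eddsa version is now declared in three unconnected places: `0.3.0` in this WORKSPACE rule, the `[0.3.0,0.4.0)` Import-Package range in org.eclipse.jgit.ssh.apache/META-INF/MANIFEST.MF, and `eddsa-version` in org.eclipse.jgit.ssh.apache/pom.xml. Because this library does signature verification, an upgrade for a fix has to reach all three builds. I would add a comment above the rule, such as `# Keep in sync with eddsa-version in org.eclipse.jgit.ssh.apache/pom.xml and the net.i2p.crypto.eddsa import range in its MANIFEST.MF`. The jar is also pinned only by a SHA-1 digest; if the `maven_jar` rule loaded above accepts a stronger digest attribute (its definition is not visible here), it would be worth using for a crypto dependency.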
--- a/org.eclipse.jgit.packaging/org.eclipse.jgit.ssh.apache.feature/feature.xml +++ b/org.eclipse.jgit.packaging/org.eclipse.jgit.ssh.apache.feature/feature.xml @@ -47,4 +47,11 @@ version="0.0.0" unpack="false"/> + + diff --git a/org.eclipse.jgit.ssh.apache.test/BUILD b/org.eclipse.jgit.ssh.apache.test/BUILD index 3742aff06..a13cf0b30 100644 --- a/org.eclipse.jgit.ssh.apache.test/BUILD +++ b/org.eclipse.jgit.ssh.apache.test/BUILD @@ -8,6 +8,7 @@ junit_tests( srcs = glob(["tst/**/*.java"]), tags = ["sshd"], deps = [ + "//lib:eddsa", "//lib:junit", "//lib:sshd-core", "//lib:sshd-sftp", diff --git a/org.eclipse.jgit.ssh.apache.test/META-INF/MANIFEST.MF b/org.eclipse.jgit.ssh.apache.test/META-INF/MANIFEST.MF index 38dc19067..b87ef7cff 100644 --- a/org.eclipse.jgit.ssh.apache.test/META-INF/MANIFEST.MF +++ b/org.eclipse.jgit.ssh.apache.test/META-INF/MANIFEST.MF @@ -8,6 +8,7 @@ Bundle-Vendor: %Provider-Name Bundle-RequiredExecutionEnvironment: JavaSE-1.8 Import-Package: org.eclipse.jgit.internal.transport.sshd.proxy;version="[5.2.0,5.3.0)", org.eclipse.jgit.junit;version="[5.2.0,5.3.0)", + org.eclipse.jgit.junit.ssh;version="[5.2.0,5.3.0)", org.eclipse.jgit.lib;version="[5.2.0,5.3.0)", org.eclipse.jgit.transport;version="[5.2.0,5.3.0)", org.eclipse.jgit.transport.ssh;version="[5.2.0,5.3.0)", diff --git a/org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java b/org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java index 69a9165aa..ee58083a5 100644 --- a/org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java +++ b/org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java @@ -53,6 +53,7 @@ import org.eclipse.jgit.transport.ssh.SshTestBase; import org.eclipse.jgit.transport.sshd.SshdSessionFactory; import org.eclipse.jgit.util.FS; +import org.junit.Test; import org.junit.experimental.theories.Theories; import org.junit.runner.RunWith; 
@@ -81,4 +82,24 @@ protected void installConfig(String... config) { } } + // Using an ed25519 (unencrypted) user key is tested in the super class in + // testSshKeys(). sshd 2.0.0 cannot yet read encrypted ed25519 keys. + + @Test + public void testEd25519HostKey() throws Exception { + File newHostKey = new File(getTemporaryDirectory(), "newhostkey"); + copyTestResource("id_ed25519", newHostKey); + server.addHostKey(newHostKey.toPath(), true); + File newHostKeyPub = new File(getTemporaryDirectory(), + "newhostkey.pub"); + copyTestResource("id_ed25519.pub", newHostKeyPub); + createKnownHostsFile(knownHosts, "localhost", testPort, newHostKeyPub); + cloneWith("ssh://git/doesntmatter", defaultCloneDir, null, // + "Host git", // + "HostName localhost", // + "Port " + testPort, // + "User " + TEST_USER, // + "IdentityFile " + privateKey1.getAbsolutePath()); + } + } diff --git a/org.eclipse.jgit.ssh.apache/BUILD b/org.eclipse.jgit.ssh.apache/BUILD index d6a145381..a1a6c8e24 100644 --- a/org.eclipse.jgit.ssh.apache/BUILD +++ b/org.eclipse.jgit.ssh.apache/BUILD @@ -10,6 +10,7 @@ java_library( resource_strip_prefix = "org.eclipse.jgit.ssh.apache/resources", resources = RESOURCES, deps = [ + "//lib:eddsa", "//lib:slf4j-api", "//lib:sshd-core", "//lib:sshd-sftp", diff --git a/org.eclipse.jgit.ssh.apache/META-INF/MANIFEST.MF b/org.eclipse.jgit.ssh.apache/META-INF/MANIFEST.MF index e5d66536f..124651815 100644 --- a/org.eclipse.jgit.ssh.apache/META-INF/MANIFEST.MF +++ b/org.eclipse.jgit.ssh.apache/META-INF/MANIFEST.MF 
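Review bot: testEd25519HostKey covers only the accepting path, so it would still pass if the client accepted any ed25519 host key without comparing it to known_hosts. A companion test should pin an ed25519 key in known_hosts that the server never presents and expect the clone to fail. Whether SshTestBase already has a generic mismatch test is not visible from this hunk, and the expected exception type in the sketch below is my assumption and needs confirming against the other failure tests. A one-line comment on `server.addHostKey(newHostKey.toPath(), true)` saying what the boolean selects would also help. The enclosing class starts outside the hunk.

```java
@Test(expected = TransportException.class)
public void testEd25519HostKeyMismatch() throws Exception {
	// known_hosts pins an ed25519 key that the server does not hold
	// (no server.addHostKey call), so verification must refuse it.
	File pinnedHostKeyPub = new File(getTemporaryDirectory(),
			"pinnedhostkey.pub");
	copyTestResource("id_ed25519.pub", pinnedHostKeyPub);
	createKnownHostsFile(knownHosts, "localhost", testPort,
			pinnedHostKeyPub);
	cloneWith("ssh://git/doesntmatter", defaultCloneDir, null, //
			"Host git", //
			"HostName localhost", //
			"Port " + testPort, //
			"User " + TEST_USER, //
			"IdentityFile " + privateKey1.getAbsolutePath());
}
```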
@@ -31,7 +31,8 @@ Export-Package: org.eclipse.jgit.internal.transport.sshd;version="5.2.0";x-inter org.eclipse.jgit.util, org.apache.sshd.client.session, org.apache.sshd.client.keyverifier" -Import-Package: org.apache.sshd.agent;version="[2.0.0,2.1.0)", +Import-Package: net.i2p.crypto.eddsa;version="[0.3.0,0.4.0)", + org.apache.sshd.agent;version="[2.0.0,2.1.0)", org.apache.sshd.client;version="[2.0.0,2.1.0)", org.apache.sshd.client.auth;version="[2.0.0,2.1.0)", org.apache.sshd.client.auth.keyboard;version="[2.0.0,2.1.0)", diff --git a/org.eclipse.jgit.ssh.apache/pom.xml b/org.eclipse.jgit.ssh.apache/pom.xml index f9100855e..366c393e4 100644 --- a/org.eclipse.jgit.ssh.apache/pom.xml +++ b/org.eclipse.jgit.ssh.apache/pom.xml @@ -63,6 +63,7 @@ ${project.build.directory}/META-INF/SOURCE-MANIFEST.MF + 0.3.0 @@ -84,6 +85,12 @@ ${apache-sshd-version} + + net.i2p.crypto + eddsa + ${eddsa-version} + + org.slf4j slf4j-api diff --git a/org.eclipse.jgit.test/src/org/eclipse/jgit/transport/ssh/SshTestBase.java b/org.eclipse.jgit.test/src/org/eclipse/jgit/transport/ssh/SshTestBase.java index 92a2fbd27..dde55b6d7 100644 --- a/org.eclipse.jgit.test/src/org/eclipse/jgit/transport/ssh/SshTestBase.java +++ b/org.eclipse.jgit.test/src/org/eclipse/jgit/transport/ssh/SshTestBase.java @@ -80,6 +80,7 @@ public abstract class SshTestBase extends SshTestHarness { "id_ecdsa_256", // "id_ecdsa_384", // "id_ecdsa_521", // + "id_ed25519", // // And now encrypted. Passphrase is "testpass". "id_dsa_testpass", // "id_rsa_1024_testpass", // 
@@ -805,7 +806,8 @@ public void testSshKeys(String keyName) throws Exception { // JSch fails on ECDSA 384/521 keys. Compare // https://sourceforge.net/p/jsch/patches/10/ assumeTrue(!(getSessionFactory() instanceof JschConfigSessionFactory - && (keyName.startsWith("id_ecdsa_384") + && (keyName.contains("ed25519") + || keyName.startsWith("id_ecdsa_384") || keyName.startsWith("id_ecdsa_521")))); File cloned = new File(getTemporaryDirectory(), "cloned"); String keyFileName = keyName + "_key";
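Review bot: The comment above the `assumeTrue` still explains only the ECDSA 384/521 exclusion, while the new `keyName.contains("ed25519")` clause silently skips every ed25519 case for JSch with no stated reason. I would extend the comment, for example `// JSch fails on ECDSA 384/521 keys and (presumably) has no ed25519 support at all.`, so a later reader knows the skip is deliberate and when it can be removed. The new clause also uses `contains` where its siblings use `startsWith`; `keyName.startsWith("id_ed25519")` would match the naming of the key list and avoid catching unrelated names. The body of testSshKeys continues outside this hunk.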