Fix: if the client knows CA key, it should send host key algo proposal for certificates (#733)

* Fix: if the client knows CA key, it should send host key algo proposal for certificates * Run specific SSH server in KeyWithCertificateSpec Required to verify the case with wrong host key algorithm proposals. See #733 * Split KeyWithCertificateSpec into HostKeyWithCertificateSpec and PublicKeyAuthWithCertificateSpec Prevents from starting unnecessary SSHD containers, making the tests run a bit faster when they are launched separately.
2025-12-07 15:50:57 +03:00 · 2021-11-11 05:06:07 +07:00
parent d5805a6c64
commit 7c14098f7d
5 changed files with 168 additions and 232 deletions
--- a/src/main/java/net/schmizz/sshj/transport/verification/OpenSSHKnownHosts.java
+++ b/src/main/java/net/schmizz/sshj/transport/verification/OpenSSHKnownHosts.java
@@ -138,7 +138,19 @@ public class OpenSSHKnownHosts
        for (KnownHostEntry e : entries) {
            try {
                if (e.appliesTo(adjustedHostname)) {
-                    knownHostAlgorithms.add(e.getType().toString());
+                    final KeyType type = e.getType();
+                    if (e instanceof HostEntry && ((HostEntry) e).marker == Marker.CA_CERT) {
+                        // Only the CA key type is known, but the type of the host key is not.
+                        // Adding all supported types for keys with certificates.
+                        for (final KeyType candidate : KeyType.values()) {
+                            if (candidate.getParent() != null) {
+                                knownHostAlgorithms.add(candidate.toString());
+                            }
+                        }
+                    }
+                    else {
+                        knownHostAlgorithms.add(type.toString());
+                    }
                }
            } catch (IOException ioe) {
            }