From aa201fa08c57b2f2bfd89e1aa341cd55bf645aeb Mon Sep 17 00:00:00 2001
From: Jeroen van Erp
Date: Fri, 16 Nov 2018 10:39:20 +0100
Subject: [PATCH] Add AES256-CBC to OpenSSHKeyV1KeyFile (Fixes #467)
---
 .../keyprovider/OpenSSHKeyV1KeyFile.java | 5 ++++-
 .../sshj/keyprovider/OpenSSHKeyFileTest.java | 16 ++++++++++++----
 .../resources/keytypes/ed25519_aes256cbc.pem | 8 ++++++++
 .../resources/keytypes/ed25519_aes256cbc.pem.pub | 1 +
 4 files changed, 25 insertions(+), 5 deletions(-)
 create mode 100644 src/test/resources/keytypes/ed25519_aes256cbc.pem
 create mode 100644 src/test/resources/keytypes/ed25519_aes256cbc.pem.pub
diff --git a/src/main/java/com/hierynomus/sshj/userauth/keyprovider/OpenSSHKeyV1KeyFile.java b/src/main/java/com/hierynomus/sshj/userauth/keyprovider/OpenSSHKeyV1KeyFile.java
index 7e46b736..b34cef59 100644
--- a/src/main/java/com/hierynomus/sshj/userauth/keyprovider/OpenSSHKeyV1KeyFile.java
+++ b/src/main/java/com/hierynomus/sshj/userauth/keyprovider/OpenSSHKeyV1KeyFile.java
@@ -21,6 +21,7 @@ import net.i2p.crypto.eddsa.spec.EdDSANamedCurveTable;
 import net.i2p.crypto.eddsa.spec.EdDSAPrivateKeySpec;
 import net.schmizz.sshj.common.*;
 import net.schmizz.sshj.common.Buffer.PlainBuffer;
+import net.schmizz.sshj.transport.cipher.BlockCipher;
 import net.schmizz.sshj.transport.cipher.Cipher;
 import net.schmizz.sshj.userauth.keyprovider.BaseFileKeyProvider;
 import net.schmizz.sshj.userauth.keyprovider.FileKeyProvider;
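Review bot: The added `import net.schmizz.sshj.transport.cipher.BlockCipher;` is not referenced by any hunk shown for this file; the new `createCipher` branch uses only `BlockCiphers` and the already-imported `Cipher`. If nothing outside the visible hunks uses `BlockCipher`, the import is dead and should be dropped so the file does not pick up unused-import warnings.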
@@ -106,7 +107,7 @@ public class OpenSSHKeyV1KeyFile extends BaseFileKeyProvider {
 logger.debug("Reading unencrypted keypair");
 return readUnencrypted(privateKeyBuffer, publicKey);
 } else {
- logger.info("Keypair is encrypted with: " + cipherName + ", " + kdfName + ", " + kdfOptions);
+ logger.info("Keypair is encrypted with: " + cipherName + ", " + kdfName + ", " + Arrays.toString(kdfOptions));
 PlainBuffer decrypted = decryptBuffer(privateKeyBuffer, cipherName, kdfName, kdfOptions);
 return readUnencrypted(decrypted, publicKey);
 // throw new IOException("Cannot read encrypted keypair with " + cipherName + " yet.");
@@ -141,6 +142,8 @@ public class OpenSSHKeyV1KeyFile extends BaseFileKeyProvider {
 private Cipher createCipher(String cipherName) {
 if (cipherName.equals(BlockCiphers.AES256CTR().getName())) {
 return BlockCiphers.AES256CTR().create();
+ } else if (cipherName.equals(BlockCiphers.AES256CBC().getName())) {
+ return BlockCiphers.AES256CBC().create();
 }
 throw new IllegalStateException("Cipher '" + cipherName + "' not currently implemented for openssh-key-v1 format");
 }
diff --git a/src/test/java/net/schmizz/sshj/keyprovider/OpenSSHKeyFileTest.java b/src/test/java/net/schmizz/sshj/keyprovider/OpenSSHKeyFileTest.java
index 3969e6d0..1c7a6745 100644
--- a/src/test/java/net/schmizz/sshj/keyprovider/OpenSSHKeyFileTest.java
+++ b/src/test/java/net/schmizz/sshj/keyprovider/OpenSSHKeyFileTest.java
@@ -30,7 +30,6 @@ import org.junit.Test;
 import java.io.File;
 import java.io.IOException;
-import java.io.UnsupportedEncodingException;
 import java.math.BigInteger;
 import java.security.GeneralSecurityException;
 import java.security.PrivateKey;
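Review bot: `Arrays.toString(kdfOptions)` in the new `logger.info` call writes the raw KDF option bytes from the key file into the INFO log on every encrypted-key load; for the bcrypt KDF that blob presumably holds the salt and round count. None of that is secret, but it is key-file metadata that routine logs do not need, so I would log only the names and at debug level: `logger.debug("Keypair is encrypted with: " + cipherName + ", " + kdfName);`. The commented-out `// throw new IOException(...)` two lines further down is dead code and can be deleted in the same change. The enclosing method starts and ends outside this hunk.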
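Review bot: The new `AES256CBC` branch in `createCipher` adds a second cipher mode that, like CTR, does not authenticate the ciphertext, and the method carries no comment saying where a wrong passphrase or a modified key file is detected. The openssh-key-v1 format relies on the two check integers at the start of the decrypted private section for that, and whether `readUnencrypted` compares them is not visible in this patch. I would confirm that check exists and document the dependency here, e.g. `// CTR/CBC give no integrity: a bad passphrase is only caught by the checkint comparison after decryption`. As a smaller point, each branch builds the factory twice (`BlockCiphers.AES256CBC()` for `getName()` and again for `create()`); a local variable per factory would read more cleanly as more ciphers are added.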
@@ -189,12 +188,21 @@ public class OpenSSHKeyFileTest {
 }
 @Test
- public void shouldLoadProtectedED25519PrivateKey() throws IOException {
+ public void shouldLoadProtectedED25519PrivateKeyAes256CTR() throws IOException {
+ checkOpenSSHKeyV1("src/test/resources/keytypes/ed25519_protected", "sshjtest");
+ }
+
+ @Test
+ public void shouldLoadProtectedED25519PrivateKeyAes256CBC() throws IOException {
+ checkOpenSSHKeyV1("src/test/resources/keytypes/ed25519_aes256cbc.pem", "foobar");
+ }
+
+ private void checkOpenSSHKeyV1(String key, String password) throws IOException {
 OpenSSHKeyV1KeyFile keyFile = new OpenSSHKeyV1KeyFile();
- keyFile.init(new File("src/test/resources/keytypes/ed25519_protected"), new PasswordFinder() {
+ keyFile.init(new File(key), new PasswordFinder() {
 @Override
 public char[] reqPassword(Resource resource) {
- return "sshjtest".toCharArray();
+ return password.toCharArray();
 }
 @Override
diff --git a/src/test/resources/keytypes/ed25519_aes256cbc.pem b/src/test/resources/keytypes/ed25519_aes256cbc.pem
new file mode 100644
index 00000000..971d522f
--- /dev/null
+++ b/src/test/resources/keytypes/ed25519_aes256cbc.pem
@@ -0,0 +1,8 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABBLQVXV9f
+Wpw8AL9RTpAr//AAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIJ8ww4hJG/gHJYdk
+jTTBDF1GNz+228nuWprPV+NbQauAAAAAoGHEO7x3fSRBohvrIR52U4XD3uqRnhrPYm01k1
+f4HHNNv46m92Zw6JKIB9Trrvp0sdMI8MVb79bN45rbn6mvpABtWl6T5TOTyMnKzDfAOx9c
+FTaasWFmgtgkXOsu5pLrYBAQgCHWbzjjz6KoV1DmD4SAn9Ojf9Oh+YdAEKZcsvklgpu+Kj
+nzN/DR0jt7Nzep2kNCLAS24QEkvQeATVSDiL8=
+-----END OPENSSH PRIVATE KEY-----
diff --git a/src/test/resources/keytypes/ed25519_aes256cbc.pem.pub b/src/test/resources/keytypes/ed25519_aes256cbc.pem.pub
new file mode 100644
index 00000000..14e49020
--- /dev/null
+++ b/src/test/resources/keytypes/ed25519_aes256cbc.pem.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ8ww4hJG/gHJYdkjTTBDF1GNz+228nuWprPV+NbQauA ajvanerp@Heimdall.local
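Review bot: Both new tests exercise only the correct passphrase, so nothing here pins what happens when the AES-256-CBC key is opened with a wrong one. Since CBC decryption with a bad key may simply yield garbage rather than a cipher error, a negative test is worth adding: call the loader on `ed25519_aes256cbc.pem` with a different password and assert that loading fails with an exception instead of returning a key. The new helper `checkOpenSSHKeyV1` continues past the end of this hunk, so its assertions are not visible here.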
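Review bot: The comment field of the committed public key, `ajvanerp@Heimdall.local`, publishes a developer's local account name and workstation hostname in the repository. It has no effect on the test, so the fixture is better regenerated or edited with a neutral comment such as `sshj-test-key`. It is also worth stating next to the fixture that this key pair exists only for tests and must never be authorized on a real host, since its passphrase is in the test source.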