* full support for encrypted PuTTY v3 files (Argon2 library not included)
* simplified the PuTTYKeyDerivation interface and provided an abstract PuTTYArgon2 class for an easy Argon2 integration
* use Argon2 implementation from Bouncy Castle
* missing license header added
* license header again
* unit tests extended to cover all Argon2 variants and non-standard Argon2 parameters; verify the loaded keys
* Enable renaming with flags
The SFTP protocol allows to rename files by specifying
extra flags:
- OVERWRITE
- ATOMIC
- NATIVE
The flags are exposed through a new RenameFlags enum and
can be passed as parameters to the rename() method in
SFTPClient/SFTPEngine.
Relates to #563
* Update RenameFlags.java
* Update RenameFlags.java
* Align license header with all other files
* Make RenameFlags parameter in line with OpenMode(s)
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
* Update OpenSSH Key V1 parsing using CRT information for RSA Private Keys
* Remove unndeeded BC call.
Signed-off-by: Jeroen van Erp <jeroen@hierynomus.com>
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
* Prefer known algorithm for known host
(#642, #635... 10? issues)
Try to find the Algorithm that was used when a known_host
entry was created and make that the first choice for the
current connection attempt.
If the current connection algorithm matches the
algorithm used when the known_host entry was created
we can get a fair verification.
* Add support for multiple matching hostkeys, in configuration order
Co-authored-by: Bernie Day <bday@jvncomm.com>
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
* Support v3 PuTTY keys
* add test for putty v3 key
* Format PuTTYKeyFile to fix Codacy warnings
Signed-off-by: Jeroen van Erp <jeroen@hierynomus.com>
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
* Handle @cert-authority in known_hosts.
* Fix ClassCastException when receiving an ECDSA-CERT host key.
* Mention what exactly is not negotiated.
* Verify host key certificates during key exchange.
* Unit and integration tests for host key verification.
* Show sshd logs when integration test finishes.
* Review fixes: extract to private method, change strings.
* Add key types for ECDSA and ED25519 with certificates to implement publickey auth with that keys.
* Read public key certificates in OpenSSHKeyV1KeyFile.
* Fix ClassCastException in ECDSAVariationsAdapter.isECKeyWithFieldSize.
* Introduce an integration test for publickey auth with certificates.
* Refactor: merge copy-paste from OpenSshKey*File.java into an util class.
* Add the license to KeyWithCertificateSpec.groovy
* Add the license to OpenSSHKeyFileUtil.java
* Support writing unsigned integers to buffer, this is required to support channel ids greater than Integer.MAX_VALUE
fixeshierynomus/sshj#690
* Fix incorrect test
* Fix indentation to make codacy happy
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
- Added an override for copy method, allowing the user to specify whether preserve flag is used in the SCP command.
- Propagated the preserveTime boolean to process method to skip preserveTimeIfPossible when it's not desired
* Support ED25519 PuTTY keys.
Fix#659
* PuTTYKeyFile: Use net.schmizz.sshj.common.Buffer instead of own KeyReader.
A tiny refactoring made in order to allow usage of other utility methods which require Buffer.
* Support ECDSA PuTTY keys.
* Some code cleanup
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
* Loop through security providers to check for BC
Instead of only counting BouncyCastle as being registered if it
is set as the explicit security provider used by SSHJ, count it as
registered if it is available as a provider.
This commit improves Android compatibility, which requires not
specifying an explicit provider.
* Generify BC-specific curve specifiers
The ECNamendCurveGenParameterSpec is a BC-specific workaround for
missing curve tables in Java 1.4 and earlier. For the sake of Android
compatibility, where Conscrypt can't deal with this custom spec class,
replace it with the standard ECGenParameterSpec and update the curve
names to the standard identifiers.
* Implement AES-GCM cipher support
Fixes#217.
A port of AES-GCM cipher support from Apache MINA-SSHD, based on https://github.com/apache/mina-sshd/pull/132.
Included tests for decoding SSH packets sent from Apache MINA-SSHD and OpenSSH (Version 7.9p1 as used by Debian 10).
Manual tests also done on OpenSSH server 7.9p1 running Debian 10 with its available ciphers, including 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com and aes256-gcm@openssh.com.
* Changes per PR feedback
- Fixed variable/statement whitespaces and add back missing braces per coding standard requirement
- Moved Buffer.putLong() and Buffer.getLong() into GcmCipher.CounterGCMParameterSpec since it's the only user
- Moved BaseCipher.authSize into GcmCipher since it is the only cipher that would return a non-zero. BaseCipher will keep return 0 instead
- Made BaseCipher.cipher protected instead of making it publicly accessible
- Combined the three decoding modes in Decoder.decode() into one single method, to reduce code duplication
- Added integration test for the ciphers, along with the newly implemented AES-GCM ciphers
