- Added KeyDerivationFunction interface for PuTTY Key Files
- Moved Argon2 Key Derivation to Version 3 implementation class to separate Bouncy Castle dependency references
- Replaced Bouncy Castle Hex references with ByteArrayUtils
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
- Bouncy Castle provides Ed25519 support using standard Java Security classes
- Removed net.i2p.crypto:eddsa:0.3.0 dependency
- Removed Ed25519PublicKey extension of EdDSAPublicKey class from eddsa library
- Added Ed25519KeyFactory for generating Java PublicKey and PrivateKey objects from raw encoded key byte arrays
- Refactored key parsing to use Ed25519KeyFactory
- Refactored SignatureEdDSA to use Java Signature class with Ed25519
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
- Replaced Bouncy Castle PKCS8 parsing with Java Security components and hierynomus ASN.1
- Added PEMKeyReader with separate implementation for historical OpenSSL password-based encryption using Bouncy Castle components
- Added class-based detection of support for historical encryption for optional use of Bouncy Castle components
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
- Removed unnecessary addition of Bouncy Castle Provider from several tests
- Replaced Bouncy Castle Hex.toHexString() with SSHD BufferUtils.toHex()
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
* Upgraded Gradle to 8.12.1 and other dependencies
- Upgraded Bouncy Castle from 1.78.1 to 1.80
- Upgraded Apache SSHD from 2.12.1 to 2.14.0
- Upgraded SLF4J from 2.0.13 to 2.0.16
- Upgraded Logback from 1.3.14 to 1.3.15
- Upgraded Testcontainers from 1.19.8 to 1.20.4
* Upgraded github-info plugin from 1.5.0 to 2.0.0
* Upgraded Gradle Wrapper scripts for 8.12.1
---------
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
- Modified Curve25519 negotiation to determine algorithm identifier length based on PublicKey.getEncoded() length instead of hard-coded value of 44
- Runtime length determination avoids differences in X25519 implementations on Java 11
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
- Upgraded Bouncy Castle from 1.78 to 1.78.1
- Upgraded SLF4J from 2.0.7 to 2.0.13
- Upgraded SSHD from 2.10.0 to 2.12.1
- Upgraded Logback from 1.3.8 to 1.3.14
- Upgraded Testcontainers from 1.18.3 to 1.19.8
- Upgraded setup-java action to version 4
- Upgraded checkout action to version 4
* Fix for issue #910: Bad packet received by server when hearbeat is enabled
* Address re-keying case too
---------
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
Bouncy Caste version before 1.78 have
CVE-2024-29857 - Importing an EC certificate with specially crafted F2m parameters can cause high CPU usage during parameter evaluation.
Is sshj impacted by this vulnerability?
* Wrap IllegalArgumentException thrown by Base64 decoder
Some time ago, there had been `net.schmizz.sshj.common.Base64`. This class used to throw `IOException` in case of any problem. Although `IOException` isn't an appropriate class for indicating on parsing issues, a lot of code has been expecting `IOException` from Base64.
Once, the old Base64 decoder was replaced with the one, bundled into Java 14 (see f35c2bd4ce). Copy-paste elimination and switching to standard implementations is undoubtedly a good decision.
Unfortunately, `java.util.Base64.Decoder` brought a pesky issue. It throws `IllegalArgumentException` in case of any problem. Since it is an unchecked exception, it was quite challenging to notice it. It's especially challenging because the error appears during processing malformed base64 strings. So, a lot of places in the code kept expecting `IOException`. Sudden `IllegalArgumentException` led to authentication termination in cases where everything used to work perfectly.
One of such issues is already found and fixed: 03f8b2224d
This commit represents a work, based on revising every change made in f35c2bd4ce. It should fix all other similar issues.
* squash! Wrap IllegalArgumentException thrown by Base64 decoder
Rename Base64DecodeError -> Base64DecodingException
* squash! Wrap IllegalArgumentException thrown by Base64 decoder
A better warning message in KnownHostMatchers
* squash! Wrap IllegalArgumentException thrown by Base64 decoder
A better error message in OpenSSHKeyFileUtil
* squash! Wrap IllegalArgumentException thrown by Base64 decoder
A better error message in OpenSSHKeyV1KeyFile
* squash! Wrap IllegalArgumentException thrown by Base64 decoder
Get rid of unnecessary `throws IOException` in Base64Decoder
* squash! Wrap IllegalArgumentException thrown by Base64 decoder
Better error messages in OpenSSHKeyFileUtil and PuTTYKeyFile
* adds fallback to posix-rename@openssh.com extension if possible and communicates possible problems with flags to the developer
* Adds '{}' around if/else statements
* adds basic tests for file rename
* fix comments
* fixes indentation
* adds helper methods to make existing sftp rename tests more concise
* adds basic test for atomic rewrite
* adds possibility to request a specific client version (e.g. for testing purposes)
* adds testcases for SFTP rename flags fallback behaviour
* refactoring to make SFTPEngine.init(int requestedVersion) protected
---------
Co-authored-by: Florian Klemenz <florian.klemenz@fau.de>
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
* Add ChaCha20-Poly1305 Support for OpenSSH Keys
- Updated ChachaPolyCipher to support decryption without Additional Authenticated Data
* Added test for ChachaPolyCipher without AAD
* Streamlined ChachaPolyCipher.update() method
* Added DefaultSecurityProviderConfig with Bouncy Castle disabled
* Upgrade test to junit jupiter
---------
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
