* Fix RSA certificate key determination.
Fixes#599.
* Correct serialization of RSA certificates with unlimited dates.
* The test for connecting with RSA certificate.
* Remove redundant change in TransportImpl.java
* Add forgotten test keys.
* Make net.schmizz.sshj.common.KeyType.CertUtils.epochFromDate readable.
Co-authored-by: Vladimir Lagunov <vladimir.lagunov@jetbrains.com>
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
* Fix matching of pubkeys to key algorithms
Allow all configured key algorithms for pubkey authentication, even if
these algorithms are not supported as host key algorithms by the
server.
Preference is given to the modern rsa-sha2-* signature algorithms if
the server indicates support for them as host keys signature
algorithms.
* Replace Boolean with primitive boolean
* Add integration tests for ecdsa-sha2-nistp384/521
* Remove redundant import
* Clean up Transport interface
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
SignatureECDSA.encode() does not correctly handle signatures longer
than 128 bytes, which affects signatures using the nistp521 curve.
This commits fixes the issue by replacing the ad-hoc ASN.1 DER
parsing with a use of ASN1InputStream.
Some SSH servers will not honor the negotiated rsa-sha2-256 algorithms
if the client does not indicate support for SSH_MSG_EXT_INFO messages.
Since we only need to accept these messages, but are free to ignore
their contents, adding support amounts to sending "ext-info-c" with our
kex algorithm proposal.
* Don't specify JcaPEMKeyConverter provider as null
If no provider is set in the `SecurityUtils`, no named provider should be set for the `JcaPEMKeyConverter` as this would cause a `missing provider` exception.
* Don't specify JcePEMDecryptorProviderBuilder provider as null
If no provider is set in the `SecurityUtils`, no named provider should be set for the `JcePEMDecryptorProviderBuilder` as this would cause a missing provider exception. This currently breaks `PKCS8KeyFile` if `SecurityUtils.setSecurityProvider(null)` and `SecurityUtils.setRegisterBouncyCastle(false)` is used.
* Make KeyType compatible with Android Keystore
Android Keystore private keys do not implement PrivateKey since the
raw key material is not available to applications.
With this commit, sshj's KeyType correctly detects the algorithm
associated with Android Keystore keys, which makes them usable for SSH
authentication.
* Extract RSA, DSA, ECDSA and EC into constants
* Fix license lint issue
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
* Add pwdf retry logic to OpenSSHKeyV1KeyFile
While PKCS8KeyFile uses PasswordFinder's shouldRetry to determine
whether it should call reqPassword again if decryption of they key file
fails, OpenSSHKeyV1KeyFile simply gives up and throws an exception.
With this commit, retry logic similar to that of PKCS8KeyFile is added
to OpenSSHKeyV1KeyFile. The PasswordFinder's reqPassword is called
again if the validation of the "checkint" fails, which indicates an
incorrect passphrase.
* Use new exception to signal incorrect passphrase
* Throw common exception on key decryption failure
* Add test coverage for retry logic
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
* Added comment field in HostEntry for end-of-line comments in known_hosts file.
* Also modified the getLine() method to return the comment, if it exists.
* Fixed implementation
* Add CODEOWNERS file
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
* Forgive redundant spaces in OpenSSHv2 public keys and known_hosts
Sometimes users copy-pastes private and public keys in text editors. It leads to redundant spaces
and newlines. OpenSSH can easily read such keys, so users expect from SSHJ the same.
* Fixed bugs in OpenSSH key file and known_hosts parsers
* OpenSSHKnownHosts should not throw errors while parsing corrupted records
