From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KARAF-5809) 'simple' host.key files no longer work
Date Thu, 12 Jul 2018 04:27:00 GMT

    [ https://issues.apache.org/jira/browse/KARAF-5809?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16541111#comment-16541111
] 

ASF GitHub Bot commented on KARAF-5809:
---------------------------------------

jbonofre closed pull request #543: [KARAF-5809] fallback for 'simple' host.key
URL: https://github.com/apache/karaf/pull/543
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/keygenerator/OpenSSHKeyPairProvider.java
b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/keygenerator/OpenSSHKeyPairProvider.java
index 78a458d6dc..0e6265bfb5 100644
--- a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/keygenerator/OpenSSHKeyPairProvider.java
+++ b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/keygenerator/OpenSSHKeyPairProvider.java
@@ -23,8 +23,10 @@
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
+import java.io.ObjectInputStream;
 import java.security.GeneralSecurityException;
 import java.security.KeyPair;
+import java.security.spec.InvalidKeySpecException;
 
 import org.apache.commons.ssl.PKCS8Key;
 import org.apache.sshd.common.keyprovider.AbstractKeyPairProvider;
@@ -58,6 +60,15 @@ public OpenSSHKeyPairProvider(File keyFile, String algorithm, int keySize)
{
             cachedKey = kp;
             return singleton(kp);
         } catch (Exception e) {
+            LOGGER.warn("Failed to parse keypair in {}. Attempting to parse it as a legacy
'simple' key", keyFile);
+            try {
+                KeyPair kp = convertLegacyKey(keyFile);
+                LOGGER.info("Successfully loaded legacy simple key. Converted to PEM format");
+                cachedKey = kp;
+                return singleton(kp);
+            } catch (Exception nested) {
+                LOGGER.warn(keyFile+" is not a 'simple' key either",nested);
+            }
             throw new RuntimeException(e);
         }
     }
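Review bot: The nested-failure log at `LOGGER.warn(keyFile+" is not a 'simple' key either",nested);` builds the message by string concatenation while the line just above it in the same hunk uses the parameterized form; `LOGGER.warn("{} is not a 'simple' key either", keyFile, nested);` keeps the style uniform and still attaches the stack trace (SLF4J treats a trailing Throwable as the exception). Note also that the outer `catch (Exception e)` hands every failure to the legacy fallback, including plain I/O errors, although the warning text calls it a parse failure; reading `e` before deciding to fall back, or wording the message as "Failed to load keypair", would make the log accurate. The method this hunk patches begins before the hunk starts.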
@@ -67,7 +78,20 @@ private KeyPair getKeyPair(FileInputStream is) throws GeneralSecurityException,
         KeyPair kp = new KeyPair(pkcs8.getPublicKey(), pkcs8.getPrivateKey());
         return kp;
     }
-    
+
+
+    private KeyPair convertLegacyKey(File keyFile) throws GeneralSecurityException, IOException
{
+        KeyPair keypair = null;
+        try (ObjectInputStream r = new ObjectInputStream(new FileInputStream(keyFile))) {
+            keypair = (KeyPair)r.readObject();
+        }
+        catch (ClassNotFoundException e) {
+            throw new InvalidKeySpecException("Missing classes: " + e.getMessage(), e);
+        }
+        new PemWriter(keyFile).writeKeyPair(algorithm, keypair);
+        return keypair;
+    }
+
     private void createServerKey() {
         try {
             LOGGER.info("Creating ssh server key at " + keyFile);
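Review bot: `convertLegacyKey` feeds the host.key file to `ObjectInputStream.readObject()` without an `ObjectInputFilter`, and it is reached for any file that fails PEM parsing, so whatever bytes sit in that file are handed to Java native deserialization before the `(KeyPair)` cast is checked. On Java 9+ a filter restricting the stream to `java.security.KeyPair` and the provider key classes, with `!*` rejecting everything else, bounds this; on a Java 8 runtime the public filter API is not available, which is worth a comment on the method if that is the target. Separately, `new PemWriter(keyFile).writeKeyPair(algorithm, keypair)` overwrites the only copy of the host key in place, so a failure mid-write leaves the server with no usable key; writing to a sibling temp file and moving it over `keyFile` with `Files.move(..., ATOMIC_MOVE)` would make the conversion safe to interrupt. The enclosing class continues outside the hunk.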
diff --git a/shell/ssh/src/test/java/org/apache/karaf/shell/ssh/keygenerator/OpenSSHGeneratorKeyFileProviderTest.java
b/shell/ssh/src/test/java/org/apache/karaf/shell/ssh/keygenerator/OpenSSHGeneratorKeyFileProviderTest.java
index ef02e98b99..c6d7d19657 100644
--- a/shell/ssh/src/test/java/org/apache/karaf/shell/ssh/keygenerator/OpenSSHGeneratorKeyFileProviderTest.java
+++ b/shell/ssh/src/test/java/org/apache/karaf/shell/ssh/keygenerator/OpenSSHGeneratorKeyFileProviderTest.java
@@ -19,15 +19,19 @@
 package org.apache.karaf.shell.ssh.keygenerator;
 
 import java.io.File;
+import java.nio.file.Files;
 import java.security.KeyPair;
 import java.security.interfaces.RSAPrivateCrtKey;
+import java.util.List;
 
+import org.apache.commons.ssl.PKCS8Key;
 import org.apache.sshd.common.config.keys.KeyUtils;
+import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;
 import org.junit.Assert;
 import org.junit.Test;
 
 public class OpenSSHGeneratorKeyFileProviderTest {
-    
+
     @Test
     public void writeSshKey() throws Exception {
         File temp = File.createTempFile(this.getClass().getCanonicalName(), ".pem");
@@ -42,5 +46,32 @@ public void writeSshKey() throws Exception {
         Assert.assertNotNull(keys);
         Assert.assertTrue("Loaded key is not RSA Key", keys.getPrivate() instanceof RSAPrivateCrtKey);
     }
-    
+
+    @Test
+    public void convertSimpleKey() throws Exception {
+        File temp = File.createTempFile(this.getClass().getCanonicalName(), ".pem");
+        temp.deleteOnExit();
+
+        SimpleGeneratorHostKeyProvider simpleGenerator = new SimpleGeneratorHostKeyProvider(temp);
+        simpleGenerator.setKeySize(2048);
+        simpleGenerator.setAlgorithm("DSA");
+        List<KeyPair> keys = simpleGenerator.loadKeys();
+        KeyPair simpleKeyPair = keys.stream().findFirst().get();
+
+        Assert.assertEquals("DSA", simpleKeyPair.getPrivate().getAlgorithm());
+
+        OpenSSHKeyPairProvider provider = new OpenSSHKeyPairProvider(temp, "DSA", 2048);
+        KeyPair convertedKeyPair = provider.loadKeys().iterator().next();
+        Assert.assertEquals("DSA", convertedKeyPair.getPrivate().getAlgorithm());
+
+        Assert.assertArrayEquals(simpleKeyPair.getPrivate().getEncoded(),convertedKeyPair.getPrivate().getEncoded());
+        Assert.assertArrayEquals(simpleKeyPair.getPublic().getEncoded(),convertedKeyPair.getPublic().getEncoded());
+
+        //also test that the original file has been replaced
+        PKCS8Key pkcs8 = new PKCS8Key(Files.newInputStream(temp.toPath()), null );
+        KeyPair keyPair = new KeyPair(pkcs8.getPublicKey(), pkcs8.getPrivateKey());
+        Assert.assertArrayEquals(simpleKeyPair.getPrivate().getEncoded(),keyPair.getPrivate().getEncoded());
+
+    }
+
 }
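Review bot: The stream opened at `new PKCS8Key(Files.newInputStream(temp.toPath()), null );` is never closed by the test; wrapping it as `try (InputStream in = Files.newInputStream(temp.toPath())) { PKCS8Key pkcs8 = new PKCS8Key(in, null); ... }` avoids holding the temp file open until the JVM exits (which on Windows also blocks `deleteOnExit`). `keys.stream().findFirst().get()` is an unchecked `Optional.get()`; asserting `Assert.assertFalse(keys.isEmpty())` and then using `keys.get(0)` gives a clearer failure than a `NoSuchElementException` if the generator writes nothing. Whether `SimpleGeneratorHostKeyProvider` regenerates when handed the empty file `createTempFile` creates is not visible here, so the test's precondition is worth one comment.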


 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> 'simple' host.key files no longer work
> --------------------------------------
>
>                 Key: KARAF-5809
>                 URL: https://issues.apache.org/jira/browse/KARAF-5809
>             Project: Karaf
>          Issue Type: Bug
>          Components: karaf-shell
>    Affects Versions: 4.2.0
>            Reporter: Johannes Utzig
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>             Fix For: 4.2.1
>
>
> It seems that with KARAF-5286 support for the 'simple' host key format was removed.
> If one tries to connect to a karaf instance that still has a 'simple' host.key, it produces
this exception:
> org.apache.commons.ssl.ProbablyNotPKCS8Exception: asn1 parse failure: java.io.IOException:
DER length more than 4 bytes
> It seems that in this case the SSH server generates a new key in memory without persisting
it which means that on each start the client will see a new SSH fingerprint.
> I would like to submit a pull request that falls back to the old format in case the file
is not a valid PEM. If that's successful it would replace the host.key with a PEM version
of that keypair.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
