Apache MINA sshd client: enable support for ed25519 keys 18/132718/4
authorThomas Wolf <thomas.wolf@paranor.ch>
Mon, 19 Nov 2018 22:11:13 +0000 (23:11 +0100)
committerThomas Wolf <thomas.wolf@paranor.ch>
Sun, 2 Dec 2018 10:43:13 +0000 (11:43 +0100)
Include the net.i2p.crypto.eddsa bundle via a hard dependency.

Add tests for dealing with ed25519 host keys and user key files.

Manual tests: fetching from git.eclipse.org with an ed25519 user key,
and pushing this change itself using the same ed25519 key.

Note that sshd 2.0.0 does not yet support encrypted ed25519 private
keys.

Bug: 541272
Change-Id: I7072f4014d9eca755b4a2412e19c086235e5eae9
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
WORKSPACE
lib/BUILD
org.eclipse.jgit.packaging/org.eclipse.jgit.ssh.apache.feature/feature.xml
org.eclipse.jgit.ssh.apache.test/BUILD
org.eclipse.jgit.ssh.apache.test/META-INF/MANIFEST.MF
org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java
org.eclipse.jgit.ssh.apache/BUILD
org.eclipse.jgit.ssh.apache/META-INF/MANIFEST.MF
org.eclipse.jgit.ssh.apache/pom.xml
org.eclipse.jgit.test/src/org/eclipse/jgit/transport/ssh/SshTestBase.java

index 66bdd67cb2bfe2a58356249a6eac827ec705806e..0eabeccbc5a86a4399267dfe79d598b1bd866dd8 100644 (file)
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -22,6 +22,12 @@ load(
     "maven_jar",
 )
 
+maven_jar(
+    name = "eddsa",
+    artifact = "net.i2p.crypto:eddsa:0.3.0",
+    sha1 = "1901c8d4d8bffb7d79027686cfb91e704217c3e1",
+)
+
 maven_jar(
     name = "jsch",
     artifact = "com.jcraft:jsch:0.1.54",
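Review bot: The new `eddsa` entry pins the jar by a SHA-1 digest only (`sha1 = "1901c8d4d8bffb7d79027686cfb91e704217c3e1"`), which is a weak integrity check for a library that provides the signature code for ed25519 SSH keys. If the `maven_jar` rule loaded above accepts a stronger digest, add it here; if it does not, a one-line comment such as `# sha1 is the only digest this rule supports` records that the choice is a tool limit rather than an oversight. The same 0.3.0 version is also set in `pom.xml` (`eddsa-version`) and as the `[0.3.0,0.4.0)` range in the bundle manifest, and the Maven dependency carries no digest in this change, so the three have to be kept in step by hand.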
index 4803466eca9ca78c86ccccecc7d90a36aa03c5a3..0f09c1f87ad06b1a9d91a64bf23f0f004b51d3b4 100644 (file)
--- a/lib/BUILD
+++ b/lib/BUILD
@@ -27,6 +27,15 @@ java_library(
     exports = ["@commons-logging//jar"],
 )
 
+java_library(
+    name = "eddsa",
+    visibility = [
+        "//org.eclipse.jgit.ssh.apache:__pkg__",
+        "//org.eclipse.jgit.ssh.apache.test:__pkg__",
+    ],
+    exports = ["@eddsa//jar"],
+)
+
 java_library(
     name = "gson",
     visibility = [
index b80ff3799c905fc6ddef6be8ee2b71d538ad5d26..2f15de18a4bd92364120b6083b6cb4e38894b673 100644 (file)
          version="0.0.0"
          unpack="false"/>
 
+   <plugin
+         id="net.i2p.crypto.eddsa"
+         download-size="0"
+         install-size="0"
+         version="0.0.0"
+         unpack="false"/>
+
 </feature>
index 3742aff06dfc8841dc030fb7815cf5201aa1d3ee..a13cf0b30f50c3f452567ef5b616ab66889f21f6 100644 (file)
@@ -8,6 +8,7 @@ junit_tests(
     srcs = glob(["tst/**/*.java"]),
     tags = ["sshd"],
     deps = [
+        "//lib:eddsa",
         "//lib:junit",
         "//lib:sshd-core",
         "//lib:sshd-sftp",
index 38dc1906794ee689f88185fdb62b9cd74758de64..b87ef7cffae9e9599e42daeac8578f586ee02ab6 100644 (file)
@@ -8,6 +8,7 @@ Bundle-Vendor: %Provider-Name
 Bundle-RequiredExecutionEnvironment: JavaSE-1.8
 Import-Package: org.eclipse.jgit.internal.transport.sshd.proxy;version="[5.2.0,5.3.0)",
  org.eclipse.jgit.junit;version="[5.2.0,5.3.0)",
+ org.eclipse.jgit.junit.ssh;version="[5.2.0,5.3.0)",
  org.eclipse.jgit.lib;version="[5.2.0,5.3.0)",
  org.eclipse.jgit.transport;version="[5.2.0,5.3.0)",
  org.eclipse.jgit.transport.ssh;version="[5.2.0,5.3.0)",
index 69a9165aa7b0724997420bdde107e5a7b2fa7edb..ee58083a5a357ecf5dee8e30bb7cf5d3e03b591f 100644 (file)
@@ -53,6 +53,7 @@ import org.eclipse.jgit.transport.SshSessionFactory;
 import org.eclipse.jgit.transport.ssh.SshTestBase;
 import org.eclipse.jgit.transport.sshd.SshdSessionFactory;
 import org.eclipse.jgit.util.FS;
+import org.junit.Test;
 import org.junit.experimental.theories.Theories;
 import org.junit.runner.RunWith;
 
@@ -81,4 +82,24 @@ public class ApacheSshTest extends SshTestBase {
                }
        }
 
+       // Using an ed25519 (unencrypted) user key is tested in the super class in
+       // testSshKeys(). sshd 2.0.0 cannot yet read encrypted ed25519 keys.
+
+       @Test
+       public void testEd25519HostKey() throws Exception {
+               File newHostKey = new File(getTemporaryDirectory(), "newhostkey");
+               copyTestResource("id_ed25519", newHostKey);
+               server.addHostKey(newHostKey.toPath(), true);
+               File newHostKeyPub = new File(getTemporaryDirectory(),
+                               "newhostkey.pub");
+               copyTestResource("id_ed25519.pub", newHostKeyPub);
+               createKnownHostsFile(knownHosts, "localhost", testPort, newHostKeyPub);
+               cloneWith("ssh://git/doesntmatter", defaultCloneDir, null, //
+                               "Host git", //
+                               "HostName localhost", //
+                               "Port " + testPort, //
+                               "User " + TEST_USER, //
+                               "IdentityFile " + privateKey1.getAbsolutePath());
+       }
+
 }
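Review bot: `testEd25519HostKey` exercises only the accepting path: the known_hosts file is written from the same `id_ed25519.pub` key pair that the server is given, so the test passes whenever the clone succeeds and never shows that a non-matching ed25519 host key is refused. A companion test that writes a different public key into `knownHosts` and expects the clone to fail would pin down the verification itself; whether `SshTestBase` already covers rejection for other key types is not visible here. The boolean in `server.addHostKey(newHostKey.toPath(), true)` is also unexplained, and a short comment stating what `true` selects would help, since the test presumably relies on the ed25519 key being the one the server presents.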
index d6a145381c56ceff174165540407200278a95e40..a1a6c8e24cf692b4bf7d7e9f37a0ab701a27bbb4 100644 (file)
@@ -10,6 +10,7 @@ java_library(
     resource_strip_prefix = "org.eclipse.jgit.ssh.apache/resources",
     resources = RESOURCES,
     deps = [
+        "//lib:eddsa",
         "//lib:slf4j-api",
         "//lib:sshd-core",
         "//lib:sshd-sftp",
index e5d66536fc25545624e2aa025769e81806b57a68..1246518157e181ec067ffcb5b50312c1d52429dc 100644 (file)
@@ -31,7 +31,8 @@ Export-Package: org.eclipse.jgit.internal.transport.sshd;version="5.2.0";x-inter
    org.eclipse.jgit.util,
    org.apache.sshd.client.session,
    org.apache.sshd.client.keyverifier"
-Import-Package: org.apache.sshd.agent;version="[2.0.0,2.1.0)",
+Import-Package: net.i2p.crypto.eddsa;version="[0.3.0,0.4.0)",
+ org.apache.sshd.agent;version="[2.0.0,2.1.0)",
  org.apache.sshd.client;version="[2.0.0,2.1.0)",
  org.apache.sshd.client.auth;version="[2.0.0,2.1.0)",
  org.apache.sshd.client.auth.keyboard;version="[2.0.0,2.1.0)",
index f9100855efdec2c69d56a9d9c6aa09587c010f0f..366c393e4234f4bec8c7989f5caaf8f1eba7107d 100644 (file)
@@ -63,6 +63,7 @@
   <properties>
     <translate-qualifier/>
     <source-bundle-manifest>${project.build.directory}/META-INF/SOURCE-MANIFEST.MF</source-bundle-manifest>
+    <eddsa-version>0.3.0</eddsa-version>
   </properties>
 
   <dependencies>
       <version>${apache-sshd-version}</version>
     </dependency>
 
+    <dependency>
+      <groupId>net.i2p.crypto</groupId>
+      <artifactId>eddsa</artifactId>
+      <version>${eddsa-version}</version>
+    </dependency>
+
     <dependency>
       <groupId>org.slf4j</groupId>
       <artifactId>slf4j-api</artifactId>
index 92a2fbd27586e578da55cf0f3c55463b1a9a0e73..dde55b6d79bea52003180a0e9b9ca9d133d9a9d5 100644 (file)
@@ -80,6 +80,7 @@ public abstract class SshTestBase extends SshTestHarness {
                        "id_ecdsa_256", //
                        "id_ecdsa_384", //
                        "id_ecdsa_521", //
+                       "id_ed25519", //
                        // And now encrypted. Passphrase is "testpass".
                        "id_dsa_testpass", //
                        "id_rsa_1024_testpass", //
@@ -805,7 +806,8 @@ public abstract class SshTestBase extends SshTestHarness {
                // JSch fails on ECDSA 384/521 keys. Compare
                // https://sourceforge.net/p/jsch/patches/10/
                assumeTrue(!(getSessionFactory() instanceof JschConfigSessionFactory
-                               && (keyName.startsWith("id_ecdsa_384")
+                               && (keyName.contains("ed25519")
+                                               || keyName.startsWith("id_ecdsa_384")
                                                || keyName.startsWith("id_ecdsa_521"))));
                File cloned = new File(getTemporaryDirectory(), "cloned");
                String keyFileName = keyName + "_key";
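Review bot: The comment above the `assumeTrue` still names only ECDSA 384/521, yet the condition now also skips every key whose name contains `ed25519` when the session factory is JSch; the comment should say so, for example `// JSch does not handle ed25519 keys and fails on ECDSA 384/521 keys. Compare` (the reason is presumably missing ed25519 support in the JSch version in use, so confirm before wording it as fact). The new clause uses `keyName.contains("ed25519")` while its neighbours use `startsWith`; `keyName.startsWith("id_ed25519")` would match the list entry added in the earlier hunk and read consistently. Because this is an assumption rather than an assertion, the ed25519 case is reported as skipped for JSch rather than failed, which is worth stating in the comment. The enclosing test method starts and ends outside the hunk.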