

Fix: if the client knows CA key, it should send host key algo proposal for certificates
vladimirlagunov committed Oct 13, 2021
1 parent 3256f53 commit d68f27b
Showing 2 changed files with 20 additions and 2 deletions.
Expand Up @@ -90,7 +90,13 @@ class KeyWithCertificateSpec extends IntegrationBaseSpec {
and:
def config = new DefaultConfig()
config.keyAlgorithms = config.keyAlgorithms.stream()
.filter { it.name == hostKeyAlgo }
.filter {
// This filter is added only because the current integration test infrastructure doesn't allow
// to spawn different sshd on the fly. In reality, few users would specify key algorithms
// explicitly.
// The filter let a bug pass through the tests. Now the filter is as broad as possible.
it.name == hostKeyAlgo || !it.name.contains("cert")
}
.collect(Collectors.toList())
SSHClient sshClient = new SSHClient(config)
sshClient.addHostKeyVerifier(new OpenSSHKnownHosts(knownHosts))
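Review bot: The explanatory comment in the new filter is hard to read (`doesn't allow to spawn`, `The filter let a bug pass through`) and never states what the new predicate guarantees: it keeps every non-certificate algorithm plus the single certificate algorithm under test, so the only certificate type the client can negotiate is `hostKeyAlgo`. I would reword it along the lines of `// Keep every plain host key algorithm and only the one certificate algorithm under test. The previous filter kept just hostKeyAlgo, which hid the bug where no certificate algorithms were proposed for CA-signed hosts; the itest infrastructure cannot spawn a differently configured sshd per case.` Matching on `it.name.contains("cert")` is a string heuristic over algorithm names; that is acceptable in a test, but the comment should say the heuristic is intentional. The feature method enclosing this `and:` block starts and ends outside the hunk.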
Expand Up @@ -138,7 +138,19 @@ public List<String> findExistingAlgorithms(String hostname, int port) {
for (KnownHostEntry e : entries) {
try {
if (e.appliesTo(adjustedHostname)) {
knownHostAlgorithms.add(e.getType().toString());
final KeyType type = e.getType();
if (e instanceof HostEntry && ((HostEntry) e).marker == Marker.CA_CERT) {
// Only the CA key type is known, but the type of the host key is not.
// Adding all supported types for keys with certificates.
for (final KeyType candidate : KeyType.values()) {
if (candidate.getParent() != null) {
knownHostAlgorithms.add(candidate.toString());
}
}
}
else {
knownHostAlgorithms.add(type.toString());
}
}
} catch (IOException ioe) {
}
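Review bot: The certificate-type selection on the new lines uses `candidate.getParent() != null` as a proxy for "is a certificate key type", and nothing at the call site says so; if `KeyType` ever gains a non-certificate type with a parent it would silently be proposed for every `@cert-authority` host. I would make the intent explicit with a comment such as `// KeyType.getParent() is non-null only for certificate types (the parent is the plain key type) — confirm against KeyType`, or better a small `isCertificateType()` helper on `KeyType`. When several `@cert-authority` entries match the same host the whole set is added once per entry; if `knownHostAlgorithms` is a `List` rather than a `Set` (its declaration is outside the hunk) the proposal will carry duplicates, so a `boolean certTypesAdded` flag checked before the loop would avoid that. The pre-existing empty `catch (IOException ioe)` on the following lines still hides malformed entries, which now matters more because this list drives host key algorithm negotiation; at least log the entry that failed. `findExistingAlgorithms` begins and ends outside the hunk.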
