author | Fabian Henneke <FabianHenneke@users.noreply.github.com> | 2020-08-17 21:58:04 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-08-18 01:28:04 +0530 |
commit | 14e3754ef33ea0446644d38b3cc0bb812b3ad7dd (patch) | |
tree | 3a4163a3d7ce6e2ec79e52de3a6dd8be64022703 /app/src/main/java | |
parent | 82ae0a8629a42bc169b4b1993bc8257457703e3f (diff) |
Update sshj to 0.30.0 and improve algorithm order (#1026)
Updates sshj to 0.30.0, which brings support for rsa-sha2-* key types
and bugfixes related to RSA certificates and Android Keystore backed
keys.
Along the way, this improves the algorithm preferences to be consistent
with the Mozilla Intermediate SSH configuration (as far as possible,
given that most certificate types and some encryption algorithms are
not yet supported).
We also add "ext-info-c" to the kex algorithm proposal to work around
certain kinds of "user agent sniffing" that limits the support of
rsa-sha2-* key types.
Diffstat (limited to 'app/src/main/java')
-rw-r--r-- | app/src/main/java/com/zeapo/pwdstore/git/config/SshjConfig.kt | 37 |
1 files changed, 20 insertions, 17 deletions
diff --git a/app/src/main/java/com/zeapo/pwdstore/git/config/SshjConfig.kt b/app/src/main/java/com/zeapo/pwdstore/git/config/SshjConfig.kt
index 1ea0359c..6c409329 100644
--- a/app/src/main/java/com/zeapo/pwdstore/git/config/SshjConfig.kt
+++ b/app/src/main/java/com/zeapo/pwdstore/git/config/SshjConfig.kt
@@ -6,17 +6,15 @@ package com.zeapo.pwdstore.git.config
 import com.github.ajalt.timberkt.Timber
 import com.github.ajalt.timberkt.d
-import com.hierynomus.sshj.signature.SignatureEdDSA
+import com.hierynomus.sshj.key.KeyAlgorithms
 import com.hierynomus.sshj.transport.cipher.BlockCiphers
+import com.hierynomus.sshj.transport.kex.ExtInfoClientFactory
 import com.hierynomus.sshj.transport.mac.Macs
 import com.hierynomus.sshj.userauth.keyprovider.OpenSSHKeyV1KeyFile
 import java.security.Security
 import net.schmizz.keepalive.KeepAliveProvider
 import net.schmizz.sshj.ConfigImpl
 import net.schmizz.sshj.common.LoggerFactory
-import net.schmizz.sshj.signature.SignatureECDSA
-import net.schmizz.sshj.signature.SignatureRSA
-import net.schmizz.sshj.signature.SignatureRSA.FactoryCERT
 import net.schmizz.sshj.transport.compression.NoneCompression
 import net.schmizz.sshj.transport.kex.Curve25519SHA256
 import net.schmizz.sshj.transport.kex.Curve25519SHA256.FactoryLibSsh
@@ -202,7 +200,7 @@ class SshjConfig : ConfigImpl() {
 version = "OpenSSH_8.2p1 Ubuntu-4ubuntu0.1"
 initKeyExchangeFactories()
- initSignatureFactories()
+ initKeyAlgorithms()
 initRandomFactory()
 initFileKeyProviderFactories()
 initCipherFactories()
@@ -218,17 +216,22 @@ class SshjConfig : ConfigImpl() {
 ECDHNistP.Factory384(),
 ECDHNistP.Factory256(),
 DHGexSHA256.Factory(),
+ // Sends "ext-info-c" with the list of key exchange algorithms. This is needed to get
+ // rsa-sha2-* key types to work with some servers (e.g. GitHub).
+ ExtInfoClientFactory(),
 )
 }
- private fun initSignatureFactories() {
- signatureFactories = listOf(
- SignatureEdDSA.Factory(),
- SignatureECDSA.Factory256(),
- SignatureECDSA.Factory384(),
- SignatureECDSA.Factory521(),
- SignatureRSA.Factory(),
- FactoryCERT(),
+ private fun initKeyAlgorithms() {
+ keyAlgorithms = listOf(
+ KeyAlgorithms.SSHRSACertV01(),
+ KeyAlgorithms.EdDSA25519(),
+ KeyAlgorithms.RSASHA512(),
+ KeyAlgorithms.RSASHA256(),
+ KeyAlgorithms.ECDSASHANistp521(),
+ KeyAlgorithms.ECDSASHANistp384(),
+ KeyAlgorithms.ECDSASHANistp256(),
+ KeyAlgorithms.SSHRSA(),
 )
 }
@@ -249,18 +252,18 @@ class SshjConfig : ConfigImpl() {
 private fun initCipherFactories() {
 cipherFactories = listOf(
- BlockCiphers.AES128CTR(),
- BlockCiphers.AES192CTR(),
 BlockCiphers.AES256CTR(),
+ BlockCiphers.AES192CTR(),
+ BlockCiphers.AES128CTR(),
 )
 }
 private fun initMACFactories() {
 macFactories = listOf(
- Macs.HMACSHA2256(),
+ Macs.HMACSHA2512Etm(),
 Macs.HMACSHA2256Etm(),
 Macs.HMACSHA2512(),
- Macs.HMACSHA2512Etm(),
+ Macs.HMACSHA2256(),
 )
 } |
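Review bot: The new `keyAlgorithms` list in `initKeyAlgorithms()` carries no comment explaining why `KeyAlgorithms.SSHRSACertV01()` leads the proposal and why the SHA-1-based `KeyAlgorithms.SSHRSA()` is kept at the tail, although the commit message ties the order to the Mozilla Intermediate profile and to sshj not yet offering rsa-sha2-* certificate variants. Without that rationale next to the list, a later edit can silently move `KeyAlgorithms.SSHRSA()` back ahead of the rsa-sha2-* entries and reintroduce SHA-1 signatures, which this commit exists to avoid. I would add above `keyAlgorithms = listOf(`: `// Preference order follows the Mozilla Intermediate SSH profile as far as sshj allows: the ssh-rsa certificate type is listed first only because sshj has no rsa-sha2-* certificate variants yet, and plain ssh-rsa (SHA-1) stays last purely as a fallback for servers that do not offer rsa-sha2-*.` The cipher and MAC hunks below make the same kind of ordering change without a comment; a one-liner such as `// Strongest first; ETM MACs ahead of their non-ETM counterparts.` would record the intent there too. Note that the first hunk cuts into the middle of `initKeyExchangeFactories()`, whose start is outside the diff.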