From a0d7b7fd41afb0798b7c7c9ef44d21f034543b06 Mon Sep 17 00:00:00 2001
From: Pavel Dionisev
Date: Tue, 25 Aug 2020 14:23:46 +0100
Subject: [PATCH] Avoid key lleakage. (#627)

In some cases, current code will leak parts or even the whole ssh key if it's slightly malformed. One example of that malformation will be a key, where all newlines are replaced by other character, thus turning a multiline key to a single big string. Then that whole line will be leaked to exception message.
---
 .../net/schmizz/sshj/userauth/keyprovider/PKCS5KeyFile.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/main/java/net/schmizz/sshj/userauth/keyprovider/PKCS5KeyFile.java b/src/main/java/net/schmizz/sshj/userauth/keyprovider/PKCS5KeyFile.java
index fe8eb9f58..a88b1b9a1 100644
--- a/src/main/java/net/schmizz/sshj/userauth/keyprovider/PKCS5KeyFile.java
+++ b/src/main/java/net/schmizz/sshj/userauth/keyprovider/PKCS5KeyFile.java
@@ -99,7 +99,7 @@ protected KeyPair readKeyPair()
 } else if ("DSS".equals(s)) {
 type = KeyType.DSA;
 } else {
- throw new FormatException("Unrecognized PKCS5 key type: " + s);
+ throw new FormatException("Unrecognized PKCS5 key type");
 }
 } else {
 throw new FormatException("Bad header; possibly PKCS8 format?");
@@ -109,12 +109,12 @@ protected KeyPair readKeyPair()
 } else if (type != null) {
 if (line.startsWith("Proc-Type: ")) {
 if (!"4,ENCRYPTED".equals(line.substring(11))) {
- throw new FormatException("Unrecognized Proc-Type: " + line.substring(11));
+ throw new FormatException("Unrecognized Proc-Type");
 }
 } else if (line.startsWith("DEK-Info: ")) {
 int ptr = line.indexOf(",");
 if (ptr == -1) {
- throw new FormatException("Unrecognized DEK-Info: " + line.substring(10));
+ throw new FormatException("Unrecognized DEK-Info");
 } else {
 String algorithm = line.substring(10, ptr);
 if ("DES-EDE3-CBC".equals(algorithm)) {
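Review bot: The three shortened `FormatException` messages (the key-type branch in this hunk, and the Proc-Type and DEK-Info branches in the next one) carry no hint of why the parsed value was dropped, so a later change made for easier debugging could put the concatenation back. A one-line comment at each throw would pin the intent, e.g. `// Deliberately omit the parsed value: for a malformed key file it may contain private key material.` No test is visible in this patch; a regression test that loads a key whose newlines were replaced and asserts that the exception message contains none of the key body would guard the same property. The body of readKeyPair starts and ends outside the hunk.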
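Review bot: `algorithm` is still cut from the same untrusted line by `line.substring(10, ptr)`, and the branch that handles an unsupported cipher lies outside this hunk, so it is not covered by the visible change. If that branch puts `algorithm` into its message, everything between `DEK-Info: ` and the first comma of a malformed line would still reach the exception text; it should then get the same treatment, e.g. `throw new FormatException("Unsupported DEK-Info algorithm");`. Any caller that logs `FormatException` messages inherits whatever these strings contain, so the remaining throw sites in readKeyPair are worth checking for the same pattern.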