From cc9c68b0d1cfa8074334e559ffb75c7c19e0aa47 Mon Sep 17 00:00:00 2001 From: Raymond Lai Date: Sat, 5 Mar 2022 17:46:56 +0800 Subject: [PATCH] Add support for JuiceSSH generated ed25519 keys Reported from https://github.com/TeamAmaze/AmazeFileManager/issues/2976, it was found the key uses aes-128-cbc which is currently not supported by sshj. This change adds support for it. To enable support for this, also eliminated hardcoding byte array size for key and IV, as a result of BCrypt.pbkdf(). --- src/itest/docker-image/authorized_keys | 1 + .../groovy/com/hierynomus/sshj/IntegrationSpec.groovy | 1 + .../resources/keyfiles/id_ed25519_opensshv1_aes128cbc.pem | 3 +++ .../sshj/userauth/keyprovider/OpenSSHKeyV1KeyFile.java | 8 +++++--- .../net/schmizz/sshj/keyprovider/OpenSSHKeyFileTest.java | 6 ++++++ src/test/resources/keytypes/ed25519_aes128cbc.pem | 3 +++ src/test/resources/keytypes/ed25519_aes128cbc.pem.pub | 1 + 7 files changed, 20 insertions(+), 3 deletions(-) create mode 100644 src/itest/resources/keyfiles/id_ed25519_opensshv1_aes128cbc.pem create mode 100644 src/test/resources/keytypes/ed25519_aes128cbc.pem create mode 100644 src/test/resources/keytypes/ed25519_aes128cbc.pem.pub diff --git a/src/itest/docker-image/authorized_keys b/src/itest/docker-image/authorized_keys index cf4d9dd4e..1dca6f696 100644 --- a/src/itest/docker-image/authorized_keys +++ b/src/itest/docker-image/authorized_keys @@ -3,6 +3,7 @@ ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHQiZm0w ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDAdJiRkkBM8yC8seTEoAn2PfwbLKrkcahZ0xxPoWICJ root@sshj ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ8ww4hJG/gHJYdkjTTBDF1GNz+228nuWprPV+NbQauA ajvanerp@Heimdall.local ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOaWrwt3drIOjeBq2LSHRavxAT7ja2f+5soOUJl/zKSI ajvanerp@Heimdall.xebialabs.com +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYfPGSYFOHuSzTJ67H0ynvKJDfgDmwPOj7iJaLGbIBi sshjtest@TranceLove ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAoZ9l6Tkm2aL1tSBy2yw4xU5s8BE9MfqS/4J7DzvsYJxF6oQmTIjmStuhH/CT7UjuDtKXdXZUsIhKtafiizxGO8kHSzKDeitpth2RSr8ddMzZKyD6RNs7MfsgjA3UTtrrSrCXEY6O43S2cnuJrWzkPxtwxaQ3zOvDbS2tiulzyq0VzYmuhA/a4CyuQtJBuu+P2oqmu6pU/VB6IzONpvBvYbNPsH1WDmP7zko5wHPihXPCliztspKxS4DRtOZ7BGXyvg44UmIy0Kf4jOkaBV/eCCA4qH7ZHz71/5ceMOpszPcNOEmLGGYhwI+P3OuGMpkrSAv1f8IY6R8spZNncP6UaQ== no-passphrase ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDKRyZAtOJJfAhPU6xE6ZXY564vwErAI3n3Yn4lTHL9bxev9Ily6eCqPLcV0WbSV04pztngFn9MjT7yb8mcXheHpIaWEH569sMpmpOtyfn4p68SceuXBGyyPGMIcfOTknkASd1JYSD4EPkd9rZmCzcx3vEnLu8ChnA/G221xSVQ5VC/jD/c/CgNUayhQ+xbn57qHKKtZwfTa21QmwIabGYJNwlVjlKTCdddeVnZfKqKrG7cxHQApsxd21rhM9IT/C/f4Y/Tx3WUUVeam0iZ265oiPHoPALqJIWSQIUheRYAxYAQqJwSQ0Or9MM8XXun2Iy3RUSGk6eIvrCsFbNURsHNs7Pu0UnpYv6FZ3vCkFep/1pAT6fQvY7pDOOWDHKXArD4watc9gIWaQBH73wDW/KgBcnMRSoGWgQjsYqIamP4oV1+HqUI3lRAsXZaX+eiBGt3+3A5KebP27UJ1YUwhwlzs7wzTKaCu0OaL+hOsP1F2AxAa995bgFksMd23645ux3YCJKXG4sGpJ1Z/Hs49K72gv+QjLZVxXqY623c8+3OUhlixqoEFd4iG7UMc5a552ch/VA+jaspmLZoFhPz99aBRVb1oCSPxSwLw+Q/wxv6pZmT+14rqTzY2farjU53hM+CsUPh7dnWXhGG7RuA5wCdeOXOYjuksfzAoHIZhPqTgQ== ajvanerp@Heimdall.local ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBMvfRYSe44VQGwxexOMibcM3+fWeUP1jrBofOxFDRRrzRF8dK/vll2svqTPXMRnITnT1UoemEcB5OHtvH4hzfh/HFeDxJ5S7UncYxoClTSa8MeMFG2Zj9CoUZs1SHbwSGg== root@sshj diff --git a/src/itest/groovy/com/hierynomus/sshj/IntegrationSpec.groovy b/src/itest/groovy/com/hierynomus/sshj/IntegrationSpec.groovy index 060384f08..20c2a2ca1 100644 --- a/src/itest/groovy/com/hierynomus/sshj/IntegrationSpec.groovy +++ b/src/itest/groovy/com/hierynomus/sshj/IntegrationSpec.groovy @@ -74,6 +74,7 @@ class IntegrationSpec extends IntegrationBaseSpec { "id_ecdsa_opensshv1" | null "id_ed25519_opensshv1" | null "id_ed25519_opensshv1_aes256cbc.pem" | "foobar" + "id_ed25519_opensshv1_aes128cbc.pem" | "sshjtest" "id_ed25519_opensshv1_protected" | "sshjtest" "id_rsa" | null "id_rsa_opensshv1" | null diff --git a/src/itest/resources/keyfiles/id_ed25519_opensshv1_aes128cbc.pem b/src/itest/resources/keyfiles/id_ed25519_opensshv1_aes128cbc.pem new file mode 100644 index 000000000..14280b115 --- /dev/null +++ b/src/itest/resources/keyfiles/id_ed25519_opensshv1_aes128cbc.pem @@ -0,0 +1,3 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAACmFlczEyOC1jYmMAAAAGYmNyeXB0AAAAGAAAABDfrL8SxDyrkNlsJdAmc7Z0AAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAICYfPGSYFOHuSzTJ67H0ynvKJDfgDmwPOj7iJaLGbIBiAAAAkLVqaDIfs+sPBNyy7ytdLnP/xH7Nt5FIXx3Upw6wKuMGdBzbFQLcvu60Le+SFP3uUfXE8TcHramXbH0n+UBMW6raCAKOkHUU1BtrKxPG1eKU/LBx3Bk5FxyKm7fo0XsCUmqSVK25EHOJfYq1QwIbWICkvQUNu+2Hg8/MQKoFJMentI+GqjdaG76f6Wf+aj9UwA== +-----END OPENSSH PRIVATE KEY----- diff --git a/src/main/java/com/hierynomus/sshj/userauth/keyprovider/OpenSSHKeyV1KeyFile.java b/src/main/java/com/hierynomus/sshj/userauth/keyprovider/OpenSSHKeyV1KeyFile.java index 1e9ee2920..15348bac9 100644 --- a/src/main/java/com/hierynomus/sshj/userauth/keyprovider/OpenSSHKeyV1KeyFile.java +++ b/src/main/java/com/hierynomus/sshj/userauth/keyprovider/OpenSSHKeyV1KeyFile.java @@ -177,11 +177,11 @@ private void initializeCipher(String kdfName, byte[] kdfOptions, Cipher cipher) Arrays.fill(charBuffer.array(), '\u0000'); Arrays.fill(byteBuffer.array(), (byte) 0); } - byte[] keyiv = new byte[48]; + byte[] keyiv = new byte[cipher.getIVSize()+ cipher.getBlockSize()]; new BCrypt().pbkdf(passphrase, opts.readBytes(), opts.readUInt32AsInt(), keyiv); Arrays.fill(passphrase, (byte) 0); - byte[] key = Arrays.copyOfRange(keyiv, 0, 32); - byte[] iv = Arrays.copyOfRange(keyiv, 32, 48); + byte[] key = Arrays.copyOfRange(keyiv, 0, cipher.getBlockSize()); + byte[] iv = Arrays.copyOfRange(keyiv, cipher.getBlockSize(), cipher.getIVSize() + cipher.getBlockSize()); cipher.init(Cipher.Mode.Decrypt, key, iv); } else { throw new IllegalStateException("No support for KDF '" + kdfName + "'."); @@ -193,6 +193,8 @@ private Cipher createCipher(String cipherName) { return BlockCiphers.AES256CTR().create(); } else if (cipherName.equals(BlockCiphers.AES256CBC().getName())) { return BlockCiphers.AES256CBC().create(); + } else if (cipherName.equals(BlockCiphers.AES128CBC().getName())) { + return BlockCiphers.AES128CBC().create(); } throw new IllegalStateException("Cipher '" + cipherName + "' not currently implemented for openssh-key-v1 format"); } diff --git a/src/test/java/net/schmizz/sshj/keyprovider/OpenSSHKeyFileTest.java b/src/test/java/net/schmizz/sshj/keyprovider/OpenSSHKeyFileTest.java index f62ab1dbb..d406198cf 100644 --- a/src/test/java/net/schmizz/sshj/keyprovider/OpenSSHKeyFileTest.java +++ b/src/test/java/net/schmizz/sshj/keyprovider/OpenSSHKeyFileTest.java @@ -247,6 +247,12 @@ public void shouldLoadProtectedED25519PrivateKeyAes256CBC() throws IOException { checkOpenSSHKeyV1("src/test/resources/keytypes/ed25519_aes256cbc.pem", "foobar", true); } + @Test + public void shouldLoadProtectedED25519PrivateKeyAes128CBC() throws IOException { + checkOpenSSHKeyV1("src/test/resources/keytypes/ed25519_aes128cbc.pem", "sshjtest", false); + checkOpenSSHKeyV1("src/test/resources/keytypes/ed25519_aes128cbc.pem", "sshjtest", true); + } + @Test(expected = KeyDecryptionFailedException.class) public void shouldFailOnIncorrectPassphraseAfterRetries() throws IOException { OpenSSHKeyV1KeyFile keyFile = new OpenSSHKeyV1KeyFile(); diff --git a/src/test/resources/keytypes/ed25519_aes128cbc.pem b/src/test/resources/keytypes/ed25519_aes128cbc.pem new file mode 100644 index 000000000..14280b115 --- /dev/null +++ b/src/test/resources/keytypes/ed25519_aes128cbc.pem @@ -0,0 +1,3 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAACmFlczEyOC1jYmMAAAAGYmNyeXB0AAAAGAAAABDfrL8SxDyrkNlsJdAmc7Z0AAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAICYfPGSYFOHuSzTJ67H0ynvKJDfgDmwPOj7iJaLGbIBiAAAAkLVqaDIfs+sPBNyy7ytdLnP/xH7Nt5FIXx3Upw6wKuMGdBzbFQLcvu60Le+SFP3uUfXE8TcHramXbH0n+UBMW6raCAKOkHUU1BtrKxPG1eKU/LBx3Bk5FxyKm7fo0XsCUmqSVK25EHOJfYq1QwIbWICkvQUNu+2Hg8/MQKoFJMentI+GqjdaG76f6Wf+aj9UwA== +-----END OPENSSH PRIVATE KEY----- diff --git a/src/test/resources/keytypes/ed25519_aes128cbc.pem.pub b/src/test/resources/keytypes/ed25519_aes128cbc.pem.pub new file mode 100644 index 000000000..f9c0f0735 --- /dev/null +++ b/src/test/resources/keytypes/ed25519_aes128cbc.pem.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYfPGSYFOHuSzTJ67H0ynvKJDfgDmwPOj7iJaLGbIBi sshjtest@TranceLove \ No newline at end of file