apache / mina-sshd

Apache MINA sshd is a comprehensive Java library for client- and server-side SSH.
https://mina.apache.org/sshd-project/
Apache License 2.0

BouncyCastleGeneratorHostKeyProvider requires BouncyCastleKeyPairResourceParser for EC keys #517

Open ncubede opened 5 months ago

ncubede commented 5 months ago

Version

2.12.1

Bug description

If a BouncyCastleGeneratorHostKeyProvider is set in SshServer.setKeyPairProvider, the generated EC host key cannot be read by Mina's ECDSA PEM reader and a new key is re-generated for every start. Registering BouncyCastleKeyPairResourceParser with SecurityUtils addresses the issue.

SecurityUtils.setKeyPairResourceParser(BouncyCastleKeyPairResourceParser.INSTANCE);

I would propose to either document this clearly in JavaDoc or have a hook in KeyPairProvider to register the KeyPairResourceParser it requires. It took an annoying amount of time to find.

I have seen people asking about the same issue, but have not found a concise answer, so I had to trace this through the .java documentation.

Actual behavior

14:40:12.598 [main] WARN org.apache.sshd.common.util.security.bouncycastle.BouncyCastleGeneratorHostKeyProvider -- resolveKeyPair(/var/folders/b0/29tsx3jx6vv_fkbw9rsqyy6w0000gn/T/key5380748753361494714pem) Failed (StreamCorruptedException) to load: Invalid DER: object is not an OID: SEQUENCE
java.io.StreamCorruptedException: Invalid DER: object is not an OID: SEQUENCE
    at org.apache.sshd.common.util.io.der.ASN1Object.asOID(ASN1Object.java:233)
    at org.apache.sshd.common.config.keys.loader.pem.ECDSAPEMResourceKeyPairParser.parseCurveParameter(ECDSAPEMResourceKeyPairParser.java:267)
    at org.apache.sshd.common.config.keys.loader.pem.ECDSAPEMResourceKeyPairParser.parseCurveParameter(ECDSAPEMResourceKeyPairParser.java:238)
    at org.apache.sshd.common.config.keys.loader.pem.ECDSAPEMResourceKeyPairParser.decodeECPrivateKeySpec(ECDSAPEMResourceKeyPairParser.java:220)
    at org.apache.sshd.common.config.keys.loader.pem.ECDSAPEMResourceKeyPairParser.decodeECPrivateKeySpec(ECDSAPEMResourceKeyPairParser.java:163)

Expected behavior

A cached host key pair should be readable after being written. If a key pair provider needs a specific key pair parser, ensure that both are set in concert or document it clearly.

Relevant log output

No response

Other information

I tested 2.9.3, 2.10.0, 2.11.0, 2.12.0, 2.12.1; the issue was in all of them. I suspect that bouncycastle 1.78.1 has a PEM EC file format change for named curves in the last security fixes.
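The workaround from the report, wired into a minimal server setup, as an added example (not code from the issue or from the mina-sshd project). It registers BouncyCastleKeyPairResourceParser before the host key provider is used and then checks that a second provider on the same file yields the same host key fingerprint, which is the observable symptom that was failing (a fresh key on every start). The file path, the class name HostKeyPersistenceCheck and the helper methods are assumptions for the illustration; the example assumes bcprov/bcpkix are on the classpath so that SecurityUtils registers BouncyCastle.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyPair;
import java.security.PublicKey;

import org.apache.sshd.common.config.keys.KeyUtils;
import org.apache.sshd.common.keyprovider.KeyPairProvider;
import org.apache.sshd.common.util.security.SecurityUtils;
import org.apache.sshd.common.util.security.bouncycastle.BouncyCastleGeneratorHostKeyProvider;
import org.apache.sshd.common.util.security.bouncycastle.BouncyCastleKeyPairResourceParser;
import org.apache.sshd.server.SshServer;

public class HostKeyPersistenceCheck {

    // Hypothetical location for the cached host key; any writable path works.
    private static final Path HOST_KEY_FILE = Paths.get("hostkey.pem");

    /** Build an EC host key provider and register the parser it needs to read its own output. */
    static KeyPairProvider ecHostKeyProvider() {
        if (!SecurityUtils.isBouncyCastleRegistered()) {
            throw new IllegalStateException("BouncyCastle provider is not registered (bcprov/bcpkix missing?)");
        }
        // The fix from the issue: let SecurityUtils parse PEM resources with BouncyCastle,
        // so the EC key written by BouncyCastleGeneratorHostKeyProvider can be loaded back.
        // Without this line the default ECDSA PEM parser fails with "object is not an OID".
        SecurityUtils.setKeyPairResourceParser(BouncyCastleKeyPairResourceParser.INSTANCE);

        BouncyCastleGeneratorHostKeyProvider provider = new BouncyCastleGeneratorHostKeyProvider(HOST_KEY_FILE);
        provider.setAlgorithm(KeyUtils.EC_ALGORITHM); // "EC"
        provider.setKeySize(256);                      // nistp256
        return provider;
    }

    /** Fingerprint of the first key pair the provider hands out; generates and writes the file on first use. */
    static String fingerprintOf(KeyPairProvider provider) throws Exception {
        KeyPair kp = provider.loadKeys(null).iterator().next(); // no session context needed for a file-backed provider
        PublicKey pub = kp.getPublic();
        return KeyUtils.getFingerPrint(pub);
    }

    /**
     * Persistence check a deployment can run at start-up: two independent providers on the same
     * file must agree on the host key. A mismatch means the cached key could not be parsed and a
     * new one was silently generated, which is exactly what clients would see as a changed host key.
     */
    static boolean hostKeyIsStable() throws Exception {
        String first = fingerprintOf(ecHostKeyProvider());
        String second = fingerprintOf(ecHostKeyProvider());
        return first.equals(second);
    }

    public static void main(String[] args) throws Exception {
        if (!hostKeyIsStable()) {
            throw new IllegalStateException("host key at " + HOST_KEY_FILE + " is re-generated on every load");
        }

        SshServer sshd = SshServer.setUpDefaultServer();
        sshd.setPort(2222); // assumed port for the example
        sshd.setKeyPairProvider(ecHostKeyProvider());
        sshd.start();
        System.out.println("server started with stable EC host key at " + HOST_KEY_FILE);
    }
}
```

Run the check once with the SecurityUtils.setKeyPairResourceParser line commented out to reproduce the report: the second provider logs the StreamCorruptedException shown above and hostKeyIsStable() returns false because a new key was generated. With the line in place the fingerprints match across restarts, and clients that pinned the host key stop seeing it change.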

mpadilha commented 1 month ago

Same issue here with version 2.13.2. I confirm that registering BouncyCastleKeyPairResourceParser stops the problem.