sshtools / maverick-synergy

Next Generation Java SSH API
https://jadaptive.com
GNU Lesser General Public License v3.0

Unable to generate certificate using rsa-sha2-512 algorithm #77

Closed marshmello-275 closed 11 months ago

marshmello-275 commented 1 year ago

Unable to generate a certificate using the rsa-sha2-512 algorithm. Tried debugging it in the latest version, 1.7.52. There is no support for rsa-sha2-512 in the OpenSshCertificate implementations.

SshKeyPair pair = SshKeyUtils.makeRSAWithSHA256Signature(SshKeyPairGenerator.generateKeyPair(SshKeyPairGenerator.SSH2_RSA));
SshKeyPair ca = SshKeyUtils.makeRSAWithSHA256Signature(SshKeyPairGenerator.generateKeyPair(SshKeyPairGenerator.SSH2_RSA));
SshCertificate cert = SshCertificateAuthority.generateCertificate(pair, 0L, OpenSshCertificate.SSH_CERT_TYPE_USER, "KEY-IDENTITY", "john", 365, new CertificateExtension.Builder().defaultExtensions().build(), ca);
SshKeyUtils.savePrivateKey(pair, "", "User SHA2", new File("test"));
SshKeyUtils.saveCertificate(cert, "", "Cert SHA2", new File("test"));

When I tried this, I got the exception below.

Unsupported certificate type rsa-sha2-256 generated an error at com.sshtools.publickey.SshCertificateAuthority.generateCertificate(SshCertificateAuthority.java:137)

marshmello-275 commented 1 year ago

Also, when I tried with SshKeyPairGeneration.ECDSA, I was able to generate a key pair and sign a certificate, but I was unable to authenticate to the server. Using the generated certificate, I'm able to manually connect to the machine using

ssh -o ssh -o CertificateFile=userkey-cert.pub -i userkey username@hostname

This connects to the server.

But I am unable to connect using the Maverick Java API below:

SshConnector conn = SshConnector.createInstance(SecurityLevel.STRONG, true);
SshClient ssh = conn.connect(new SocketTransport("hostip", 22), "username");
PublicKeyAuthentication pk = CertificateAuthorityFactory.getPubKeyAuth(new File("user-cert.pub"), new File("user"), "user");
if (ssh.authenticate(pk) == SshAuthentication.COMPLETE) {
    System.out.println("*success**");
} else {
    System.out.println("*failure**");
}

I'm getting a failure.

ludup commented 1 year ago

rsa-sha2-512 is a signature type, not a certificate type, and even the associated rsa-sha2-512-cert-v01@openssh.com is not supposed to be written in keys at rest. The API requires special handling to adapt existing ssh-rsa based certificates to use the new signing method, which the current version does not support.

However, this feature is available in the develop branch 3.1.0-SNAPSHOT. If you use ssh-rsa certificates with a server that supports the new signature types they will be automatically upgraded to the new signature method.
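As an added illustration of the distinction ludup draws, and not code from this issue or from maverick-synergy: in the OpenSSH certificate format the certificate type string (ssh-rsa-cert-v01@openssh.com) and the signature algorithm (rsa-sha2-512, or ssh-rsa) are separate fields, so an existing ssh-rsa certificate can carry a SHA-2 signature without changing its type. The certificate below is constructed with placeholder key and signature bytes; the parser walks the PROTOCOL.certkeys layout and returns both strings.

```python
import struct

# RFC 4251 wire-format helpers used by OpenSSH certificates.
def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:
    # Pads one zero byte when the top bit would be set, keeping the mpint positive.
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4: off + 4 + n], off + 4 + n

def build_sample_cert(sig_algo: str) -> bytes:
    """Constructed sample: an ssh-rsa user certificate with dummy key material
    and a dummy signature; only the field layout is realistic."""
    ca_key = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(0xC0FFEE)
    body = (
        ssh_string(b"ssh-rsa-cert-v01@openssh.com")   # certificate type
        + ssh_string(b"\x00" * 32)                    # nonce
        + ssh_mpint(65537)                            # e (placeholder)
        + ssh_mpint(0xC0FFEE)                         # n (placeholder)
        + struct.pack(">Q", 0)                        # serial
        + struct.pack(">I", 1)                        # type: 1 = user certificate
        + ssh_string(b"KEY-IDENTITY")                 # key id
        + ssh_string(ssh_string(b"john"))             # valid principals
        + struct.pack(">Q", 0)                        # valid_after
        + struct.pack(">Q", 2**64 - 1)                # valid_before
        + ssh_string(b"")                             # critical options
        + ssh_string(b"")                             # extensions
        + ssh_string(b"")                             # reserved
        + ssh_string(ca_key)                          # signature key (the CA)
    )
    # The signature blob names its own algorithm; this is where rsa-sha2-512 lives.
    signature = ssh_string(sig_algo.encode()) + ssh_string(b"\x00" * 256)
    return body + ssh_string(signature)

def cert_and_signature_types(cert: bytes):
    """Return (certificate type, signature algorithm) from a raw certificate blob."""
    cert_type, off = read_string(cert, 0)
    for _ in range(3):                     # nonce, e, n
        _, off = read_string(cert, off)
    off += 8 + 4                           # serial, type
    for _ in range(2):                     # key id, valid principals
        _, off = read_string(cert, off)
    off += 8 + 8                           # valid_after, valid_before
    for _ in range(4):                     # critical options, extensions, reserved, CA key
        _, off = read_string(cert, off)
    signature, _ = read_string(cert, off)
    sig_algo, _ = read_string(signature, 0)
    return cert_type.decode(), sig_algo.decode()
```

Both variants parse to the same certificate type; only the inner signature algorithm differs, which is why the signing method can be upgraded without rewriting the stored certificate.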