
BouncyCastleGeneratorHostKeyProvider requires BouncyCastleKeyPairResourceParser for EC keys #517

Open
ncubede opened this issue Jun 16, 2024 · 1 comment


ncubede commented Jun 16, 2024

Version

2.12.1

Bug description

If a BouncyCastleGeneratorHostKeyProvider is set in SshServer.setKeyPairProvider, the generated EC host key cannot be read by Mina's ECDSA PEM reader and a new key is re-generated for every start. Registering BouncyCastleKeyPairResourceParser with SecurityUtils addresses the issue.

```java
import org.apache.sshd.common.util.security.SecurityUtils;
import org.apache.sshd.common.util.security.bouncycastle.BouncyCastleKeyPairResourceParser;

// Register the BouncyCastle PEM parser globally, before the host key provider is first used.
SecurityUtils.setKeyPairResourceParser(BouncyCastleKeyPairResourceParser.INSTANCE);
```

I would propose to either document this clearly in JavaDoc or have a hook in KeyPairProvider to register the KeyPairResourceParser it requires. It took an annoying amount of time to find.

I have seen people asking about the same issue, but have yet to find a concise answer, so I had to trace this through the .java documentation.

Actual behavior

14:40:12.598 [main] WARN org.apache.sshd.common.util.security.bouncycastle.BouncyCastleGeneratorHostKeyProvider -- resolveKeyPair(/var/folders/b0/29tsx3jx6vv_fkbw9rsqyy6w0000gn/T/key5380748753361494714pem) Failed (StreamCorruptedException) to load: Invalid DER: object is not an OID: SEQUENCE
java.io.StreamCorruptedException: Invalid DER: object is not an OID: SEQUENCE
at org.apache.sshd.common.util.io.der.ASN1Object.asOID(ASN1Object.java:233)
at org.apache.sshd.common.config.keys.loader.pem.ECDSAPEMResourceKeyPairParser.parseCurveParameter(ECDSAPEMResourceKeyPairParser.java:267)
at org.apache.sshd.common.config.keys.loader.pem.ECDSAPEMResourceKeyPairParser.parseCurveParameter(ECDSAPEMResourceKeyPairParser.java:238)
at org.apache.sshd.common.config.keys.loader.pem.ECDSAPEMResourceKeyPairParser.decodeECPrivateKeySpec(ECDSAPEMResourceKeyPairParser.java:220)
at org.apache.sshd.common.config.keys.loader.pem.ECDSAPEMResourceKeyPairParser.decodeECPrivateKeySpec(ECDSAPEMResourceKeyPairParser.java:163)

Expected behavior

A cached host key pair should be readable after being written. If a key pair provider needs a specific key pair parser, ensure that both are set in concert or clearly document.

Relevant log output

No response

Other information

I tested 2.9.3, 2.10.0, 2.11.0, 2.12.0, 2.12.1; the issue was in all of them. I suspect that bouncycastle 1.78.1 has a PEM EC file format change for named curves in the last security fixes.
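The following is an added example, not code from this issue or from Apache MINA SSHD itself, showing the workaround described above wired into a server in the right order (parser registered before the provider is first asked for keys), together with the check a practitioner would want: two independent provider instances over the same key file must report the same fingerprint, otherwise the cached key could not be parsed and a fresh one was silently generated. A host key that changes on every restart matters beyond inconvenience, because every SSH client will raise a host-key-mismatch warning, which trains operators to bypass the one check that protects them against a man-in-the-middle. Assumptions: sshd-core and the BouncyCastle provider are on the classpath, the file name `hostkey.pem`, the port 2222, and the class and method names are all mine; the EC algorithm and 256-bit size are set explicitly rather than relying on the provider's default.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyPair;
import java.util.Objects;

import org.apache.sshd.common.config.keys.KeyUtils;
import org.apache.sshd.common.keyprovider.KeyPairProvider;
import org.apache.sshd.common.util.security.SecurityUtils;
import org.apache.sshd.common.util.security.bouncycastle.BouncyCastleGeneratorHostKeyProvider;
import org.apache.sshd.common.util.security.bouncycastle.BouncyCastleKeyPairResourceParser;
import org.apache.sshd.server.SshServer;

/** Hypothetical demo class (not part of Apache MINA SSHD). */
public class StableHostKeyServer {

    /**
     * Builds the EC host key provider, registering the BouncyCastle PEM parser
     * first so the key written on the first start can be read back on the next.
     */
    static BouncyCastleGeneratorHostKeyProvider hostKeyProvider(Path keyFile) {
        // Global registration; must precede the first loadKeys() call.
        SecurityUtils.setKeyPairResourceParser(BouncyCastleKeyPairResourceParser.INSTANCE);

        BouncyCastleGeneratorHostKeyProvider provider = new BouncyCastleGeneratorHostKeyProvider(keyFile);
        provider.setAlgorithm(KeyUtils.EC_ALGORITHM); // the EC case the issue describes
        provider.setKeySize(256);                     // NIST P-256
        return provider;
    }

    /** Fingerprint of the first key pair the provider hands out (null session: no SSH session yet). */
    static String fingerprint(KeyPairProvider provider) throws Exception {
        for (KeyPair kp : provider.loadKeys(null)) {
            return KeyUtils.getFingerPrint(kp.getPublic());
        }
        throw new IllegalStateException("provider returned no keys");
    }

    public static void main(String[] args) throws Exception {
        Path keyFile = Paths.get(args.length > 0 ? args[0] : "hostkey.pem"); // assumed location

        // Check: a second provider instance over the same file must see the same key.
        // Without the parser registration, the reload fails with the StreamCorruptedException
        // from the issue and the provider regenerates, so the fingerprints differ.
        String first = fingerprint(hostKeyProvider(keyFile));
        String second = fingerprint(hostKeyProvider(keyFile));
        if (!Objects.equals(first, second)) {
            throw new IllegalStateException("host key was regenerated on reload: " + first + " vs " + second);
        }
        System.out.println("host key fingerprint stable across reloads: " + first);

        // Normal server wiring with the same provider.
        SshServer sshd = SshServer.setUpDefaultServer();
        sshd.setPort(2222);
        sshd.setKeyPairProvider(hostKeyProvider(keyFile));
        sshd.start();
        System.out.println("listening on 2222; compare the fingerprint above with what your client reports");
        Thread.currentThread().join(); // keep the server alive
    }
}
```

No authenticator is configured, so nobody can log in; the point is only that the host key presented to clients is the one stored in `hostkey.pem` and survives a restart. Run it twice and compare the printed fingerprint: if it changes between runs, the parser registration is not taking effect before the provider loads the file.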


mpadilha commented Sep 15, 2024

Same issue here with version 2.13.2.
I confirm that registering BouncyCastleKeyPairResourceParser stops the problem.
