Update sshj to 0.30.0 and improve algorithm order (#1026)

Updates sshj to 0.30.0, which brings support for rsa-sha2-* key types and bugfixes related to RSA certificates and Android Keystore backed keys. Along the way, this improves the algorithm preferences to be consistent with the Mozilla Intermediate SSH configuration (as far as possible, given that most certificate types and some encryption algorithms are not yet supported). We also add "ext-info-c" to the kex algorithm proposal to work around certain kinds of "user agent sniffing" that limits the support of rsa-sha2-* key types.
2020-08-17 21:58:04 +02:00 · 2020-08-17 21:58:04 +02:00 · 14e3754ef3
commit 14e3754ef3
parent 82ae0a8629
2 changed files with 21 additions and 18 deletions
--- a/app/src/main/java/com/zeapo/pwdstore/git/config/SshjConfig.kt
+++ b/app/src/main/java/com/zeapo/pwdstore/git/config/SshjConfig.kt
@ -6,17 +6,15 @@ package com.zeapo.pwdstore.git.config

 import com.github.ajalt.timberkt.Timber
 import com.github.ajalt.timberkt.d
-import com.hierynomus.sshj.signature.SignatureEdDSA
+import com.hierynomus.sshj.key.KeyAlgorithms
 import com.hierynomus.sshj.transport.cipher.BlockCiphers
+import com.hierynomus.sshj.transport.kex.ExtInfoClientFactory
 import com.hierynomus.sshj.transport.mac.Macs
 import com.hierynomus.sshj.userauth.keyprovider.OpenSSHKeyV1KeyFile
 import java.security.Security
 import net.schmizz.keepalive.KeepAliveProvider
 import net.schmizz.sshj.ConfigImpl
 import net.schmizz.sshj.common.LoggerFactory
-import net.schmizz.sshj.signature.SignatureECDSA
-import net.schmizz.sshj.signature.SignatureRSA
-import net.schmizz.sshj.signature.SignatureRSA.FactoryCERT
 import net.schmizz.sshj.transport.compression.NoneCompression
 import net.schmizz.sshj.transport.kex.Curve25519SHA256
 import net.schmizz.sshj.transport.kex.Curve25519SHA256.FactoryLibSsh
@ -202,7 +200,7 @@ class SshjConfig : ConfigImpl() {
        version = "OpenSSH_8.2p1 Ubuntu-4ubuntu0.1"

        initKeyExchangeFactories()
-        initSignatureFactories()
+        initKeyAlgorithms()
        initRandomFactory()
        initFileKeyProviderFactories()
        initCipherFactories()
@ -218,17 +216,22 @@ class SshjConfig : ConfigImpl() {
            ECDHNistP.Factory384(),
            ECDHNistP.Factory256(),
            DHGexSHA256.Factory(),
+            // Sends "ext-info-c" with the list of key exchange algorithms. This is needed to get
+            // rsa-sha2-* key types to work with some servers (e.g. GitHub).
+            ExtInfoClientFactory(),
        )
    }

-    private fun initSignatureFactories() {
-        signatureFactories = listOf(
-            SignatureEdDSA.Factory(),
-            SignatureECDSA.Factory256(),
-            SignatureECDSA.Factory384(),
-            SignatureECDSA.Factory521(),
-            SignatureRSA.Factory(),
-            FactoryCERT(),
+    private fun initKeyAlgorithms() {
+        keyAlgorithms = listOf(
+            KeyAlgorithms.SSHRSACertV01(),
+            KeyAlgorithms.EdDSA25519(),
+            KeyAlgorithms.RSASHA512(),
+            KeyAlgorithms.RSASHA256(),
+            KeyAlgorithms.ECDSASHANistp521(),
+            KeyAlgorithms.ECDSASHANistp384(),
+            KeyAlgorithms.ECDSASHANistp256(),
+            KeyAlgorithms.SSHRSA(),
        )
    }

@ -249,18 +252,18 @@ class SshjConfig : ConfigImpl() {

    private fun initCipherFactories() {
        cipherFactories = listOf(
-            BlockCiphers.AES128CTR(),
-            BlockCiphers.AES192CTR(),
            BlockCiphers.AES256CTR(),
+            BlockCiphers.AES192CTR(),
+            BlockCiphers.AES128CTR(),
        )
    }

    private fun initMACFactories() {
        macFactories = listOf(
-            Macs.HMACSHA2256(),
+            Macs.HMACSHA2512Etm(),
            Macs.HMACSHA2256Etm(),
            Macs.HMACSHA2512(),
-            Macs.HMACSHA2512Etm(),
+            Macs.HMACSHA2256(),
        )
    }

--- a/buildSrc/src/main/java/Dependencies.kt
+++ b/buildSrc/src/main/java/Dependencies.kt
@ -59,7 +59,7 @@ object Dependencies {
        const val jgit_java7 = "org.eclipse.jgit:org.eclipse.jgit.java7:3.7.1.201504261725-r"
        const val leakcanary = "com.squareup.leakcanary:leakcanary-android:2.4"
        const val plumber = "com.squareup.leakcanary:plumber-android:2.4"
-        const val sshj = "com.hierynomus:sshj:0.29.0"
+        const val sshj = "com.hierynomus:sshj:0.30.0"
        const val ssh_auth = "org.sufficientlysecure:sshauthentication-api:1.0"
        const val timber = "com.jakewharton.timber:timber:4.7.1"
        const val timberkt = "com.github.ajalt:timberkt:1.5.1"