Fix: if the client knows CA key, it should send host key algo proposa…

…l for certificates
hierynomus · Oct 13, 2021 · ce18111 · ce18111
1 parent 3256f53
commit ce18111
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/src/itest/groovy/com/hierynomus/sshj/signature/KeyWithCertificateSpec.groovy b/src/itest/groovy/com/hierynomus/sshj/signature/KeyWithCertificateSpec.groovy
@@ -90,7 +90,13 @@ class KeyWithCertificateSpec extends IntegrationBaseSpec {
         and:
         def config = new DefaultConfig()
         config.keyAlgorithms = config.keyAlgorithms.stream()
-                .filter { it.name == hostKeyAlgo }
+                .filter {
+                    // This filter is added only because the current integration test infrastructure doesn't allow
+                    // to spawn different sshd on the fly. In reality, few users would specify key algorithms
+                    // explicitly.
+                    // The filter let a bug pass through the tests. Now the filter is as broad as possible.
+                    it.name == hostKeyAlgo || !it.name.contains("cert")
+                }
                 .collect(Collectors.toList())
         SSHClient sshClient = new SSHClient(config)
         sshClient.addHostKeyVerifier(new OpenSSHKnownHosts(knownHosts))

diff --git a/src/main/java/net/schmizz/sshj/transport/verification/OpenSSHKnownHosts.java b/src/main/java/net/schmizz/sshj/transport/verification/OpenSSHKnownHosts.java
@@ -138,7 +138,17 @@ public List<String> findExistingAlgorithms(String hostname, int port) {
         for (KnownHostEntry e : entries) {
             try {
                 if (e.appliesTo(adjustedHostname)) {
-                    knownHostAlgorithms.add(e.getType().toString());
+                    final KeyType type = e.getType();
+                    if (e instanceof HostEntry && ((HostEntry) e).marker == Marker.CA_CERT) {
+                        for (final KeyType superiorType : KeyType.values()) {
+                            if (superiorType.getParent() == type) {
+                                knownHostAlgorithms.add(superiorType.toString());
+                            }
+                        }
+                    }
+                    else {
+                        knownHostAlgorithms.add(type.toString());
+                    }
                 }
             } catch (IOException ioe) {
             }