From ce18111eb9db325ebcc2524312289e96d0223b60 Mon Sep 17 00:00:00 2001
From: Vladimir Lagunov
Date: Wed, 13 Oct 2021 15:21:52 +0700
Subject: [PATCH] Fix: if the client knows CA key, it should send host key algo proposal for certificates
---
 .../sshj/signature/KeyWithCertificateSpec.groovy | 8 +++++++-
 .../transport/verification/OpenSSHKnownHosts.java | 12 +++++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/src/itest/groovy/com/hierynomus/sshj/signature/KeyWithCertificateSpec.groovy b/src/itest/groovy/com/hierynomus/sshj/signature/KeyWithCertificateSpec.groovy
index 78fbb8a0..f7ffd2a3 100644
--- a/src/itest/groovy/com/hierynomus/sshj/signature/KeyWithCertificateSpec.groovy
+++ b/src/itest/groovy/com/hierynomus/sshj/signature/KeyWithCertificateSpec.groovy
@@ -90,7 +90,13 @@ class KeyWithCertificateSpec extends IntegrationBaseSpec {
 and:
 def config = new DefaultConfig()
 config.keyAlgorithms = config.keyAlgorithms.stream()
- .filter { it.name == hostKeyAlgo }
+ .filter {
+ // This filter is added only because the current integration test infrastructure doesn't allow
+ // to spawn different sshd on the fly. In reality, few users would specify key algorithms
+ // explicitly.
+ // The filter let a bug pass through the tests. Now the filter is as broad as possible.
+ it.name == hostKeyAlgo || !it.name.contains("cert")
+ }
 .collect(Collectors.toList())
 SSHClient sshClient = new SSHClient(config)
 sshClient.addHostKeyVerifier(new OpenSSHKnownHosts(knownHosts))
diff --git a/src/main/java/net/schmizz/sshj/transport/verification/OpenSSHKnownHosts.java b/src/main/java/net/schmizz/sshj/transport/verification/OpenSSHKnownHosts.java
index 7c271d62..bd1314e3 100644
--- a/src/main/java/net/schmizz/sshj/transport/verification/OpenSSHKnownHosts.java
+++ b/src/main/java/net/schmizz/sshj/transport/verification/OpenSSHKnownHosts.java
@@ -138,7 +138,17 @@ public List findExistingAlgorithms(String hostname, int port) {
 for (KnownHostEntry e : entries) {
 try {
 if (e.appliesTo(adjustedHostname)) {
- knownHostAlgorithms.add(e.getType().toString());
+ final KeyType type = e.getType();
+ if (e instanceof HostEntry && ((HostEntry) e).marker == Marker.CA_CERT) {
+ for (final KeyType superiorType : KeyType.values()) {
+ if (superiorType.getParent() == type) {
+ knownHostAlgorithms.add(superiorType.toString());
+ }
+ }
+ }
+ else {
+ knownHostAlgorithms.add(type.toString());
+ }
 }
 } catch (IOException ioe) {
 }
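Review bot: The new branch only special-cases `Marker.CA_CERT`, so a `HostEntry` carrying any other marker (a revoked-key marker, if the `Marker` enum defines one) still drops into the `else` branch and has its key algorithm proposed exactly like a trusted plain entry; either restrict the fallback to unmarked entries or add a comment stating that marked entries are intentionally proposed. Nothing in the hunk de-duplicates `knownHostAlgorithms`, so two CA entries of the same key type matching one host add the same certificate names twice — harmless only if the caller de-duplicates, which cannot be seen here since the list is declared before the hunk. The CA branch would benefit from a why-comment such as `// A @cert-authority entry vouches for host certificates signed by this key, so propose the certificate algorithms whose parent is the CA key type rather than the CA key's own algorithm.` Stylistically, the `}` followed by `else {` on its own line should be cuddled as `} else {` to match the `} catch (IOException ioe) {` in the same method. findExistingAlgorithms starts before the hunk.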