Bump com.hierynomus:sshj from 0.32.0 to 0.36.0 in /prime-router (#11246)

* Bump com.hierynomus:sshj from 0.32.0 to 0.36.0 in /prime-router Bumps [com.hierynomus:sshj](https://github.com/hierynomus/sshj) from 0.32.0 to 0.36.0. - [Commits](hierynomus/sshj@v0.32.0...v0.36.0) --- updated-dependencies: - dependency-name: com.hierynomus:sshj dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * update for hierynomus/sshj#879 * Modified SftpTransport to be able to handle SSHRSA as older version * Modified SftpTransport to be able to handle SSHRSA as older version --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Stephen Nesman <[email protected]> Co-authored-by: Ott Sathngam <[email protected]>
CDCgov · Sep 28, 2023 · 4819ffa · 4819ffa
1 parent aa8ecf4
commit 4819ffa
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 4 deletions.
diff --git a/prime-router/build.gradle.kts b/prime-router/build.gradle.kts
@@ -838,7 +838,7 @@ dependencies {
     implementation("com.github.kittinunf.fuel:fuel-json:2.3.1")
     implementation("org.json:json:20230618")
     // DO NOT INCREMENT SSHJ to a newer version without first thoroughly testing it locally.
-    implementation("com.hierynomus:sshj:0.32.0")
+    implementation("com.hierynomus:sshj:0.36.0")
     implementation("com.jcraft:jsch:0.1.55")
     implementation("org.apache.poi:poi:5.2.3")
     implementation("org.apache.commons:commons-csv:1.10.0")

diff --git a/prime-router/src/main/kotlin/transport/RESTTransport.kt b/prime-router/src/main/kotlin/transport/RESTTransport.kt
@@ -53,10 +53,10 @@ import io.ktor.serialization.kotlinx.json.json
 import kotlinx.coroutines.launch
 import kotlinx.coroutines.runBlocking
 import kotlinx.serialization.json.Json
-import net.schmizz.sshj.common.Base64
 import org.json.JSONObject
 import java.io.InputStream
 import java.security.KeyStore
+import java.util.Base64
 import java.util.logging.Logger
 import javax.net.ssl.KeyManagerFactory
 import javax.net.ssl.SSLContext
@@ -405,7 +405,7 @@ class RESTTransport(private val httpClient: HttpClient? = null) : ITransport {
             if (restUrl.contains("dataingestion.datateam-cdc-nbs")) {
                 val idTokenInfoString: String = client.post(restUrl) {
                     val credentialString = credential.user + ":" + credential.pass
-                    val basicAuth = "Basic " + Base64.encodeBytes(credentialString.encodeToByteArray())
+                    val basicAuth = "Basic " + Base64.getEncoder().encodeToString(credentialString.encodeToByteArray())
                     expectSuccess = true // throw an exception if not successful
                     postHeaders(
                         mapOf(
@@ -549,7 +549,7 @@ class RESTTransport(private val httpClient: HttpClient? = null) : ITransport {
          */
         private fun getSslContext(jksCredential: UserJksCredential): SSLContext? {
             // Open the keystore in the UserJksCredential, it's a PKCS12 type
-            val jksDecoded = Base64.decode(jksCredential.jks)
+            val jksDecoded = Base64.getDecoder().decode(jksCredential.jks)
             val inStream: InputStream = jksDecoded.inputStream()
             val jksPasscode = jksCredential.jksPasscode.toCharArray()
             val keyStore: KeyStore = KeyStore.getInstance("PKCS12")

diff --git a/prime-router/src/main/kotlin/transport/SftpTransport.kt b/prime-router/src/main/kotlin/transport/SftpTransport.kt
@@ -1,6 +1,7 @@
 package gov.cdc.prime.router.transport
 
 import com.google.common.base.Preconditions
+import com.hierynomus.sshj.key.KeyAlgorithms
 import com.microsoft.azure.functions.ExecutionContext
 import gov.cdc.prime.router.Receiver
 import gov.cdc.prime.router.Report
@@ -306,6 +307,29 @@ class SftpTransport : ITransport, Logging {
         // allow us to mock SSHClient because there is no dependency injection in this class
         fun createDefaultSSHClient(): SSHClient {
             val sshConfig = DefaultConfig()
+
+            // Started from version 0.33.0, SSHJ doesn't try to determine RSA-SHA2-* support on fly.
+            // Instead, it looks only config.getKeyAlgorithms(), which may or may not contain ssh-rsa
+            // and rsa-sha2-* in any order.  The default config stops working with old servers like
+            // Apache SSHD that doesn't rsa-sha2-* signatures.  To make it works with old servers,
+            // we need to include the KeyAlgorithms.SSHRSA at the top of the list or have higher
+            // priority than other as below.
+            sshConfig.keyAlgorithms = listOf(
+                KeyAlgorithms.SSHRSA(),
+                KeyAlgorithms.EdDSA25519CertV01(),
+                KeyAlgorithms.EdDSA25519(),
+                KeyAlgorithms.ECDSASHANistp521CertV01(),
+                KeyAlgorithms.ECDSASHANistp521(),
+                KeyAlgorithms.ECDSASHANistp384CertV01(),
+                KeyAlgorithms.ECDSASHANistp384(),
+                KeyAlgorithms.ECDSASHANistp256CertV01(),
+                KeyAlgorithms.ECDSASHANistp256(),
+                KeyAlgorithms.RSASHA512(),
+                KeyAlgorithms.RSASHA256(),
+                KeyAlgorithms.SSHRSACertV01(),
+                KeyAlgorithms.SSHDSSCertV01(),
+                KeyAlgorithms.SSHDSA()
+            )
             return SSHClient(sshConfig)
         }
     }