
apacheGH-590: Try decrypting encrypted PKCS8 PEM keys only with BC
Override canExtractKeyPairs so that we don't even try the parser if BC
is not registered.

The decryption is implemented only for Bouncy Castle because many Java
versions have various bugs and limitations regarding PBES2.
tomaswolf committed Sep 1, 2024
1 parent 40a08a4 commit ad546f6
Showing 1 changed file with 8 additions and 0 deletions.
Expand Up @@ -40,6 +40,7 @@
import org.apache.sshd.common.cipher.ECCurves;
import org.apache.sshd.common.config.keys.FilePasswordProvider;
import org.apache.sshd.common.config.keys.KeyUtils;
import org.apache.sshd.common.config.keys.loader.KeyPairResourceParser;
import org.apache.sshd.common.session.SessionContext;
import org.apache.sshd.common.util.GenericUtils;
import org.apache.sshd.common.util.ValidateUtils;
Expand Down Expand Up @@ -73,6 +74,13 @@ public PKCS8PEMResourceKeyPairParser() {
super(PKCS8_FORMAT, PKCS8_FORMAT, BEGINNERS, ENDERS);
}

@Override
public boolean canExtractKeyPairs(NamedResource resourceKey, List<String> lines)
throws IOException, GeneralSecurityException {
return KeyPairResourceParser.containsMarkerLine(lines, BEGIN_MARKER) || SecurityUtils.isBouncyCastleRegistered()
&& KeyPairResourceParser.containsMarkerLine(lines, BEGIN_ENCRYPTED_MARKER);
}

@Override
public Collection<KeyPair> extractKeyPairs(
SessionContext session, NamedResource resourceKey,
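Review bot: The new `canExtractKeyPairs` body mixes `||` and `&&` without parentheses, so the reader has to know that `&&` binds tighter to see that an encrypted resource is claimed only when Bouncy Castle is registered; I would write it as `return KeyPairResourceParser.containsMarkerLine(lines, BEGIN_MARKER) || (SecurityUtils.isBouncyCastleRegistered() && KeyPairResourceParser.containsMarkerLine(lines, BEGIN_ENCRYPTED_MARKER));`. The override also has no comment explaining the restriction the commit message gives, so a why-comment such as `// Encrypted PKCS#8 PEM is decrypted only with Bouncy Castle because PBES2 support in plain JCE is unreliable across JDK versions; without BC, decline the resource so no decryption is attempted.` would keep that rationale next to the code. Note that declining the resource means the loader skips an encrypted key silently when BC is absent, which reads to the user as "no key found" rather than "BC required"; a debug-level log in the encrypted-but-no-BC case would help operators diagnose that configuration, though whether a logger is available in this class is not visible in the hunk. `SecurityUtils` is used but its import is not among the visible import lines, so it is presumably already imported earlier in the file. The `extractKeyPairs` signature at the end of the hunk continues outside it.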

