
Conversation

@Dohbedoh
Contributor

@Dohbedoh Dohbedoh commented Sep 4, 2025

  • Fix OpenSshCertificate public key handling. If a PublicKey of type OpenSshCertificate is passed by the SSHD verifier, then we must unwrap the getCertPubKey for host key verification. (see bugfix: fix cert auth failed bug apache/mina-sshd#660)
  • Only manipulate the PublicKey to a HostKey if necessary (that would prevent future problems related to Algorithm type handling when No Verification is selected).

Testing done

  • Added unit tests
  • No manual testing done yet

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests that demonstrate the feature works or the issue is fixed

@Dohbedoh Dohbedoh changed the title Jenkins 76058 [JENKINS-76058] Fix OpenSSH Certificate Hostkey handling + Improve verifier Sep 4, 2025
@jglick
Member

jglick commented Sep 4, 2025

Required by jenkinsci/mina-sshd-api-plugin#177 IIUC.

Properties.setThreadOverride(Properties.EMULATE_ORACLE, true);
// Generate MD5 fingerprint just like ssh-keygen
byte[] rawFingerprint = KeyUtils.getRawFingerprint(BuiltinDigests.md5.get(), serverKey);
return BufferUtils.toHex(':', rawFingerprint).toLowerCase();
Member

Recommend Locale.ROOT as a general practice, though in this case I guess a hex string could not contain I.

Comment on lines 175 to 176
} catch (Exception e) {
return "";
Member

Is some exception expected here? Seems like it should at least log a warning.

Contributor Author

Not expected. It all goes down to the implementation of Digest / decoder I guess.
We can add a warning.

@Dohbedoh
Contributor Author

Dohbedoh commented Sep 4, 2025

Thanks @jglick

Member

@olamy olamy left a comment

LGTM

Contributor

@vwagh-dev vwagh-dev left a comment

LGTM

@vwagh-dev vwagh-dev merged commit 50458f4 into jenkinsci:master Sep 8, 2025
16 checks passed
return null;
}
AsymmetricKeyParameter parameters = PublicKeyFactory.createKey(serverKey.getEncoded());
return new HostKey(serverKey.getAlgorithm(), OpenSSHPublicKeyUtil.encodePublicKey(parameters));
Contributor Author

This should not be serverKey.getAlgorithm() but sshAlgorithm. This is causing an issue https://issues.jenkins.io/browse/JENKINS-76077
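Added example (not code from this PR or from the plugin) showing the two points discussed in this thread together: unwrap an OpenSshCertificate to the key it certifies before verifying the host key, and name the host key by its SSH algorithm (KeyUtils.getKeyType, e.g. "ecdsa-sha2-nistp256") rather than the JCA name returned by PublicKey.getAlgorithm() (e.g. "EC"). HostKeyView is a hypothetical stand-in for the plugin's HostKey; the MINA SSHD and Bouncy Castle calls are real APIs.

```java
import java.security.PublicKey;
import java.util.Locale;
import org.apache.sshd.common.config.keys.KeyUtils;
import org.apache.sshd.common.config.keys.OpenSshCertificate;
import org.apache.sshd.common.digest.BuiltinDigests;
import org.apache.sshd.common.util.buffer.BufferUtils;
import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
import org.bouncycastle.crypto.util.OpenSSHPublicKeyUtil;
import org.bouncycastle.crypto.util.PublicKeyFactory;

public final class ServerKeyUnwrap {

    /** Hypothetical stand-in for the plugin's HostKey: SSH algorithm name + OpenSSH wire encoding. */
    public record HostKeyView(String sshAlgorithm, byte[] encoded) {}

    /**
     * When the SSHD ServerKeyVerifier hands us a certificate, the key to verify
     * (and to compare with the stored host key) is the certified key inside it,
     * not the certificate blob itself.
     */
    public static PublicKey unwrap(PublicKey serverKey) {
        if (serverKey instanceof OpenSshCertificate cert) {
            return cert.getCertPubKey();
        }
        return serverKey;
    }

    /** Builds the host-key view. Uses the SSH key type, not serverKey.getAlgorithm(). */
    public static HostKeyView toHostKey(PublicKey serverKey) throws Exception {
        PublicKey key = unwrap(serverKey);
        String sshAlgorithm = KeyUtils.getKeyType(key); // e.g. "ssh-rsa", "ssh-ed25519"; null if unknown
        if (sshAlgorithm == null) {
            throw new IllegalArgumentException("Unsupported server key type: " + key.getAlgorithm());
        }
        AsymmetricKeyParameter params = PublicKeyFactory.createKey(key.getEncoded());
        return new HostKeyView(sshAlgorithm, OpenSSHPublicKeyUtil.encodePublicKey(params));
    }

    /** MD5 fingerprint in ssh-keygen style, computed over the unwrapped key. Locale.ROOT as suggested in review. */
    public static String md5Fingerprint(PublicKey serverKey) throws Exception {
        byte[] raw = KeyUtils.getRawFingerprint(BuiltinDigests.md5.get(), unwrap(serverKey));
        return BufferUtils.toHex(':', raw).toLowerCase(Locale.ROOT);
    }
}
```

KeyUtils.getRawFingerprint declares a checked Exception, which is why the code under review wraps it; letting it propagate (or logging it, as the reviewer asked) is preferable to silently returning an empty fingerprint.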
