Add support for 384 and 521 bit ECSDA keys

Previously only the 256 bit key was generated.

Change-Id: I37b97088537e1508076264c6eeacd0487b15ae3d

gerrit-pgm/src/main/java/com/google/gerrit/pgm/init/InitSshd.java

@@ -84,7 +84,9 @@ class InitSshd implements InitStep {
         && (!exists(site.ssh_rsa)
             || !exists(site.ssh_dsa)
             || !exists(site.ssh_ed25519)
-            || !exists(site.ssh_ecdsa))) {
+            || !exists(site.ssh_ecdsa_256)
+            || !exists(site.ssh_ecdsa_384)
+            || !exists(site.ssh_ecdsa_521))) {
       System.err.print("Generating SSH host key ...");
       System.err.flush();
 
@@ -160,8 +162,8 @@ class InitSshd implements InitStep {
         }
       }
 
-      if (!exists(site.ssh_ecdsa)) {
-        System.err.print(" ecdsa...");
+      if (!exists(site.ssh_ecdsa_256)) {
+        System.err.print(" ecdsa 256...");
         System.err.flush();
         try {
           new ProcessBuilder(
@@ -169,19 +171,77 @@ class InitSshd implements InitStep {
                   "-q" /* quiet */,
                   "-t",
                   "ecdsa",
+                  "-b",
+                  "256",
                   "-P",
                   emptyPassphraseArg,
                   "-C",
                   comment,
                   "-f",
-                  site.ssh_ecdsa.toAbsolutePath().toString())
+                  site.ssh_ecdsa_256.toAbsolutePath().toString())
               .redirectError(Redirect.INHERIT)
               .redirectOutput(Redirect.INHERIT)
               .start()
               .waitFor();
         } catch (Exception e) {
           // continue since older hosts won't be able to generate ecdsa keys.
-          System.err.print(" Failed to generate ecdsa key, continuing...");
+          System.err.print(" Failed to generate ecdsa 256 key, continuing...");
+          System.err.flush();
+        }
+      }
+
+      if (!exists(site.ssh_ecdsa_384)) {
+        System.err.print(" ecdsa 384...");
+        System.err.flush();
+        try {
+          new ProcessBuilder(
+                  "ssh-keygen",
+                  "-q" /* quiet */,
+                  "-t",
+                  "ecdsa",
+                  "-b",
+                  "384",
+                  "-P",
+                  emptyPassphraseArg,
+                  "-C",
+                  comment,
+                  "-f",
+                  site.ssh_ecdsa_384.toAbsolutePath().toString())
+              .redirectError(Redirect.INHERIT)
+              .redirectOutput(Redirect.INHERIT)
+              .start()
+              .waitFor();
+        } catch (Exception e) {
+          // continue since older hosts won't be able to generate ecdsa keys.
+          System.err.print(" Failed to generate ecdsa 384 key, continuing...");
+          System.err.flush();
+        }
+      }
+
+      if (!exists(site.ssh_ecdsa_521)) {
+        System.err.print(" ecdsa 521...");
+        System.err.flush();
+        try {
+          new ProcessBuilder(
+                  "ssh-keygen",
+                  "-q" /* quiet */,
+                  "-t",
+                  "ecdsa",
+                  "-b",
+                  "521",
+                  "-P",
+                  emptyPassphraseArg,
+                  "-C",
+                  comment,
+                  "-f",
+                  site.ssh_ecdsa_521.toAbsolutePath().toString())
+              .redirectError(Redirect.INHERIT)
+              .redirectOutput(Redirect.INHERIT)
+              .start()
+              .waitFor();
+        } catch (Exception e) {
+          // continue since older hosts won't be able to generate ecdsa keys.
+          System.err.print(" Failed to generate ecdsa 521 key, continuing...");
           System.err.flush();
         }
       }

gerrit-server/src/main/java/com/google/gerrit/server/config/SitePaths.java

@@ -57,7 +57,9 @@ public final class SitePaths {
   public final Path ssh_key;
   public final Path ssh_rsa;
   public final Path ssh_dsa;
-  public final Path ssh_ecdsa;
+  public final Path ssh_ecdsa_256;
+  public final Path ssh_ecdsa_384;
+  public final Path ssh_ecdsa_521;
   public final Path ssh_ed25519;
   public final Path peer_keys;
 
@@ -100,7 +102,9 @@ public final class SitePaths {
     ssh_key = etc_dir.resolve("ssh_host_key");
     ssh_rsa = etc_dir.resolve("ssh_host_rsa_key");
     ssh_dsa = etc_dir.resolve("ssh_host_dsa_key");
-    ssh_ecdsa = etc_dir.resolve("ssh_host_ecdsa_key");
+    ssh_ecdsa_256 = etc_dir.resolve("ssh_host_ecdsa_key");
+    ssh_ecdsa_384 = etc_dir.resolve("ssh_host_ecdsa_384_key");
+    ssh_ecdsa_521 = etc_dir.resolve("ssh_host_ecdsa_521_key");
     ssh_ed25519 = etc_dir.resolve("ssh_host_ed25519_key");
     peer_keys = etc_dir.resolve("peer_keys");
 

gerrit-sshd/src/main/java/com/google/gerrit/sshd/HostKeyProvider.java

@@ -40,18 +40,26 @@ class HostKeyProvider implements Provider<KeyPairProvider> {
     Path objKey = site.ssh_key;
     Path rsaKey = site.ssh_rsa;
     Path dsaKey = site.ssh_dsa;
-    Path ecdsaKey = site.ssh_ecdsa;
+    Path ecdsaKey_256 = site.ssh_ecdsa_256;
+    Path ecdsaKey_384 = site.ssh_ecdsa_384;
+    Path ecdsaKey_521 = site.ssh_ecdsa_521;
     Path ed25519Key = site.ssh_ed25519;
 
-    final List<File> stdKeys = new ArrayList<>(4);
+    final List<File> stdKeys = new ArrayList<>(6);
     if (Files.exists(rsaKey)) {
       stdKeys.add(rsaKey.toAbsolutePath().toFile());
     }
     if (Files.exists(dsaKey)) {
       stdKeys.add(dsaKey.toAbsolutePath().toFile());
     }
-    if (Files.exists(ecdsaKey)) {
-      stdKeys.add(ecdsaKey.toAbsolutePath().toFile());
+    if (Files.exists(ecdsaKey_256)) {
+      stdKeys.add(ecdsaKey_256.toAbsolutePath().toFile());
+    }
+    if (Files.exists(ecdsaKey_384)) {
+      stdKeys.add(ecdsaKey_384.toAbsolutePath().toFile());
+    }
+    if (Files.exists(ecdsaKey_521)) {
+      stdKeys.add(ecdsaKey_521.toAbsolutePath().toFile());
     }
     if (Files.exists(ed25519Key)) {
       stdKeys.add(ed25519Key.toAbsolutePath().toFile());