From 56517ff895564f410cafd4e840bb37ca5913f4fe Mon Sep 17 00:00:00 2001 From: Paladox none Date: Sun, 28 May 2017 17:47:50 +0000 Subject: [PATCH] Add support for 384 and 521 bit ECSDA keys Previously only the 256 bit key was generated. Change-Id: I37b97088537e1508076264c6eeacd0487b15ae3d --- .../com/google/gerrit/pgm/init/InitSshd.java | 70 +++++++++++++++++-- .../gerrit/server/config/SitePaths.java | 8 ++- .../google/gerrit/sshd/HostKeyProvider.java | 16 +++-- 3 files changed, 83 insertions(+), 11 deletions(-) diff --git a/gerrit-pgm/src/main/java/com/google/gerrit/pgm/init/InitSshd.java b/gerrit-pgm/src/main/java/com/google/gerrit/pgm/init/InitSshd.java index 361e4b643a..0cad722382 100644 --- a/gerrit-pgm/src/main/java/com/google/gerrit/pgm/init/InitSshd.java +++ b/gerrit-pgm/src/main/java/com/google/gerrit/pgm/init/InitSshd.java @@ -84,7 +84,9 @@ class InitSshd implements InitStep { && (!exists(site.ssh_rsa) || !exists(site.ssh_dsa) || !exists(site.ssh_ed25519) - || !exists(site.ssh_ecdsa))) { + || !exists(site.ssh_ecdsa_256) + || !exists(site.ssh_ecdsa_384) + || !exists(site.ssh_ecdsa_521))) { System.err.print("Generating SSH host key ..."); System.err.flush(); @@ -160,8 +162,8 @@ class InitSshd implements InitStep { } } - if (!exists(site.ssh_ecdsa)) { - System.err.print(" ecdsa..."); + if (!exists(site.ssh_ecdsa_256)) { + System.err.print(" ecdsa 256..."); System.err.flush(); try { new ProcessBuilder( 
@@ -169,19 +171,77 @@ class InitSshd implements InitStep { "-q" /* quiet */, "-t", "ecdsa", + "-b", + "256", "-P", emptyPassphraseArg, "-C", comment, "-f", - site.ssh_ecdsa.toAbsolutePath().toString()) + site.ssh_ecdsa_256.toAbsolutePath().toString()) .redirectError(Redirect.INHERIT) .redirectOutput(Redirect.INHERIT) .start() .waitFor(); } catch (Exception e) { // continue since older hosts won't be able to generate ecdsa keys. - System.err.print(" Failed to generate ecdsa key, continuing..."); + System.err.print(" Failed to generate ecdsa 256 key, continuing..."); + System.err.flush(); + } + } + + if (!exists(site.ssh_ecdsa_384)) { + System.err.print(" ecdsa 384..."); + System.err.flush(); + try { + new ProcessBuilder( + "ssh-keygen", + "-q" /* quiet */, + "-t", + "ecdsa", + "-b", + "384", + "-P", + emptyPassphraseArg, + "-C", + comment, + "-f", + site.ssh_ecdsa_384.toAbsolutePath().toString()) + .redirectError(Redirect.INHERIT) + .redirectOutput(Redirect.INHERIT) + .start() + .waitFor(); + } catch (Exception e) { + // continue since older hosts won't be able to generate ecdsa keys. + System.err.print(" Failed to generate ecdsa 384 key, continuing..."); + System.err.flush(); + } + } + + if (!exists(site.ssh_ecdsa_521)) { + System.err.print(" ecdsa 521..."); + System.err.flush(); + try { + new ProcessBuilder( + "ssh-keygen", + "-q" /* quiet */, + "-t", + "ecdsa", + "-b", + "521", + "-P", + emptyPassphraseArg, + "-C", + comment, + "-f", + site.ssh_ecdsa_521.toAbsolutePath().toString()) + .redirectError(Redirect.INHERIT) + .redirectOutput(Redirect.INHERIT) + .start() + .waitFor(); + } catch (Exception e) { + // continue since older hosts won't be able to generate ecdsa keys. + System.err.print(" Failed to generate ecdsa 521 key, continuing..."); System.err.flush(); } } diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/config/SitePaths.java b/gerrit-server/src/main/java/com/google/gerrit/server/config/SitePaths.java index 3673101a40..87f22e06eb 100644 
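Review bot: The two added blocks starting at `if (!exists(site.ssh_ecdsa_384))` and `if (!exists(site.ssh_ecdsa_521))` are copies of the 256-bit block with only the bit size and path changed, and each copy repeats two weaknesses of the original: the `int` returned by `.waitFor()` is discarded, so an ssh-keygen run that exits non-zero is reported as success, and `catch (Exception e)` also swallows `InterruptedException` without restoring the interrupt flag. A private helper taking the key path and bit size would collapse the three blocks into three one-line calls and give a single place to check the exit status and re-interrupt; `emptyPassphraseArg` and `comment` are declared outside the hunk and the enclosing method begins before it, so they are passed in explicitly below (the sketch assumes `java.nio.file.Path` is already imported, which the hunk does not show). The three call sites would read `generateEcdsaKey(site.ssh_ecdsa_256, "256", emptyPassphraseArg, comment);` and likewise for `"384"` and `"521"`.
```java
// … unchanged: rsa / dsa / ed25519 generation before this point …
generateEcdsaKey(site.ssh_ecdsa_256, "256", emptyPassphraseArg, comment);
generateEcdsaKey(site.ssh_ecdsa_384, "384", emptyPassphraseArg, comment);
generateEcdsaKey(site.ssh_ecdsa_521, "521", emptyPassphraseArg, comment);

/**
 * Runs ssh-keygen for one ECDSA host key; a no-op when {@code keyFile} already exists.
 * Failures are reported on stderr and otherwise ignored, since older hosts cannot
 * generate ecdsa keys.
 */
private void generateEcdsaKey(Path keyFile, String bits, String emptyPassphraseArg, String comment) {
  if (exists(keyFile)) {
    return;
  }
  System.err.print(" ecdsa " + bits + "...");
  System.err.flush();
  try {
    int rc =
        new ProcessBuilder(
                "ssh-keygen",
                "-q" /* quiet */,
                "-t",
                "ecdsa",
                "-b",
                bits,
                "-P",
                emptyPassphraseArg,
                "-C",
                comment,
                "-f",
                keyFile.toAbsolutePath().toString())
            .redirectError(Redirect.INHERIT)
            .redirectOutput(Redirect.INHERIT)
            .start()
            .waitFor();
    if (rc != 0) {
      // ssh-keygen's own diagnostic already went to stderr via Redirect.INHERIT.
      System.err.print(" Failed to generate ecdsa " + bits + " key (exit " + rc + "), continuing...");
      System.err.flush();
    }
  } catch (InterruptedException e) {
    Thread.currentThread().interrupt(); // keep the interrupt visible to the caller
    System.err.print(" Failed to generate ecdsa " + bits + " key, continuing...");
    System.err.flush();
  } catch (Exception e) {
    // continue since older hosts won't be able to generate ecdsa keys.
    System.err.print(" Failed to generate ecdsa " + bits + " key, continuing...");
    System.err.flush();
  }
}
```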
--- a/gerrit-server/src/main/java/com/google/gerrit/server/config/SitePaths.java +++ b/gerrit-server/src/main/java/com/google/gerrit/server/config/SitePaths.java @@ -57,7 +57,9 @@ public final class SitePaths { public final Path ssh_key; public final Path ssh_rsa; public final Path ssh_dsa; - public final Path ssh_ecdsa; + public final Path ssh_ecdsa_256; + public final Path ssh_ecdsa_384; + public final Path ssh_ecdsa_521; public final Path ssh_ed25519; public final Path peer_keys; @@ -100,7 +102,9 @@ public final class SitePaths { ssh_key = etc_dir.resolve("ssh_host_key"); ssh_rsa = etc_dir.resolve("ssh_host_rsa_key"); ssh_dsa = etc_dir.resolve("ssh_host_dsa_key"); - ssh_ecdsa = etc_dir.resolve("ssh_host_ecdsa_key"); + ssh_ecdsa_256 = etc_dir.resolve("ssh_host_ecdsa_key"); + ssh_ecdsa_384 = etc_dir.resolve("ssh_host_ecdsa_384_key"); + ssh_ecdsa_521 = etc_dir.resolve("ssh_host_ecdsa_521_key"); ssh_ed25519 = etc_dir.resolve("ssh_host_ed25519_key"); peer_keys = etc_dir.resolve("peer_keys"); diff --git a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/HostKeyProvider.java b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/HostKeyProvider.java index 87643574c4..20694b2315 100644 --- a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/HostKeyProvider.java +++ b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/HostKeyProvider.java 
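Review bot: Renaming the public field `ssh_ecdsa` to `ssh_ecdsa_256` in the `@@ -57` hunk is a source- and binary-incompatible change for any code outside this repository that reads `SitePaths.ssh_ecdsa`; whether such consumers exist is not visible here, but if they do, keeping `@Deprecated public final Path ssh_ecdsa;` assigned to the same path as `ssh_ecdsa_256` would let them migrate without breaking. The three new fields also have no Javadoc saying which curve size each refers to; a one-line `/** ECDSA host key, P-256 curve (legacy {@code ssh_host_ecdsa_key} file). */` on each would make the naming self-explanatory.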
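Review bot: In the `@@ -100` hunk the 256-bit key keeps the legacy file name `ssh_host_ecdsa_key` while the new keys embed the size (`ssh_host_ecdsa_384_key`, `ssh_host_ecdsa_521_key`), and nothing in the code says this asymmetry is intentional. A comment on that assignment, `// legacy name kept so existing sites keep serving their current 256-bit host key`, would stop a later cleanup from "normalising" it to `ssh_host_ecdsa_256_key`, which would make init generate a fresh key and change the host key presented to every existing client.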
@@ -40,18 +40,26 @@ class HostKeyProvider implements Provider { Path objKey = site.ssh_key; Path rsaKey = site.ssh_rsa; Path dsaKey = site.ssh_dsa; - Path ecdsaKey = site.ssh_ecdsa; + Path ecdsaKey_256 = site.ssh_ecdsa_256; + Path ecdsaKey_384 = site.ssh_ecdsa_384; + Path ecdsaKey_521 = site.ssh_ecdsa_521; Path ed25519Key = site.ssh_ed25519; - final List stdKeys = new ArrayList<>(4); + final List stdKeys = new ArrayList<>(6); if (Files.exists(rsaKey)) { stdKeys.add(rsaKey.toAbsolutePath().toFile()); } if (Files.exists(dsaKey)) { stdKeys.add(dsaKey.toAbsolutePath().toFile()); } - if (Files.exists(ecdsaKey)) { - stdKeys.add(ecdsaKey.toAbsolutePath().toFile()); + if (Files.exists(ecdsaKey_256)) { + stdKeys.add(ecdsaKey_256.toAbsolutePath().toFile()); + } + if (Files.exists(ecdsaKey_384)) { + stdKeys.add(ecdsaKey_384.toAbsolutePath().toFile()); + } + if (Files.exists(ecdsaKey_521)) { + stdKeys.add(ecdsaKey_521.toAbsolutePath().toFile()); } if (Files.exists(ed25519Key)) { stdKeys.add(ed25519Key.toAbsolutePath().toFile());
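Review bot: The six near-identical `if (Files.exists(...)) { stdKeys.add(...) }` blocks, three of them newly added for `ecdsaKey_256`, `ecdsaKey_384` and `ecdsaKey_521`, are a style point: one loop over the candidate paths keeps the same order and the same existence check and cannot drift when the next key type is added. The new local names also mix camelCase with underscores; `ecdsaKey256` etc. would follow the file's `ed25519Key` convention. The loop below needs `java.util.Arrays` in scope, which the hunk does not show; the list's element type appears as a bare `List` in this rendering and is written as `List<File>` here on the basis of the `.toFile()` calls, and the enclosing method continues past the hunk.
```java
// … unchanged: objKey / rsaKey / dsaKey / ecdsa / ed25519Key path assignments …
final List<File> stdKeys = new ArrayList<>(6);
// Same order as before: rsa, dsa, ecdsa 256/384/521, ed25519.
for (Path key :
    Arrays.asList(rsaKey, dsaKey, ecdsaKey_256, ecdsaKey_384, ecdsaKey_521, ed25519Key)) {
  if (Files.exists(key)) {
    stdKeys.add(key.toAbsolutePath().toFile());
  }
}
// … unchanged: rest of the method after the hunk …
```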