Add support for 384 and 521 bit ECDSA keys

Previously only the 256 bit key was generated.

Change-Id: I37b97088537e1508076264c6eeacd0487b15ae3d
Paladox none 2017-05-28 17:47:50 +00:00 committed by David Pursehouse
parent 797d4cc7ff
commit 56517ff895
3 changed files with 83 additions and 11 deletions


@ -84,7 +84,9 @@ class InitSshd implements InitStep {
&& (!exists(site.ssh_rsa) && (!exists(site.ssh_rsa)
|| !exists(site.ssh_dsa) || !exists(site.ssh_dsa)
|| !exists(site.ssh_ed25519) || !exists(site.ssh_ed25519)
|| !exists(site.ssh_ecdsa))) { || !exists(site.ssh_ecdsa_256)
|| !exists(site.ssh_ecdsa_384)
|| !exists(site.ssh_ecdsa_521))) {
System.err.print("Generating SSH host key ..."); System.err.print("Generating SSH host key ...");
System.err.flush(); System.err.flush();
@ -160,8 +162,8 @@ class InitSshd implements InitStep {
} }
} }
if (!exists(site.ssh_ecdsa)) { if (!exists(site.ssh_ecdsa_256)) {
System.err.print(" ecdsa..."); System.err.print(" ecdsa 256...");
System.err.flush(); System.err.flush();
try { try {
new ProcessBuilder( new ProcessBuilder(
@ -169,19 +171,77 @@ class InitSshd implements InitStep {
"-q" /* quiet */, "-q" /* quiet */,
"-t", "-t",
"ecdsa", "ecdsa",
"-b",
"256",
"-P", "-P",
emptyPassphraseArg, emptyPassphraseArg,
"-C", "-C",
comment, comment,
"-f", "-f",
site.ssh_ecdsa.toAbsolutePath().toString()) site.ssh_ecdsa_256.toAbsolutePath().toString())
.redirectError(Redirect.INHERIT) .redirectError(Redirect.INHERIT)
.redirectOutput(Redirect.INHERIT) .redirectOutput(Redirect.INHERIT)
.start() .start()
.waitFor(); .waitFor();
} catch (Exception e) { } catch (Exception e) {
// continue since older hosts won't be able to generate ecdsa keys. // continue since older hosts won't be able to generate ecdsa keys.
System.err.print(" Failed to generate ecdsa key, continuing..."); System.err.print(" Failed to generate ecdsa 256 key, continuing...");
System.err.flush();
}
}
if (!exists(site.ssh_ecdsa_384)) {
System.err.print(" ecdsa 384...");
System.err.flush();
try {
new ProcessBuilder(
"ssh-keygen",
"-q" /* quiet */,
"-t",
"ecdsa",
"-b",
"384",
"-P",
emptyPassphraseArg,
"-C",
comment,
"-f",
site.ssh_ecdsa_384.toAbsolutePath().toString())
.redirectError(Redirect.INHERIT)
.redirectOutput(Redirect.INHERIT)
.start()
.waitFor();
} catch (Exception e) {
// continue since older hosts won't be able to generate ecdsa keys.
System.err.print(" Failed to generate ecdsa 384 key, continuing...");
System.err.flush();
}
}
if (!exists(site.ssh_ecdsa_521)) {
System.err.print(" ecdsa 521...");
System.err.flush();
try {
new ProcessBuilder(
"ssh-keygen",
"-q" /* quiet */,
"-t",
"ecdsa",
"-b",
"521",
"-P",
emptyPassphraseArg,
"-C",
comment,
"-f",
site.ssh_ecdsa_521.toAbsolutePath().toString())
.redirectError(Redirect.INHERIT)
.redirectOutput(Redirect.INHERIT)
.start()
.waitFor();
} catch (Exception e) {
// continue since older hosts won't be able to generate ecdsa keys.
System.err.print(" Failed to generate ecdsa 521 key, continuing...");
System.err.flush(); System.err.flush();
} }
} }


@ -57,7 +57,9 @@ public final class SitePaths {
public final Path ssh_key; public final Path ssh_key;
public final Path ssh_rsa; public final Path ssh_rsa;
public final Path ssh_dsa; public final Path ssh_dsa;
public final Path ssh_ecdsa; public final Path ssh_ecdsa_256;
public final Path ssh_ecdsa_384;
public final Path ssh_ecdsa_521;
public final Path ssh_ed25519; public final Path ssh_ed25519;
public final Path peer_keys; public final Path peer_keys;
@ -100,7 +102,9 @@ public final class SitePaths {
ssh_key = etc_dir.resolve("ssh_host_key"); ssh_key = etc_dir.resolve("ssh_host_key");
ssh_rsa = etc_dir.resolve("ssh_host_rsa_key"); ssh_rsa = etc_dir.resolve("ssh_host_rsa_key");
ssh_dsa = etc_dir.resolve("ssh_host_dsa_key"); ssh_dsa = etc_dir.resolve("ssh_host_dsa_key");
ssh_ecdsa = etc_dir.resolve("ssh_host_ecdsa_key"); ssh_ecdsa_256 = etc_dir.resolve("ssh_host_ecdsa_key");
ssh_ecdsa_384 = etc_dir.resolve("ssh_host_ecdsa_384_key");
ssh_ecdsa_521 = etc_dir.resolve("ssh_host_ecdsa_521_key");
ssh_ed25519 = etc_dir.resolve("ssh_host_ed25519_key"); ssh_ed25519 = etc_dir.resolve("ssh_host_ed25519_key");
peer_keys = etc_dir.resolve("peer_keys"); peer_keys = etc_dir.resolve("peer_keys");
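Review bot: `ssh_ecdsa_256` resolves to the unsuffixed `ssh_host_ecdsa_key` while the new sizes get `ssh_host_ecdsa_384_key` and `ssh_host_ecdsa_521_key`, and nothing in the hunk says why. The asymmetry is presumably deliberate — ssh-keygen's default ECDSA size is 256, so the `ssh_host_ecdsa_key` files already deployed on existing sites are P-256 keys that must keep being found under their old name — but a later reader will be tempted to "fix" the naming to `ssh_host_ecdsa_256_key`, after which InitSshd would generate a fresh key at the new path and the host key clients have pinned would no longer be served. A comment on the assignment would prevent that: `// No size suffix: the pre-existing ECDSA host key file was always P-256; renaming it would break existing sites.` The field declaration in the first hunk of this file deserves the same one-line note.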


@ -40,18 +40,26 @@ class HostKeyProvider implements Provider<KeyPairProvider> {
Path objKey = site.ssh_key; Path objKey = site.ssh_key;
Path rsaKey = site.ssh_rsa; Path rsaKey = site.ssh_rsa;
Path dsaKey = site.ssh_dsa; Path dsaKey = site.ssh_dsa;
Path ecdsaKey = site.ssh_ecdsa; Path ecdsaKey_256 = site.ssh_ecdsa_256;
Path ecdsaKey_384 = site.ssh_ecdsa_384;
Path ecdsaKey_521 = site.ssh_ecdsa_521;
Path ed25519Key = site.ssh_ed25519; Path ed25519Key = site.ssh_ed25519;
final List<File> stdKeys = new ArrayList<>(4); final List<File> stdKeys = new ArrayList<>(6);
if (Files.exists(rsaKey)) { if (Files.exists(rsaKey)) {
stdKeys.add(rsaKey.toAbsolutePath().toFile()); stdKeys.add(rsaKey.toAbsolutePath().toFile());
} }
if (Files.exists(dsaKey)) { if (Files.exists(dsaKey)) {
stdKeys.add(dsaKey.toAbsolutePath().toFile()); stdKeys.add(dsaKey.toAbsolutePath().toFile());
} }
if (Files.exists(ecdsaKey)) { if (Files.exists(ecdsaKey_256)) {
stdKeys.add(ecdsaKey.toAbsolutePath().toFile()); stdKeys.add(ecdsaKey_256.toAbsolutePath().toFile());
}
if (Files.exists(ecdsaKey_384)) {
stdKeys.add(ecdsaKey_384.toAbsolutePath().toFile());
}
if (Files.exists(ecdsaKey_521)) {
stdKeys.add(ecdsaKey_521.toAbsolutePath().toFile());
} }
if (Files.exists(ed25519Key)) { if (Files.exists(ed25519Key)) {
stdKeys.add(ed25519Key.toAbsolutePath().toFile()); stdKeys.add(ed25519Key.toAbsolutePath().toFile());