opendev/gerrit
Code Issues Proposed changes

Get rid of calls to SecurityUtils.isBouncyCastleRegistered()

Browse Source 
Since we now ship BouncyCastle in the .war file, this will always
return true.  Remove the code that is now redundant.

Change-Id: I35d6191b6f5e4cea40a022236cbc848eb01d7ba1
This commit is contained in:
David Pursehouse
2017-05-08 19:44:57 +09:00
parent b139a0c9d4
commit 7b38f47e56
3 changed files with 90 additions and 151 deletions
Download Patch File Download Diff File Expand all files Collapse all files

222
gerrit-pgm/src/main/java/com/google/gerrit/pgm/init/InitSshd.java
View File

@@ -14,8 +14,6 @@
package com.google.gerrit.pgm.init; package com.google.gerrit.pgm.init;
import static com.google.gerrit.common.FileUtil.chmod;
import static com.google.gerrit.pgm.init.api.InitUtil.die;
import static com.google.gerrit.pgm.init.api.InitUtil.hostname; import static com.google.gerrit.pgm.init.api.InitUtil.hostname;
import static java.nio.file.Files.exists; import static java.nio.file.Files.exists;
@@ -30,10 +28,6 @@ import com.google.inject.Singleton;
import java.io.IOException; import java.io.IOException;
import java.lang.ProcessBuilder.Redirect; import java.lang.ProcessBuilder.Redirect;
import java.net.InetSocketAddress; import java.net.InetSocketAddress;
import java.nio.file.Files;
import java.nio.file.Path;
import org.apache.sshd.common.util.security.SecurityUtils;
import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;
/** Initialize the {@code sshd} configuration section. */ /** Initialize the {@code sshd} configuration section. */
@Singleton @Singleton
@@ -92,139 +86,101 @@ class InitSshd implements InitStep {
System.err.print("Generating SSH host key ..."); System.err.print("Generating SSH host key ...");
System.err.flush(); System.err.flush();
if (SecurityUtils.isBouncyCastleRegistered()) { // Generate the SSH daemon host key using ssh-keygen.
// Generate the SSH daemon host key using ssh-keygen. //
// final String comment = "gerrit-code-review@" + hostname();
final String comment = "gerrit-code-review@" + hostname();
// Workaround for JDK-6518827 - zero-length argument ignored on Win32 // Workaround for JDK-6518827 - zero-length argument ignored on Win32
String emptyPassphraseArg = HostPlatform.isWin32() ? "\"\"" : ""; String emptyPassphraseArg = HostPlatform.isWin32() ? "\"\"" : "";
if (!exists(site.ssh_rsa)) { if (!exists(site.ssh_rsa)) {
System.err.print(" rsa..."); System.err.print(" rsa...");
System.err.flush();
new ProcessBuilder(
"ssh-keygen",
"-q" /* quiet */,
"-t",
"rsa",
"-P",
emptyPassphraseArg,
"-C",
comment,
"-f",
site.ssh_rsa.toAbsolutePath().toString())
.redirectError(Redirect.INHERIT)
.redirectOutput(Redirect.INHERIT)
.start()
.waitFor();
}
if (!exists(site.ssh_dsa)) {
System.err.print(" dsa...");
System.err.flush();
new ProcessBuilder(
"ssh-keygen",
"-q" /* quiet */,
"-t",
"dsa",
"-P",
emptyPassphraseArg,
"-C",
comment,
"-f",
site.ssh_dsa.toAbsolutePath().toString())
.redirectError(Redirect.INHERIT)
.redirectOutput(Redirect.INHERIT)
.start()
.waitFor();
}
if (!exists(site.ssh_ed25519)) {
System.err.print(" ed25519...");
System.err.flush();
try {
new ProcessBuilder(
"ssh-keygen",
"-q" /* quiet */,
"-t",
"ed25519",
"-P",
emptyPassphraseArg,
"-C",
comment,
"-f",
site.ssh_ed25519.toAbsolutePath().toString())
.redirectError(Redirect.INHERIT)
.redirectOutput(Redirect.INHERIT)
.start()
.waitFor();
} catch (Exception e) {
// continue since older hosts won't be able to generate ed25519 keys.
System.err.print(" Failed to generate ed25519 key, continuing...");
System.err.flush();
}
}
if (!exists(site.ssh_ecdsa)) {
System.err.print(" ecdsa...");
System.err.flush();
try {
new ProcessBuilder(
"ssh-keygen",
"-q" /* quiet */,
"-t",
"ecdsa",
"-P",
emptyPassphraseArg,
"-C",
comment,
"-f",
site.ssh_ecdsa.toAbsolutePath().toString())
.redirectError(Redirect.INHERIT)
.redirectOutput(Redirect.INHERIT)
.start()
.waitFor();
} catch (Exception e) {
// continue since older hosts won't be able to generate ecdsa keys.
System.err.print(" Failed to generate ecdsa key, continuing...");
System.err.flush();
}
}
} else {
// Generate the SSH daemon host key ourselves. This is complex
// because SimpleGeneratorHostKeyProvider doesn't mark the data
// file as only readable by us, exposing the private key for a
// short period of time. We try to reduce that risk by creating
// the key within a temporary directory.
//
Path tmpdir = site.etc_dir.resolve("tmp.sshkeygen");
try {
Files.createDirectory(tmpdir);
} catch (IOException e) {
throw die("Cannot create directory " + tmpdir, e);
}
chmod(0600, tmpdir);
Path tmpkey = tmpdir.resolve(site.ssh_key.getFileName().toString());
SimpleGeneratorHostKeyProvider p;
System.err.print(" rsa(simple)...");
System.err.flush(); System.err.flush();
p = new SimpleGeneratorHostKeyProvider(); new ProcessBuilder(
p.setPath(tmpkey.toAbsolutePath()); "ssh-keygen",
p.setAlgorithm("RSA"); "-q" /* quiet */,
p.loadKeys(); // forces the key to generate. "-t",
chmod(0600, tmpkey); "rsa",
"-P",
emptyPassphraseArg,
"-C",
comment,
"-f",
site.ssh_rsa.toAbsolutePath().toString())
.redirectError(Redirect.INHERIT)
.redirectOutput(Redirect.INHERIT)
.start()
.waitFor();
}
if (!exists(site.ssh_dsa)) {
System.err.print(" dsa...");
System.err.flush();
new ProcessBuilder(
"ssh-keygen",
"-q" /* quiet */,
"-t",
"dsa",
"-P",
emptyPassphraseArg,
"-C",
comment,
"-f",
site.ssh_dsa.toAbsolutePath().toString())
.redirectError(Redirect.INHERIT)
.redirectOutput(Redirect.INHERIT)
.start()
.waitFor();
}
if (!exists(site.ssh_ed25519)) {
System.err.print(" ed25519...");
System.err.flush();
try { try {
Files.move(tmpkey, site.ssh_key); new ProcessBuilder(
} catch (IOException e) { "ssh-keygen",
throw die("Cannot rename " + tmpkey + " to " + site.ssh_key, e); "-q" /* quiet */,
"-t",
"ed25519",
"-P",
emptyPassphraseArg,
"-C",
comment,
"-f",
site.ssh_ed25519.toAbsolutePath().toString())
.redirectError(Redirect.INHERIT)
.redirectOutput(Redirect.INHERIT)
.start()
.waitFor();
} catch (Exception e) {
// continue since older hosts won't be able to generate ed25519 keys.
System.err.print(" Failed to generate ed25519 key, continuing...");
System.err.flush();
} }
}
if (!exists(site.ssh_ecdsa)) {
System.err.print(" ecdsa...");
System.err.flush();
try { try {
Files.delete(tmpdir); new ProcessBuilder(
} catch (IOException e) { "ssh-keygen",
throw die("Cannot delete " + tmpdir, e); "-q" /* quiet */,
"-t",
"ecdsa",
"-P",
emptyPassphraseArg,
"-C",
comment,
"-f",
site.ssh_ecdsa.toAbsolutePath().toString())
.redirectError(Redirect.INHERIT)
.redirectOutput(Redirect.INHERIT)
.start()
.waitFor();
} catch (Exception e) {
// continue since older hosts won't be able to generate ecdsa keys.
System.err.print(" Failed to generate ecdsa key, continuing...");
System.err.flush();
} }
} }
System.err.println(" done"); System.err.println(" done");

8
gerrit-sshd/src/main/java/com/google/gerrit/sshd/HostKeyProvider.java
View File

@@ -25,7 +25,6 @@ import java.util.ArrayList;
import java.util.List; import java.util.List;
import org.apache.sshd.common.keyprovider.FileKeyPairProvider; import org.apache.sshd.common.keyprovider.FileKeyPairProvider;
import org.apache.sshd.common.keyprovider.KeyPairProvider; import org.apache.sshd.common.keyprovider.KeyPairProvider;
import org.apache.sshd.common.util.security.SecurityUtils;
import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider; import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;
class HostKeyProvider implements Provider<KeyPairProvider> { class HostKeyProvider implements Provider<KeyPairProvider> {
@@ -73,13 +72,6 @@ class HostKeyProvider implements Provider<KeyPairProvider> {
if (stdKeys.isEmpty()) { if (stdKeys.isEmpty()) {
throw new ProvisionException("No SSH keys under " + site.etc_dir); throw new ProvisionException("No SSH keys under " + site.etc_dir);
} }
if (!SecurityUtils.isBouncyCastleRegistered()) {
throw new ProvisionException(
"Bouncy Castle Crypto not installed;"
+ " needed to read server host keys: "
+ stdKeys
+ "");
}
FileKeyPairProvider kp = new FileKeyPairProvider(); FileKeyPairProvider kp = new FileKeyPairProvider();
kp.setFiles(stdKeys); kp.setFiles(stdKeys);
return kp; return kp;

11
gerrit-sshd/src/main/java/com/google/gerrit/sshd/SshDaemon.java
View File

@@ -84,7 +84,6 @@ import org.apache.sshd.common.io.nio2.Nio2ServiceFactoryFactory;
import org.apache.sshd.common.kex.KeyExchange; import org.apache.sshd.common.kex.KeyExchange;
import org.apache.sshd.common.keyprovider.KeyPairProvider; import org.apache.sshd.common.keyprovider.KeyPairProvider;
import org.apache.sshd.common.mac.Mac; import org.apache.sshd.common.mac.Mac;
import org.apache.sshd.common.random.JceRandomFactory;
import org.apache.sshd.common.random.Random; import org.apache.sshd.common.random.Random;
import org.apache.sshd.common.random.SingletonRandomFactory; import org.apache.sshd.common.random.SingletonRandomFactory;
import org.apache.sshd.common.session.ConnectionService; import org.apache.sshd.common.session.ConnectionService;
@@ -217,11 +216,7 @@ public class SshDaemon extends SshServer implements SshInfo, LifecycleListener {
? MinaServiceFactoryFactory.class.getName() ? MinaServiceFactoryFactory.class.getName()
: Nio2ServiceFactoryFactory.class.getName()); : Nio2ServiceFactoryFactory.class.getName());
if (SecurityUtils.isBouncyCastleRegistered()) { initProviderBouncyCastle(cfg);
initProviderBouncyCastle(cfg);
} else {
initProviderJce();
}
initCiphers(cfg); initCiphers(cfg);
initKeyExchanges(cfg); initKeyExchanges(cfg);
initMacs(cfg); initMacs(cfg);
@@ -526,10 +521,6 @@ public class SshDaemon extends SshServer implements SshInfo, LifecycleListener {
} }
} }
private void initProviderJce() {
setRandomFactory(new SingletonRandomFactory(JceRandomFactory.INSTANCE));
}
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
private void initCiphers(final Config cfg) { private void initCiphers(final Config cfg) {
final List<NamedFactory<Cipher>> a = BaseBuilder.setUpDefaultCiphers(true); final List<NamedFactory<Cipher>> a = BaseBuilder.setUpDefaultCiphers(true);