Alon Bar-Lev has uploaded a new change for review. Change subject: pki: ssh fingerprint using various algorithms ......................................................................
pki: ssh fingerprint using various algorithms
Change-Id: I3570f622054b83c66431609e01917f27ef5957a4
Signed-off-by: Alon Bar-Lev <alo...@redhat.com>
---
M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/utils/EngineSSHClient.java
M backend/manager/modules/uutils/src/main/java/org/ovirt/engine/core/uutils/ssh/OpenSSHUtils.java
M backend/manager/modules/uutils/src/test/java/org/ovirt/engine/core/uutils/ssh/OpenSSHUtilsTest.java
3 files changed, 76 insertions(+), 73 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/83/41283/4
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/utils/EngineSSHClient.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/utils/EngineSSHClient.java
index 0e1b20d..ba40325 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/utils/EngineSSHClient.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/utils/EngineSSHClient.java
@@ -87,7 +87,7 @@
 * @return fingerprint.
 */
 public String getHostFingerprint() throws IOException {
- String fingerprint = OpenSSHUtils.getKeyFingerprintString(getHostKey());
+ String fingerprint = OpenSSHUtils.getKeyFingerprint(getHostKey(), "MD5");
 if (fingerprint == null) {
 throw new IOException("Unable to parse host key");
diff --git a/backend/manager/modules/uutils/src/main/java/org/ovirt/engine/core/uutils/ssh/OpenSSHUtils.java b/backend/manager/modules/uutils/src/main/java/org/ovirt/engine/core/uutils/ssh/OpenSSHUtils.java
index 8b5a532..b44250f 100644
--- a/backend/manager/modules/uutils/src/main/java/org/ovirt/engine/core/uutils/ssh/OpenSSHUtils.java
+++ b/backend/manager/modules/uutils/src/main/java/org/ovirt/engine/core/uutils/ssh/OpenSSHUtils.java
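Review bot: The `if (fingerprint == null)` guard kept after the changed line in getHostFingerprint appears to have no remaining path to fire: the new `OpenSSHUtils.getKeyFingerprint` in this change either returns a string or throws an unchecked `RuntimeException` from its `GeneralSecurityException` catch, and a null or unserialisable host key would surface from `md.update(getKeyBytes(key))` as a `NullPointerException` rather than as a null return, so the `IOException("Unable to parse host key")` branch looks dead and callers that handle `IOException` now get an unchecked exception instead. Either keep the null return in `getKeyFingerprint` or translate here: `try { fingerprint = OpenSSHUtils.getKeyFingerprint(getHostKey(), "MD5"); } catch (RuntimeException e) { throw new IOException("Unable to parse host key", e); }`. The `"MD5"` literal also pins the host fingerprint to the legacy colon-hex form; a named constant such as `HOST_FINGERPRINT_DIGEST` with a comment stating which stored or displayed host-key value it has to agree with would make a later move to the `SHA256:` form a one-line change. getHostFingerprint's body continues outside the hunk.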
@@ -6,13 +6,14 @@
 import java.io.DataOutputStream;
 import java.io.IOException;
 import java.nio.charset.Charset;
+import java.security.GeneralSecurityException;
+import java.security.MessageDigest;
 import java.security.PublicKey;
 import java.security.interfaces.RSAPublicKey;
 import java.util.Arrays;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.codec.binary.Hex;
-import org.apache.commons.codec.digest.DigestUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -134,66 +135,37 @@
 return keyString;
 }
- /**
- * Generate the fingerprint of a public key as used by SSH.
- *
- * @param the public key
- * @return an array of bytes containing the fingerprint of the key
- */
- public static final byte[] getKeyFingerprintBytes(final PublicKey key) {
- if (key == null) {
- log.error("Public key is null, failed to retrieve fingerprint.");
- return null;
- }
+ public static final String getKeyFingerprint(final PublicKey key, String digest) {
+ try {
+ MessageDigest md = MessageDigest.getInstance("SHA1");
+ md.update(getKeyBytes(key));
- // Get the serialized version of the key:
- final byte[] keyBytes = getKeyBytes(key);
- if (keyBytes == null) {
- log.error("Can't get key bytes, will return null.");
- return null;
- }
-
- // The fingerprint is a MD5 digest of the key bytes:
- final byte[] fingerprintBytes = DigestUtils.md5(keyBytes);
- if (log.isDebugEnabled()) {
- log.debug("Fingerprint bytes are {}.", Hex.encodeHexString(fingerprintBytes));
- }
-
- return fingerprintBytes;
- }
-
- /**
- * Generate the fingerprint of a public key as used by SSH.
- *
- * @param the public key
- * @return a string containing the fingerprint of the key
- */
- public static final String getKeyFingerprintString(final PublicKey key) {
- // Get the key bytes:
- final byte[] fingerprintBytes = getKeyFingerprintBytes(key);
- if (fingerprintBytes == null) {
- log.error("Can't get key bytes, will return null.");
- return null;
- }
-
- // Generate the string representation as two hex characters per byte
- // separated by colons:
- final StringBuilder buffer = new StringBuilder(fingerprintBytes.length * 3 -1);
- boolean first = true;
- for (byte b : fingerprintBytes) {
- if (!first) {
- buffer.append(':');
+ String fingerprint;
+ if ("MD5".equals(digest)) {
+ StringBuilder s = new StringBuilder();
+ for (byte b : md.digest()) {
+ if (s.length() > 0) {
+ s.append(':');
+ }
+ s.append(String.format("%02x", b));
+ }
+ fingerprint = s.toString();
+ } else {
+ fingerprint = String.format(
+ "%s:%s",
+ digest.toUpperCase().replace("-", ""),
+ new Base64(0).encodeToString(md.digest())
+ );
 }
- final String s = String.format("%02x", b);
- buffer.append(s);
- first = false;
- }
- final String fingerprintString = buffer.toString();
- if (log.isDebugEnabled()) {
- log.debug("Fingerprint string is '{}'.", fingerprintString);
- }
- return fingerprintString;
+ if (log.isDebugEnabled()) {
+ log.debug("Fingerprint: {}", fingerprint);
+ }
+
+ return fingerprint;
+ } catch (GeneralSecurityException e) {
+ throw new RuntimeException(e);
+ }
 }
 private static boolean verifyByteArray(DataInputStream dataInputStream, byte[] expected) throws IOException {
diff --git a/backend/manager/modules/uutils/src/test/java/org/ovirt/engine/core/uutils/ssh/OpenSSHUtilsTest.java b/backend/manager/modules/uutils/src/test/java/org/ovirt/engine/core/uutils/ssh/OpenSSHUtilsTest.java
index a648678..eb72f2f 100644
--- a/backend/manager/modules/uutils/src/test/java/org/ovirt/engine/core/uutils/ssh/OpenSSHUtilsTest.java
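Review bot: `MessageDigest.getInstance("SHA1")` at the top of the new `getKeyFingerprint` ignores the `digest` argument, so the `"MD5"` branch emits a 20-byte SHA-1 in colon-hex and the other branch labels a SHA-1 digest with whatever name was passed (`SHA256:` for the test's `"SHA-256"`); it should read `MessageDigest md = MessageDigest.getInstance(digest);`, and the MD5 expectations in OpenSSHUtilsTest are then the check that nothing else changed. The `NAME:base64` form that the `SHA256:` prefix and the new test values follow carries no `=` padding, while commons-codec `Base64.encodeToString` is, as far as I know, padded output, so the else branch likely also needs `.replaceAll("=+$", "")` (or an unpadded encoder) before those values can match. The catch of `GeneralSecurityException` rewrapped in a bare `RuntimeException` turns an unsupported or misspelled algorithm name into an opaque failure; `NoSuchAlgorithmException` is the only checked type this body can raise, and `throw new IllegalArgumentException("unsupported digest: " + digest, e);` would name the cause. The removed null checks on `key` and on the result of `getKeyBytes` are not replaced, so those cases now surface as a `NullPointerException` from `md.update` instead of the null return the old callers test for, and the removed Javadoc was not carried over: a `/** ... */` should state that `digest` is a JCA algorithm name, that `"MD5"` yields the legacy colon-hex form and any other name the `NAME:base64` form, and what is thrown for an unknown name.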
+++ b/backend/manager/modules/uutils/src/test/java/org/ovirt/engine/core/uutils/ssh/OpenSSHUtilsTest.java
@@ -18,16 +18,17 @@
 return factory.generatePublic(spec);
 }
- private static void testFingerprintString(final String keyEncoding, final String goodFingerprintString) throws Exception {
+ private static void testFingerprintString(final String keyEncoding, final String goodFingerprintString, String algo) throws Exception {
 final PublicKey key = decodeKey(keyEncoding);
- final String fingerprintString = OpenSSHUtils.getKeyFingerprintString(key);
+ final String fingerprintString = OpenSSHUtils.getKeyFingerprint(key, algo);
 assertEquals(goodFingerprintString, fingerprintString);
 }
 @Test
 public void testFingerprintStrings() throws Exception {
 for (String[] key : KEYS) {
- testFingerprintString(key[0], key[1]);
+ testFingerprintString(key[0], key[1], "MD5");
+ testFingerprintString(key[0], key[2], "SHA-256");
 }
 }
@@ -40,7 +41,7 @@
 @Test
 public void testKeyStrings() throws Exception {
 for (String[] key : KEYS) {
- testKeyString(key[0], key[2]);
+ testKeyString(key[0], key[3]);
 }
 }
@@ -87,8 +88,11 @@
 "2Mx+DapWIHxEhDR2fBAlQgxB9/+XyNzSxWwrrNFox7tlvNmCEqN5HxdBR5fxqw4O" +
 "ODNh3JfzLcVNzqDsqwIDAQAB",
- // Fingerprint:
+ // Fingerprint MD5
 "16:e1:9e:89:1e:ed:cc:3d:d8:af:d1:83:6e:b0:da:ae",
+
+ // Fingerprint SHA256
+ "SHA256:I4ud9yJLWcxsanCu0bXL6SxjTxj9/wbPi4JqtR1ophw",
 // SSH:
 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCa3+YrPFsT7orhMQx0VIs+xqj/zcVBN6zLv2lzIZIW/sDQ+sKmZKIT4wWj0GIW8ShD2dW3QNS/18GSq/MXeaih9kUJ2Mx+DapWIHxEhDR2fBAlQgxB9/+XyNzSxWwrrNFox7tlvNmCEqN5HxdBR5fxqw4OODNh3JfzLcVNzqDsqw==\n",
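Review bot: The `@@ -18` and `@@ -40` hunks address each `KEYS` row by position (`key[1]`, `key[2]`, `key[3]`) while the meaning of each column lives only in comments inside the array, which is exactly why inserting the SHA-256 column forced the `key[2]` → `key[3]` edit in `testKeyStrings`; named index constants such as `private static final int MD5_COL = 1, SHA256_COL = 2, SSH_COL = 3;` or a small holder class would keep the next column addition from silently moving a test onto the wrong expected value. `algo` is also the only non-`final` parameter in the new `testFingerprintString` signature, inconsistent with the surrounding style; `final String algo` would match. The enclosing test class continues outside the hunks.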
@@ -100,8 +104,11 @@ "qjbpQUjSwiDrXTLUiU4MJcDAFsFWabbj3cZksVSTuqxR6ljdXMLJd8lrJXz1mLi1" + "gYKAEfF6MbwzZwcwhwIDAQAB", - // Fingerprint: + // Fingerprint MD5 "a2:55:07:d3:b6:69:7c:ca:8f:33:e7:22:f2:12:48:d9", + + // Fingerprint SHA256 + "SHA256:5xWt5k1RhhX+EHqhzLxlqEW50QxiBIN2ng78SFbf2Rk", // SSH: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCP5HriASnFNB0PqE9M/QLMR2kBbcD7v/4yVsvosyIHw4cpRdfWTsqZAYgMHnwSsvDWTPhx6XCmyx/41pjR4H0bLINhqjbpQUjSwiDrXTLUiU4MJcDAFsFWabbj3cZksVSTuqxR6ljdXMLJd8lrJXz1mLi1gYKAEfF6MbwzZwcwhw==\n", @@ -113,8 +120,11 @@ "B5JOzCzO79d3W5glGavSiUqaqOXBLfCFNcNhmJvKVhFAXyJ4JM3v2e8Dg/PtBT73" + "5+YCSkrnZOSr+if8GwIDAQAB", - // Fingerprint: + // Fingerprint MD5 "0e:82:e9:96:e7:b1:35:2b:c0:14:49:09:1c:8d:80:ee", + + // Fingerprint SHA256 + "SHA256:KLeBSl0NAL6T1Z8EEqsvpW1c3y9mtVGmogUNxIuL9is", // SSH: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC5AkL8nfbs0ANq1MGQL9WYISuQ8NtYMZ7MiH/7af0Mvy5K1nDUysqZt0BFP2Yd9/bScyxdgSp7jux//i2UVINrVFCnB5JOzCzO79d3W5glGavSiUqaqOXBLfCFNcNhmJvKVhFAXyJ4JM3v2e8Dg/PtBT735+YCSkrnZOSr+if8Gw==\n", @@ -126,8 +136,11 @@ "Pv1i4Iln5gqJFbaT9/48Zli3AraKbVWBJQeDKQL0EywU0sXz2upN0OMwyehQAZsa" + "9KWvwt2LV2c8cbMprwIDAQAB", - // Fingerprint: + // Fingerprint MD5 "b0:d1:fc:40:95:39:25:20:c4:3f:7b:b8:6f:18:4d:ae", + + // Fingerprint SHA256 + "SHA256:hDXnC4yi0dCY8uqtecpi7x3qPk4hwetfZigGpwoMrCo", // SSH: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCRYaSHFlFePROfmsj82O6KMCW3wMlF93ifYXA8T1b87AybzORNhR49uCi9jccEpEcRzOmC9lpHYt3iouGCtFfrBWgRPv1i4Iln5gqJFbaT9/48Zli3AraKbVWBJQeDKQL0EywU0sXz2upN0OMwyehQAZsa9KWvwt2LV2c8cbMprw==\n", 
@@ -139,8 +152,11 @@ "DXYWsZY1/UgL9QNl0PrrugWKzQfU1lB7T+TFJQNeYH4xUtORGdnfO+uMTK9h2yC/" + "uCMvqv3dLKR1SGRzEQIDAQAB", - // Fingerprint: + // Fingerprint MD5 "56:c1:e3:c5:bc:75:21:00:67:65:c2:06:39:82:bf:9f", + + // Fingerprint SHA256 + "SHA256:tO9ZbfmciAOQYdr/yk5+EGeEW51jBmMM/bDhc2Y47x8", // SSH: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDMJJqXjfcpxpb3VPUXvWl+4R2Kqf5piN3YNwIbBQiZobSnvoY7oMPVFBh0AW1DJa3VD0JOSRqcYn+zbo3/mEln7+/ZDXYWsZY1/UgL9QNl0PrrugWKzQfU1lB7T+TFJQNeYH4xUtORGdnfO+uMTK9h2yC/uCMvqv3dLKR1SGRzEQ==\n", @@ -152,8 +168,11 @@ "rNVUmaCRUcsqclJpVURFrLUbdIn4fGMVnxeFrI+cKW34A9JFu4cGbZ2s7eOQNBJT" + "LKktR9T/nxc8D9H+/wIDAQAB", - // Fingerprint: + // Fingerprint MD5 "55:d5:de:fc:17:d4:b1:06:22:73:67:f5:e0:08:bf:25", + + // Fingerprint SHA256 + "SHA256:GtqEmRC7wauTPZcuI14NeyIq/OBRIZfO8A5IoFyCWl8", // SSH: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDHlrWc38JjFHNvZ7gs6MOlvrFLF2K+U8CHkqV+7/WFCszZGeJPo9va9uIjdVD7RHYKOiOt2r6xulO/RRjxY4h8coU9rNVUmaCRUcsqclJpVURFrLUbdIn4fGMVnxeFrI+cKW34A9JFu4cGbZ2s7eOQNBJTLKktR9T/nxc8D9H+/w==\n", @@ -165,8 +184,11 @@ "VP7QfQ6OSV1c8alckmAA4aFjq84O3dRIM4Vj97FwiENuzcLsBSlPxU4WFhKNrLEL" + "NNuIVKPltQVnJUA0AwIDAQAB", - // Fingerprint: + // Fingerprint MD5 "23:90:4e:18:11:fc:44:f8:4a:3e:5b:f3:a7:3c:cb:14", + + // Fingerprint SHA256 + "SHA256:FmRM9fOZfn3yAkik/vE799kR0msftllHsxWh4WK+WDU", // SSH: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCYDKTQXJWxY5GNtQyz40osYjuiaqP5B+C0xN8lteW/zrQ9rwyZ+ijm15uY0vH4gggpn5oYkIbu/5mrk7cNan5Ygs5MVP7QfQ6OSV1c8alckmAA4aFjq84O3dRIM4Vj97FwiENuzcLsBSlPxU4WFhKNrLELNNuIVKPltQVnJUA0Aw==\n", 
@@ -178,8 +200,11 @@ "l5VwwKqOrlOVhi3lj6ljpWBI/viBMMJNOeG1K4x8ZO1x6L3h8UtmIU599VqjpaPg" + "wQNFlOweUqh4h0sRtwIDAQAB", - // Fingerprint: + // Fingerprint MD5 "61:a8:d6:8d:ca:27:86:50:ad:5f:de:1e:a6:17:c0:42", + + // Fingerprint SHA256 + "SHA256:N0jkalb2Z9nK/tjmYlfECOiTSOVP/OSRHmHmj1BOePk", // SSH: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCbfXqtv9/jI022H5t4T9qI3oBBaLFBSLx2J/MP4XQ32L5/arQIyiu25mPNwcnwo7h1teCVr722TS2m8Sg9TXWwnd13l5VwwKqOrlOVhi3lj6ljpWBI/viBMMJNOeG1K4x8ZO1x6L3h8UtmIU599VqjpaPgwQNFlOweUqh4h0sRtw==\n", @@ -191,8 +216,11 @@ "0/1UZP95KRlCLfa8Nnqi889NNpUhvHJnfBqzbyBbgDFDMZoi2NVEx9nUpZRr8e6D" + "1rA4kS4jQURTLODjrwIDAQAB", - // Fingerprint: + // Fingerprint MD5 "37:49:1d:28:20:98:1a:da:e7:29:b3:96:61:2b:f1:40", + + // Fingerprint SHA256 + "SHA256:OQfj4/W7qD5rfqy81+2gUiX+cPdlVGWupfxZ5Z6GGIM", // SSH: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDJmCyxIsgvYvhymxcqZF0eX3bL/IA26Ygr4hZ+Q4NidYXZZ3cYOJvgdj8zoJu/+I3jW2re0Kltj+BqHssWD1WIO2rX0/1UZP95KRlCLfa8Nnqi889NNpUhvHJnfBqzbyBbgDFDMZoi2NVEx9nUpZRr8e6D1rA4kS4jQURTLODjrw==\n", 
@@ -204,9 +232,12 @@ "C3giBDJotkkXO7uR3iAQAGZrARxRrOOhUNqVKIuslw/+YcvgsQl5TdgflvrdH2zQ" + "yVm2/0qLjdCN8lYahwIDAQAB", - // Fingerprint: + // Fingerprint MD5 "6d:cd:bc:99:c0:83:ca:b1:8e:58:10:c3:b8:4d:56:ee", + // Fingerprint SHA256 + "SHA256:pbpMFSx/C7wm34+zg3ky8ALQytzn1QzDOYE1ohHWGWw", + // SSH: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC3Cz4oruqQv9fz+NOZnhvGugWvPpuwh44aGVdYm0iXJZCq76bgw0ajDF6XhVs5xYagWEO31vVKVu7lTMIv7OcoAw3VC3giBDJotkkXO7uR3iAQAGZrARxRrOOhUNqVKIuslw/+YcvgsQl5TdgflvrdH2zQyVm2/0qLjdCN8lYahw==\n", }, -- To view, visit https://gerrit.ovirt.org/41283 To unsubscribe, visit https://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I3570f622054b83c66431609e01917f27ef5957a4 Gerrit-PatchSet: 4 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Alon Bar-Lev <alo...@redhat.com> Gerrit-Reviewer: Francesco Romani <from...@redhat.com> Gerrit-Reviewer: Jenkins CI Gerrit-Reviewer: automat...@ovirt.org _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches