[
https://issues.jboss.org/browse/JBIDE-12016?page=com.atlassian.jira.plugi...
]
Andre Dietisheim edited comment on JBIDE-12016 at 9/13/12 8:25 AM:
-------------------------------------------------------------------
I tried reading private key files with the JDK but did not succeed. According to
http://stackoverflow.com/a/1580184/231357 and
http://security.stackexchange.com/a/9601
OpenSSH keys are in PKCS1 format which the JDK/JCE is not able to read (they use PKCS8 by
default). It looks like the only valid option for now is to use the BouncyCastle crypto
provider library which is able to read those keys on behalf of their PEMReader.
Mina SSHD is using BouncyCastle. JSch does not depend on BouncyCastle, it's able to
load OpenSSH private keys but it's not able to generate the public key for a given
private key. Afaik JSch does not parse all bits required to use JDK/JCE to create a public
key:
{code:title=bouncy castle parsing a DSA PEM (the DER of a PEM in this snippet), it would extract q,p,g,x,y in PEMReader#readKeyPair http://grepcode.com/file/repository.jboss.org/maven2/bouncycastle/bcprov-...}
// DSA branch of PEMReader#readKeyPair: seq is the DER SEQUENCE decoded from the
// PEM body, laid out as { version, p, q, g, y, x }
if (type.equals("DSA")) {   // enclosing branch, restored here for context
    DERInteger p = (DERInteger)seq.getObjectAt(1);
    DERInteger q = (DERInteger)seq.getObjectAt(2);
    DERInteger g = (DERInteger)seq.getObjectAt(3);
    DERInteger y = (DERInteger)seq.getObjectAt(4);   // public value
    DERInteger x = (DERInteger)seq.getObjectAt(5);   // private value

    privSpec = new DSAPrivateKeySpec(
        x.getValue(), p.getValue(),
        q.getValue(), g.getValue());
    pubSpec = new DSAPublicKeySpec(
        y.getValue(), p.getValue(),
        q.getValue(), g.getValue());
}

// both specs are turned into keys by the plain JCE KeyFactory of the configured provider
KeyFactory fact = KeyFactory.getInstance(type, provider);
return new KeyPair(
    fact.generatePublic(pubSpec),
    fact.generatePrivate(privSpec));
{code}
{code:title=JSch only parses q, p and g in KeyPairDSA#parse http://grepcode.com/file/repo1.maven.org/maven2/com.jcraft/jsch/0.1.31/co...}
// plain holds the decoded DER; at this point index sits just past the length of the p INTEGER.
// Each INTEGER is: tag 0x02, length (one byte below 0x80, otherwise 0x80|n followed by
// n big-endian length bytes), then the value bytes.
P_array=new byte[length];
System.arraycopy(plain, index, P_array, 0, length);
index+=length;

index++;                                  // skip the INTEGER tag of q
length=plain[index++]&0xff;
if((length&0x80)!=0){                     // long-form length
    int foo=length&0x7f; length=0;        // foo = number of length bytes
    while(foo-->0){ length=(length<<8)+(plain[index++]&0xff); }
}
Q_array=new byte[length];
System.arraycopy(plain, index, Q_array, 0, length);
index+=length;

index++;                                  // skip the INTEGER tag of g
length=plain[index++]&0xff;
if((length&0x80)!=0){                     // long-form length
    int foo=length&0x7f; length=0;
    while(foo-->0){ length=(length<<8)+(plain[index++]&0xff); }
}
G_array=new byte[length];
System.arraycopy(plain, index, G_array, 0, length);
index+=length;
{code}
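An added example (not from this comment, BouncyCastle or JSch): the same traditional DSA private-key DER layout written and parsed in Python, using the short/long-form length rule that the JSch loop above implements, and the public value recomputed as y = g^x mod p from the parsed private half, which is what the JDK would need to build a DSAPublicKeySpec. The parameter values are constructed for the round trip and are not valid DSA domain parameters; the function names are mine.

```python
import base64

# Constructed toy values (NOT valid DSA parameters); p is 1024 bits so its DER length is long-form.
P = (1 << 1023) | 12345
Q, G, X = 11, 4, 3
Y = pow(G, X, P)            # the public value that a full parser reads from the file

def der_len(n):
    """DER length: a single byte below 128, else 0x80|nbytes followed by big-endian bytes."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return body if n < 128 else bytes([0x80 | len(body)]) + body

def der_int(v):
    """DER INTEGER: minimal two's complement, hence a leading 0x00 when the top bit is set."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len(len(body)) + body

def dsa_private_key_pem(p, q, g, y, x):
    """Traditional OpenSSL/OpenSSH DSA private key: SEQUENCE { version 0, p, q, g, y, x }."""
    inner = b"".join(der_int(v) for v in (0, p, q, g, y, x))
    b64 = base64.b64encode(b"\x30" + der_len(len(inner)) + inner).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DSA PRIVATE KEY-----\n%s\n-----END DSA PRIVATE KEY-----\n" % "\n".join(lines)

def read_tlv(buf, i):
    """Read one tag/length/value at buf[i]; same length rule as the JSch foo/length loop."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:           # long form: low 7 bits give the number of length bytes
        nbytes, length = length & 0x7F, 0
        for _ in range(nbytes):
            length, i = (length << 8) | buf[i], i + 1
    return tag, buf[i:i + length], i + length

def parse_dsa_private_key(pem):
    """Return the six INTEGERs of a traditional DSA private key as a dict."""
    der = base64.b64decode("".join(ln for ln in pem.splitlines() if not ln.startswith("-----")))
    tag, seq, _ = read_tlv(der, 0)
    vals, i = [], 0
    while i < len(seq):
        itag, v, i = read_tlv(seq, i)
        if itag != 0x02:
            raise ValueError("expected INTEGER")
        vals.append(int.from_bytes(v, "big"))
    if tag != 0x30 or len(vals) != 6 or vals[0] != 0:
        raise ValueError("not a version-0 DSA private key SEQUENCE")
    return dict(zip(("version", "p", "q", "g", "y", "x"), vals))

def public_from_private(key):
    """y is derivable from the private half alone: y = g^x mod p."""
    return pow(key["g"], key["x"], key["p"])
```

A parser that stops after g (as the comment says of JSch) still has everything needed for the public key, since x and p, q, g determine y.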
OpenShift Wizard should warn if domain exists but there's no ssh key on local machine (domain was created in web ui)
--------------------------------------------------------------------------------------------------------------------
Key: JBIDE-12016
URL: https://issues.jboss.org/browse/JBIDE-12016
Project: Tools (JBoss Tools)
Issue Type: Enhancement
Components: openshift
Affects Versions: 3.3.0.Beta3
Reporter: Burr Sutter
Assignee: Andre Dietisheim
Fix For: 4.0.0.Alpha2
Attachments: cloning-settings.png, Screen Shot 2012-05-25 at 10.57.18 AM.png
If the end-user's .ssh directory is empty - we should provide a stronger warning for
them - ideally provide a URL to some documentation/video explaining how the user can use
Eclipse/JBoss Tools to create their private/public keys - so they can then upload the .pub
to OpenShift.
At least 10 users failed this test today and had to be "handheld" through the
process.
What is worse, if the end-user uploads a slightly butchered pub key - the create
application phase still works but the git clone fails - with a relatively poor error
message - recovery normally means having to go up to the OpenShift console, deleting the
poorly created apps - getting the pub key uploaded correctly (deleting the previous one)
and starting again.
The fact that Eclipse could create the keys was actually unknown to the instructors
of today's class. SSH is still a nightmare for the newbie trying to use OpenShift +
JBDS.
How to reproduce:
1. ASSERT: make sure you have an OpenShift user without a domain (create a new user or
kill your user's domain)
2. EXEC: launch *OpenShift Application* wizard and create a new application
Result:
Cloning fails, since there are no ssh-keys on the local machine and no keys were added to
OpenShift. The wizard did not tell the user since the domain already existed. The domain
creation dialog is currently the only place that would allow a user to create a new
ssh-key. If you already have a domain, you'll never get asked to create your keys.