You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@mina.apache.org by "Grzegorz Grzybek (Jira)" <ji...@apache.org> on 2021/03/17 12:47:00 UTC

[jira] [Comment Edited] (SSHD-1145) EdDSASecurityProviderRegistrar#isSupported() should check more classloaders

    [ https://issues.apache.org/jira/browse/SSHD-1145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17303376#comment-17303376 ] 

Grzegorz Grzybek edited comment on SSHD-1145 at 3/17/21, 12:46 PM:
-------------------------------------------------------------------

Yes, it should... But you'd have to put eddsa library to e.g., Karaf's lib/boot.
I'd keep the current mechanism, but instead of checking first non-null ClassLoader, I'd check at least TCCL and getClass().getClassLoader().


was (Author: gzres):
Yes, it should... But you'd have to put eddsa library to e.g., Karaf's lib/boot.

> EdDSASecurityProviderRegistrar#isSupported() should check more classloaders
> ---------------------------------------------------------------------------
>
>                 Key: SSHD-1145
>                 URL: https://issues.apache.org/jira/browse/SSHD-1145
>             Project: MINA SSHD
>          Issue Type: Improvement
>    Affects Versions: 2.5.1
>            Reporter: Grzegorz Grzybek
>            Priority: Major
>
> I'm working for Karaf and Camel fix that would allow me to use ssh-ed25519 for server key.
> EdDSA is supported via net.i2p.crypto/eddsa library, but its availability is checked in a way that is not correct (and not only in OSGi environment).
> It's is also problematic for BouncyCastleSecurityProviderRegistrar, but actually for all methods that use {{org.apache.sshd.common.util.threads.ThreadUtils#resolveDefaultClassLoader(java.lang.Class<?>)}}.
> {{resolveDefaultClassLoader()}} method result is a classloader which is checked for availability of e.g., "net.i2p.crypto.eddsa.EdDSAKey" class, but the check result is cached statically. The problem is that if TCCL is used (which is generally not defined in OSGi) it may be a false negative.
> More precisely - if in Karaf, I start Karaf's own sshd server with a TCCL that _sees_ {{net.i2p.crypto.eddsa}} package, I can use EdDSA algorithm.
> If I add camel-ssh usage, it _may_ have own TCCL (depending on how Camel is started - e.g., through OSGi blueprint) - the first one who calls {{org.apache.sshd.common.util.security.eddsa.EdDSASecurityProviderRegistrar#isSupported()}} _wins_.
> I'll work on a way to check more classloaders in search for given provider/registrar and send a PR soon.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@mina.apache.org
For additional commands, e-mail: dev-help@mina.apache.org