Posted to commits@karaf.apache.org by jb...@apache.org on 2020/03/06 14:48:21 UTC

[karaf] branch karaf-4.2.x updated: Make sure that only a java KeyPair object can be deserialized in OpenSSHKeyPairProvider

This is an automated email from the ASF dual-hosted git repository.

jbonofre pushed a commit to branch karaf-4.2.x
in repository https://gitbox.apache.org/repos/asf/karaf.git


The following commit(s) were added to refs/heads/karaf-4.2.x by this push:
     new 2dc4f15  Make sure that only a java KeyPair object can be deserialized in OpenSSHKeyPairProvider
2dc4f15 is described below

commit 2dc4f15f7957b0d3208260367d14100874218dd5
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Mar 6 12:25:07 2020 +0000

    Make sure that only a java KeyPair object can be deserialized in OpenSSHKeyPairProvider
    
    (cherry picked from commit cac2207a929fc684f5ad6f5ae7431e206b4aabdf)
---
 .../ssh/keygenerator/OpenSSHKeyPairProvider.java   | 28 +++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/keygenerator/OpenSSHKeyPairProvider.java b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/keygenerator/OpenSSHKeyPairProvider.java
index 0e16d2e..9f52b8e 100644
--- a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/keygenerator/OpenSSHKeyPairProvider.java
+++ b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/keygenerator/OpenSSHKeyPairProvider.java
@@ -22,7 +22,9 @@ import static java.util.Collections.singleton;
 
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.InvalidClassException;
 import java.io.ObjectInputStream;
+import java.io.ObjectStreamClass;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -105,7 +107,7 @@ public class OpenSSHKeyPairProvider extends AbstractKeyPairProvider {
 
     private KeyPair convertLegacyKey(Path privateKeyPath) throws GeneralSecurityException, IOException {
         KeyPair keypair = null;
-        try (ObjectInputStream r = new ObjectInputStream(Files.newInputStream(privateKeyPath))) {
+        try (ObjectInputStream r = new KeyPairObjectInputStream(Files.newInputStream(privateKeyPath))) {
             keypair = (KeyPair)r.readObject();
         }
         catch (ClassNotFoundException e) {
@@ -147,4 +149,28 @@ public class OpenSSHKeyPairProvider extends AbstractKeyPairProvider {
             throw new RuntimeException("Key file generation failed", e);
         }
     }
+
+    /**
+     * Check the first Object that is resolved is a KeyPair instance
+     */
+    private static class KeyPairObjectInputStream extends ObjectInputStream {
+
+        private boolean valid;
+
+        public KeyPairObjectInputStream(InputStream is) throws IOException {
+            super(is);
+        }
+
+        @Override
+        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
+            if (!valid) {
+                if (!desc.getName().equals(KeyPair.class.getName())) {
+                    throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
+                }
+                valid = true;
+            }
+            return super.resolveClass(desc);
+        }
+    }
+
 }
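Review bot: The check in resolveClass covers only the first class descriptor in the stream — once `valid` is set at L72, every later descriptor goes straight to `super.resolveClass` — yet a serialized `java.security.KeyPair` necessarily carries further descriptors for the concrete classes behind its `PublicKey` and `PrivateKey` fields, so the allow-list applies to the outer object only, not to what gets instantiated inside it. I would drop the `valid` flag and validate every descriptor against a fixed set of the classes a legacy key file legitimately contains, `if (!ALLOWED_CLASSES.contains(desc.getName())) { throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName()); }`, where `ALLOWED_CLASSES` holds `KeyPair.class.getName()` plus the concrete key implementation names observed in the existing legacy files (to be confirmed against the format the old generator wrote, since this page does not show them); if the branch builds on Java 9 or later, `ObjectInputStream.setObjectInputFilter` with a pattern of the same names is the standard form of this filter. Proxy descriptors do not pass through `resolveClass`, so the class should also override `resolveProxyClass` to throw `InvalidClassException` unconditionally. The Javadoc at L56 says "KeyPair instance" but the code compares the class name before any instance exists; `Rejects the stream unless the resolved class descriptor names java.security.KeyPair` describes it more precisely.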