2020
2121import java .nio .file .Files ;
2222import java .nio .file .Path ;
23+ import java .nio .file .StandardOpenOption ;
2324import java .security .KeyPair ;
2425import java .util .Arrays ;
2526import java .util .Collections ;
3738import org .apache .sshd .common .config .keys .PublicKeyEntry ;
3839import org .apache .sshd .common .keyprovider .KeyPairProvider ;
3940import org .apache .sshd .common .util .GenericUtils ;
41+ import org .apache .sshd .core .CoreModuleProperties ;
4042import org .apache .sshd .server .SshServer ;
4143import org .apache .sshd .util .test .BaseTestSupport ;
4244import org .apache .sshd .util .test .CommonTestSupportUtils ;
4345import org .apache .sshd .util .test .CoreTestSupportUtils ;
4446import org .junit .jupiter .api .AfterAll ;
47+ import org .junit .jupiter .api .AfterEach ;
4548import org .junit .jupiter .api .BeforeAll ;
4649import org .junit .jupiter .api .Test ;
4750import org .junit .jupiter .api .io .TempDir ;
4851import org .junit .jupiter .params .ParameterizedTest ;
4952import org .junit .jupiter .params .provider .MethodSource ;
53+ import org .junit .jupiter .params .provider .ValueSource ;
5054
5155/**
5256 * Tests for KEX with host certificates with host key validation through a {@link KnownHostsServerKeyVerifier}.
@@ -92,6 +96,11 @@ static void tearDownClientAndServer() throws Exception {
9296 }
9397 }
9498
99+ @ AfterEach
100+ void resetCertificateProperty () {
101+ CoreModuleProperties .ALLOW_EMPTY_CERTIFICATE_PRINCIPALS .set (client , false );
102+ }
103+
95104 private static Stream <String > markers () {
96105 return Stream .of ("rejected" , "" , null );
97106 }
@@ -155,8 +164,22 @@ void testHostCertificateSucceeds() throws Exception {
155164 }
156165 }
157166
167+ @ Test
168+ void testHostCertificateWithoutPrincipalsFails () throws Exception {
169+ initKeys (KeyUtils .EC_ALGORITHM , 256 , KeyUtils .EC_ALGORITHM , 256 , "ecdsa-sha2-nistp256" , "cert-authority" ,
170+ new String [0 ]);
171+ assertThrows (SshException .class , () -> {
172+ try (ClientSession s = client .connect (getCurrentTestName (), TEST_LOCALHOST , port ).verify (CONNECT_TIMEOUT )
173+ .getSession ()) {
174+ s .addPasswordIdentity (getCurrentTestName ());
175+ s .auth ().verify (AUTH_TIMEOUT );
176+ }
177+ });
178+ }
179+
158180 @ Test
159181 void testHostCertificateWithoutPrincipalsSucceeds () throws Exception {
182+ CoreModuleProperties .ALLOW_EMPTY_CERTIFICATE_PRINCIPALS .set (client , true );
160183 initKeys (KeyUtils .EC_ALGORITHM , 256 , KeyUtils .EC_ALGORITHM , 256 , "ecdsa-sha2-nistp256" , "cert-authority" ,
161184 new String [0 ]);
162185 try (ClientSession s = client .connect (getCurrentTestName (), TEST_LOCALHOST , port ).verify (CONNECT_TIMEOUT )
@@ -165,4 +188,36 @@ void testHostCertificateWithoutPrincipalsSucceeds() throws Exception {
165188 s .auth ().verify (AUTH_TIMEOUT );
166189 }
167190 }
191+
192+ @ ParameterizedTest (name = "test CA key with {0}" )
193+ @ ValueSource (strings = { "loca?host,127.0.0.?" , "loca*ost,127.?.?.*" })
194+ void testHostCertificateWithWildcardSucceeds (String principals ) throws Exception {
195+ initKeys (KeyUtils .EC_ALGORITHM , 256 , KeyUtils .EC_ALGORITHM , 256 , "ecdsa-sha2-nistp256" , "cert-authority" ,
196+ principals .split ("," ));
197+ try (ClientSession s = client .connect (getCurrentTestName (), TEST_LOCALHOST , port ).verify (CONNECT_TIMEOUT )
198+ .getSession ()) {
199+ s .addPasswordIdentity (getCurrentTestName ());
200+ s .auth ().verify (AUTH_TIMEOUT );
201+ }
202+ }
203+
204+ @ Test
205+ void testHostCertificateWithRejectedHostKeyFails () throws Exception {
206+ initKeys (KeyUtils .EC_ALGORITHM , 256 , KeyUtils .EC_ALGORITHM , 256 , "ecdsa-sha2-nistp256" , "cert-authority" );
207+ Path knownHosts = tmp .resolve ("known_hosts" );
208+ StringBuilder line = new StringBuilder ();
209+ line .append ("@revoked " );
210+ line .append ("[localhost]:" ).append (port ).append (",[127.0.0.1]:" ).append (port ).append (' ' );
211+ line .append (PublicKeyEntry .toString (hostKey .getPublic ()));
212+ line .append ('\n' );
213+ Files .write (knownHosts , Collections .singletonList (line .toString ()), StandardOpenOption .APPEND );
214+ client .setServerKeyVerifier (new KnownHostsServerKeyVerifier (AcceptAllServerKeyVerifier .INSTANCE , knownHosts ));
215+ assertThrows (SshException .class , () -> {
216+ try (ClientSession s = client .connect (getCurrentTestName (), TEST_LOCALHOST , port ).verify (CONNECT_TIMEOUT )
217+ .getSession ()) {
218+ s .addPasswordIdentity (getCurrentTestName ());
219+ s .auth ().verify (AUTH_TIMEOUT );
220+ }
221+ });
222+ }
168223}
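Review bot: The verifier installed on the shared `client` by `client.setServerKeyVerifier(new KnownHostsServerKeyVerifier(AcceptAllServerKeyVerifier.INSTANCE, knownHosts));` is never restored, while the new `@AfterEach resetCertificateProperty()` only resets `ALLOW_EMPTY_CERTIFICATE_PRINCIPALS`; unless `initKeys` (defined outside this hunk) reinstalls the verifier on every call, whichever test runs after this one inherits the `@revoked` known_hosts and its outcome depends on execution order. Capturing the previous verifier before the call and putting it back in a `finally` (or in the same `@AfterEach`) would keep the tests independent. The assertion also accepts any `SshException`, so a connect or certificate failure unrelated to the revocation marker passes as well; asserting on the message or cause would pin the rejection reason. Note that `Files.write(..., StandardOpenOption.APPEND)` without `CREATE` fails with `NoSuchFileException` if `known_hosts` does not already exist, so this presumably relies on `initKeys` having written it first.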