public Boolean doAuth()

in sshd-core/src/main/java/org/apache/sshd/server/auth/pubkey/UserAuthPublicKey.java [77:182]

• 90 lines of code
• 16 McCabe index (conditional complexity)

    public Boolean doAuth(Buffer buffer, boolean init) throws Exception {
        ValidateUtils.checkTrue(init, "Instance not initialized");
        ServerSession session = getServerSession();
        String username = getUsername();

        boolean hasSig = buffer.getBoolean();
        String alg = buffer.getString();
        int oldLim = buffer.wpos();
        int oldPos = buffer.rpos();
        int len = buffer.getInt();
        int remaining = buffer.available();
        // Protect against malicious or corrupted packets
        if ((len < 0) || (len > remaining)) {
            log.error("doAuth({}@{}) illogical algorithm={} signature length ({}) when remaining={}",
                    username, session, alg, len, remaining);
            throw new IndexOutOfBoundsException("Illogical signature length (" + len + ") for algorithm=" + alg);
        }

        buffer.wpos(buffer.rpos() + len);

        PublicKey key = buffer.getRawPublicKey();
        PublicKey verifyKey = key;

        if (key instanceof OpenSshCertificate) {
            OpenSshCertificate cert = (OpenSshCertificate) key;
            try {
                if (!OpenSshCertificate.Type.USER.equals(cert.getType())) {
                    throw new CertificateException("not a user certificate");
                }
                if (!OpenSshCertificate.isValidNow(cert)) {
                    throw new CertificateException("expired");
                }
                verifyCertificateSignature(session, cert);
                verifyCertificateSources(session, cert);
            } catch (Exception e) {
                warn("doAuth({}@{}): public key certificate (id={}) is not valid: {}", username, session, cert.getId(),
                        e.getMessage(), e);
                return Boolean.FALSE;
            }
            // Need to use the certified public key for signature verification, not the certificate itself
            verifyKey = cert.getCertPubKey();
        }

        Collection<NamedFactory<Signature>> factories = ValidateUtils.checkNotNullAndNotEmpty(
                SignatureFactoriesManager.resolveSignatureFactories(this, session),
                "No signature factories for session=%s",
                session);
        boolean debugEnabled = log.isDebugEnabled();
        if (debugEnabled) {
            log.debug("doAuth({}@{}) verify key type={}, factories={}, fingerprint={}",
                    username, session, alg, NamedResource.getNames(factories), KeyUtils.getFingerPrint(key));
        }
        Signature verifier = ValidateUtils.checkNotNull(
                NamedFactory.create(factories, alg),
                "No verifier located for algorithm=%s",
                alg);
        verifier.initVerifier(session, verifyKey);
        buffer.wpos(oldLim);

        byte[] sig = hasSig ? buffer.getBytes() : null;
        PublickeyAuthenticator authenticator = session.getPublickeyAuthenticator();
        if (authenticator == null) {
            if (debugEnabled) {
                log.debug("doAuth({}@{}) key type={}, fingerprint={} - no authenticator",
                        username, session, alg, KeyUtils.getFingerPrint(key));
            }
            return Boolean.FALSE;
        }

        boolean authed;
        try {
            authed = authenticator.authenticate(username, key, session);
            // Also checks username against the certificate's principals, if key is a certificate.
        } catch (Error e) {
            warn("doAuth({}@{}) failed ({}) to consult delegate for {} key={}: {}",
                    username, session, e.getClass().getSimpleName(), alg, KeyUtils.getFingerPrint(key), e.getMessage(), e);
            throw new RuntimeSshException(e);
        }

        if (debugEnabled) {
            log.debug("doAuth({}@{}) key type={}, fingerprint={} - authentication result: {}",
                    username, session, alg, KeyUtils.getFingerPrint(key), authed);
        }

        if (!authed) {
            return Boolean.FALSE;
        }

        if (!hasSig) {
            sendPublicKeyResponse(session, username, alg, key, buffer.array(), oldPos, 4 + len, buffer);
            return null;
        }

        buffer.rpos(oldPos);
        buffer.wpos(oldPos + 4 + len);
        if (!verifySignature(session, username, alg, key, buffer, verifier, sig)) {
            throw new SignatureException("Key verification failed");
        }

        if (debugEnabled) {
            log.debug("doAuth({}@{}) key type={}, fingerprint={} - verified",
                    username, session, alg, KeyUtils.getFingerPrint(key));
        }

        return Boolean.TRUE;
    }