in sshd-core/src/main/java/org/apache/sshd/server/auth/pubkey/UserAuthPublicKey.java [73:180]
public Boolean doAuth(Buffer buffer, boolean init) throws Exception {
ValidateUtils.checkTrue(init, "Instance not initialized");
ServerSession session = getServerSession();
String username = getUsername();
boolean hasSig = buffer.getBoolean();
String alg = buffer.getString();
int oldLim = buffer.wpos();
int oldPos = buffer.rpos();
int len = buffer.getInt();
int remaining = buffer.available();
// Protect against malicious or corrupted packets
if ((len < 0) || (len > remaining)) {
log.error("doAuth({}@{}) illogical algorithm={} signature length ({}) when remaining={}",
username, session, alg, len, remaining);
throw new IndexOutOfBoundsException("Illogical signature length (" + len + ") for algorithm=" + alg);
}
buffer.wpos(buffer.rpos() + len);
PublicKey key = buffer.getRawPublicKey();
if (key instanceof OpenSshCertificate) {
OpenSshCertificate cert = (OpenSshCertificate) key;
try {
if (!OpenSshCertificate.Type.USER.equals(cert.getType())) {
throw new CertificateException("not a user certificate");
}
if (!OpenSshCertificate.isValidNow(cert)) {
throw new CertificateException("expired");
}
Collection<String> principals = cert.getPrincipals();
if (!GenericUtils.isEmpty(principals) && !principals.contains(username)) {
throw new CertificateException("not valid for the given username");
}
// TODO: cert.getCaKey() must be either in authorized_keys, marked as a CA key
// and not revoked, or in TrustedUserCAKeys and then also match
// AuthorizedPricipalsFile, if present.
} catch (CertificateException e) {
warn("doAuth({}@{}): public key certificate (id={}) is not valid: {}", username, session, cert.getId(),
e.getMessage(), e);
throw e;
}
}
Collection<NamedFactory<Signature>> factories = ValidateUtils.checkNotNullAndNotEmpty(
SignatureFactoriesManager.resolveSignatureFactories(this, session),
"No signature factories for session=%s",
session);
boolean debugEnabled = log.isDebugEnabled();
if (debugEnabled) {
log.debug("doAuth({}@{}) verify key type={}, factories={}, fingerprint={}",
username, session, alg, NamedResource.getNames(factories), KeyUtils.getFingerPrint(key));
}
Signature verifier = ValidateUtils.checkNotNull(
NamedFactory.create(factories, alg),
"No verifier located for algorithm=%s",
alg);
verifier.initVerifier(session, key);
buffer.wpos(oldLim);
byte[] sig = hasSig ? buffer.getBytes() : null;
PublickeyAuthenticator authenticator = session.getPublickeyAuthenticator();
if (authenticator == null) {
if (debugEnabled) {
log.debug("doAuth({}@{}) key type={}, fingerprint={} - no authenticator",
username, session, alg, KeyUtils.getFingerPrint(key));
}
return Boolean.FALSE;
}
boolean authed;
try {
authed = authenticator.authenticate(username, key, session);
} catch (Error e) {
warn("doAuth({}@{}) failed ({}) to consult delegate for {} key={}: {}",
username, session, e.getClass().getSimpleName(), alg, KeyUtils.getFingerPrint(key), e.getMessage(), e);
throw new RuntimeSshException(e);
}
if (debugEnabled) {
log.debug("doAuth({}@{}) key type={}, fingerprint={} - authentication result: {}",
username, session, alg, KeyUtils.getFingerPrint(key), authed);
}
if (!authed) {
return Boolean.FALSE;
}
if (!hasSig) {
sendPublicKeyResponse(session, username, alg, key, buffer.array(), oldPos, 4 + len, buffer);
return null;
}
buffer.rpos(oldPos);
buffer.wpos(oldPos + 4 + len);
if (!verifySignature(session, username, alg, key, buffer, verifier, sig)) {
throw new SignatureException("Key verification failed");
}
if (debugEnabled) {
log.debug("doAuth({}@{}) key type={}, fingerprint={} - verified",
username, session, alg, KeyUtils.getFingerPrint(key));
}
return Boolean.TRUE;
}