@luigidemasi

No description provided.

Contributor

@norrisjeremy norrisjeremy left a comment

  1. Can you run mvn formatter:format to ensure that everything is formatted correctly?
  2. Does this support SSH certs for host keys? If not, we need to add support for that too, as I'm opposed to only adding support for SSH certs for user pubkey auth, w/o also adding support for SSH certs as host keys as well at the same time.

@davsclaus
Contributor

@norrisjeremy is there more feedback to this, as it would be nice to get to the finish line, thanks

@norrisjeremy
Contributor

> @norrisjeremy is there more feedback to this, as it would be nice to get to the finish line, thanks

  1. None of my earlier feedback appears to have actually been incorporated: the PR author simply marked them all as resolved w/o making any of the suggested changes.
  2. To quote part of my earlier review: "Does this support SSH certs for host keys? If not, we need to add support for that too, as I'm opposed to only adding support for SSH certs for user pubkey auth, w/o also adding support for SSH certs as host keys as well at the same time."

@luigidemasi
Author

> > @norrisjeremy is there more feedback to this, as it would be nice to get to the finish line, thanks
>
> 1. None of my earlier feedback appears to have actually been incorporated: the PR author simply marked them all as resolved w/o making any of the suggested changes.
> 2. To quote part of my earlier review: "Does this support SSH certs for host keys? If not, we need to add support for that too, as I'm opposed to only adding support for SSH certs for user pubkey auth, w/o also adding support for SSH certs as host keys as well at the same time."

Hi @norrisjeremy, thanks for following up. I marked the comments as resolved on GitHub because I had already addressed them locally and didn’t want to lose track of your suggestions. I’m currently adding support for host keys as well (it’s nearly finished) and I’ll push everything together in the next update. Please let me know if you have any additional suggestions in the meantime.

@norrisjeremy
Contributor

> Hi @norrisjeremy, thanks for following up. I marked the comments as resolved on GitHub because I had already addressed them locally and didn’t want to lose track of your suggestions. I’m currently adding support for host keys as well (it’s nearly finished) and I’ll push everything together in the next update. Please let me know if you have any additional suggestions in the meantime.

Hi @luigidemasi,

Great, thanks! We are excited to have someone step up and contribute this work!

Thanks,
Jeremy

@luigidemasi
Author

@norrisjeremy

> 1. Does this support SSH certs for host keys? If not, we need to add support for that too, as I'm opposed to only adding support for SSH certs for user pubkey auth, w/o also adding support for SSH certs as host keys as well at the same time.

I added the support for Host Certificate, let me know wdyt.

@davsclaus
Contributor

Great to see progress on this one. If we are getting close to the finish line it would be good to do the last review and update the reported findings so fingers crossed we can get this merged and released. Thank you.

@norrisjeremy
Contributor

> Great to see progress on this one. If we are getting close to the finish line it would be good to do the last review and update the reported findings so fingers crossed we can get this merged and released. Thank you.

I probably won't have time to start reviewing this again until next week.

@davsclaus
Contributor

> > Great to see progress on this one. If we are getting close to the finish line it would be good to do the last review and update the reported findings so fingers crossed we can get this merged and released. Thank you.
>
> I probably won't have time to start reviewing this again until next week.

Thanks for the update, no problem. Just glad we are on path to the goal line.

@davsclaus
Contributor

Sorry to bother - but would be good to get this reviewed

@norrisjeremy
Contributor

> Sorry to bother - but would be good to get this reviewed

Hi @davsclaus,

Yes, I haven't forgotten, I will try to review it when I have some time available.

Thanks,
Jeremy

Contributor

@norrisjeremy norrisjeremy left a comment

Just a few initial comments, I still have a lot left to review.

@luigidemasi force-pushed the openssh_certificate_support branch from e3194d7 to 7db8379 (October 18, 2025 12:50)
@luigidemasi force-pushed the openssh_certificate_support branch 2 times, most recently from aa826fc to b2240d6 (January 15, 2026 19:34)
Contributor

@norrisjeremy norrisjeremy left a comment

Thank you for your patience as I continue to review this.

Aside from a few small stylistic nits I've pointed out, the only significant item I can see is the API changes proposed for KeyExchange (changing the next() method to no longer be abstract & introducing the doNext() and getFingerprint(byte[]) methods).

As I mentioned inline, if these API changes to KeyExchange aren't necessary for the cert support (which I don't believe they are, but I could have missed it since this is such a large PR), I'd rather they not be made (at least as part of this PR).

}


protected boolean doNext(Buffer buf, int sshMessageType) throws Exception {
Contributor

From what I can see, the cert support being introduced here doesn't seem to require the changes here though to the next() method (and introduction of doNext()), right?

If that's true, then I'd rather not introduce API changes like this into KeyExchange.

@davsclaus
Contributor

Thanks for the progress on this one - looks like we are getting close to being ready. @luigidemasi there are a few things still to do, thanks.

@luigidemasi force-pushed the openssh_certificate_support branch from b2240d6 to 3002923 (January 22, 2026 17:28)
@norrisjeremy
Contributor

Hi @luigidemasi,

Can you run mvn formatter:format?
It seems the build fails currently:

Error:  Failed to execute goal net.revelc.code.formatter:formatter-maven-plugin:2.29.0:validate (default) on project jsch: File '/home/runner/work/jsch/jsch/src/test/java/com/jcraft/jsch/HostCertificateIT.java' has not been previously formatted. Please format file (for example by invoking `mvn net.revelc.code.formatter:formatter-maven-plugin:2.29.0:format`) and commit before running validation! -> [Help 1]

Thanks!
Jeremy

@luigidemasi force-pushed the openssh_certificate_support branch from 3002923 to 6147bd3 (January 22, 2026 17:34)
@luigidemasi
Author

luigidemasi commented Jan 22, 2026

> Hi @luigidemasi,
>
> Can you run mvn formatter:format? It seems the build fails currently:
>
> Error:  Failed to execute goal net.revelc.code.formatter:formatter-maven-plugin:2.29.0:validate (default) on project jsch: File '/home/runner/work/jsch/jsch/src/test/java/com/jcraft/jsch/HostCertificateIT.java' has not been previously formatted. Please format file (for example by invoking `mvn net.revelc.code.formatter:formatter-maven-plugin:2.29.0:format`) and commit before running validation! -> [Help 1]
>
> Thanks! Jeremy

@norrisjeremy done!

@luigidemasi force-pushed the openssh_certificate_support branch from 6147bd3 to fd2e894 (January 22, 2026 19:30)
@luigidemasi force-pushed the openssh_certificate_support branch 2 times, most recently from a57ab9e to 95f18cb (January 26, 2026 13:22)
@luigidemasi force-pushed the openssh_certificate_support branch from 95f18cb to 0556aad (January 27, 2026 21:04)
@luigidemasi force-pushed the openssh_certificate_support branch from 0556aad to 0cf60d9 (January 28, 2026 10:33)