I have set up an SSH server using Apache MINA sshd for SFTP. I want to enable server authentication so clients cannot be spoofed. The documentation page says only to use the following method (Apache MINA sshd doc):

sshd.setKeyPairProvider(new SimpleGeneratorHostKeyProvider("hostkey.ser"));

But as I understand, that generates a keypair on its own. What if I want to use an existing certificate file for this server?

Alberto Anguita

2 Answers

Ok I found it. I used the MappedKeyPairProvider class:

sshd.setKeyPairProvider(new MappedKeyPairProvider(loadKeyPair("certificateFile.p12")));

With loadKeyPair defined as follows:

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.*;
import java.security.cert.CertificateException;

// Returns the host key pair (return type was missing); the keystore stream is closed after loading.
public static KeyPair loadKeyPair(String path) throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException, UnrecoverableKeyException {
    KeyStore p12 = KeyStore.getInstance("pkcs12");
    try (InputStream in = Files.newInputStream(Paths.get(path))) {
        p12.load(in, "certPassword".toCharArray());
    }
    java.security.cert.Certificate cert = p12.getCertificate("myAlias");
    PublicKey publicKey = cert.getPublicKey();
    PrivateKey key = (PrivateKey) p12.getKey("myAlias", "certPassword".toCharArray());
    return new KeyPair(publicKey, key);
}

Please note that my certificate is stored in PKCS12 format.

Alberto Anguita

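A fuller version of this approach, written as an added example (not code from the answer above or from the Apache MINA project): it reads the keystore password from an environment variable instead of a source literal, checks that the alias really holds a private key plus certificate, wipes the password afterwards, and logs the host key fingerprint via `KeyUtils` from `sshd-common` so administrators can hand it to clients. The file name `certificateFile.p12`, alias `myAlias` and variable `HOSTKEY_PASSWORD` are assumptions; the point about spoofing is that clients must compare this fingerprint against their `known_hosts` entry, since the server side alone cannot stop a man-in-the-middle.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.Arrays;

import org.apache.sshd.common.config.keys.KeyUtils;
import org.apache.sshd.common.keyprovider.MappedKeyPairProvider;
import org.apache.sshd.server.SshServer;

public class Pkcs12HostKey {

    // Loads the SSH host key pair from a PKCS12 keystore (path, alias and
    // password are hypothetical inputs supplied by the caller).
    public static KeyPair loadKeyPair(Path keystorePath, String alias, char[] password)
            throws Exception {
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(keystorePath)) {
            p12.load(in, password);
        }
        if (!p12.containsAlias(alias)) {
            throw new IllegalArgumentException(
                    "no entry with alias '" + alias + "' in " + keystorePath);
        }
        PrivateKey privateKey = (PrivateKey) p12.getKey(alias, password);
        Certificate cert = p12.getCertificate(alias);
        if (privateKey == null || cert == null) {
            throw new IllegalArgumentException(
                    "alias '" + alias + "' does not hold a private key and certificate");
        }
        PublicKey publicKey = cert.getPublicKey();
        return new KeyPair(publicKey, privateKey);
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical variable name; the secret never appears in source or in the jar.
        String secret = System.getenv("HOSTKEY_PASSWORD");
        if (secret == null) {
            throw new IllegalStateException("HOSTKEY_PASSWORD is not set");
        }
        char[] password = secret.toCharArray();
        KeyPair hostKey;
        try {
            hostKey = loadKeyPair(Paths.get("certificateFile.p12"), "myAlias", password);
        } finally {
            Arrays.fill(password, '\0'); // do not keep the password around longer than needed
        }

        // The fingerprint is what clients pin in known_hosts; publish it out of band.
        System.out.println("host key type:        " + KeyUtils.getKeyType(hostKey));
        System.out.println("host key fingerprint: " + KeyUtils.getFingerPrint(hostKey.getPublic()));

        SshServer sshd = SshServer.setUpDefaultServer();
        sshd.setPort(2222);
        sshd.setKeyPairProvider(new MappedKeyPairProvider(hostKey));
        // SFTP subsystem and client authentication are configured as in the question.
        sshd.start();
    }
}
```

Because `MappedKeyPairProvider` is handed a fixed `KeyPair`, the key never changes between restarts, which is exactly what makes the fingerprint stable enough for clients to pin; `SimpleGeneratorHostKeyProvider` only gives that stability once its serialized file exists.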

FileKeyPairProvider is simpler

Path path = Paths.get(getClass().getClassLoader().getResource("server-key.pem").toURI());
sshd.setKeyPairProvider(new FileKeyPairProvider(path));
Claus

  • If you package your application, will this still work? I feel `FileKeyPairProvider` expects a physical file, and this would only work during development because calling `.toURI` on a resource is still able to produce a `file://` URI. – Carlos Ferreyra Oct 12 '19 at 21:36
  • Found `ClassLoadableResourceKeyPairProvider`. – Carlos Ferreyra Oct 13 '19 at 13:27
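The comments above point at the packaging problem: `Paths.get(resource.toURI())` only works while the key sits on disk, and once the application is shipped as a jar the resource is an entry inside the archive. The following added example (not from the answer or from Apache MINA) picks a provider accordingly and adds the check a server operator would want: it prefers a host key file kept outside the artifact (path taken from a hypothetical `HOSTKEY_FILE` variable), refuses it if other users on the machine can read or write it (the same rule OpenSSH applies to private keys), and falls back to `ClassLoadableResourceKeyPairProvider` only for the classpath case. Shipping the private host key inside the jar means every copy of the artifact carries the same key, so the external path is the one to use in production.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;

import org.apache.sshd.common.keyprovider.ClassLoadableResourceKeyPairProvider;
import org.apache.sshd.common.keyprovider.FileKeyPairProvider;
import org.apache.sshd.common.keyprovider.KeyPairProvider;
import org.apache.sshd.server.SshServer;

public class HostKeyProviderChooser {

    // Permission bits that must not be set on a private host key file.
    private static final Set<PosixFilePermission> TOO_OPEN = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.GROUP_EXECUTE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE,
            PosixFilePermission.OTHERS_EXECUTE);

    // externalPath: key file on disk (preferred); may be null.
    // resourceName: classpath fallback, e.g. "server-key.pem" from the answer.
    public static KeyPairProvider chooseProvider(String externalPath,
                                                 ClassLoader cl,
                                                 String resourceName) throws IOException {
        if (externalPath != null) {
            Path path = Paths.get(externalPath);
            if (!Files.isRegularFile(path)) {
                throw new IOException("host key file not found: " + path);
            }
            // On POSIX file systems, reject keys that other users can access.
            if (Files.getFileStore(path).supportsFileAttributeView("posix")) {
                Set<PosixFilePermission> perms = Files.getPosixFilePermissions(path);
                if (!Collections.disjoint(perms, TOO_OPEN)) {
                    throw new IOException("host key " + path
                            + " is accessible to other users; permissions: " + perms);
                }
            }
            return new FileKeyPairProvider(path);
        }
        // Classpath fallback: works both unpacked and from inside a jar.
        if (cl.getResource(resourceName) == null) {
            throw new IOException("host key resource not on classpath: " + resourceName);
        }
        return new ClassLoadableResourceKeyPairProvider(cl, resourceName);
    }

    public static void main(String[] args) throws Exception {
        KeyPairProvider provider = chooseProvider(
                System.getenv("HOSTKEY_FILE"),            // hypothetical variable name
                HostKeyProviderChooser.class.getClassLoader(),
                "server-key.pem");
        SshServer sshd = SshServer.setUpDefaultServer();
        sshd.setPort(2222);
        sshd.setKeyPairProvider(provider);
        sshd.start();
    }
}
```

Both providers defer the actual PEM parsing until a session needs the key, so a malformed or unreadable file shows up at the first client connection rather than at startup; the existence and permission checks above are there so that the operator sees the problem before the server starts listening.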