Abstract revoked key handling in KnownHostsServerKeyVerifier

New method handleRevokedKey() is invoked if a revoked host key is encountered, before the key exchange is rejected. Subclasses can override to customize reporting. The default just issues a log message.
apache · Jan 25, 2025 · 909b5e2 · 909b5e2
1 parent 11a9277
commit 909b5e2
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -50,6 +50,7 @@
 ## New Features
 
 * [GH-606](https://github.com/apache/mina-sshd/issues/606) Support ML-KEM PQC hybrid key exchanges
+* [GH-652](https://github.com/apache/mina-sshd/issues/652) New method `KnownHostsServerKeyVerifier.handleRevokedKey()`
 
 * [SSHD-988](https://issues.apache.org/jira/projects/SSHD/issues/SSHD-988) Support ed25519 keys via the Bouncy Castle library
 

diff --git a/sshd-core/src/main/java/org/apache/sshd/client/keyverifier/KnownHostsServerKeyVerifier.java b/sshd-core/src/main/java/org/apache/sshd/client/keyverifier/KnownHostsServerKeyVerifier.java
@@ -285,8 +285,7 @@ protected boolean acceptKnownHostEntries(
 
         if (keyMatches.stream()
                 .anyMatch(k -> "revoked".equals(k.getHostEntry().getMarker()))) {
-            log.debug("acceptKnownHostEntry({})[{}] key={}-{} marked as revoked",
-                    clientSession, remoteAddress, KeyUtils.getKeyType(serverKey), KeyUtils.getFingerPrint(serverKey));
+            handleRevokedKey(clientSession, remoteAddress, serverKey);
             return false;
         }
 
@@ -536,6 +535,18 @@ protected List<HostEntryPair> findKnownHostEntries(
         return matches;
     }
 
+    /**
+     * Invoked if any matching host entry has a 'revoked' marker
+     *
+     * @param clientSession The {@link ClientSession}
+     * @param remoteAddress The remote host address
+     * @param serverKey     The presented server {@link PublicKey}
+     */
+    protected void handleRevokedKey(ClientSession clientSession, SocketAddress remoteAddress, PublicKey serverKey) {
+        log.debug("acceptKnownHostEntry({})[{}] key={}-{} marked as revoked",
+                clientSession, remoteAddress, KeyUtils.getKeyType(serverKey), KeyUtils.getFingerPrint(serverKey));
+    }
+
     /**
      * Called if failed to reload known hosts - by default invokes
      * {@link #acceptUnknownHostKey(ClientSession, SocketAddress, PublicKey)}