| commit | 23758d7a61081be4e28c9fc2a0256d7774962455 | |
|---|---|---|
| author | Thomas Wolf <twolf@apache.org> | Sun Jul 09 20:06:37 2023 +0200 |
| committer | Thomas Wolf <twolf@apache.org> | Mon Jul 17 04:52:30 2023 -0400 |
| tree | 9a661f915f0ad12d77d0e495f73c4b1a3c224ea1 | |
| parent | 760bdd09b1d186d4ca4f21b7f771882513521949 | |
ssh: PKCS#11 support

Support PKCS#11 HSMs (like YubiKey PIV) for SSH authentication.

Use the SunPKCS11 provider as described at [1]. This provider dynamically loads the library from the PKCS11Provider SSH configuration and creates a Java KeyStore with that provider. A Java CallbackHandler is needed to feed PIN prompts from the KeyStore into the JGit CredentialsProvider framework. Because the JGit CredentialsProvider may be specific to a SSH session but the PKCS11Provider may be used by several sessions, the CallbackHandler needs to be configurable per session.

PIN prompts respect the NumberOfPasswordPrompts SSH configuration. As long as the library asks only for a PIN, we use the KeyPasswordProvider to prompt for it. This gives automatic integration in Eclipse with the Eclipse secure storage, so a user has even the option to store the PIN there. (Eclipse will then ask for the secure storage master password on first access, so the usefulness of this is debatable.)

By default the provider uses the first PKCS#11 token (slot list index zero). This can be overridden by a non-standard PKCS11SlotListIndex ssh configuration entry. (For OpenSSH interoperability, also set "IgnoreUnknown PKCS11SlotListIndex" in the SSH config file then.)

Once loaded, the provider and its shared library and the keys contained remain available until the application exits.

Manually tested using SoftHSM. See file manual_tests.txt. Kudos to Christopher Lamb for additional manual testing with a real YubiKey, also on Windows.[2]

[1] https://docs.oracle.com/en/java/javase/11/security/pkcs11-reference-guide1.html

[2] https://www.eclipse.org/forums/index.php/t/1113295/

Change-Id: I544c97e1e24d05e28a9f0e803fd4b9151a76ed11

Signed-off-by: Thomas Wolf <twolf@apache.org>
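The mechanism the commit message describes (SunPKCS11 provider, a KeyStore built on it, and a CallbackHandler that supplies the PIN), shown with plain JDK APIs as an added example; it is not code from this commit or from JGit. The class name `Pkcs11KeyList`, the provider name `example` and the console prompt are assumptions, and the library path is assumed to need no quoting in the provider configuration.

```java
import java.io.Console;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Collections;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

// Added example, not JGit code. Arguments: <pkcs11-library-path> [slotListIndex]
public class Pkcs11KeyList {
    public static void main(String[] args) throws Exception {
        if (args.length < 1) throw new IllegalArgumentException("usage: <pkcs11-library> [slotListIndex]");
        int slot = args.length > 1 ? Integer.parseInt(args[1]) : 0; // default: first token
        // A leading "--" makes SunPKCS11 treat the string as inline configuration
        // instead of a configuration file name. "example" is a placeholder name.
        String config = "--name = example\nlibrary = " + args[0]
                + "\nslotListIndex = " + slot + "\n";
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) throw new IllegalStateException("SunPKCS11 provider not available");
        Provider provider = base.configure(config); // loads the shared library
        // The KeyStore asks for the PIN through this handler when it logs in to the token.
        CallbackHandler pinPrompt = callbacks -> {
            Console console = System.console();
            for (Callback cb : callbacks) {
                if (!(cb instanceof PasswordCallback) || console == null) {
                    throw new UnsupportedCallbackException(cb);
                }
                PasswordCallback pc = (PasswordCallback) cb;
                char[] pin = console.readPassword("%s ", pc.getPrompt());
                pc.setPassword(pin); // the callback keeps its own copy
                if (pin != null) Arrays.fill(pin, '\0'); // wipe our copy of the PIN
            }
        };
        KeyStore store = KeyStore.Builder.newInstance("PKCS11", provider,
                new KeyStore.CallbackHandlerProtection(pinPrompt)).getKeyStore();
        // List the key entries the token exposes, with the algorithm of each certificate.
        for (String alias : Collections.list(store.aliases())) {
            if (!store.isKeyEntry(alias)) continue;
            Certificate cert = store.getCertificate(alias);
            String alg = cert == null ? "no certificate" : cert.getPublicKey().getAlgorithm();
            System.out.println(alias + "  " + alg);
        }
    }
}
```

Run it against a test token such as SoftHSM by passing the module path as the first argument; `Provider.configure` requires Java 9 or newer.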
An implementation of the Git version control system in pure Java.
This project is licensed under the EDL (Eclipse Distribution License).
JGit can be imported straight into Eclipse and built and tested from there. It can be built from the command line using Maven or Bazel. The CI builds use Maven and run on Jenkins.
- org.eclipse.jgit: A pure Java library capable of being run standalone, with no additional support libraries. It provides classes to read and write a Git repository and operate on a working directory. All portions of JGit are covered by the EDL. Absolutely no GPL, LGPL or EPL contributions are accepted within this package.
- org.eclipse.jgit.ant: Ant tasks based on JGit.
- org.eclipse.jgit.archive: Support for exporting to various archive formats (zip etc).
- org.eclipse.jgit.http.apache: Apache httpclient support.
- org.eclipse.jgit.http.server: Server for the smart and dumb Git HTTP protocol.
- org.eclipse.jgit.lfs: Support for LFS (Large File Storage).
- org.eclipse.jgit.lfs.server: Basic LFS server support.
- org.eclipse.jgit.packaging: Production of Eclipse features and p2 repository for JGit. See the JGit Wiki on why and how to use this module.
- org.eclipse.jgit.pgm: Command-line interface Git commands implemented using JGit (“pgm” stands for program).
- org.eclipse.jgit.ssh.apache: Client support for the SSH protocol based on Apache Mina sshd.
- org.eclipse.jgit.ssh.apache.agent: Optional support for SSH agents for org.eclipse.jgit.ssh.apache.
- org.eclipse.jgit.ui: Simple UI for displaying git log.
Native symbolic links are supported, provided the file system supports them. For Windows you must use a non-administrator account and have the SeCreateSymbolicLinkPrivilege.
Only the timestamp of the index is used by JGit if the index is dirty.
JGit 6.0 and newer requires at least Java 11. Older versions require at least Java 1.8.
CRLF conversion is performed depending on the core.autocrlf setting, however Git for Windows by default stores that setting during installation in the “system wide” configuration file. If Git is not installed, use the global or repository configuration for the core.autocrlf setting.
The system wide configuration file is located relative to where C Git is installed. Make sure Git can be found via the PATH environment variable. When installing Git for Windows check the “Run Git from the Windows Command Prompt” option. There are other options like Eclipse settings that can be used for pointing out where C Git is installed. Modifying PATH is the recommended option if C Git is installed.
We try to use the same notation of $HOME as C Git does. On Windows this is often not the same value as the user.home system property.
- org.eclipse.jgit
  - Read loose and packed commits, trees, blobs, including deltafied objects.
  - Read objects from shared repositories.
  - Write loose commits, trees, blobs.
  - Write blobs from local files or Java InputStreams.
  - Read blobs as Java InputStreams.
  - Copy trees to local directory, or local directory to a tree.
  - Lazily loads objects as necessary.
  - Read and write .git/config files.
  - Create a new repository.
  - Read and write refs, including walking through symrefs.
  - Read, update and write the Git index.
  - Checkout in dirty working directory if trivial.
  - Walk the history from a given set of commits looking for commits introducing changes in files under a specified path.
  - Object transport
    - Fetch via ssh, git, http, Amazon S3 and bundles. Push via ssh, git, http, and Amazon S3. JGit does not yet deltify the pushed packs so they may be a lot larger than C Git packs.
  - Garbage collection
  - Merge
  - Rebase
  - And much more
- org.eclipse.jgit.pgm
- org.eclipse.jgit.ant
- org.eclipse.jgit.archive
- org.eclipse.http
There are some missing features:
Post questions, comments or discussions to the jgit-dev@eclipse.org mailing list. You need to be subscribed to post. File bugs and enhancement requests in Bugzilla.
See the EGit Contributor Guide.
More information about Git, its repository format, and the canonical C based implementation can be obtained from the Git website.