[JENKINS-76219] Update SSH key fingerprints to use SHA-256 (#631)

sgscheffler · web-flow · commit c64d040efa85 · 2025-10-18T11:10:15.000+02:00
Replace MD5 fingerprint format with SHA-256 Base64 encoding to match
OpenSSH 6.8+ behavior. Existing stored keys automatically use the new
format without migration.
diff --git a/src/main/java/hudson/plugins/sshslaves/verifiers/HostKey.java b/src/main/java/hudson/plugins/sshslaves/verifiers/HostKey.java
@@ -25,7 +25,10 @@
 
 import com.trilead.ssh2.KnownHosts;
 import java.io.Serializable;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
+import java.util.Base64;
 
 /**
  * A representation of the SSH key provided by a remote host to verify itself
@@ -63,7 +66,14 @@ public byte[] getKey() {
     }
 
     public String getFingerprint() {
-        return KnownHosts.createHexFingerprint(getAlgorithm(), getKey());
+        try {
+            MessageDigest md = MessageDigest.getInstance("SHA-256");
+            byte[] digest = md.digest(getKey());
+            return "SHA256:" + Base64.getEncoder().encodeToString(digest);
+        } catch (NoSuchAlgorithmException e) {
+            // SHA-256 should always be available, but fallback to MD5 if not
+            return KnownHosts.createHexFingerprint(getAlgorithm(), getKey());
+        }
     }
 
     @Override
diff --git a/src/test/java/hudson/plugins/sshslaves/verifiers/HostKeyTest.java b/src/test/java/hudson/plugins/sshslaves/verifiers/HostKeyTest.java
@@ -0,0 +1,41 @@
+package hudson.plugins.sshslaves.verifiers;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+import java.util.Base64;
+import org.junit.jupiter.api.Test;
+
+/**
+ * @author Steven Scheffler
+ */
+class HostKeyTest {
+
+    @Test
+    void testFingerprintUsesSHA256() {
+        // Example RSA key bytes (this is just test data)
+        byte[] keyBytes = "test-key-data".getBytes();
+        HostKey hostKey = new HostKey("ssh-rsa", keyBytes);
+
+        String fingerprint = hostKey.getFingerprint();
+
+        // Verify it starts with SHA256: prefix
+        assertTrue(fingerprint.startsWith("SHA256:"), "Fingerprint should use SHA256 format");
+
+        // Verify it's Base64 encoded after the prefix
+        String base64Part = fingerprint.substring(7); // Remove "SHA256:"
+        assertDoesNotThrow(
+                () -> Base64.getDecoder().decode(base64Part),
+                "Fingerprint should be valid Base64 after SHA256: prefix");
+    }
+
+    @Test
+    void testFingerprintFormat() {
+        byte[] keyBytes = "test-key-data".getBytes();
+        HostKey hostKey = new HostKey("ssh-rsa", keyBytes);
+
+        String fingerprint = hostKey.getFingerprint();
+
+        // Should match pattern: SHA256:[Base64]
+        assertTrue(fingerprint.matches("SHA256:[A-Za-z0-9+/=]+"), "Fingerprint should match SHA256:Base64 format");
+    }
+}
