diff --git a/sshd-core/src/main/java/org/apache/sshd/client/kex/DHGClient.java b/sshd-core/src/main/java/org/apache/sshd/client/kex/DHGClient.java
index aefedb44a..b557a72c9 100644
--- a/sshd-core/src/main/java/org/apache/sshd/client/kex/DHGClient.java
+++ b/sshd-core/src/main/java/org/apache/sshd/client/kex/DHGClient.java
@@ -192,21 +192,19 @@ protected void verifyCertificate(Session session, OpenSshCertificate openSshKey)
 String keyAlg = KeyUtils.getKeyType(signatureKey);
 String keyId = openSshKey.getId();
- if (KeyPairProvider.SSH_RSA_CERT.equals(openSshKey.getKeyType())) {
- // allow sha2 signatures for legacy reasons
- String variant = openSshKey.getSignatureAlg();
- if ((!GenericUtils.isEmpty(variant))
- && KeyPairProvider.SSH_RSA.equals(KeyUtils.getCanonicalKeyType(variant))) {
- if (log.isDebugEnabled()) {
- log.debug("verifyCertificate({})[id={}] Allowing to use variant {} instead of {}",
- session, keyId, variant, keyAlg);
- }
- keyAlg = variant;
- } else {
- throw new SshException(
- SshConstants.SSH2_DISCONNECT_KEY_EXCHANGE_FAILED,
- "Found invalid signature alg " + variant + " for key ID=" + keyId);
+ // allow sha2 signatures for legacy reasons
+ String variant = openSshKey.getSignatureAlg();
+ if ((!GenericUtils.isEmpty(variant))
+ && KeyPairProvider.SSH_RSA.equals(KeyUtils.getCanonicalKeyType(variant))) {
+ if (log.isDebugEnabled()) {
+ log.debug("verifyCertificate({})[id={}] Allowing to use variant {} instead of {}",
+ session, keyId, variant, keyAlg);
 }
+ keyAlg = variant;
+ } else {
+ throw new SshException(
+ SshConstants.SSH2_DISCONNECT_KEY_EXCHANGE_FAILED,
+ "Found invalid signature alg " + variant + " for key ID=" + keyId);
 }
 Signature verif = ValidateUtils.checkNotNull(
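Review bot: With the outer `SSH_RSA_CERT` guard removed, the `else` branch now throws for every certificate whose `getSignatureAlg()` does not canonicalise to `KeyPairProvider.SSH_RSA`, so a certificate signed by a non-RSA CA key (ECDSA, Ed25519) would apparently be rejected with "Found invalid signature alg". The signature algorithm is read from the certificate the peer supplies, so it should be bound to the type of the key that verifies it, not to a fixed constant: use `&& keyAlg.equals(KeyUtils.getCanonicalKeyType(variant))) {` in place of the `KeyPairProvider.SSH_RSA.equals(...)` condition. This assumes `signatureKey`, which is set outside the hunk, is the CA key and that `KeyUtils.getKeyType` returns the canonical name for it. The comment `// allow sha2 signatures for legacy reasons` and the "Allowing to use variant" debug text no longer describe an RSA-only path and should be reworded to match. The body of verifyCertificate starts and ends outside the hunk.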