
Re: ssh_pki_import_pubkey_file checks for OPENSSH_HEADER_BEGIN


On Mon, 2019-02-25 at 11:56 +0100, g4-lisz@xxxxxxxxxxxx wrote:
> On 25.02.19 09:57, Jakub Jelen wrote:
> 
> > On Sun, 2019-02-24 at 18:38 +0100, g4-lisz@xxxxxxxxxxxx wrote:
> > > ... which IMHO does not make much sense:
> > > 
> > > #define OPENSSH_HEADER_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----"
> > > 
> > > So if we import a public key this code block will never be used:
> > > 
> > >     /* Test for new OpenSSH key format first */
> > >     cmp = strncmp(key_buf, OPENSSH_HEADER_BEGIN, strlen(OPENSSH_HEADER_BEGIN));
> > >     if (cmp == 0) {
> > >         *pkey = ssh_pki_openssh_pubkey_import(key_buf);
> > >         SAFE_FREE(key_buf);
> > >         if (*pkey == NULL) {
> > >             SSH_LOG(SSH_LOG_WARN, "Failed to import public key from OpenSSH"
> > >                                   " private key file");
> > >             return SSH_ERROR;
> > >         }
> > >         return SSH_OK;
> > >     }
> > > 
> > > Or am I missing something here?
> > This code is used to import a public key from the OpenSSH private key
> > container [1]. This new format has the advantage that it has the
> > public key unencrypted, unlike the old PEM files, which can be handy.
> > 
> > [1] 
> > https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.key?annotate=HEAD
> 
> Thank you for the explanation. Actually it's clear when I read the
> warning log on failure... But I couldn't find any key sample which
> starts with BEGIN OPENSSH PRIVATE KEY but also contains a public key.

The test key in tests/keys/id_ed25519 should do that.

There are other examples of different key types in unit tests in
tests/torture_key.c.

The usage of this import function is demonstrated in the unit tests
called torture_pki_*_import_pubkey_from_openssh_privkey() in
tests/unittests/torture_pki_*.c

Hope it helps,
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
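The container layout Jakub points to in PROTOCOL.key, as an added Python example that is not part of this thread or of libssh: it reads the plaintext public key out of an OpenSSH private key file without parsing or decrypting the private section, which is exactly why the import path above can work on an encrypted file. The sample container is constructed inline with placeholder key bytes; it is not a real key.

```python
import base64
import struct

OPENSSH_HEADER_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_HEADER_END = "-----END OPENSSH PRIVATE KEY-----"
AUTH_MAGIC = b"openssh-key-v1\x00"  # fixed magic at the start of the container

def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _read_string(buf: bytes, off: int):
    """Decode one SSH 'string' at offset; returns (value, new_offset)."""
    n = struct.unpack(">I", buf[off:off + 4])[0] if off + 4 <= len(buf) else None
    if n is None or off + 4 + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def openssh_pubkey_from_privkey_file(text: str) -> dict:
    """Extract the plaintext public key from an OpenSSH private key container;
    the (possibly encrypted) private section is never parsed or decrypted."""
    lines = text.strip().splitlines()
    if len(lines) < 3 or lines[0] != OPENSSH_HEADER_BEGIN or lines[-1] != OPENSSH_HEADER_END:
        raise ValueError("not an OpenSSH private key container")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(AUTH_MAGIC):
        raise ValueError("bad AUTH_MAGIC")
    off = len(AUTH_MAGIC)
    cipher, off = _read_string(blob, off)     # e.g. "aes256-ctr" or "none"
    kdf, off = _read_string(blob, off)        # e.g. "bcrypt" or "none"
    _kdfopts, off = _read_string(blob, off)   # salt and rounds, unused here
    nkeys = struct.unpack(">I", blob[off:off + 4])[0]
    pubkey_blob, _ = _read_string(blob, off + 4)  # first public key
    keytype, p = _read_string(pubkey_blob, 0)     # string keytype, then data
    keydata, _ = _read_string(pubkey_blob, p)
    return {"cipher": cipher.decode(), "kdf": kdf.decode(), "nkeys": nkeys,
            "keytype": keytype.decode(), "keydata": keydata}

def build_sample_container() -> str:
    """Constructed sample (not a real key): the ed25519 public key bytes are a
    placeholder and the 'encrypted' private section is opaque filler."""
    pub_blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
    body = (AUTH_MAGIC + _ssh_string(b"aes256-ctr") + _ssh_string(b"bcrypt")
            + _ssh_string(b"") + struct.pack(">I", 1) + _ssh_string(pub_blob)
            + _ssh_string(b"\xaa" * 64))
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{OPENSSH_HEADER_BEGIN}\n{wrapped}\n{OPENSSH_HEADER_END}\n"
```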

