Re: Importing hostkey
- Subject: Re: Importing hostkey
- From: Anderson Sasaki <ansasaki@xxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Thu, 23 Jan 2020 05:49:05 -0500 (EST)
- To: libssh@xxxxxxxxxx
----- Original Message -----
> From: "Michal Vaško" <mvasko@xxxxxxxxx>
> To: libssh@xxxxxxxxxx
> Sent: Thursday, January 23, 2020 10:47:49 AM
> Subject: Importing hostkey
> we have recently found an issue with importing RSA host key of length 2048
> but presumably the problem may occur also with other key types/lengths. It
> seems to work fine when libssh is compiled with OpenSSL but not with gcrypt.
> The problem is tracked on GitHub . My query is whether anyone can tell me
> more about this/had the same problem and fixed it somehow. It would be best
> if there was a format compatible with both backend libraries. Thanks for any
> Some more details regarding the problem, the key is generated by:
> openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -outform PEM
> Then, the header and footer is removed only to be added later  and stored
> back into a file. This file is then imported , which fails.
>  https://github.com/CESNET/Netopeer2/issues/534
This happens because OpenSSL uses the PKCS#8 format when writing RSA keys to PEM files by default. When compiled with OpenSSL we use its parser, which supports PKCS#8 format.
Unfortunately, AFAIK, libgcrypt does not have a PEM file parser; what we use is an internally implemented parser which only supports the legacy OpenSSL format (also called "SSLeay format" or "traditional format").
You can convert the PKCS#8 PEM file to the legacy format by running:
$ openssl rsa -in pkcs8-file.pem -out legacy.pem
Then such key in legacy format can be used both with OpenSSL and libgcrypt.
Archive administrator: firstname.lastname@example.org