Re: Importing hostkey
- Subject: Re: Importing hostkey
- From: Michal Vaško <mvasko@xxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Thu, 23 Jan 2020 12:18:17 +0100
- To: libssh@xxxxxxxxxx
thanks a lot for the information, I will try your suggestion. However, in case I cannot sue the legacy key format for whatever reason, is there a simple way of detecting what crypto library libssh was compiled with? I could not find anything in libssh.h.
On Thursday, January 23, 2020 11:49 CET, Anderson Sasaki <ansasaki@xxxxxxxxxx> wrote:
> ----- Original Message -----
> > From: "Michal Vaško" <mvasko@xxxxxxxxx>
> > To: libssh@xxxxxxxxxx
> > Sent: Thursday, January 23, 2020 10:47:49 AM
> > Subject: Importing hostkey
> > Hello,
> > we have recently found an issue with importing RSA host key of length 2048
> > but presumably the problem may occur also with other key types/lengths. It
> > seems to work fine when libssh is compiled with OpenSSL but not with gcrypt.
> > The problem is tracked on GitHub . My query is whether anyone can tell me
> > more about this/had the same problem and fixed it somehow. It would be best
> > if there was a format compatible with both backend libraries. Thanks for any
> > input.
> > Some more details regarding the problem, the key is generated by:
> > openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -outform PEM
> > Then, the header and footer is removed only to be added later  and stored
> > back into a file. This file is then imported , which fails.
> > Regards,
> > Michal
> >  https://github.com/CESNET/Netopeer2/issues/534
> > 
> > https://github.com/CESNET/libnetconf2/blob/devel/src/session_server_ssh.c#L43
> > 
> > https://github.com/CESNET/libnetconf2/blob/devel/src/session_server_ssh.c#L1291
> This happens because OpenSSL uses the PKCS#8 format when writing RSA keys to PEM files by default. When compiled with OpenSSL we use its parser, which supports PKCS#8 format.
> Unfortunately, AFAIK, libgcrypt does not have a PEM file parser; what we use is an internally implemented parser which only supports the legacy OpenSSL format (also called "SSLeay format" or "traditional format").
> You can convert the PKCS#8 PEM file to the legacy format by running:
> $ openssl rsa -in pkcs8-file.pem -out legacy.pem
> Then such key in legacy format can be used both with OpenSSL and libgcrypt.
Archive administrator: firstname.lastname@example.org