Re: Parsing private key PK - Invalid key tag or value
- Subject: Re: Parsing private key PK - Invalid key tag or value
- From: Jakub Jelen <jjelen@xxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Mon, 4 Jul 2022 19:59:11 +0200
- To: Jan Kundrát <jan.kundrat@xxxxxxxxx>, Heiko Thiery <heiko.thiery@xxxxxxxxx>
- Cc: Michal Vasko <mvasko@xxxxxxxxx>, libssh@xxxxxxxxxx, Andreas Schneider <asn@xxxxxxxxxxxxxx>
On 7/4/22 12:08, Jan Kundrát wrote:
> On Monday 4 July 2022 12:02:29 CEST, Heiko Thiery wrote:
>> Can you comment why the header and footer need to be removed?
>
> Just FYI, Michal is on a long-ish vacation, to be back next week.
>
> In the meanwhile I dug into git history, and it looks like the header/footer was being removed since 2019 via https://github.com/CESNET/netopeer2/commit/3384ac45a54bad4420903da578a1ca3a79d1a7b8 . That commit doesn't explain why that's needed.
>
> Have you tried removing that and checking whether it works for you?
If I read it correctly, your server code takes care of adding some headers back; the question is whether they add the correct ones, as there are different ones for different key types and file formats, and you just remove everything and add back what you believe should belong there.
https://github.com/CESNET/libnetconf2/blob/master/src/session_server_ssh.c#L49

The problem is that there are two "types" of PEM files. One of them is "legacy" PEM, which is just an encoded ASN.1 sequence of the key elements, and it is no rocket science to parse these key types; see an example here, which I generated using OpenSSH's ssh-keygen (sorry for a long link):
$ ssh-keygen -m PEM -f /tmp/test_rsa -t rsa -N ''

[asn1js link to the decoded legacy PEM test key omitted]
The other "type" is the modern PKCS8 PEM file, which has been the OpenSSL default for some time now and provides more information (mostly the OID). This is the key you have:
[asn1js link to the decoded PKCS8 key omitted]

And it looks like MbedTLS does not know how to parse these keys. There is a bit more about it in https://crypto.stackexchange.com/questions/35093/why-ssh-gen-makes-difference-between-pem-and-pkcs8

For the question whether the headers matter or not:
https://stackoverflow.com/questions/20065304/differences-between-begin-rsa-private-key-and-begin-private-key

When going through the implementation, openssl is much less strict about them, but mbedtls is quite picky, and if you mix them, it will not work. Moreover, libssh now supports only the legacy PEM headers (with the key type in) in the mbedtls backend, and the PKCS8 ones are rejected.
I refactored a bit the mbedtls implementation of key parsing so it is able to parse the keys you provided in the previous email. Can you check if this solves your issue (indeed after fixing your key headers):
https://gitlab.com/libssh/libssh-mirror/-/merge_requests/260

I would like to give it a better look to cross-check the various key types and formats against libgcrypt and openssl too.
Regards,
--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.
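As an added example, not part of Jakub's mail or of libssh/libnetconf2: a stdlib-only Python check for the header/content mismatch described above. It hand-builds a constructed toy RSA key in both the legacy PKCS#1 form (bare RSAPrivateKey SEQUENCE, "BEGIN RSA PRIVATE KEY") and the PKCS#8 form (version, AlgorithmIdentifier with the rsaEncryption OID, OCTET STRING, "BEGIN PRIVATE KEY"), then verifies that a PEM block's BEGIN label agrees with what the DER inside actually is, which is exactly what a strict parser such as mbedtls trips over when a server strips and re-adds the wrong armour. The names classify_der, pem_check and wrap_pem and the toy key values are assumptions chosen here.

```python
import base64
import re

# DER of the rsaEncryption OID (1.2.840.113549.1.1.1), as used in a PKCS#8 AlgorithmIdentifier
RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")
LABELS = {"pkcs1": "RSA PRIVATE KEY", "pkcs8": "PRIVATE KEY"}

def _der_len(n):  # DER length octets, short or long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(value):  # positive INTEGER; the extra byte keeps the sign bit clear
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def der_seq(*parts):
    body = b"".join(parts)
    return b"\x30" + _der_len(len(body)) + body

def _read_tlv(buf, pos):  # -> (tag, value bytes, position after this element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + length], pos + length

def classify_der(der):  # 'pkcs1' (RSAPrivateKey), 'pkcs8' (PrivateKeyInfo) or 'unknown'
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        return "unknown"
    tag, _, pos = _read_tlv(body, 0)  # both formats open with INTEGER version
    if tag != 0x02:
        return "unknown"
    tag = _read_tlv(body, pos)[0]  # PKCS#1: INTEGER modulus; PKCS#8: AlgorithmIdentifier SEQUENCE
    return {0x02: "pkcs1", 0x30: "pkcs8"}.get(tag, "unknown")

def pem_check(pem):  # -> (BEGIN label, actual DER format, whether the two agree)
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("not a PEM block, or BEGIN/END labels differ")
    fmt = classify_der(base64.b64decode("".join(m.group(2).split())))
    return m.group(1), fmt, LABELS.get(fmt) == m.group(1)

def wrap_pem(der, label):  # re-add PEM armour with a chosen label (what a header-stripping server does)
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed toy RSA key (textbook n=3233, e=17, d=2753; not a usable key) in both encodings
TOY_PKCS1 = der_seq(der_int(0), *(der_int(v) for v in (3233, 17, 2753, 61, 53, 53, 49, 38)))
TOY_PKCS8 = der_seq(der_int(0), der_seq(RSA_OID_DER, b"\x05\x00"), b"\x04" + _der_len(len(TOY_PKCS1)) + TOY_PKCS1)
```

Running pem_check over a real key file will tell you whether its armour matches its body before handing it to a strict parser; wrapping the PKCS#8 bytes in "RSA PRIVATE KEY" reproduces the mismatch case.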