Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/ssh: ParseRawPrivateKeyWithPassphrase doesn't support PKCS#8 encrypted keys #43387

Open
eurozulu opened this issue Dec 26, 2020 · 2 comments
Open

Comments

@eurozulu
Copy link

@eurozulu eurozulu commented Dec 26, 2020

What version of Go are you using (go version)?

go version go1.15.4 darwin/amd64

Does this issue reproduce with the latest release? Yes

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOOS="darwin"

go env Output
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/rob/Library/Caches/go-build"
GOENV="/Users/rob/Library/Application Support/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/rob/development/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/rob/development/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/Cellar/go/1.15.4/libexec"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.15.4/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"

What did you do?

When decrypting a private key PEM block, using ssh package, there are two methods:
ParseRawPrivateKeyWithPassphrase.
ParseRawPrivateKey.

ParseRawPrivateKey accepts PEM blocks with type "PRIVATE KEY" (with no other qualifier) and decrypts using x509.ParsePKCS8PrivateKey however ParseRawPrivateKeyWithPassphrase does not. Both accept blocks with
"RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY" and "OPENSSH PRIVATE KEY" but ParseRawPrivateKeyWithPassphrase seems to be missing the 'case' for "PRIVATE KEY" on its own.
As methods perform the same task, just with the addition of decrypting, should they not be aligned in the keys they support?

https://play.golang.org/p/D_CtEEAqO7i

What did you expect to see?

ParseRawPrivateKeyWithPassphrase parses pem block of type "Private Key" using x509.ParsePKCS8PrivateKey

What did you see instead?

Error: ssh: unsupported key type "PRIVATE KEY"

Looking at ssh/keys.go line: 1172 a switch block for the types appears to be missing the "PRIVATE KEY" case, reflected in the ParseRawPrivateKey switch block.

Suggested fix is a simple insertion of:
case "PRIVATE KEY": return x509.ParsePKCS8PrivateKey(buf)

@toothrot toothrot changed the title crypto/ssh ParseRawPrivateKeyWithPassphrase doesn't support "PRIVATE KEY" pem block as ParseRawPrivateKey does crypto/ssh: ParseRawPrivateKeyWithPassphrase doesn't support "PRIVATE KEY" pem block as ParseRawPrivateKey does Jan 5, 2021
@toothrot toothrot added this to the Backlog milestone Jan 5, 2021
@toothrot
Copy link
Contributor

@toothrot toothrot commented Jan 5, 2021

@FiloSottile
Copy link
Contributor

@FiloSottile FiloSottile commented Jan 5, 2021

That function supports two types of encryption: legacy PEM encryption, and the OpenSSH native encryption format. PKCS#8 specifies its own encryption format which we don't currently support. I'm not aware of any software that uses PEM legacy encryption with PKCS#8 encoding.

This is a duplicate of #8860, although it could also be fixed in x/crypto/ssh without exposing support in crypto/x509 by just implementing PKCS#8 encryption support. Retitled.

@FiloSottile FiloSottile changed the title crypto/ssh: ParseRawPrivateKeyWithPassphrase doesn't support "PRIVATE KEY" pem block as ParseRawPrivateKey does crypto/ssh: ParseRawPrivateKeyWithPassphrase doesn't support PKCS#8 encrypted keys Jan 5, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants