Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

handle pkcs8 ECDSA keys with missing public parts #62

Closed
sierranevadan opened this issue Jan 19, 2019 · 2 comments
Closed

handle pkcs8 ECDSA keys with missing public parts #62

sierranevadan opened this issue Jan 19, 2019 · 2 comments

Comments

@sierranevadan
Copy link

@sierranevadan sierranevadan commented Jan 19, 2019

I have been given the following PKCS8 private key, but get this error parsing it.
(This is safe to share.) Is this not a valid private key? openssl doesn't complain.

$ cat dev1.pem
-----BEGIN PRIVATE KEY-----
MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCD1/r3zho5W2MpyZEk+
2d7gxUcQYUJzvWSOiwkUxCj8Bw==
-----END PRIVATE KEY-----

$ openssl pkcs8 -nocrypt -in dev1.pem
-----BEGIN PRIVATE KEY-----
MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCD1/r3zho5W2MpyZEk+
2d7gxUcQYUJzvWSOiwkUxCj8Bw==
-----END PRIVATE KEY-----

$ openssl asn1parse -in dev1.pem
    0:d=0  hl=2 l=  65 cons: SEQUENCE
    2:d=1  hl=2 l=   1 prim: INTEGER           :00
    5:d=1  hl=2 l=  19 cons: SEQUENCE
    7:d=2  hl=2 l=   7 prim: OBJECT            :id-ecPublicKey
   16:d=2  hl=2 l=   8 prim: OBJECT            :prime256v1
   26:d=1  hl=2 l=  39 prim: OCTET STRING      [HEX DUMP]:30250201010420F5FEBDF3868E56D8CA7264493ED9DEE0C54710614273BD648E8B0914C428FC07

$ openssl asn1parse -in dev1.pem -strparse 26
    0:d=0  hl=2 l=  37 cons: SEQUENCE
    2:d=1  hl=2 l=   1 prim: INTEGER           :01
    5:d=1  hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:F5FEBDF3868E56D8CA7264493ED9DEE0C54710614273BD648E8B0914C428FC07

$ node -v
v8.14.0

$ node
> require('sshpk').parsePrivateKey(fs.readFileSync('./dev1.pem'), 'pkcs8')
KeyParseError: Failed to parse (unnamed) as a valid pkcs8 format key: undefined (buffer) is required
    at Object.PrivateKey.parse [as parsePrivateKey] (/xxx/node_modules/sshpk/lib/private-key.js:197:10)

https://github.com/joyent/node-sshpk/blob/master/lib/formats/pkcs8.js#L306
Attaching a debugger showed that Q is null and not a buffer that ecNormalize(Q) asserts.

Is there something required that is missing from this private key?

@arekinath
Copy link
Contributor

@arekinath arekinath commented Jan 20, 2019

No, this is a bug. The public key part of this pkcs8 private key is missing, but it's optional in the RFC and you're supposed to recompute it if it's missing (which sshpk is not currently doing). I'll have a fix for you shortly.

@arekinath arekinath changed the title Q is null in readPkcs8ECDSAPrivate handle pkcs8 ECDSA keys with missing public parts Jan 20, 2019
joyent-automation pushed a commit that referenced this issue Jan 22, 2019
Reviewed by: Cody Peter Mello <cody.mello@joyent.com>
@arekinath
Copy link
Contributor

@arekinath arekinath commented Jan 23, 2019

Fix is merged in master (will be released as 1.16.1 once another commit is reviewed)

@arekinath arekinath closed this Jan 23, 2019
This was referenced Jan 23, 2019
This was referenced Sep 12, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.