Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Why does SSH support only 1024 bit DSA keys in 3.0? #5373

Closed
lukpueh opened this issue Aug 4, 2020 · 4 comments
Closed

Why does SSH support only 1024 bit DSA keys in 3.0? #5373

lukpueh opened this issue Aug 4, 2020 · 4 comments

Comments

@lukpueh
Copy link
Contributor

lukpueh commented Aug 4, 2020

Is there a reason why the ssh serialization module does not support DSA keys with a bit length greater than 1024 in cryptography version 3.0? I could not find any information in the corresponding PR (#5146), git log or changelog.

These are the relevant lines that were released in 3.0.

cryptography/src/cryptography/hazmat/primitives/serialization/ssh.py

Lines 330 to 333 in 143f56f

def _validate(self, public_numbers):
parameter_numbers = public_numbers.parameter_numbers
if parameter_numbers.p.bit_length() != 1024:
raise ValueError("SSH supports only 1024 bit DSA keys")

And here is a serialization/deserialization snippet that worked fine on cryptography 2.9 but raises said ValueError in 3.0:

from cryptography.hazmat.primitives.serialization import (load_ssh_public_key,
        Encoding, PublicFormat)
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric.dsa import generate_private_key

# Create DSA key pair with key size != 1024
dsa_key = generate_private_key(key_size=2048, backend=default_backend())

# Dump to SSH
ssh_bytes = dsa_key.public_key().public_bytes(Encoding.OpenSSH, PublicFormat.OpenSSH)

# Parse from SSH
dsa_key_parsed = load_ssh_public_key(ssh_bytes, backend=default_backend()) # BREAKS ON v3.0

# Assert that no public key info was lost in serialization
assert dsa_key.public_key().public_numbers() == dsa_key_parsed.public_numbers()

Context:
The update just broke some test code in a project I maintain (secure-systems-lab/securesystemslib#261). I'm fine in changing the test code, I just wanted to know if the change was intentional? Thanks! :)

(cc @markokr, @reaperhulk, @joshuagl)
@markokr
Copy link
Contributor

markokr commented Aug 4, 2020

Because OpenSSH supports only 1024-bit DSA keys.

If there are other SSH server that support other lengths, then it would be OK to relax it.

@ronf
Copy link

ronf commented Aug 4, 2020

Basically, this has to do with RFC 4253 mandating that SHA-1 be used as a hash for the "ssh-dss" signature blob.

More detail about this can be found in https://bugzilla.mindrot.org/show_bug.cgi?id=1647.

@lukpueh
Copy link
Contributor Author

lukpueh commented Aug 4, 2020

Thanks for the quick reply and the pointer! I wasn't aware of that restriction.

We were using the ssh format only to store a DSA public key from a test gpg keychain as stand-alone file. gpg --export-ssh-key, which we used to create the file, didn't mind that the key was 2048 bits long, and nor did cryptography when importing the key, until now.

I guess we can close this issue.

@reaperhulk
Copy link
Member

DSA is also slowly being deprecated and removed from the ecosystem (for example, Go: golang/go#40337). We have no plans for removal on our end at this time, but similarly we're not interested in expanding DSA support further.

@lukpueh lukpueh closed this as completed Aug 4, 2020
@lukpueh lukpueh mentioned this issue Aug 4, 2020
Closed
lukpueh added a commit to lukpueh/securesystemslib that referenced this issue Aug 5, 2020
@lukpueh
Change DSA test key format + adopt test code
af6854c 
A recent pyca/cryptography update dropped support for DSA ssh
public keys with bit size other than 1024, which broke our tests.
See pyca/cryptography#5373

This commit changes the test key format to X.509 SubjectPublicKeyInfo PEM
and updates the corresponding test code.

```
ssh-keygen -f C242A830DAAF1C2BEF604A9EF033A3A3E267B3B1.ssh \
   -e -m pkcs8 > C242A830DAAF1C2BEF604A9EF033A3A3E267B3B1.pem
```

Note: ssh-keygen mistakingly calls the format pkcs8 although it
is X.509 SubjectPublicKeyInfo PEM.
@lukpueh lukpueh mentioned this issue Aug 5, 2020
Merged
3 tasks
lukpueh added a commit to lukpueh/securesystemslib that referenced this issue Aug 6, 2020
@lukpueh
Change DSA test key format + adopt test code
492f7e5 
A recent pyca/cryptography update dropped support for DSA ssh
public keys with bit size other than 1024, which broke our tests.
See pyca/cryptography#5373

This commit changes the test key format to X.509 SubjectPublicKeyInfo PEM
and updates the corresponding test code.

```
ssh-keygen -f C242A830DAAF1C2BEF604A9EF033A3A3E267B3B1.ssh \
   -e -m pkcs8 > C242A830DAAF1C2BEF604A9EF033A3A3E267B3B1.pem
```

Note: ssh-keygen mistakingly calls the format pkcs8 although it
is X.509 SubjectPublicKeyInfo PEM.
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 3, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@markokr @reaperhulk @lukpueh @ronf