x/crypto/ssh: support OpenSSH encoded ECDSA keys in ParsePrivateKey

[Fransebas]

What version of Go are you using (go version)?

go version go1.11.4 darwin/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/fransebas/Library/Caches/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/fransebas/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/go"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/3p/21s_plx55xq8zv2_hvnj93dc0000gn/T/go-build752561798=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

I'm using the default key that my raspberry pi uses when I connect to it using ssh and it's ecdsa-sha2-nistp256 type (I could share the key if necessary, it's a dummy machine ). But I get an error when using it. I don't know if I should be using another method to parse the key or if it's not supported (I assumed it was because of constants you have declared).

// These constants represent the algorithm names for key types supported by this
// package.
const (
	KeyAlgoRSA        = "ssh-rsa"
	KeyAlgoDSA        = "ssh-dss"
	KeyAlgoECDSA256   = "ecdsa-sha2-nistp256"
	KeyAlgoSKECDSA256 = "[email protected]"
	KeyAlgoECDSA384   = "ecdsa-sha2-nistp384"
	KeyAlgoECDSA521   = "ecdsa-sha2-nistp521"
	KeyAlgoED25519    = "ssh-ed25519"
	KeyAlgoSKED25519  = "[email protected]"
)

This is the code that I use:

private, err := ssh.ParsePrivateKey(privateBytes)
if err != nil {
	log.Fatal("Failed to parse private key: ", err)
}

I debbuged the code to see where it ends and it's on x/crypto/keys.go

// Implemented based on the documentation at
// https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key
func parseOpenSSHPrivateKey(key []byte) (crypto.PrivateKey, error) {
	const magic = "openssh-key-v1\x00"
	if len(key) < len(magic) || string(key[:len(magic)]) != magic {
		return nil, errors.New("ssh: invalid openssh private key format")
	}
	remaining := key[len(magic):]

	var w struct {
		CipherName   string
		KdfName      string
		KdfOpts      string
		NumKeys      uint32
		PubKey       []byte
		PrivKeyBlock []byte
	}

	if err := Unmarshal(remaining, &w); err != nil {
		return nil, err
	}

	if w.KdfName != "none" || w.CipherName != "none" {
		return nil, errors.New("ssh: cannot decode encrypted private keys")
	}

	pk1 := struct {
		Check1  uint32
		Check2  uint32
		Keytype string
		Rest    []byte `ssh:"rest"`
	}{}

	if err := Unmarshal(w.PrivKeyBlock, &pk1); err != nil {
		return nil, err
	}

	if pk1.Check1 != pk1.Check2 {
		return nil, errors.New("ssh: checkint mismatch")
	}

	// we only handle ed25519 and rsa keys currently
	switch pk1.Keytype {
	case KeyAlgoRSA:
		// https://github.com/openssh/openssh-portable/blob/master/sshkey.c#L2760-L2773
		key := struct {
			N       *big.Int
			E       *big.Int
			D       *big.Int
			Iqmp    *big.Int
			P       *big.Int
			Q       *big.Int
			Comment string
			Pad     []byte `ssh:"rest"`
		}{}

		if err := Unmarshal(pk1.Rest, &key); err != nil {
			return nil, err
		}

		for i, b := range key.Pad {
			if int(b) != i+1 {
				return nil, errors.New("ssh: padding not as expected")
			}
		}

		pk := &rsa.PrivateKey{
			PublicKey: rsa.PublicKey{
				N: key.N,
				E: int(key.E.Int64()),
			},
			D:      key.D,
			Primes: []*big.Int{key.P, key.Q},
		}

		if err := pk.Validate(); err != nil {
			return nil, err
		}

		pk.Precompute()

		return pk, nil
	case KeyAlgoED25519:
		key := struct {
			Pub     []byte
			Priv    []byte
			Comment string
			Pad     []byte `ssh:"rest"`
		}{}

		if err := Unmarshal(pk1.Rest, &key); err != nil {
			return nil, err
		}

		if len(key.Priv) != ed25519.PrivateKeySize {
			return nil, errors.New("ssh: private key unexpected length")
		}

		for i, b := range key.Pad {
			if int(b) != i+1 {
				return nil, errors.New("ssh: padding not as expected")
			}
		}

		pk := ed25519.PrivateKey(make([]byte, ed25519.PrivateKeySize))
		copy(pk, key.Priv)
		return &pk, nil
	default:
		return nil, errors.New("ssh: unhandled key type")
	}
}

If it's not supported, what do you recommend? Cand I use another library to parse the key (which I think it's not possible). Or I can help you incorporate that type 😁 if it's not too messy (I worked for a company implementing some Bitcoin BIPs that used the ECDSA so I have some experience with this).

What did you expect to see?

What did you see instead?

ssh: unhandled key type

[toothrot]

As an aside, Go 1.11 is no longer supported. We recommend upgrading to the latest supported release to ensure that you continue to receive security and critical bugfix patches.

/cc @hanwen @FiloSottile

[Fransebas]

For completeness I just update go and the issue persists,

go version go1.13.6 darwin/amd64

here is an example of a key I just generate:

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQRDQLJjLev2cYpwZyQi+iQMp53jPt+z
Z9ntQAPV4Qcgjr7QzOwy6rs9VBZv5nd92pRwVGE4dqFb9o/QXwV6BA9aAAAAyHgpbOd4KW
znAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBENAsmMt6/ZxinBn
JCL6JAynneM+37Nn2e1AA9XhByCOvtDM7DLquz1UFm/md33alHBUYTh2oVv2j9BfBXoED1
oAAAAhALxATueAPI452dBuBCkzF47/BjvAYpv16rTG6sj4hGF9AAAAKGZyYW5zZWJhc0BT
ZWJhc3RpYW5zLU1hY0Jvb2stUHJvLTIubG9jYWwBAgMEBQYH
-----END OPENSSH PRIVATE KEY-----

[FiloSottile]

Indeed, we probably should support that. I think it wasn't an issue in the past because OpenSSH used the PKIX format until recently, which we do support.

[gopherbot]

Change https://golang.org/cl/215540 mentions this issue: ssh: support ECDSA private keys in OpenSSH format