Mailing List Archive

A mis-specification of the OpenSSH key format?
The PROTOCOL.key file says the list of N private keys in the OpenSSH format are stored like so

uint32 checkint
uint32 checkint
string privatekey1
string comment1
string privatekey2
string comment2
...

I would then expect that each private key should have the string wrapping that precedes it with a 32-bit count of the number of bytes in the private key.

When I do a dump of the file though it seems that each of the private keys is just embedded at these points without the string wrapping. For example

$ sed -n '2,9p' ~/.ssh/id_ecdsa_sk | base64 -d | xxd -g 1
...
000000a0: 4e 95 00 00 00 04 73 73 68 3a 00 00 00 e0 ea 93 N.....ssh:......
000000b0: 0b 34 ea 93 0b 34 00 00 00 22 73 6b 2d 65 63 64 .4...4..."sk-ecd
000000c0: 73 61 2d 73 68 61 32 2d 6e 69 73 74 70 32 35 36 sa-sha2-nistp256
000000d0: 40 6f 70 65 6e 73 73 68 2e 63 6f 6d 00 00 00 08 @openssh.com....
...

you can see the two ea 93 0b 34 checkints are followed by 00 00 00 22 which is the immediate start of a "sk-ecdsa-sha2-nistp256@openssh.com" key without a string wrapper (0x22 being the length of the "sk-ecdsa-sha2-nistp256@openssh.com" identifier).

As a point of comparison, the public keys declared earlier in the file are actually string wrapped. Using the same example

byte[] AUTH_MAGIC
string ciphername
string kdfname
string kdfoptions
int number of keys N
string publickey1
string publickey2
...

$ sed -n '2,9p' ~/.ssh/id_ecdsa_sk | base64 -d | xxd -g 1
...
00000020: 00 00 00 00 00 00 01 00 00 00 7f 00 00 00 22 73 .............."s
00000030: 6b 2d 65 63 64 73 61 2d 73 68 61 32 2d 6e 69 73 k-ecdsa-sha2-nis
00000040: 74 70 32 35 36 40 6f 70 65 6e 73 73 68 2e 63 6f tp256@openssh.co
00000050: 6d 00 00 00 08 6e 69 73 74 70 32 35 36 00 00 00 m....nistp256...
...

we see the number of keys 01 is followed by the length of the entire first key 00 00 00 7f, which is then followed by the 00 00 00 22 that starts the "sk-ecdsa-sha2-nistp256@openssh.com" key that is wrapped (again the size of the key type identifier).

Thanks! -Tyson
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
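The distinction Tyson's dump shows (the public keys are `string`-wrapped, the private keys are laid out inline as `byte[]`) is easiest to see with a parser that walks both layouts. The following is an added example, not code from the thread or from OpenSSH: it parses an unencrypted openssh-key-v1 container built in memory with dummy key material, reads the private section the way OpenSSH does (checkints, then each key's fields directly, then the comment, then 1,2,3... padding), and also shows what a parser that took `string privatekey1` literally would extract. The per-type private field layouts in `PRIVATE_FIELDS` are written from memory of the sshkey.c serialisation and are an assumption of this example; the sample blob, the comment `tyson@example` and the dummy point/key handle are constructed.

```python
import struct

AUTH_MAGIC = b"openssh-key-v1\x00"

# Type-specific private fields that follow the key-type string. Layouts are
# written from the sshkey.c private serialisation as remembered (an assumption
# of this example, not something stated in the thread).
# "s" = SSH string (uint32 length + bytes), "b" = one raw byte.
PRIVATE_FIELDS = {
    b"ssh-ed25519": [("pk", "s"), ("sk", "s")],
    b"sk-ecdsa-sha2-nistp256@openssh.com": [
        ("curve", "s"), ("Q", "s"), ("application", "s"),
        ("flags", "b"), ("key_handle", "s"), ("reserved", "s"),
    ],
}


def pack_string(data: bytes) -> bytes:
    """SSH 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_u32(buf: bytes, off: int):
    if off + 4 > len(buf):
        raise ValueError("truncated uint32")
    return struct.unpack_from(">I", buf, off)[0], off + 4


def read_string(buf: bytes, off: int):
    n, off = read_u32(buf, off)
    if off + n > len(buf):
        raise ValueError("string length runs past end of buffer")
    return buf[off:off + n], off + n


def parse_private_section(sec: bytes, nkeys: int):
    """Walk the (decrypted) private section as OpenSSH does: two checkints,
    then each key's fields inline (byte[], no outer length), then its comment,
    then padding bytes 1, 2, 3, ... up to the cipher block size."""
    c1, off = read_u32(sec, 0)
    c2, off = read_u32(sec, off)
    if c1 != c2:
        raise ValueError("checkint mismatch: wrong passphrase or corrupt file")
    keys = []
    for _ in range(nkeys):
        # The first thing after the checkints is the key-type string itself,
        # which is why the dump shows 00 00 00 22 "sk-ecdsa-..." immediately.
        ktype, off = read_string(sec, off)
        if ktype not in PRIVATE_FIELDS:
            raise ValueError(f"no private layout known for {ktype!r}")
        key = {"type": ktype}
        for name, kind in PRIVATE_FIELDS[ktype]:
            if kind == "s":
                key[name], off = read_string(sec, off)
            else:
                key[name], off = sec[off], off + 1
        key["comment"], off = read_string(sec, off)
        keys.append(key)
    padding = sec[off:]
    if padding != bytes(range(1, len(padding) + 1)):
        raise ValueError("bad padding after last key")
    return keys


def parse_container(blob: bytes):
    """Parse the outer openssh-key-v1 container (unencrypted containers only)."""
    if not blob.startswith(AUTH_MAGIC):
        raise ValueError("missing openssh-key-v1 magic")
    off = len(AUTH_MAGIC)
    cipher, off = read_string(blob, off)
    kdf, off = read_string(blob, off)
    _kdfopts, off = read_string(blob, off)
    nkeys, off = read_u32(blob, off)
    pubs = []
    for _ in range(nkeys):
        pub, off = read_string(blob, off)   # public keys ARE string-wrapped
        pubs.append(pub)
    private, off = read_string(blob, off)   # whole private section is one string
    if off != len(blob):
        raise ValueError("trailing bytes after private section")
    if cipher != b"none" or kdf != b"none":
        raise ValueError("encrypted container: decrypt the private section first")
    return {"public_keys": pubs, "private_section": private,
            "keys": parse_private_section(private, nkeys)}


def naive_string_read(sec: bytes):
    """What a parser that took 'string privatekey1' literally would extract:
    the key-type name as the 'private key' and the next field as the 'comment'."""
    off = 8  # skip the two checkints
    privkey, off = read_string(sec, off)
    comment, off = read_string(sec, off)
    return privkey, comment


def build_sample() -> bytes:
    """Constructed unencrypted container holding one sk-ecdsa key. The point,
    key handle and comment are dummy bytes, not real key material."""
    ktype = b"sk-ecdsa-sha2-nistp256@openssh.com"
    curve, q, app = b"nistp256", b"\x04" + b"\x11" * 64, b"ssh:"
    pub = pack_string(ktype) + pack_string(curve) + pack_string(q) + pack_string(app)
    checkint = struct.pack(">I", 0xEA930B34)   # the value seen in the dump above
    priv = (checkint * 2 + pack_string(ktype) + pack_string(curve) + pack_string(q)
            + pack_string(app) + b"\x01" + pack_string(b"\x22" * 32)
            + pack_string(b"") + pack_string(b"tyson@example"))
    priv += bytes(range(1, 8 - len(priv) % 8 + 1)) if len(priv) % 8 else b""
    return (AUTH_MAGIC + pack_string(b"none") + pack_string(b"none") + pack_string(b"")
            + struct.pack(">I", 1) + pack_string(pub) + pack_string(priv))


if __name__ == "__main__":
    parsed = parse_container(build_sample())
    print(parsed["keys"][0]["type"], parsed["keys"][0]["comment"])
    print(naive_string_read(parsed["private_section"]))
```

Because the constructed public key has the same field layout as the one in the dump, its wrapped length comes out as 0x7f, matching the `00 00 00 7f` Tyson points at. The `naive_string_read` function returns the 0x22-byte key-type name as the "private key" and `nistp256` as the "comment", which is exactly the misparse a reader of the old PROTOCOL.key text would hit; the checkint and padding checks are the two integrity checks OpenSSH itself applies when it loads a key.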
Re: A mis-specification of the OpenSSH key format?
yeah, the private keys should be inserted as byte[] rather than string.

I just fixed this in https://github.com/openssh/openssh-portable/commit/24fee8

On Wed, 5 May 2021, Tyson Whitehead wrote:

> The PROTOCOL.key file says the list of N private keys in the OpenSSH format
> are stored like so
>
> uint32 checkint
> uint32 checkint
> string privatekey1
> string comment1
> string privatekey2
> string comment2
> ...
>
> I would then expect that each private key should have the string wrapping
> that precedes it with a 32-bit count of the number of bytes in the private
> key.
>
> When I do a dump of the file though it seems that each of the private keys is
> just embedded at these points without the string wrapping. For example
>
> $ sed -n '2,9p' ~/.ssh/id_ecdsa_sk | base64 -d | xxd -g 1
> ...
> 000000a0: 4e 95 00 00 00 04 73 73 68 3a 00 00 00 e0 ea 93 N.....ssh:......
> 000000b0: 0b 34 ea 93 0b 34 00 00 00 22 73 6b 2d 65 63 64 .4...4..."sk-ecd
> 000000c0: 73 61 2d 73 68 61 32 2d 6e 69 73 74 70 32 35 36 sa-sha2-nistp256
> 000000d0: 40 6f 70 65 6e 73 73 68 2e 63 6f 6d 00 00 00 08 @openssh.com....
> ...
>
> you can see the two ea 93 0b 34 checkints are followed by 00 00 00 22 which is
> the immediate start of a "sk-ecdsa-sha2-nistp256@openssh.com" key without a
> string wrapper (0x22 being the length of the
> "sk-ecdsa-sha2-nistp256@openssh.com" identifier).
>
> As a point of comparison, the public keys declared earlier in the file are
> actually string wrapped. Using the same example
>
> byte[] AUTH_MAGIC
> string ciphername
> string kdfname
> string kdfoptions
> int number of keys N
> string publickey1
> string publickey2
> ...
>
> $ sed -n '2,9p' ~/.ssh/id_ecdsa_sk | base64 -d | xxd -g 1
> ...
> 00000020: 00 00 00 00 00 00 01 00 00 00 7f 00 00 00 22 73 .............."s
> 00000030: 6b 2d 65 63 64 73 61 2d 73 68 61 32 2d 6e 69 73 k-ecdsa-sha2-nis
> 00000040: 74 70 32 35 36 40 6f 70 65 6e 73 73 68 2e 63 6f tp256@openssh.co
> 00000050: 6d 00 00 00 08 6e 69 73 74 70 32 35 36 00 00 00 m....nistp256...
> ...
>
> we see the number of keys 01 is followed by the length of the entire first key
> 00 00 00 7f, which is then followed by the 00 00 00 22 that starts the
> "sk-ecdsa-sha2-nistp256@openssh.com" key that is wrapped (again the size of
> the key type identifier).
>
> Thanks! -Tyson
Re: A mis-specification of the OpenSSH key format?
On Fri, May 07, 2021 at 12:42:47PM +1000, Damien Miller wrote:
> yeah, the private keys should be inserted as byte[] rather than string.
>
> I just fixed this in https://github.com/openssh/openssh-portable/commit/24fee8

This is quite similar to
https://bugzilla.mindrot.org/show_bug.cgi?id=2390 from a few years ago,
but my patch in that bug includes a few further fixes that I think you
missed in that commit (e.g. you left "privatekeyN" unchanged, and I
included a few more type clarifications).

Thanks,

--
Colin Watson (he/him) [cjwatson@debian.org]