[Bug 2390] New: PROTOCOL.key mis-describes private section

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Apr 27 04:04:16 AEST 2015 

https://bugzilla.mindrot.org/show_bug.cgi?id=2390

            Bug ID: 2390
           Summary: PROTOCOL.key mis-describes private section
           Product: Portable OpenSSH
           Version: 6.8p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Documentation
          Assignee: unassigned-bugs at mindrot.org
          Reporter: anakin at pobox.com

Created attachment 2607
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2607&action=edit
test key file

The file openssh/PROTOCOL.key documents the (optionally) encrypted
section of a new-format private key file as containing

        uint32  checkint
        uint32  checkint
        string  privatekey1
        string  comment1
        ...

Therefore, I expect each private key to be wrapped in a single large
SSH-2 "string", inside which I expect a second layer of data
marshalling such as the key type string and various mpints.

However, in fact, this doesn't seem to be true: as far as I can see,
the individual pieces of the private key just appear at the top level
of the encrypted string, and whoever is reading the file must recognise
the key type (either here or in the prior sequence of public keys) and
use it to know how many bits and pieces to expect.

As evidence I attach a test key file that I just generated using the
command "./ssh-keygen -t rsa -o -f testkey" and no passphrase.
Hex-dumping the base64 content, the relevant section is here:

00000140  DE DF 00 00 03 C8 92 77 30 13 92 77 30 13 00 00
.......w0..w0...
00000150  00 07 73 73 68 2D 72 73 61 00 00 01 01 00 AC 84
..ssh-rsa.......

Offset 0x142 is just beyond the end of the public key component, so the
next thing we see is the uint32 0x3C8 which is the length field of the
entire encrypted section (though not encrypted in this case). After
that, we see two identical copies of the uint32 0x92773013 (the
duplicated 'checkint'), and then immediately after that the 00 00 00 07
length field of the string "ssh-rsa" - with no intervening length field
large enough to span the whole private key. In other words, the
individual pieces of the private key data appear inline without a large
wrapping "string".

In fact, my analysis of the entire 'encrypted' section in this key
looks like this:

        uint32  0x92773013 (checkint)
        uint32  0x92773013 (checkint again)
        string  "ssh-rsa"
        mpint   modulus
        mpint   0x10001 (public exponent)
        mpint   private exponent
        mpint   iqmp
        mpint   p
        mpint   q
        string  "simon at resolution" (key comment)
        data    0x01 0x02 0x03 (padding)

so you can see that a decoder of this format has to see "ssh-rsa" and
know that that means six mpints follow, otherwise they cannot know
where to find the key comment or the start of the next private key (if
there were one).

I realise it's too late to actually change the key format now, but
PROTOCOL.key should be corrected to stop claiming a wrapping string.
Ideally it should also contain enough information to understand all the
supported key types, or at the very least, how to skip over each one to
the next.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list