Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

handle pkcs8 ECDSA keys with missing public parts #62

Closed
sierranevadan opened this issue Jan 19, 2019 · 2 comments
Closed

handle pkcs8 ECDSA keys with missing public parts #62

sierranevadan opened this issue Jan 19, 2019 · 2 comments

Comments

@sierranevadan
Copy link

I have been given the following PKCS8 private key, but get this error parsing it.
(This is safe to share.) Is this not a valid private key? openssl doesn't complain.

$ cat dev1.pem
-----BEGIN PRIVATE KEY-----
MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCD1/r3zho5W2MpyZEk+
2d7gxUcQYUJzvWSOiwkUxCj8Bw==
-----END PRIVATE KEY-----

$ openssl pkcs8 -nocrypt -in dev1.pem
-----BEGIN PRIVATE KEY-----
MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCD1/r3zho5W2MpyZEk+
2d7gxUcQYUJzvWSOiwkUxCj8Bw==
-----END PRIVATE KEY-----

$ openssl asn1parse -in dev1.pem
    0:d=0  hl=2 l=  65 cons: SEQUENCE
    2:d=1  hl=2 l=   1 prim: INTEGER           :00
    5:d=1  hl=2 l=  19 cons: SEQUENCE
    7:d=2  hl=2 l=   7 prim: OBJECT            :id-ecPublicKey
   16:d=2  hl=2 l=   8 prim: OBJECT            :prime256v1
   26:d=1  hl=2 l=  39 prim: OCTET STRING      [HEX DUMP]:30250201010420F5FEBDF3868E56D8CA7264493ED9DEE0C54710614273BD648E8B0914C428FC07

$ openssl asn1parse -in dev1.pem -strparse 26
    0:d=0  hl=2 l=  37 cons: SEQUENCE
    2:d=1  hl=2 l=   1 prim: INTEGER           :01
    5:d=1  hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:F5FEBDF3868E56D8CA7264493ED9DEE0C54710614273BD648E8B0914C428FC07

$ node -v
v8.14.0

$ node
> require('sshpk').parsePrivateKey(fs.readFileSync('./dev1.pem'), 'pkcs8')
KeyParseError: Failed to parse (unnamed) as a valid pkcs8 format key: undefined (buffer) is required
    at Object.PrivateKey.parse [as parsePrivateKey] (/xxx/node_modules/sshpk/lib/private-key.js:197:10)

https://github.com/joyent/node-sshpk/blob/master/lib/formats/pkcs8.js#L306
Attaching a debugger showed that Q is null and not a buffer that ecNormalize(Q) asserts.

Is there something required that is missing from this private key?
@arekinath
Copy link
Contributor

No, this is a bug. The public key part of this pkcs8 private key is missing, but it's optional in the RFC and you're supposed to recompute it if it's missing (which sshpk is not currently doing). I'll have a fix for you shortly.

@arekinath arekinath changed the title Q is null in readPkcs8ECDSAPrivate handle pkcs8 ECDSA keys with missing public parts Jan 20, 2019
joyent-automation pushed a commit that referenced this issue Jan 22, 2019
@arekinath
#62 handle pkcs8 ECDSA keys with missing public parts
684dbe6 
Reviewed by: Cody Peter Mello <[email protected]>
@arekinath
Copy link
Contributor

Fix is merged in master (will be released as 1.16.1 once another commit is reviewed)

This was referenced Jan 23, 2019
Open
Open
Open
Closed
Closed
Closed
Merged
Open
Open
Merged
Closed
Open
Open
Open
Open
Open
Open
Open
Open
Merged
Open
Open
Open
Merged
Open
This was referenced Sep 12, 2019
Merged
Merged
Merged
Merged
Merged
Closed
Merged
Closed
Closed
Closed
This was referenced Mar 10, 2021
Merged
Merged
Open
Open
Merged
Open
Open
Open
Merged
Merged
Merged
Open
Open
Open
Closed
Open
Merged
Closed
@dependabot dependabot bot mentioned this issue Mar 18, 2021
Open
@snyk-bot snyk-bot mentioned this issue May 4, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sierranevadan @arekinath