On Mon, 2019-02-25 at 11:56 +0100, g4-l...@tonarchiv.ch wrote:
> On 25.02.19 09:57, Jakub Jelen wrote:
> > On Sun, 2019-02-24 at 18:38 +0100, g4-l...@tonarchiv.ch wrote:
> > > ... which IMHO does not make much sense:
> > >
> > > #define OPENSSH_HEADER_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n"
> > >
> > > So if we import a public key this code block will never be used:
> > >
> > >     /* Test for new OpenSSH key format first */
> > >     cmp = strncmp(key_buf, OPENSSH_HEADER_BEGIN,
> > >                   strlen(OPENSSH_HEADER_BEGIN));
> > >     if (cmp == 0) {
> > >         *pkey = ssh_pki_openssh_pubkey_import(key_buf);
> > >         SAFE_FREE(key_buf);
> > >         if (*pkey == NULL) {
> > >             SSH_LOG(SSH_LOG_WARN, "Failed to import public key from OpenSSH"
> > >                     " private key file");
> > >             return SSH_ERROR;
> > >         }
> > >         return SSH_OK;
> > >     }
> > >
> > > Or am I missing something here?
> >
> > This code is used to import a public key from the OpenSSH private key
> > container [1]. This new format has the advantage that it has the public
> > key unencrypted, unlike the old PEM files, which can be handy.
> >
> > [1] https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.key?annotate=HEAD
>
> Thank you for the explanation. Actually it's clear when I read the
> warning log on failure... But I couldn't find any key sample which
> starts with BEGIN OPENSSH PRIVATE KEY but also contains a public key.

The test key in tests/keys/id_ed25519 should do that. There are other
examples of different key types in the unit tests in tests/torture_key.c.

The usage of this import function is demonstrated in the unit tests
called torture_pki_*_import_pubkey_from_openssh_privkey() in
tests/unittests/torture_pki_*.c

Hope it helps,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
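The point made in the thread above, that the "openssh-key-v1" container keeps the public key outside the encrypted private section, can be shown with a small stand-alone parser. The following is an added example and is not libssh code (it does not call ssh_pki_openssh_pubkey_import or any libssh API); it follows the layout in PROTOCOL.key, builds a constructed container whose cipher and KDF names say "aes256-ctr"/"bcrypt" but whose private section is just placeholder bytes rather than real ciphertext, and then reads the public key back without any passphrase. The 32-byte ed25519 point, the salt and the private-section bytes are all constructed values.

```python
# Added example (not libssh code): a minimal parser for the OpenSSH private key
# container described in PROTOCOL.key, showing that the public key can be read
# without the passphrase because it sits outside the encrypted section.
import base64
import struct

OPENSSH_HEADER_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----\n"
OPENSSH_HEADER_END = "-----END OPENSSH PRIVATE KEY-----\n"
AUTH_MAGIC = b"openssh-key-v1\x00"


def _put_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _get_string(buf: bytes, off: int):
    """Read one SSH wire 'string' at offset off; return (value, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def build_openssh_privkey(pubkey_blob: bytes, ciphername: bytes, kdfname: bytes,
                          kdfoptions: bytes, private_section: bytes) -> str:
    """Assemble a one-key PROTOCOL.key container and armor it like ssh-keygen does."""
    body = (AUTH_MAGIC
            + _put_string(ciphername)
            + _put_string(kdfname)
            + _put_string(kdfoptions)
            + struct.pack(">I", 1)           # number of keys
            + _put_string(pubkey_blob)       # public key, always plaintext
            + _put_string(private_section))  # private keys, encrypted when ciphername != "none"
    b64 = base64.b64encode(body).decode("ascii")
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return OPENSSH_HEADER_BEGIN + "\n".join(lines) + "\n" + OPENSSH_HEADER_END


def import_pubkey_from_openssh_privkey(text: str) -> dict:
    """Return the public key and container metadata; never touches the private section."""
    if not text.startswith(OPENSSH_HEADER_BEGIN):
        raise ValueError("not an OpenSSH private key file")
    end = text.find(OPENSSH_HEADER_END)
    if end < 0:
        raise ValueError("missing END marker")
    body = base64.b64decode(text[len(OPENSSH_HEADER_BEGIN):end])
    if not body.startswith(AUTH_MAGIC):
        raise ValueError("bad AUTH_MAGIC")
    off = len(AUTH_MAGIC)
    ciphername, off = _get_string(body, off)
    kdfname, off = _get_string(body, off)
    _kdfoptions, off = _get_string(body, off)
    (nkeys,) = struct.unpack_from(">I", body, off)
    off += 4
    if nkeys != 1:
        raise ValueError("expected exactly one key, got %d" % nkeys)
    pubkey_blob, off = _get_string(body, off)
    keytype, _ = _get_string(pubkey_blob, 0)
    return {
        "cipher": ciphername.decode("ascii"),
        "kdf": kdfname.decode("ascii"),
        "type": keytype.decode("ascii"),
        "blob": pubkey_blob,
        # same encoding as a line in authorized_keys / id_ed25519.pub
        "authorized_key": keytype.decode("ascii") + " "
                          + base64.b64encode(pubkey_blob).decode("ascii"),
    }


def demo() -> dict:
    """Build a constructed container that looks passphrase-protected and import only its public key."""
    # Constructed ed25519 public key: wire format is string "ssh-ed25519" + string (32-byte point).
    pub_point = bytes([0x11] * 32)
    pubkey_blob = _put_string(b"ssh-ed25519") + _put_string(pub_point)
    # Constructed bcrypt KDF options: string salt + uint32 rounds (placeholder values).
    kdfoptions = _put_string(bytes(range(16))) + struct.pack(">I", 16)
    # Placeholder bytes standing in for the AES-encrypted private section; no real encryption here.
    private_section = bytes(range(64))
    text = build_openssh_privkey(pubkey_blob, b"aes256-ctr", b"bcrypt", kdfoptions, private_section)
    return import_pubkey_from_openssh_privkey(text)


if __name__ == "__main__":
    print(demo()["authorized_key"])
```

The importer stops after the public-key string and never reads the private section, which is exactly why an old PEM-armored key (whose only payload is the encrypted private key) cannot serve the same purpose and why the BEGIN-marker check in the thread is the right dispatch point. Running the block prints an authorized_keys-style line for the constructed key.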