----- Original Message ----- > From: "Michal Vaško" <[email protected]> > To: [email protected] > Sent: Thursday, January 23, 2020 10:47:49 AM > Subject: Importing hostkey > > Hello, > we have recently found an issue with importing RSA host key of length 2048 > but presumably the problem may occur also with other key types/lengths. It > seems to work fine when libssh is compiled with OpenSSL but not with gcrypt. > The problem is tracked on GitHub [1]. My query is whether anyone can tell me > more about this/had the same problem and fixed it somehow. It would be best > if there was a format compatible with both backend libraries. Thanks for any > input. > > Some more details regarding the problem, the key is generated by: > openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -outform PEM > > Then, the header and footer is removed only to be added later [2] and stored > back into a file. This file is then imported [3], which fails. > > Regards, > Michal > > [1] https://github.com/CESNET/Netopeer2/issues/534 > [2] > https://github.com/CESNET/libnetconf2/blob/devel/src/session_server_ssh.c#L43 > [3] > https://github.com/CESNET/libnetconf2/blob/devel/src/session_server_ssh.c#L1291 > >
Hello, This happens because OpenSSL uses the PKCS#8 format when writing RSA keys to PEM files by default. When compiled with OpenSSL we use its parser, which supports PKCS#8 format. Unfortunately, AFAIK, libgcrypt does not have a PEM file parser; what we use is an internally implemented parser which only supports the legacy OpenSSL format (also called "SSLeay format" or "traditional format"). You can convert the PKCS#8 PEM file to the legacy format by running: $ openssl rsa -in pkcs8-file.pem -out legacy.pem Then such key in legacy format can be used both with OpenSSL and libgcrypt. Regards, Anderson
