Hi Nico,

WireGuard uses Curve25519 keys. A Curve25519 secret key is a random 32-byte value with a few special bits flipped, and a public key is calculated from a secret key.

There's some good info here (https://cr.yp.to/ecdh.html), including this question and answer: "How do I validate Curve25519 public keys?" "Don't. The Curve25519 function was carefully designed to allow all 32-byte strings as Diffie-Hellman public keys."

I just saw Jason's response, and so this is a bit redundant, but the reference above is a good one.

Best,
Adam

On Thu, Dec 24, 2020 at 3:21 PM Nico Schottelius <[email protected]> wrote:
>
>
> Good morning,
>
> I am currently extending uncloud [0] to support wireguard tunnels and
> keys. At the moment it is not entirely clear how to verify that a
> certain string is a valid wireguard key.
>
> I first tried checking that it is valid base64, but not all base64
> strings are valid wireguard keys.
>
> Then I tried using `echo $key | wg pubkey && echo ok` - which seems to
> check the key format, however the intended behaviour here is misused.
>
> Does anyone have a pointer on how to reliably identify wireguard public
> keys?
>
> Is the wireguard key always 32 bytes when decoded from base64? Tests
> with a number of public keys seem to indicate that.
>
> Best regards,
>
> Nico
>
>
> [0] https://code.ungleich.ch/uncloud/uncloud
>
> --
> Modern, affordable, Swiss Virtual Machines. Visit www.datacenterlight.ch
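Putting the thread's answer into code, as an added example that is not from the thread or from the WireGuard project: a strict format check for a base64 WireGuard key (44 chars decoding to exactly 32 bytes, nothing more, since any 32-byte string is a usable public key), the secret-key bit clamping Adam mentions, and a pure-Python X25519 (RFC 7748 Montgomery ladder) that derives the public key the way `wg pubkey` does. Function names are my own; the key material in the test is the RFC 7748 Alice/Bob vector.

```python
import base64
P = 2**255 - 19   # Curve25519 field prime
KEY_LEN = 32      # every Curve25519 key, public or secret, is 32 bytes
B64_LEN = 44      # 32 bytes encode to 44 base64 chars, the last one '='

def is_wireguard_key(s: str) -> bool:
    """Format check only: as djb says, any 32-byte string is a valid public key."""
    if len(s) != B64_LEN or not s.endswith("="):
        return False
    try:
        raw = base64.b64decode(s, validate=True)   # rejects non-alphabet chars
    except ValueError:                             # binascii.Error is a ValueError
        return False
    # validate=True still accepts non-zero padding bits; re-encode to force canonical form
    return len(raw) == KEY_LEN and base64.b64encode(raw).decode() == s

def clamp(secret: bytes) -> int:
    """The 'special bits': clear the 3 low bits, clear bit 255, set bit 254."""
    k = bytearray(secret)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return int.from_bytes(k, "little")

def x25519(k: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5: u-coordinate of k*u."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return x2 * pow(z2, P - 2, P) % P

def public_key(secret_b64: str) -> str:
    """What `wg pubkey` does: base64 secret key in, base64 public key out."""
    if not is_wireguard_key(secret_b64):
        raise ValueError("not a 32-byte base64 key")
    u = x25519(clamp(base64.b64decode(secret_b64)), 9)   # 9 is the base point
    return base64.b64encode(u.to_bytes(KEY_LEN, "little")).decode()
```

The checker answers Nico's question directly (decode strictly, require 32 bytes), and the same code shows why `wg pubkey` accepts any such string: clamping plus the ladder produce a public key from every 32-byte input.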
