On 25/12/2020 10:10, Nico Schottelius wrote:
>
> Good morning Adam and Jason,
>
> thanks for your qualified and fast answers! It's nice to see Dan's
> website still referenced in almost 2021 and also that it can be easily
> enough verified.
>
> For reference and if anyone ever looks up this thread, I am using
> the following code within the Django Rest Framework [0]:
>
> --------------------------------------------------------------------------------
> def validate_wireguard_public_key(self, value):
> msg = _("Supplied key is not a valid wireguard public key")
>
> """
> Verify wireguard key.
> See
> https://urldefense.com/v3/__https://lists.zx2c4.com/pipermail/wireguard/2020-December/006221.html__;!!I9LPvj3b!XDmxiY_v3yY5wQI9GfFvshrCIUcqg4vvKg35qvL0fFajgNHTwr3LcySSqHrNgCByOzQ$
>
> """
>
> try:
> decoded_key = base64.standard_b64decode(value)
> except Exception as e:
> raise serializers.ValidationError(msg)
>
> if not len(decoded_key) == 32:
> raise serializers.ValidationError(msg)
>
> return value
> --------------------------------------------------------------------------------
>
> Thanks again and enjoy the quite time over Christmas!
>
> Best regards,
>
> Nico
>
> [0]
> https://urldefense.com/v3/__https://code.ungleich.ch/uncloud/uncloud/-/blob/master/uncloud_net/serializers.py*L37__;Iw!!I9LPvj3b!XDmxiY_v3yY5wQI9GfFvshrCIUcqg4vvKg35qvL0fFajgNHTwr3LcySSqHrNb-aKgNg$
>
>
>
> Adam Stiles <[email protected]> writes:
>
>> Hi Nico,
>>
>> WireGuard uses Curve25519 keys. A Curve25519 secret key is a random 32
>> byte value with a few special bits flipped, and a public key is
>> calculated from a secret key.
>>
>> There's some good info here
>> (https://urldefense.com/v3/__https://cr.yp.to/ecdh.html__;!!I9LPvj3b!XDmxiY_v3yY5wQI9GfFvshrCIUcqg4vvKg35qvL0fFajgNHTwr3LcySSqHrNDoxdskk$
>> ), including
>> this questions and answer:
>>
>> "How do I validate Curve25519 public keys?"
>>
>> "Don't. The Curve25519 function was carefully designed to allow all
>> 32-byte strings as Diffie-Hellman public keys."
>>
>> I just saw Jason's response, and so this is a bit redundant, but the
>> reference above is a good one.
>>
>> Best,
>>
>> Adam
>>
>>
>> On Thu, Dec 24, 2020 at 3:21 PM Nico Schottelius
>> <[email protected]> wrote:
>>>
>>>
>>> Good morning,
>>>
>>> I am currently extending uncloud [0] to support wireguard tunnels and
>>> keys. At the moment it is not entirely clear how to verify that a
>>> certain string is a valid wireguard key.
>>>
>>> I first tried checking that it is valid base64, but not all base64
>>> strings are valid wireguard keys.
>>>
>>> Then I tried using `echo $key | wg pubkey && echo ok` - which seems to
>>> check the key format, however the intended behaviour here is misused.
>>>
>>> Does anyone have a pointer on how to reliably identify wireguard public
>>> keys?
>>>
>>> Is the wireguard key always 32 bytes when decoded from base64? Tests
>>> with a number of public keys seems to indicate that.
>>>
>>> Best regards,
>>>
>>> Nico
>>>
>>>
>>> [0]
>>> https://urldefense.com/v3/__https://code.ungleich.ch/uncloud/uncloud__;!!I9LPvj3b!XDmxiY_v3yY5wQI9GfFvshrCIUcqg4vvKg35qvL0fFajgNHTwr3LcySSqHrNE6JpRjQ$
>>>
>>>
>>> --
>>> Modern, affordable, Swiss Virtual Machines. Visit
>>> https://urldefense.com/v3/__http://www.datacenterlight.ch__;!!I9LPvj3b!XDmxiY_v3yY5wQI9GfFvshrCIUcqg4vvKg35qvL0fFajgNHTwr3LcySSqHrNmbUvisY$
>>>
>
>
> --
> Modern, affordable, Swiss Virtual Machines. Visit
> https://urldefense.com/v3/__http://www.datacenterlight.ch__;!!I9LPvj3b!XDmxiY_v3yY5wQI9GfFvshrCIUcqg4vvKg35qvL0fFajgNHTwr3LcySSqHrNmbUvisY$
>
>
Hi
On this topic, i recently implemented a check if a key is valid in cpp with the
following rather crude code:
bool isValidWgKey(const string& usage, const string& key)
{
/* Wireguard keys are BASE64 encoded */
unsigned int _key_length = 44;
unsigned int _key_offset = _key_length -1;
if (key.length() != _key_length) {
log("Wireguard " + usage + " has wrong length (" +
to_string(key.length()) + " instead of 44)!");
return false;
}
size_t found =
key.substr(0,_key_offset).find_first_not_of("abcdefghijklmnopqrstuvwxyz"
"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/");
if (found != std::string::npos) {
log("Wireguard " + usage + " contains invalid character '" +
key.substr(found, 1) + "'");
return false;
}
if (key.substr(_key_offset,1) != "=") {
log("Wireguard " + usage + " ends with invalid character '" +
key.substr(found, 1) + "' instead of '='");
return false;
}
return true;
}
Maybe it's useful to someone.
BR
Matthias
