
PKI: serialization.load_pem_private_key fails to load unencrypted RSA private key without specified type in BEGIN/END tokens
Open, Normal, Public, BUG

Description

I've tried to import an existing CA with

set pki ca testca certificate 'MII<cut>=='
set pki ca testca private key 'MII<cut>=='

but commit failed with

Invalid private key on CA certificate "testca"

I did some digging into the implementation in pki.py and here's what I've found:

>>> from cryptography.hazmat.primitives.serialization import load_pem_private_key
>>> stripped_priv_key='MII<redacted>=='
>>> KEY_BEGIN='-----BEGIN PRIVATE KEY-----\n'
>>> KEY_END='\n-----END PRIVATE KEY-----'
>>> wrapped = KEY_BEGIN + stripped_priv_key + KEY_END
>>> load_pem_private_key(bytes(wrapped, 'utf-8'), password=None)
Traceback (most recent call last): 
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/serialization/base.py", line 22, in load_pem_private_key
    return ossl.load_pem_private_key(data, password)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 921, in load_pem_private_key
    return self._load_key(
           ^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 1189, in _load_key
    self._handle_key_loading_error()
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 1248, in _handle_key_loading_error
    raise ValueError(
ValueError: ('Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).', [_OpenSSLErrorWithText(code=503841036, lib=60, reason=524556, reason_text=b'error:1E08010C:DECODER routines::unsupported'), _OpenSSLErrorWithText(code=109052072, lib=13, reason=168, reason_text=b'error:068000A8:asn1 encoding routines::wrong tag'), _OpenSSLErrorWithText(code=109576458, lib=13, reason=524554, reason_text=b'error:0688010A:asn1 encoding routines::nested asn1 error'), _OpenSSLErrorWithText(code=109576458, lib=13, reason=524554, reason_text=b'error:0688010A:asn1 encoding routines::nested asn1 error')])

And again with the key type...

>>> KEY_BEGIN='-----BEGIN RSA PRIVATE KEY-----\n' 
>>> KEY_END='\n-----END RSA PRIVATE KEY-----'
>>> wrapped = KEY_BEGIN + stripped_priv_key + KEY_END
>>> load_pem_private_key(bytes(wrapped, 'utf-8'), password=None)
<cryptography.hazmat.backends.openssl.rsa._RSAPrivateKey object at 0x7f75aa8aaad0>

Details

Version: 1.5-rolling
Is it a breaking change? Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

Viacheslav triaged this task as Normal priority. Tue, Mar 18, 7:06 AM

For the record: I've successfully imported the private key after converting it from PKCS#1 to PKCS#8.
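Editor's added example (not code from the VyOS project): the wrapper reproduced in the report hard-codes the `PRIVATE KEY` label, which only matches PKCS#8, so a PKCS#1 RSA body fails until it is re-armored as `RSA PRIVATE KEY` or converted to PKCS#8, as the final comment describes. This stdlib-only helper reads the outer DER structure behind the stripped base64 body and picks the matching label; the sample DER blobs are constructed, structurally valid stand-ins, not real key material.

```python
import base64

# Outer DER shape of each unencrypted private-key encoding; the tag of the
# element following the version INTEGER decides the PEM label:
#   PKCS#8 PrivateKeyInfo: SEQUENCE { INTEGER version, SEQUENCE algorithm, OCTET STRING key }
#   PKCS#1 RSAPrivateKey:  SEQUENCE { INTEGER version, INTEGER modulus, INTEGER publicExponent, ... }
#   SEC1 ECPrivateKey:     SEQUENCE { INTEGER version, OCTET STRING privateKey, ... }
_LABEL_BY_SECOND_TAG = {0x30: "PRIVATE KEY", 0x02: "RSA PRIVATE KEY", 0x04: "EC PRIVATE KEY"}


def _read_header(der: bytes, pos: int):
    """Return (tag, content_length, content_start) of the DER element at pos."""
    tag, first = der[pos], der[pos + 1]
    if first < 0x80:  # short-form length
        return tag, first, pos + 2
    n = first & 0x7F  # long-form: the next n bytes hold the length
    return tag, int.from_bytes(der[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def detect_pem_label(stripped_b64: str) -> str:
    """Pick the PEM label for a base64 key body whose BEGIN/END lines were stripped."""
    der = base64.b64decode(stripped_b64, validate=True)
    tag, _, pos = _read_header(der, 0)
    if tag != 0x30:
        raise ValueError("private key is not a DER SEQUENCE")
    tag, length, pos = _read_header(der, pos)
    if tag != 0x02:
        raise ValueError("expected version INTEGER as first field")
    tag, _, _ = _read_header(der, pos + length)
    try:
        return _LABEL_BY_SECOND_TAG[tag]
    except KeyError:
        raise ValueError(f"unrecognised private key structure (tag 0x{tag:02x})") from None


def wrap_private_key(stripped_b64: str) -> str:
    """Re-armor the stripped body with the matching label, 64 chars per line (RFC 7468)."""
    label = detect_pem_label(stripped_b64)
    body = "\n".join(stripped_b64[i:i + 64] for i in range(0, len(stripped_b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed, structurally valid DER stand-ins (not real keys) for the three shapes.
SAMPLE_PKCS1_B64 = base64.b64encode(bytes.fromhex("300b0201000203010001020103")).decode()
SAMPLE_PKCS8_B64 = base64.b64encode(bytes.fromhex("3015020100300d06092a864886f70d0101010500040100")).decode()
SAMPLE_SEC1_B64 = base64.b64encode(bytes.fromhex("300702010104020102")).decode()

if __name__ == "__main__":
    print(wrap_private_key(SAMPLE_PKCS1_B64))
```

An encrypted PKCS#8 body (EncryptedPrivateKeyInfo has no leading version INTEGER) is rejected with a ValueError rather than mislabelled.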