Opened 2 years ago

Closed 2 years ago

#9682 defect closed fixed (fixed)

Key.privateBlob is wrong for ECDSA

Reported by: Colin Watson Owned by: Colin Watson <cjwatson@…>
Priority: normal Milestone:
Component: conch Keywords:
Cc: Branch:


In ce1b01479d939451e0db3f985fff2d0dbeefc8f6 and, I successfully argued that the encoding of ECDSA keys expected by Key._fromString_PRIVATE_BLOB was wrong: this is currently only used by the agent protocol, and the de-facto implementation of that in OpenSSH differed from that previously implemented in Twisted. We changed Twisted to match.

However, when I was fixing the decoder, I missed that Key.privateBlob implements a corresponding encoder, so now round-tripping fails for ECDSA keys:

>>> from twisted.conch.ssh import keys
>>> from twisted.conch.test import keydata
>>> ecdsaKey = keys.Key._fromECComponents(**keydata.ECDatanistp256)
>>> keys.Key._fromString_PRIVATE_BLOB(ecdsaKey.privateBlob())
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/cjwatson/src/python/twisted/twisted/build/py36-alldeps-nocov/lib/python3.6/site-packages/twisted/conch/ssh/", line 292, in _fromString_PRIVATE_BLOB
    'type %r' % (curveName, keyType))
twisted.conch.ssh.keys.BadKeyError: ECDSA curve name b'\x00\xa8\xa6_P\xd9\xef\xe4#\xd1*_x\xf3\x1b\xa3Z[\xeb!\xa4\x01\xbee\xed\xdb\x82\xd6_9\xe7 \xfb' does not match key type b'ecdsa-sha2-nistp256'

This doesn't make much difference today because Key.privateBlob is unused outside tests, but failing to round-trip is clearly unhelpful. The most obvious use case for this method is in writing the OpenSSH v1 private key format, and I discovered this discrepancy in the process of doing that.

Change History (3)

comment:1 Changed 2 years ago by Colin Watson

Keywords: review added

comment:2 Changed 2 years ago by hawkowl

Keywords: review removed


comment:3 Changed 2 years ago by Colin Watson <cjwatson@…>

Owner: set to Colin Watson <cjwatson@…>
Resolution: fixed
Status: newclosed

In 1f9d14b:

Error: Processor CommitTicketReference failed
 does not appear to be a Git repository. See the log for more information.
Note: See TracTickets for help on using tickets.