openssh unix dev - May 2021 - A mis-specification of the OpenSSH key format?

The PROTOCOL.key file says the list of N private keys in in the OpenSSH format
are stored like so

uint32	checkint
uint32	checkint
string	privatekey1
string	comment1
string	privatekey2
string	comment2
...

I would then expect then that each privatekey should have the string wrapping
that proceeds them with a 32-bit count of the number of bytes in the private
key.

When I do a dump of the file though it seems that each of the privatekeys are
just embedded at these points without the string wrapping. For example

$ sed -n '2,9p' ~/.ssh/id_ecdsa_sk | base64 -d | xxd -g 1
...
000000a0: 4e 95 00 00 00 04 73 73 68 3a 00 00 00 e0 ea 93  N.....ssh:......
000000b0: 0b 34 ea 93 0b 34 00 00 00 22 73 6b 2d 65 63 64  .4...4..."sk-ecd
000000c0: 73 61 2d 73 68 61 32 2d 6e 69 73 74 70 32 35 36  sa-sha2-nistp256
000000d0: 40 6f 70 65 6e 73 73 68 2e 63 6f 6d 00 00 00 08  @openssh.com....
...

you can see the two ea 93 0b 34 checkints are followed by 00 00 00 22 which is
the immediate start of a "sk-ecdsa-sha2-nistp256 at openssh.com" key
without a string wrapper (0x22 being the length of the
"sk-ecdsa-sha2-nistp256 at openssh.com" identifier).

As a point of comparison, the public keys declared earlier in the file are
actually string wrapped. Using the same example

byte[]	AUTH_MAGIC
string	ciphername
string	kdfname
string	kdfoptions
int	number of keys N
string	publickey1
string	publickey2
...

$ sed -n '2,9p' ~/.ssh/id_ecdsa_sk | base64 -d | xxd -g 1
...
00000020: 00 00 00 00 00 00 01 00 00 00 7f 00 00 00 22 73  .............."s
00000030: 6b 2d 65 63 64 73 61 2d 73 68 61 32 2d 6e 69 73  k-ecdsa-sha2-nis
00000040: 74 70 32 35 36 40 6f 70 65 6e 73 73 68 2e 63 6f  tp256 at openssh.co
00000050: 6d 00 00 00 08 6e 69 73 74 70 32 35 36 00 00 00  m....nistp256...
...

we see the number of keys 01 is followed by the length of the entire first key
00 00 00 7f, which is then followed by the 00 00 00 22 that starts the
"sk-ecdsa-sha2-nistp256 at openssh.com" key that is wrapped (again the
size of the key type identifier).

Thanks!  -Tyson

yeah, the private keys should be inserted as byte[] rather than string.

I just fixed this in https://github.com/openssh/openssh-portable/commit/24fee8

On Wed, 5 May 2021, Tyson Whitehead wrote:
> The PROTOCOL.key file says the list of N private keys in in the OpenSSH
format
> are stored like so
> 
> uint32	checkint
> uint32	checkint
> string	privatekey1
> string	comment1
> string	privatekey2
> string	comment2
> ...
> 
> I would then expect then that each privatekey should have the string
wrapping
> that proceeds them with a 32-bit count of the number of bytes in the
private
> key.
> 
> When I do a dump of the file though it seems that each of the privatekeys
are
> just embedded at these points without the string wrapping. For example
> 
> $ sed -n '2,9p' ~/.ssh/id_ecdsa_sk | base64 -d | xxd -g 1
> ...
> 000000a0: 4e 95 00 00 00 04 73 73 68 3a 00 00 00 e0 ea 93  N.....ssh:......
> 000000b0: 0b 34 ea 93 0b 34 00 00 00 22 73 6b 2d 65 63 64 
.4...4..."sk-ecd
> 000000c0: 73 61 2d 73 68 61 32 2d 6e 69 73 74 70 32 35 36  sa-sha2-nistp256
> 000000d0: 40 6f 70 65 6e 73 73 68 2e 63 6f 6d 00 00 00 08  @openssh.com....
> ...
> 
> you can see the two ea 93 0b 34 checkints are followed by 00 00 00 22 which
is
> the immediate start of a "sk-ecdsa-sha2-nistp256 at openssh.com"
key without a
> string wrapper (0x22 being the length of the
> "sk-ecdsa-sha2-nistp256 at openssh.com" identifier).
> 
> As a point of comparison, the public keys declared earlier in the file are
> actually string wrapped. Using the same example
> 
> byte[]	AUTH_MAGIC
> string	ciphername
> string	kdfname
> string	kdfoptions
> int	number of keys N
> string	publickey1
> string	publickey2
> ...
> 
> $ sed -n '2,9p' ~/.ssh/id_ecdsa_sk | base64 -d | xxd -g 1
> ...
> 00000020: 00 00 00 00 00 00 01 00 00 00 7f 00 00 00 22 73 
.............."s
> 00000030: 6b 2d 65 63 64 73 61 2d 73 68 61 32 2d 6e 69 73  k-ecdsa-sha2-nis
> 00000040: 74 70 32 35 36 40 6f 70 65 6e 73 73 68 2e 63 6f  tp256 at
openssh.co
> 00000050: 6d 00 00 00 08 6e 69 73 74 70 32 35 36 00 00 00  m....nistp256...
> ...
> 
> we see the number of keys 01 is followed by the length of the entire first
key
> 00 00 00 7f, which is then followed by the 00 00 00 22 that starts the
> "sk-ecdsa-sha2-nistp256 at openssh.com" key that is wrapped
(again the size of
> the key type identifier).
> 
> Thanks!  -Tyson
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>