search for: pem_read_bio_privatekey

On 2018-04-07 11:24, Bernard Spil wrote: > On 2018-04-07 9:04, Joel Sing wrote: >> On Friday 06 April 2018 21:31:01 Bernard Spil wrote: >>> Hi, >>> >>> When using OpenSSH with LibreSSL 2.7.x it cannot read existing RSA >>> and >>> ECDSA private keys. >>> >>> Error loading key "./id_rsa": invalid format

...context: Couldn't parse private SSL key: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt, error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error, error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error, error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib: user=<>, rip=192.168.0.254, lip=192.168.0.51, session=<thtmP6iCc9jAqAD+> ? -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20190224/6b259970/attachment.html>

...; parse private SSL key: error:06065064:digital envelope > routines:EVP_DecryptFinal_ex:bad decrypt,?error:23077074:PKCS12 > routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error, > error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe > crypt error, error:0907B00D:PEM?routines:PEM_read_bio_PrivateKey:ASN1 > lib: user=<>, rip=192.168.0.254, lip=192.168.0.51, > session=<thtmP6iCc9jAqAD+>?? > > > >

...], my post on mailing list [2] and SO question [3] I went down the source code and investigated a bit communication between OpenSSH and OpenSSL in terms of private key parsing. When openSSH can not derive the key type it passes the whole blob to OpenSSL function and waits if it can parse it. PEM_read_bio_PrivateKey() # called from sshkey.c @ 3791 Only return value from this function is NULL on failure. The reason can be obtained using ERR_ functions from OpenSSL ERR_get_error(); # actual error code ERR_print_errors_fp(stderr); # prints verbose info Possible reasons for failure...

...d-bugs at mindrot.org ReportedBy: dkg at fifthhorseman.net Created attachment 2001 --> https://bugzilla.mindrot.org/attachment.cgi?id=2001 allow ssh-add to read from FIFOs It looks like ssh-add can no longer read from FIFOs as of 5.7p1 (since the switch from PEM_read_PrivateKey() to PEM_read_bio_PrivateKey(), and reading the file into an ssh buffer directly). Being able to read from a FIFO is nice for tools that don't want to put keys directly on the filesystem. In fact, we were relying on that behavior for the monkeysphere, and it's currently breaking because of the change: https://labs....

I've architected this in a way that looks future proof at least to the openssl provider transition. What will happen in openssl 3.0.0 is that providers become active and will accept keys via URI. The current file mechanisms will still be available but internally it will become a file URI. To support the provider interface, openssl will have to accept keys by URI instead of file and may

...ence to `d2i_RSAPrivateKey_bio' /usr/local/ssl/lib/libssl.so: undefined reference to `ASN1_dup' /usr/local/ssl/lib/libssl.so: undefined reference to `RSA_sign' /usr/local/ssl/lib/libssl.so: undefined reference to `ERR_peek_error' /usr/local/ssl/lib/libssl.so: undefined reference to `PEM_read_bio_PrivateKey' /usr/local/ssl/lib/libssl.so: undefined reference to `lh_retrieve' /usr/local/ssl/lib/libssl.so: undefined reference to `X509_get_pubkey' /usr/local/ssl/lib/libssl.so: undefined reference to `CRYPTO_dup_ex_data' /usr/local/ssl/lib/libssl.so: undefined reference to `DH_generate_key&...

...ib/dovecot/libdovecot-storage.so: undefined reference to `SSL_CTX_set_tmp_dh_callback at OPENSSL_1.0.0' /usr/local/lib/dovecot/libdovecot-storage.so: undefined reference to `ENGINE_set_default_ciphers at OPENSSL_1.0.0' /usr/local/lib/dovecot/libdovecot-storage.so: undefined reference to `PEM_read_bio_PrivateKey at OPENSSL_1.0.0' /usr/local/lib/dovecot/libdovecot-storage.so: undefined reference to `BIO_new_mem_buf at OPENSSL_1.0.0' /usr/local/lib/dovecot/libdovecot-storage.so: undefined reference to `SSL_get_ex_data_X509_STORE_CTX_idx at OPENSSL_1.0.0' /usr/local/lib/dovecot/libdovecot-storag...

...libs/libssl_iostream_openssl.so X509_INFO_free ../lib-ssl-iostream/.libs/libssl_iostream_openssl.so X509_get_ext_d2i ../lib-ssl-iostream/.libs/libssl_iostream_openssl.so X509_free ../lib-ssl-iostream/.libs/libssl_iostream_openssl.so ERR_get_error ../lib-ssl-iostream/.libs/libssl_iostream_openssl.so PEM_read_bio_PrivateKey ../lib-ssl-iostream/.libs/libssl_iostream_openssl.so OPENSSL_add_all_algorithms_noconf ../lib-ssl-iostream/.libs/libssl_iostream_openssl.so BIO_write ../lib-ssl-iostream/.libs/libssl_iostream_openssl.so ENGINE_set_default ../lib-ssl-iostream/.libs/libssl_iostream_openssl.so SSL_accept ../lib-ssl-i...

...LL) { +?? ??? ?r = SSH_ERR_ALLOC_FAIL; +?? ??? ?goto out; +?? ?} +?? ?// TODO: identify correctly PEM and PKCS8 format +?? ?vault_info->format = SSHKEY_PRIVATE_PEM; +?? ?// TODO: put the correct ciphername, kdfname and round if a passphrase is used ? ??? ?clear_libcrypto_errors(); ??? ?if ((pk = PEM_read_bio_PrivateKey(bio, NULL, pem_passphrase_cb, @@ -4614,17 +4690,22 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, ??? ??? ?*keyp = prv; ??? ??? ?prv = NULL; ??? ?} +?? ?if (vault_infop != NULL) { +?? ??? ?*vault_infop = vault_info; +?? ??? ?vault_info = NULL; +?? ?} ? out: ??? ?BIO_free(bio);...