Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Generating ed25519 key pair can produce key pairs not readable by parseKey #1390

Open
ayazhafiz opened this issue May 22, 2024 · 0 comments
Open

Comments

@ayazhafiz
Copy link

ayazhafiz commented May 22, 2024

Hi. First off, thanks for your work on this library.

I'm seeing an issue where generateKeyPairSync can produce key pairs where either the private or public key cannot be successfully parsed by parseKey. This program reproduces the issue:

const utils = require('ssh2').utils;
while (true) {
  const keyPair = utils.generateKeyPairSync('ed25519');
  const parsedPublicKey = utils.parseKey(keyPair.public)
  if (parsedPublicKey instanceof Error) {
    throw parsedPublicKey;
  }
  const parsedPrivateKey = utils.parseKey(keyPair.private)
  if (parsedPrivateKey instanceof Error) {
    throw parsedPrivateKey;
  }
}

Commenting out the block that throws parsedPublicKey may be needed to quickly see cases where parsing the private key also generates an error.

I am not sure whether the issue is exactly in parsing the key or generating it, but I did notice that generateKeyPair will strip leading zero bytes from the public key, if the public key from the Node.js standard library starts with a zero:

ssh2/lib/keygen.js

Lines 290 to 297 in a56e70e

let pubBin = reader.readString(Ber.BitString, true);
{
// Remove leading zero bytes
let i = 0;
for (; i < pubBin.length && pubBin[i] === 0x00; ++i);
if (i > 0)
pubBin = pubBin.slice(i);
}

My brief read of https://datatracker.ietf.org/doc/html/rfc8709#section-4 is that this can be incorrect if it strips the public key length to less than 32 bytes, but my understanding of the specification may be incorrect.

I did notice that feeding the generated keys with the stripped public keys to https://github.com/TritonDataCenter/node-sshpk parses successfully; I am not sure if that is an implementation detail of that library.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant