x/crypto/ssh: ParseRawPrivateKey should return PassphraseMissingError for ENCRYPTED PRIVATE KEY #71048

Open
rgmz opened this issue Dec 28, 2024 · 3 comments
rgmz commented Dec 28, 2024

Go version

go1.23.4

Output of go env in your module/workspace:

N/A

What did you do?

I was validating a Box-generated private key using ssh.ParseRawPrivateKey and encountered an unexpected error.

Reproducer: https://go.dev/play/p/mX6cEyGa7FO

(The private key is inert and was generated with: openssl genpkey -algorithm RSA -aes256 -out encrypted_private_key.pem)

What did you see happen?

The function fails due to "ENCRYPTED PRIVATE KEY" not being a supported key type.

panic: ssh: unsupported key type "ENCRYPTED PRIVATE KEY"

What did you expect to see?

The function should actually return PassphraseMissingError, per the documentation:

If the private key is encrypted, it will return a PassphraseMissingError.
https://github.com/golang/crypto/blob/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909/ssh/keys.go#L1230-L1233

@gopherbot gopherbot added this to the Unreleased milestone Dec 28, 2024

rgmz commented Dec 28, 2024

#41949 could be related.

If it's a deliberate choice to not support these types, it would be beneficial to update the ssh.ParseRawPrivateKey and ssh.ParseRawPrivateKeyWithPassphrase docs to avoid confusion.

@dmitshur
Contributor

CC @drakkan, @golang/security.

@dmitshur dmitshur added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Dec 30, 2024
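
Added example (not from the issue thread or from x/crypto/ssh): a standard-library pre-check that a caller can run before ssh.ParseRawPrivateKey so a passphrase-protected key is reported as such instead of as an unsupported key type. It goes beyond the PKCS#8 case in the report and also covers legacy PEM encryption headers and the OpenSSH container's cipher name. CheckEncrypted, ErrEncrypted and sample are hypothetical names, and the sample PEM bodies are constructed filler, not key material.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// ErrEncrypted is this example's own sentinel (hypothetical, not an x/crypto/ssh type).
var ErrEncrypted = errors.New("private key is passphrase-protected")
const opensshMagic = "openssh-key-v1\x00"

// CheckEncrypted inspects only the PEM envelope; it never parses key material.
func CheckEncrypted(pemBytes []byte) error {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return errors.New("no PEM block found")
	}
	switch {
	case block.Type == "ENCRYPTED PRIVATE KEY": // PKCS#8 EncryptedPrivateKeyInfo, the case in the issue
		return fmt.Errorf("%w: PKCS#8 block %q", ErrEncrypted, block.Type)
	case strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED"): // legacy RFC 1423 header
		return fmt.Errorf("%w: legacy PEM encryption (%s)", ErrEncrypted, block.Headers["DEK-Info"])
	case block.Type == "OPENSSH PRIVATE KEY": // magic, then a length-prefixed cipher name
		rest := bytes.TrimPrefix(block.Bytes, []byte(opensshMagic))
		if len(rest) == len(block.Bytes) || len(rest) < 4 || uint64(binary.BigEndian.Uint32(rest)) > uint64(len(rest)-4) {
			return errors.New("malformed OpenSSH key container")
		}
		if cipher := string(rest[4 : 4+binary.BigEndian.Uint32(rest)]); cipher != "none" {
			return fmt.Errorf("%w: OpenSSH cipher %q", ErrEncrypted, cipher)
		}
	}
	return nil
}

// sample builds a constructed PEM block whose body is filler bytes.
func sample(typ string, headers map[string]string, body []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: typ, Headers: headers, Bytes: body})
}

func main() {
	fmt.Println(CheckEncrypted(sample("ENCRYPTED PRIVATE KEY", nil, []byte("constructed filler"))))
	fmt.Println(CheckEncrypted(sample("PRIVATE KEY", nil, []byte("constructed filler"))))
}
```

A caller can test the result with errors.Is(err, ErrEncrypted) and prompt for a passphrase, handing the bytes to the ssh package only when the check returns nil.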