Bug 3013

Summary: Use the PKCS#8 formatted PEM files instead of insecure "traditional PEM"
Product: Portable OpenSSH Reporter: Jakub Jelen <jjelen>
Component: ssh-keygenAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: enhancement CC: djm
Priority: P5    
Version: 8.0p1   
Hardware: Other   
OS: Linux   
Bug Depends on:    
Bug Blocks: 2988    
Attachments:
Description Flags
generate PEM files in new PKCS#8 format
none
support pkcs#8 and PEM none

Description Jakub Jelen 2019-05-23 01:37:20 AEST 
Created attachment 3286 [details]
generate PEM files in new PKCS#8 format

OpenSSL 1.0 introduced the following change according to the changelog [1]:

>  *) Make PKCS#8 the default write format for private keys, replacing the
>    traditional format. This form is standardised, more secure and doesn't
>    include an implicit MD5 dependency.
>    [Steve Henson]

This is getting rid of of the old "traditional PEM" format and use the standardized PKCS#8 one. Unfortunately, the users of the old API are left with the old format, because the new format requires the use of a new API.

I think OpenSSH should make use of this new format and use more secure keys without leaving the users that need some interoperability (can not use the new OpenSSH format) with the old (potentially) insecure format.

The attached patch modifies the PEM export function to use the new API and generate PKCS#8 PEM files. They are readable by existing OpenSSL API so this is the only change needed.

[1] https://git.openssl.org/gitweb/?p=openssl.git;a=blob_plain;f=CHANGES;hb=refs/heads/OpenSSL_1_0_0-stable
Comment 1 Damien Miller 2019-07-05 15:21:53 AEST 
Created attachment 3295 [details]
support pkcs#8 and PEM

I don't think we want to remove the ability to support olde PEM keys entirely as there's a bit of non-OpenSSL stuff that expects them. This adds support for PKCS#8 in parallel.

"ssh-keygen -m PKCS8 -t rsa" seems to do the right thing with this now.
Comment 2 Jakub Jelen 2019-07-08 18:21:32 AEST 
Damien, thank you for the proposed patch. Fast read-through looks good to me and it is indeed a good idea to provide backward compatibility. This is also resolving the long-standing issue when the PKCS8 was used only for public keys, which I found very confusing whenever I tried to convert some keys from one format to other.
Comment 3 Damien Miller 2019-07-15 23:21:54 AEST 
Applied - thanks!

commit eb0d8e708a1f958aecd2d6e2ff2450af488d4c2a
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Mon Jul 15 13:16:29 2019 +0000

    upstream: support PKCS8 as an optional format for storage of
    
    private keys, enabled via "ssh-keygen -m PKCS8" on operations that save
    private keys to disk.
    
    The OpenSSH native key format remains the default, but PKCS8 is a
    superior format to PEM if interoperability with non-OpenSSH software
    is required, as it may use a less terrible KDF (IIRC PEM uses a single
    round of MD5 as a KDF).
    
    adapted from patch by Jakub Jelen via bz3013; ok markus
    
    OpenBSD-Commit-ID: 027824e3bc0b1c243dc5188504526d73a55accb1
Comment 4 Damien Miller 2021-04-23 15:01:29 AEST 
closing resolved bugs as of 8.6p1 release