Bug 3330

Summary: OpenSSH's ssh-keygen can't parse encrypted PKCS#8 private keys being built against openssl 3.0
Product: Portable OpenSSH Reporter: Dmitry Belyavskiy <dbelyavs>
Component: ssh-keygenAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WORKSFORME    
Severity: enhancement CC: djm, dtucker
Priority: P5    
Version: 8.6p1   
Hardware: Other   
OS: Linux   

Description Dmitry Belyavskiy 2021-07-22 00:14:00 AEST 
When openssh is built against OpenSSL 3.0, we get an error importing encrypted PKCS#8 files:

openssl genrsa -aes128 -out my-test-private.key -passout pass:RedHatEnterpriseLinux9.0 2048

ssh-keygen -y -f my-test-private.key > public.key.pub

Instead of requesting the passphrase, we get an error
`Load key "my-test-private.key": error in libcrypto`
Comment 1 Darren Tucker 2021-07-23 14:40:49 AEST 
I can't reproduce the test case building against the 3.0.0 dev branch as of right now:

$ ./ssh -V
OpenSSH_8.6p1, OpenSSL 3.0.0-beta2-dev 
$ openssl genrsa -aes128 -out my-test-private.key -passout pass:RedHatEnterpriseLinux9.0 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.+++++
...........................................+++++
e is 65537 (0x010001)
$ ssh-keygen -y -f my-test-private.key > public.key.pub
Enter passphrase: 

Have OpenSSL rolled back the API change?
Comment 2 Dmitry Belyavskiy 2021-07-23 17:17:56 AEST 
I will recheck it against the current master, it may be fixed since the last alpha.

Many thanks!
Comment 3 Damien Miller 2022-01-14 15:24:24 AEDT 
Closing for lack of followup
Comment 4 Damien Miller 2022-02-25 13:58:32 AEDT 
closing bugs resolved before openssh-8.9