Bug 3013 - Use the PKCS#8 formatted PEM files instead of insecure "traditional PEM"
Summary: Use the PKCS#8 formatted PEM files instead of insecure "traditional PEM"
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh-keygen (show other bugs)
Version: 8.0p1
Hardware: Other Linux
: P5 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_8_1
  Show dependency treegraph
 
Reported: 2019-05-23 01:37 AEST by Jakub Jelen
Modified: 2021-04-23 15:01 AEST (History)
1 user (show)

See Also:

Attachments
generate PEM files in new PKCS#8 format (1.92 KB, text/plain)
2019-05-23 01:37 AEST, Jakub Jelen 		no flags Details
support pkcs#8 and PEM (10.35 KB, patch)
2019-07-05 15:21 AEST, Damien Miller 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jakub Jelen 2019-05-23 01:37:20 AEST 
Created attachment 3286 [details]
generate PEM files in new PKCS#8 format

OpenSSL 1.0 introduced the following change according to the changelog [1]:

>  *) Make PKCS#8 the default write format for private keys, replacing the
>    traditional format. This form is standardised, more secure and doesn't
>    include an implicit MD5 dependency.
>    [Steve Henson]

This is getting rid of of the old "traditional PEM" format and use the standardized PKCS#8 one. Unfortunately, the users of the old API are left with the old format, because the new format requires the use of a new API.

I think OpenSSH should make use of this new format and use more secure keys without leaving the users that need some interoperability (can not use the new OpenSSH format) with the old (potentially) insecure format.

The attached patch modifies the PEM export function to use the new API and generate PKCS#8 PEM files. They are readable by existing OpenSSL API so this is the only change needed.

[1] https://git.openssl.org/gitweb/?p=openssl.git;a=blob_plain;f=CHANGES;hb=refs/heads/OpenSSL_1_0_0-stable
Comment 1 Damien Miller 2019-07-05 15:21:53 AEST 
Created attachment 3295 [details]
support pkcs#8 and PEM

I don't think we want to remove the ability to support olde PEM keys entirely as there's a bit of non-OpenSSL stuff that expects them. This adds support for PKCS#8 in parallel.

"ssh-keygen -m PKCS8 -t rsa" seems to do the right thing with this now.
Comment 2 Jakub Jelen 2019-07-08 18:21:32 AEST 
Damien, thank you for the proposed patch. Fast read-through looks good to me and it is indeed a good idea to provide backward compatibility. This is also resolving the long-standing issue when the PKCS8 was used only for public keys, which I found very confusing whenever I tried to convert some keys from one format to other.
Comment 3 Damien Miller 2019-07-15 23:21:54 AEST 
Applied - thanks!

commit eb0d8e708a1f958aecd2d6e2ff2450af488d4c2a
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Mon Jul 15 13:16:29 2019 +0000

    upstream: support PKCS8 as an optional format for storage of
    
    private keys, enabled via "ssh-keygen -m PKCS8" on operations that save
    private keys to disk.
    
    The OpenSSH native key format remains the default, but PKCS8 is a
    superior format to PEM if interoperability with non-OpenSSH software
    is required, as it may use a less terrible KDF (IIRC PEM uses a single
    round of MD5 as a KDF).
    
    adapted from patch by Jakub Jelen via bz3013; ok markus
    
    OpenBSD-Commit-ID: 027824e3bc0b1c243dc5188504526d73a55accb1
Comment 4 Damien Miller 2021-04-23 15:01:29 AEST 
closing resolved bugs as of 8.6p1 release