Bug 3330 - OpenSSH's ssh-keygen can't parse encrypted PKCS#8 private keys being built against openssl 3.0
Status: CLOSED WORKSFORME
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh-keygen
Version: 8.6p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
Reported: 2021-07-22 00:14 AEST by Dmitry Belyavskiy
Modified: 2022-02-25 13:58 AEDT

Description Dmitry Belyavskiy 2021-07-22 00:14:00 AEST
When openssh is built against OpenSSL 3.0, we get an error importing encrypted PKCS#8 files:

openssl genrsa -aes128 -out my-test-private.key -passout pass:RedHatEnterpriseLinux9.0 2048

ssh-keygen -y -f my-test-private.key > public.key.pub

Instead of requesting the passphrase, we get an error
`Load key "my-test-private.key": error in libcrypto`
Comment 1 Darren Tucker 2021-07-23 14:40:49 AEST
I can't reproduce the test case building against the 3.0.0 dev branch as of right now:

$ ./ssh -V
OpenSSH_8.6p1, OpenSSL 3.0.0-beta2-dev 
$ openssl genrsa -aes128 -out my-test-private.key -passout pass:RedHatEnterpriseLinux9.0 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.+++++
...........................................+++++
e is 65537 (0x010001)
$ ssh-keygen -y -f my-test-private.key > public.key.pub
Enter passphrase: 

Have OpenSSL rolled back the API change?
Comment 2 Dmitry Belyavskiy 2021-07-23 17:17:56 AEST
I will recheck it against the current master, it may be fixed since the last alpha.

Many thanks!
Comment 3 Damien Miller 2022-01-14 15:24:24 AEDT
Closing for lack of followup
Comment 4 Damien Miller 2022-02-25 13:58:32 AEDT
closing bugs resolved before openssh-8.9
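
When re-running the reproduction steps from the description, it helps to confirm which container format the generated file actually uses before attributing a load failure to PKCS#8 handling. The following is an added example, not part of the bug report or of OpenSSH; the function names `pem_key_format` and `make_sample` are hypothetical, and the sample files are constructed PEM armour with a placeholder body rather than real keys.

```shell
#!/bin/sh
# Classify a private-key file by container format from its PEM armour alone
# (no passphrase, no decryption). Function names here are hypothetical.
pem_key_format() {
    # $1: path to the key file; prints one format name
    label=$(sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" | head -n 1)
    case "$label" in
        "ENCRYPTED PRIVATE KEY") echo "pkcs8-encrypted" ;;
        "PRIVATE KEY")           echo "pkcs8-plain" ;;
        "OPENSSH PRIVATE KEY")   echo "openssh" ;;  # any encryption is inside the blob
        "RSA PRIVATE KEY"|"EC PRIVATE KEY"|"DSA PRIVATE KEY")
            # Traditional format marks encryption with RFC 1421 style headers.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
                echo "traditional-encrypted"
            else
                echo "traditional-plain"
            fi ;;
        "") echo "not-pem"; return 1 ;;
        *)  echo "unknown"; return 1 ;;
    esac
}

# Constructed sample writer: emits PEM armour around a placeholder body.
make_sample() {
    # $1: PEM label, $2: "enc" to add traditional encryption headers
    printf '%s\n' "-----BEGIN $1-----"
    if [ "${2:-}" = "enc" ]; then
        printf '%s\n' "Proc-Type: 4,ENCRYPTED" \
            "DEK-Info: AES-128-CBC,00000000000000000000000000000000" ""
    fi
    printf '%s\n' "Q09OU1RSVUNURUQ=" "-----END $1-----"
}

# Demo on constructed files: one PKCS#8 encrypted, one traditional encrypted.
tmp=$(mktemp -d)
make_sample "ENCRYPTED PRIVATE KEY" > "$tmp/pkcs8.pem"
make_sample "RSA PRIVATE KEY" enc > "$tmp/traditional.pem"
for f in "$tmp"/*.pem; do
    printf '%s: %s\n' "${f##*/}" "$(pem_key_format "$f")"
done
rm -rf "$tmp"
```

Running `pem_key_format my-test-private.key` on the file produced by the `openssl genrsa` command shows whether the test is exercising encrypted PKCS#8 or the traditional encrypted PEM path.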