I’m trying to use cryptography to generate an SSH authorized key that is used when the SSH server is set up with TrustedUserCAKeys.
On the Linux command line, the keys are set up as follows:
$ ssh-keygen -t rsa -b 2048 -f test
$ ssh-keygen -s /path/to/trusted_user_ca_pk -I test -V +52w test.pub
That will create a test-cert.pub
$ cat test-cert.pub
ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNz... K8v+ESbFDSmb+Z9YIE7owjQ2m92s= test@test.local
$ ssh-keygen -L -f test-cert.pub
test-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:pXIIcD3P9mD7BLzYYKlx70kNE4y4pkEuJmFsRuUrpFc
        Signing CA: RSA SHA256:a16H80IMdKLq9WZfaMqAEB9kYx7zFzmbwQP3cOeELPI (using rsa-sha2-512)
        Key ID: "test"
        Serial: 0
        Valid: from 2023-09-19T23:08:00 to 2024-09-17T23:09:25
        Principals: (none)
        Critical Options: (none)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc
Since this appears to be a certificate, I was trying to use x509 to generate the certificate.
import datetime

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.x509 import Name
from cryptography.x509.oid import NameOID

# oid, private_key, ca_private_key and days are assumed to be defined earlier
subject = Name([
    x509.NameAttribute(NameOID.COMMON_NAME, oid),
])
# Build a CSR for the user key, self-signed with the user's private key
csr = x509.CertificateSigningRequestBuilder().subject_name(
    subject
).sign(private_key, hashes.SHA256(), default_backend())
# Sign the CSR with the CA private key. The ( ) allows
user_certificate = (
    x509.CertificateBuilder()
    .subject_name(csr.subject)
    .issuer_name(subject)
    .public_key(csr.public_key())
    .serial_number(x509.random_serial_number())
    .not_valid_before(datetime.datetime.utcnow())
    .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=days))
    .sign(ca_private_key, hashes.SHA256(), default_backend())
)
# This yields a PEM X.509 certificate, not an OpenSSH certificate line
authorized_key = user_certificate.public_bytes(
    encoding=serialization.Encoding.PEM,
)
The only encoding that is allowed is PEM, and no formatting is allowed.
I’ve tried getting the public_key() from user_certificate and formatting it with public_bytes(), but that just gave me an ssh-rsa algorithm key (no cert).
If this is the correct path to get what I want, how do I get this into an encoding/format for OpenSSH?
Thanks,
John