[ssh_x509] Question RE: store identities(keys) in PKCS#8 PEM format

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Sun Jan 3 21:17:30 EET 2021

Hi Alex,

First I would like to say Happy New Year, dear list members.

Sorry for late reply. I was just working on topic and now I would like to share results.

ssh_x509 at roumenpetrov.info wrote:
> Roumen,
> Thanks for the response! I'm apologize that I am still a little bit confused on one point. It sounds like you are saying I can use -m to get the old PKCS1 format, but when  I use -m PEM, I don't see that format.
As is documented currently PEM is alias to PKCS8 - see https://securebox.termoneplus.com.example.net/man1/ssh-keygen.1.html#m , i.e. ... “PEM” (compatibility option) ...

> Or do you mean that I would need to use openssl genpkey to get the old format?

No! Sample below was:

openssl genpkey -algorithm RSA | openssl rsa

Output is from last command, i.e. openssl rsa. This command outputs in traditional PEM. In sample it is "conversion" command. So rsa is "conversion" for all openssl releases.
Another point is that depending from openssl release you could find -traditional command line argument. See pkey manual in release is 1.1+.

> Thanks for the help,
> Alex

Back on main topic.

I decided to implement -m format for key generation - commit d8673c5bc4632d7fdc7460e3cedab07e582de2cf (enhance key generation utility to store private keys in traditional PEM format) followed by correction d7247d5bd3e12e30802a5bc4c8b554742e0af839 for FIPS enabled builds.

In addition enhancement implements -m OpenSSH format that supersede -o option.
As result for private keys could be used either -m PKCS8, or -m PEM, or -m OpenSSH to set  explicitly format of stored key - PKCS#8 PEM, or traditional PEM, or proprietary OpenSSH respectively.

Working on this I note that code has a weakness regarding import/export of public EC keys in absence of private key. As this is corner case it was left undiscovered so long.
Weakness is due to one undocumented but proper change in OpenSSL functionality for release 1.1. It is visible with keygen-convert regression test enhanced in PKIX-SSH.

Code correction will be published soon. Currently impacts is on builds with all 1.0.* releases as well build with compatible cryptographic libraries based on earlier project forks.

> On Wednesday, December 9, 2020, 04:29:01 PM EST,<ssh_x509 at roumenpetrov.info>  wrote:
> Hi Alex,
>> Roumen,
>> As I'm upgrading to the latest release of PKIX-SSH, I'm seeing some changes in ssh-keygen. It appears that in release 12.3 (and commit 5e0974257d55618d71063634ade9dde18b540d23), ssh-keygen changed to support PKCS#8 keys and no longer support writing PKCS#1 key format. Is that accurate? My apologies if I am completely misunderstanding the change here, but if so, why the decision to leave PKCS#1 behind?
> The main reason is that PCKS#8 is more universal. Also since OpenSSL 1.0.0 PKCS#8 is default. And there is no impact to any PKIX-SSH release.
> More:
> - Keys stored in "old" format are still supported - see technical details below.
> - Openssl utilities could be used to restore "old" format if needed.
> - FIPS enabled builds must use PKCS#8 format. Remark: PKIX-SSH supports  OpenSSL fips 1.2.* (OpenSSL 0.9.8) and fips 2.0 (OpenSSL 1.0.1) modules.
> - Openssl 1.0 (10 years ago) adds universal utility - genpkey. It uses PKCS#8 format. Utilities like genrsa (old format) could be considered as obsolete.
> Sample key generation with "old"(traditional) format: openssl genpkey -algorithm RSA | openssl rsa
> OpenSSL 1.0.0 changes default format used by function PEM_write_bio_PrivateKey. As result above mentioned commit was corrected in 86ac9df3a36664b61bd63d53dfaaae27c74b9e3d - use PEM_write_bio_PKCS8PrivateKey instead PEM_write_bio_PrivateKey.
> Also with this version OpenSSL team stop to accept "old" formats and recommend loadable modules(engines) to use PKCS#8. See for example gost.
> I cannot see any reason to restore store in "old"(traditional) format. Remark: technically option -m could be used to specify private key format.
> Even ancient OpenSSL 0.9.7 could read either traditional or PKCS#8 format. For details see function PEM_read_bio_PrivateKey. With other words read of traditional or PKCS#8 key is transparent to applications.
> For instance PKIX-SSH still support builds with ancient version like 0.9.7 and I cannot see any impacts from key format change.

Roumen Petrov

More information about the ssh_x509 mailing list