In ce1b014 and #1053, I successfully argued that the encoding of ECDSA keys expected by Key._fromString_PRIVATE_BLOB was wrong: this is currently only used by the agent protocol, and the de-facto implementation of that in OpenSSH differed from that previously implemented in Twisted. We changed Twisted to match.
However, when I was fixing the decoder, I missed that Key.privateBlob implements a corresponding encoder, so now round-tripping fails for ECDSA keys:
```
>>> from twisted.conch.ssh import keys
>>> from twisted.conch.test import keydata
>>> ecdsaKey = keys.Key._fromECComponents(**keydata.ECDatanistp256)
>>> keys.Key._fromString_PRIVATE_BLOB(ecdsaKey.privateBlob())
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/cjwatson/src/python/twisted/twisted/build/py36-alldeps-nocov/lib/python3.6/site-packages/twisted/conch/ssh/keys.py", line 292, in _fromString_PRIVATE_BLOB
    'type %r' % (curveName, keyType))
twisted.conch.ssh.keys.BadKeyError: ECDSA curve name b'\x00\xa8\xa6_P\xd9\xef\xe4#\xd1*_x\xf3\x1b\xa3Z[\xeb!\xa4\x01\xbee\xed\xdb\x82\xd6_9\xe7 \xfb' does not match key type b'ecdsa-sha2-nistp256'
```
This doesn't make much difference today because Key.privateBlob is unused outside tests, but failing to round-trip is clearly unhelpful. The most obvious use case for this method is in writing the OpenSSH v1 private key format, and I discovered this discrepancy in the process of doing that.
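For reference, the layout the decoder now expects is the one ssh-agent uses for an ECDSA add-identity request: string key type, string curve name, string Q (uncompressed point), mpint d. Note that the 33-byte field the traceback shows being read as the curve name starts with 0x00 and then 0xa8, which is exactly the shape of an mpint whose top bit is set, so the decoder is consuming an mpint where it expects the curve-name string. The following is an added stand-alone example (not Twisted's code, and not the project's `privateBlob`/`_fromString_PRIVATE_BLOB`) of a matched encoder/decoder pair for that layout, with the curve-name/key-type check from the traceback and a round-trip test. The key material is constructed and is not a real key pair; the "mismatched" blob in `decode_without_curve_name` is a hypothetical layout used to show the check firing, not a claim about what the old encoder emitted.

```python
import struct


class BadKeyError(Exception):
    """Raised when a private-key blob is malformed or inconsistent."""


# Wire primitives from RFC 4251 section 5, as used by the SSH agent protocol.
def ns(data):
    """'string': uint32 big-endian length prefix, then the bytes."""
    return struct.pack(">I", len(data)) + data


def mp(value):
    """'mpint' for a non-negative integer: minimal big-endian bytes, with a
    leading 0x00 when the top bit of the first byte is set (so a 256-bit
    scalar with its high bit set occupies 33 bytes, not 32)."""
    if value < 0:
        raise ValueError("only non-negative mpints are needed here")
    if value == 0:
        return ns(b"")
    return ns(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def get_ns(buf):
    """Split one 'string' off the front of buf; return (value, remainder)."""
    if len(buf) < 4:
        raise BadKeyError("truncated length prefix")
    (length,) = struct.unpack(">I", buf[:4])
    if len(buf) < 4 + length:
        raise BadKeyError("string runs past end of blob")
    return buf[4:4 + length], buf[4 + length:]


def get_mp(buf):
    """Split one 'mpint' off the front of buf; return (int, remainder)."""
    raw, rest = get_ns(buf)
    return int.from_bytes(raw, "big", signed=True), rest


# Bytes per coordinate for the curves the ecdsa-sha2-* key types can name.
CURVE_COORD_LEN = {b"nistp256": 32, b"nistp384": 48, b"nistp521": 66}


def encode_ecdsa_agent_blob(curve, q, d):
    """Agent-protocol layout for an ECDSA private key (as OpenSSH reads it):
    string key type, string curve name, string Q, mpint d."""
    if curve not in CURVE_COORD_LEN:
        raise BadKeyError("unknown curve %r" % (curve,))
    return ns(b"ecdsa-sha2-" + curve) + ns(curve) + ns(q) + mp(d)


def decode_ecdsa_agent_blob(blob):
    """Inverse of encode_ecdsa_agent_blob, with the consistency checks a
    decoder should make before trusting any of the fields."""
    key_type, rest = get_ns(blob)
    if not key_type.startswith(b"ecdsa-sha2-"):
        raise BadKeyError("not an ECDSA key type: %r" % (key_type,))
    curve, rest = get_ns(rest)
    if key_type != b"ecdsa-sha2-" + curve:
        # The check that fires in the traceback above.
        raise BadKeyError("ECDSA curve name %r does not match key type %r"
                          % (curve, key_type))
    coord = CURVE_COORD_LEN.get(curve)
    if coord is None:
        raise BadKeyError("unsupported curve %r" % (curve,))
    q, rest = get_ns(rest)
    if len(q) != 1 + 2 * coord or q[0] != 0x04:
        raise BadKeyError("Q is not an uncompressed point for %r" % (curve,))
    d, rest = get_mp(rest)
    if not 0 < d < 1 << (8 * coord):
        raise BadKeyError("private scalar out of range")
    if rest:
        raise BadKeyError("%d trailing bytes after key" % len(rest))
    return {"curve": curve, "Q": q, "d": d}


# Constructed sample, NOT a real key pair: Q has the right shape
# (0x04 || X || Y with 32-byte coordinates) but is not checked for lying on
# the curve, and d is an arbitrary 256-bit scalar with its top bit set.
SAMPLE_CURVE = b"nistp256"
SAMPLE_Q = b"\x04" + bytes(range(1, 33)) + bytes(range(101, 133))
SAMPLE_D = int.from_bytes(b"\xa8" + b"\x5f" * 31, "big")


def round_trip():
    """Encode the sample key, decode the result, and return the fields."""
    blob = encode_ecdsa_agent_blob(SAMPLE_CURVE, SAMPLE_Q, SAMPLE_D)
    return decode_ecdsa_agent_blob(blob)


def decode_without_curve_name():
    """Hypothetical mismatched layout (type || mpint d || Q, no curve-name
    string): the decoder reads the mpint as the curve name and rejects it.
    Returns the error text."""
    blob = ns(b"ecdsa-sha2-" + SAMPLE_CURVE) + mp(SAMPLE_D) + ns(SAMPLE_Q)
    try:
        decode_ecdsa_agent_blob(blob)
    except BadKeyError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print(round_trip() == {"curve": SAMPLE_CURVE, "Q": SAMPLE_Q, "d": SAMPLE_D})
    print(decode_without_curve_name())
```

Run stand-alone, the first line prints `True` and the second shows the same "does not match key type" rejection as the traceback, with a 33-byte mpint (leading 0x00, then 0xa8) in the curve-name position. The point of keeping the encoder and decoder in one module is that a single round-trip test over every supported key type catches exactly the asymmetry this issue describes.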