
I have a private key; for example, generating an RSA key pair:

ssh-keygen -t rsa -N 123456 -f /tmp/rsa

I can replace the call:

ssh-keygen -p -P 123456 -N "" -f /tmp/rsa

using the Python cryptography module:

from cryptography.hazmat.backends import default_backend
import cryptography.hazmat.primitives.serialization as crypto_serialization

# Values from the ssh-keygen call above
key_path = "/tmp/rsa"
passphrase = "123456"

# Load the passphrase-protected PEM private key ...
with open(key_path, "rb") as src_pem:
    priv_key = crypto_serialization.load_pem_private_key(src_pem.read(),
                                                         passphrase.encode('utf-8'),
                                                         default_backend())

# ... and write it back unencrypted, as PKCS#1 ("TraditionalOpenSSL") PEM
with open(key_path, "wb") as dest_pem:
    dest_pem.write(priv_key.private_bytes(crypto_serialization.Encoding.PEM,
                                          crypto_serialization.PrivateFormat.TraditionalOpenSSL,
                                          crypto_serialization.NoEncryption()))

But when I generate a key with the parameter -t ed25519, I get an error:

  File "/usr/local/lib64/python3.6/site-packages/cryptography/hazmat/primitives/serialization/base.py", line 16, in load_pem_private_key
    return backend.load_pem_private_key(data, password)
  File "/usr/local/lib64/python3.6/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1089, in load_pem_private_key
    password,
  File "/usr/local/lib64/python3.6/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1315, in _load_key
    self._handle_key_loading_error()
  File "/usr/local/lib64/python3.6/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1373, in _handle_key_loading_error
    raise ValueError("Could not deserialize key data.")
ValueError: Could not deserialize key data.

I load the Ed25519 private key using the Python paramiko module, but I can't serialize the private bytes:

import paramiko

# Decrypt the OpenSSH-format Ed25519 key with its passphrase
key_priv = paramiko.Ed25519Key.from_private_key_file('ed25519', password=b'123456')
– v1cont
  • The code that you claim works for processing SSH RSA private keys doesn't work for me. You are calling `load_pem_private_key()`, but that is the wrong method. The [cryptography module](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/serialization.html) has a different function for SSH private keys, `load_ssh_private_key()`, which works just fine for either RSA or ed25519 keys. – President James K. Polk Feb 15 '21 at 17:00
  • In fact, your code doesn't really replace the `ssh-keygen` calls as you've claimed. The `ssh-keygen -p -P...` code changes the passphrase from 123456 to the empty passphrase. The new private key file is still encrypted (with the empty passphrase) and still in openssh format. Your python code, on the other hand, converts an encrypted, openssh-format private key file into an unencrypted PKCS1-format private key file. Completely different. – President James K. Polk Feb 15 '21 at 17:11

1 Answer


Generating the key pair:

ssh-keygen -t ed25519 -N 123456 -f ed25519

Using the load_ssh_private_key method, I try to decrypt the private key:

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.backends import default_backend

# Load the passphrase-protected OpenSSH-format private key
with open('ed25519', 'rb') as src_key:
    priv_key = serialization.load_ssh_private_key(src_key.read(), b'123456', default_backend())

# Write it back unencrypted, still in OpenSSH format
with open('ed25519_py', 'wb') as dest_key:
    dest_key.write(priv_key.private_bytes(serialization.Encoding.PEM,
                                          serialization.PrivateFormat.OpenSSH,
                                          serialization.NoEncryption()))

No error occurs, and I get an unencrypted openssh-format private key file.

On the other hand, using the ssh-keygen tool, I change the passphrase of the private key file to empty:

ssh-keygen -p -P 123456 -N "" -f ed25519

As a result, I have two decrypted keys, which do not match.

How do I get a key using Python that matches the result of the ssh-keygen call?

– v1cont
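The "two decrypted keys do not match" result in the answer above, and the format confusion raised in the comments on the question, both come down to what an unencrypted `openssh-key-v1` file actually contains besides the key. The following is an added example (not code from the question, the answer, or the cryptography project): a stdlib-only parser and builder for that container, used to show that two files can differ byte for byte while holding identical key material. It assumes the file is already unencrypted (cipher and KDF both `none`, which is what `-N ""` or `NoEncryption()` produces), handles only the single-key Ed25519 case, and uses constructed placeholder bytes rather than a real key pair.

```python
# Added example (not from the original question or answer): a minimal,
# stdlib-only parser for the unencrypted "openssh-key-v1" private key
# container. It assumes cipher/KDF "none" and exactly one Ed25519 key.
# The 32-byte values used below are constructed placeholders, not a real key.
import os
import struct

MAGIC = b"openssh-key-v1\x00"
BLOCKSIZE = 8  # padding block size OpenSSH uses for cipher "none"


def _s(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by payload."""
    return struct.pack(">I", len(data)) + data


def _take(buf: bytes, pos: int):
    """Decode one SSH 'string' at pos; return (payload, position after it)."""
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    pos += 4
    return buf[pos:pos + n], pos + n


def build_unencrypted_ed25519(pub: bytes, seed: bytes, comment: bytes, check=None) -> bytes:
    """Assemble the container the way ssh-keygen writes it after -N "" (no cipher, no KDF)."""
    if len(pub) != 32 or len(seed) != 32:
        raise ValueError("Ed25519 public key and seed must each be 32 bytes")
    if check is None:
        # ssh-keygen draws this value at random every time it writes the file
        check = int.from_bytes(os.urandom(4), "big")
    wire_pub = _s(b"ssh-ed25519") + _s(pub)
    # Private section: the same random 'check' int twice, key type, pk,
    # sk = seed || pk, the comment, then padding bytes 1,2,3,... to BLOCKSIZE.
    priv = struct.pack(">II", check, check)
    priv += _s(b"ssh-ed25519") + _s(pub) + _s(seed + pub) + _s(comment)
    pad = (-len(priv)) % BLOCKSIZE
    priv += bytes(range(1, pad + 1))
    return (MAGIC + _s(b"none") + _s(b"none") + _s(b"")
            + struct.pack(">I", 1) + _s(wire_pub) + _s(priv))


def parse_unencrypted(blob: bytes) -> dict:
    """Split an unencrypted openssh-key-v1 blob into its fields."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 container")
    pos = len(MAGIC)
    cipher, pos = _take(blob, pos)
    kdf, pos = _take(blob, pos)
    _kdfopts, pos = _take(blob, pos)
    if cipher != b"none" or kdf != b"none":
        raise ValueError("encrypted key: decrypt it first (e.g. ssh-keygen -p or load_ssh_private_key)")
    (nkeys,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    if nkeys != 1:
        raise ValueError("expected exactly one key in the container")
    _wire_pub, pos = _take(blob, pos)
    priv, pos = _take(blob, pos)
    if len(priv) % BLOCKSIZE:
        raise ValueError("private section is not padded to the block size")
    check1, check2 = struct.unpack(">II", priv[:8])
    if check1 != check2:
        # With a cipher set, mismatching check ints mean a wrong passphrase
        raise ValueError("check ints differ: corrupt file or wrong passphrase")
    p = 8
    ktype, p = _take(priv, p)
    pub, p = _take(priv, p)
    sk, p = _take(priv, p)
    comment, p = _take(priv, p)
    return {"type": ktype, "public": pub, "private": sk, "comment": comment, "check": check1}


def same_key(blob_a: bytes, blob_b: bytes) -> bool:
    """True when both containers hold the same key material, ignoring the
    random check ints, the comment and the padding that make the files differ."""
    a, b = parse_unencrypted(blob_a), parse_unencrypted(blob_b)
    return (a["type"], a["public"], a["private"]) == (b["type"], b["public"], b["private"])


if __name__ == "__main__":
    pub = bytes([0x11]) * 32    # constructed placeholder, not a real public key
    seed = bytes([0x22]) * 32   # constructed placeholder, not a real seed
    one = build_unencrypted_ed25519(pub, seed, b"user@host", check=0x01020304)
    two = build_unencrypted_ed25519(pub, seed, b"", check=0x0A0B0C0D)
    print("byte-identical files:", one == two)
    print("same key material:  ", same_key(one, two))
    print("fields of file one: ", parse_unencrypted(one))
```

Comparing the two files written by `ssh-keygen -p` and by `private_bytes(...OpenSSH...)` with `same_key()` (or, equivalently, comparing the public keys the `ssh-keygen -y` command prints for each) is the check that tells you whether they are really different keys or merely different encodings of the same one.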