From alex.gaynor at gmail.com Tue Sep 19 12:47:45 2023
From: alex.gaynor at gmail.com (Alex Gaynor)
Date: Tue, 19 Sep 2023 12:47:45 -0400
Subject: [Cryptography-dev] PyCA cryptography 41.0.4 released
Message-ID:

PyCA cryptography 41.0.4 has been released to PyPI. cryptography includes both high level recipes and low level interfaces to common cryptographic algorithms such as symmetric ciphers, asymmetric algorithms, message digests, X509, key derivation functions, and much more. We support Python 3.7+, and PyPy3 7.3.10+.

Changelog (https://cryptography.io/en/latest/changelog/#v41-0-4):

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3.

Alex

--
All that is necessary for evil to succeed is for good people to do nothing.

From jwalstra at keepersecurity.com Wed Sep 20 13:24:11 2023
From: jwalstra at keepersecurity.com (John Walstra)
Date: Wed, 20 Sep 2023 12:24:11 -0500
Subject: [Cryptography-dev] Loading an ED25519 private key
Message-ID: <63A091F5-D073-46F9-AEDB-1E2C05470A54@keepersecurity.com>

For other keys I can use cryptography.hazmat.primitives.serialization.load_pem_private_key, however for an ED25519 private key I get ..

('Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).', [])

Is there another way to load it?

I'm generating the private key using Ed25519PrivateKey.generate(), but using it later after it's been serialized. The format is serialization.PrivateFormat.OpenSSH.

Thanks,
John
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From alex.gaynor at gmail.com Wed Sep 20 15:11:46 2023
From: alex.gaynor at gmail.com (Alex Gaynor)
Date: Wed, 20 Sep 2023 15:11:46 -0400
Subject: [Cryptography-dev] Loading an ED25519 private key
In-Reply-To: <63A091F5-D073-46F9-AEDB-1E2C05470A54@keepersecurity.com>
References: <63A091F5-D073-46F9-AEDB-1E2C05470A54@keepersecurity.com>
Message-ID:

If you've exported a key with PrivateFormat.OpenSSH, you can load with
https://cryptography.io/en/latest/hazmat/primitives/asymmetric/serialization/#cryptography.hazmat.primitives.serialization.load_ssh_private_key

Alex

On Wed, Sep 20, 2023 at 1:24 PM John Walstra via Cryptography-dev wrote:
>
> For other keys I can use cryptography.hazmat.primitives.serialization.load_pem_private_key, however for an ED25519 private key I get ..
>
>
> ('Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).', [])
>
> Is there another way to load it?
>
> I'm generating the private key using Ed25519PrivateKey.generate(), but using it later after it's been serialized. The format is serialization.PrivateFormat.OpenSSH.
>
> Thanks,
> John
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev

--
All that is necessary for evil to succeed is for good people to do nothing.

From jwalstra at keepersecurity.com Thu Sep 21 12:59:01 2023
From: jwalstra at keepersecurity.com (John Walstra)
Date: Thu, 21 Sep 2023 11:59:01 -0500
Subject: [Cryptography-dev] Generate a signed SSH user authorized key
Message-ID:

I'm trying to use cryptography to generate an SSH authorized key that is used when the SSH server is set up with TrustedUserCAKeys.
On the Linux command line, the keys are set up as follows:

$ ssh-keygen -t rsa -b 2048 -f test
$ ssh-keygen -s /path/to/trusted_user_ca_pk -I test -V +52w test.pub

That will create a test-cert.pub

$ cat test-cert.pub
ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNz... K8v+ESbFDSmb+Z9YIE7owjQ2m92s= test@test.local

$ ssh-keygen -L -f test-cert.pub
test-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:pXIIcD3P9mD7BLzYYKlx70kNE4y4pkEuJmFsRuUrpFc
        Signing CA: RSA SHA256:a16H80IMdKLq9WZfaMqAEB9kYx7zFzmbwQP3cOeELPI (using rsa-sha2-512)
        Key ID: "test"
        Serial: 0
        Valid: from 2023-09-19T23:08:00 to 2024-09-17T23:09:25
        Principals: (none)
        Critical Options: (none)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc

Since this appears to be a certificate, I was trying to use x509 to generate the certificate.

    import datetime

    from cryptography import x509
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.x509.oid import NameOID

    # oid, private_key, ca_private_key and days are defined elsewhere.
    subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, oid),
    ])

    csr = x509.CertificateSigningRequestBuilder().subject_name(
        subject
    ).sign(private_key, hashes.SHA256(), default_backend())

    # Sign the CSR with the CA private key. The ( ) allows
    user_certificate = (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(subject)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(datetime.datetime.utcnow())
        .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=days))
        .sign(ca_private_key, hashes.SHA256(), default_backend())
    )

    authorized_key = user_certificate.public_bytes(
        encoding=serialization.Encoding.PEM,
    )

The only encoding that is allowed is PEM, and no formatting is allowed. I've tried getting the public_key() from user_certificate, and formatting it with public_bytes(), but that just gave me an ssh-rsa algorithm key (no cert).

If this is the correct path to get what I want, how do I get this into an encoding/format for OpenSSH?

Thanks,
John
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From paul.l.kehrer at gmail.com Thu Sep 21 13:08:30 2023
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Thu, 21 Sep 2023 10:08:30 -0700
Subject: [Cryptography-dev] Generate a signed SSH user authorized key
In-Reply-To:
References:
Message-ID: <69E0B2CD-9CD8-4CB0-898B-1CDDF2A7817C@gmail.com>

An HTML attachment was scrubbed...
URL: