commit a20de3fa94e069ec699987416679230d72e030a3
author Emmanuel Odeke <emm.odeke@gmail.com> Fri Sep 23 01:39:13 2016 -0700
committer Han-Wen Nienhuys <hanwen@google.com> Thu Sep 29 09:05:14 2016 +0000
tree b83133d729d408531e0be6dc0e66df29095442db
parent 7ac97ebec9cb7ab8b44b571f6ec4cee333dc4309

x/crypto/ssh: ParsePrivateKey errors out with encrypted private keys

RSA and DSA keys if encrypted have the
phrase ENCRYPTED in their Proc-Type block
header according to RFC 1421 Section 4.6.1.1.

This CL checks for that phrase and errors out
if we encounter it, since we don't yet have
decryption of encrypted private keys.

Fixes golang/go#6650

Change-Id: I5b157716a2f93557d289af5f62994234a2e7a0ed
Reviewed-on: https://go-review.googlesource.com/29676
Reviewed-by: Han-Wen Nienhuys <hanwen@google.com>
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>

ssh/keys.go

diff --git a/ssh/keys.go b/ssh/keys.go
index 0324e12..ffcdb18 100644
--- a/ssh/keys.go
+++ b/ssh/keys.go
@@ -731,6 +731,14 @@
 	return NewSignerFromKey(key)
 }
 
+// encryptedBlock tells whether a private key is
+// encrypted by examining its Proc-Type header
+// for a mention of ENCRYPTED
+// according to RFC 1421 Section 4.6.1.1.
+func encryptedBlock(block *pem.Block) bool {
+	return strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED")
+}
+
 // ParseRawPrivateKey returns a private key from a PEM encoded private key. It
 // supports RSA (PKCS#1), DSA (OpenSSL), and ECDSA private keys.
 func ParseRawPrivateKey(pemBytes []byte) (interface{}, error) {
@@ -739,6 +747,10 @@
 		return nil, errors.New("ssh: no key found")
 	}
 
+	if encryptedBlock(block) {
+		return nil, errors.New("ssh: cannot decode encrypted private keys")
+	}
+
 	switch block.Type {
 	case "RSA PRIVATE KEY":
 		return x509.ParsePKCS1PrivateKey(block.Bytes)