Unable to load pem pkcs8 encrypted private key which worked in v44

[deivse]

Hi, I've encountered a possible regression with v45 with loading encrypted PEM private keys.
I confirmed that this works on v44, on v45 I'm getting the following exception from load_pem_private_key:

ValueError: Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters). Details: ASN.1 parsing error: invalid value

Here's a private key for replication (this is of course not used anywhere 😄): test_pkey.pem.txt, the password is "password".

The key is generated, encrypted and serialized with the following java code, using bouncycastle 1.70

public static KeyPair generateRsaKeyPair() throws NoSuchAlgorithmException {
    KeyPairGenerator keyGenerator = KeyPairGenerator.getInstance("RSA");
    keyGenerator.initialize(4096);
    return keyGenerator.generateKeyPair();
}

public static String serializePem(PemObjectGenerator generator) {
    StringWriter pemOut = new StringWriter();
    PemWriter pw = new PemWriter(pemOut);

    try {
        pw.writeObject(generator);
        pw.flush();
    } catch (IOException e) {
        throw new RuntimeException("Unable to write Key to PEM.", e);
    }

    return pemOut.toString();
}

public static String toPemPkcs8(PrivateKey privateKey, char[] password) {
    JceOpenSSLPKCS8EncryptorBuilder encryptorBuilder = new JceOpenSSLPKCS8EncryptorBuilder(PKCS8Generator.PBE_SHA1_3DES);
    encryptorBuilder.setPassword(password);
    OutputEncryptor outputEncryptor;
    try {
        outputEncryptor = encryptorBuilder.build();
    } catch (OperatorCreationException e) {
        throw new RuntimeException(e);
    }

    try {
        return serializePem(new JcaPKCS8Generator(privateKey, outputEncryptor));
    } catch (PemGenerationException e) {
        throw new RuntimeException(e);
    }
}

[deivse]

PS: Loading a non-encrypted key, generated with serializePem(new JcaPKCS8Generator(privateKey, null)) (using the above java functions) works as expected. I don't really have the time to test with encrypted keys generated with openssl etc unfortunately, so not sure if this is specific to bouncycastle or the used encryption algorithm.

[reaperhulk]

Thanks for the report. This key loads fine if I unwrap the encryption first, so we appear to have some incompatibility in the PBES1 pbeWithSHAAnd3-KeyTripleDES-CBC path.

[reaperhulk]

The issue here is that the salt length of this key is 20 bytes, where we assume it will be 8. We made this assumption because the RFC states

   PBEParameter ::= SEQUENCE {
       salt OCTET STRING (SIZE(8)),
       iterationCount INTEGER
   }

but clearly that does not hold in practice.

[alex]

This is a bug on our side, as #12976 discovers there's two structures that are nearly identical, but not quite, and in practice they're compatible for length 8 strings, so we mixed them up. That's our bad.

[deivse]

I see, good to know. Thanks for looking into this!