fixes #12062 -- raise a clean error when loading an SK SSH private key (

#12063)
pyca · Nov 28, 2024 · a1057fd · a1057fd
1 parent cb86495
commit a1057fd
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 1 deletion.
diff --git a/src/cryptography/hazmat/primitives/serialization/ssh.py b/src/cryptography/hazmat/primitives/serialization/ssh.py
@@ -612,6 +612,13 @@ def load_public(
         _, data = load_application(data)
         return public_key, data
 
+    def get_public(self, data: memoryview) -> typing.Never:
+        # Confusingly `get_public` is an entry point used by private key
+        # loading.
+        raise UnsupportedAlgorithm(
+            "sk-ssh-ed25519 private keys cannot be loaded"
+        )
+
 
 class _SSHFormatSKECDSA:
     """
@@ -631,6 +638,13 @@ def load_public(
         _, data = load_application(data)
         return public_key, data
 
+    def get_public(self, data: memoryview) -> typing.Never:
+        # Confusingly `get_public` is an entry point used by private key
+        # loading.
+        raise UnsupportedAlgorithm(
+            "sk-ecdsa-sha2-nistp256 private keys cannot be loaded"
+        )
+
 
 _KEY_FORMATS = {
     _SSH_RSA: _SSHFormatRSA(),

diff --git a/tests/hazmat/primitives/test_ssh.py b/tests/hazmat/primitives/test_ssh.py
@@ -10,7 +10,11 @@
 import pytest
 
 from cryptography import utils
-from cryptography.exceptions import InvalidSignature, InvalidTag
+from cryptography.exceptions import (
+    InvalidSignature,
+    InvalidTag,
+    UnsupportedAlgorithm,
+)
 from cryptography.hazmat.primitives.asymmetric import (
     dsa,
     ec,
@@ -255,6 +259,26 @@ def test_load_ssh_private_key(self, key_file, backend):
         maxline = max(map(len, priv_data2.split(b"\n")))
         assert maxline < 80
 
+    @pytest.mark.supported(
+        only_if=lambda backend: backend.ed25519_supported(),
+        skip_message="Requires Ed25519 support",
+    )
+    @pytest.mark.parametrize(
+        "key_file",
+        [
+            "sk-ecdsa-nopsw.key",
+            "sk-ed25519-nopsw.key",
+        ],
+    )
+    def test_load_unsupported_ssh_private_key(self, key_file):
+        data = load_vectors_from_file(
+            os.path.join("asymmetric", "OpenSSH", key_file),
+            lambda f: f.read(),
+            mode="rb",
+        )
+        with pytest.raises(UnsupportedAlgorithm):
+            load_ssh_private_key(data, None)
+
     @pytest.mark.supported(
         only_if=lambda backend: backend.ed25519_supported(),
         skip_message="Requires Ed25519 support",