I have a unit test at work that ends up loading an EC key (generated by Java) that is stored in a PKCS8 blob. It has been working like a champ for quite a while, but I am doing an update of our 3rd-party Python packages and am upgrading to 42.0.2 as part of that effort. The first time I try to load this key in a Python instance, it fails. After that it works fine.
Environment (Debian 12.x):
- Python 3.11.2
- cryptography 42.0.2
- cffi 1.16.0
- pycparser 2.21
- OpenSSL 3.0.11
To reproduce I created a new Python venv:
```
# python3 -m venv ec-key-loading-bug
# ec-key-loading-bug/bin/pip3 install cryptography
[...]
Installing collected packages: pycparser, cffi, cryptography
Successfully installed cffi-1.16.0 cryptography-42.0.2 pycparser-2.21
```
And then ran this script:
```python
from cryptography.hazmat.primitives import serialization

password = 'Aegy>pBl;v<<'
# Password-encrypted PKCS#8 blob holding the EC key
der_encoded = b'0w0\x1b\x06\t*\x86H\x86\xf7\r\x01\x05\x030\x0e\x04\x08\xc6[\xd3\xc4\xb7~^\xe4\x02\x02\x08\x00\x04X\x99\x0f&\x0b\x16: \xf4\x1d/S\xbe\xe0\xb7\xa1\x93\xd6\x16\xfaR\x95\xdb\xa2\xa1d\x13\x1f\x1f\x8by\x10\xb8\x7f"\xdf#\xd4\xed\xde\xfcs\xc2\xdf\xe2\x90fvC\n\xe8\x8f\xffA\xa7\xb6\x1f.\t\xbcx\xa1\xd3\xaf#\xfd;\x029\xfc\x1f\x83\xf1\xef\x0f\xa8\x8bK\xfe>\xae\xf2\xed\xff\xb5r\x03\xa7:'

# Load the same key repeatedly within one interpreter session
for attempt in range(100):
    try:
        key = serialization.load_der_private_key(der_encoded, password=password.encode())
        print(f'Attempt {attempt} succeeded!')
    except ValueError as e:
        print(f'Attempt {attempt} failed: {e}')
```
The output is:
```
Attempt 0 failed: ('Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).', [<OpenSSLError(code=50856204, lib=6, reason=524556, reason_text=unsupported)>])
Attempt 1 succeeded!
Attempt 2 succeeded!
Attempt 3 succeeded!
[...]
Attempt 99 succeeded!
```
This same key decodes just fine with the python3-cryptography package you can install from Debian (38.0.4-3), as well as the older version I was using (41.0.1).
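Added example, not part of the original report or of the cryptography project's code: the error text lists an unsupported encryption algorithm as one possible cause, and the scheme a PKCS#8 `EncryptedPrivateKeyInfo` uses can be read from its unencrypted header without the password. The function names are hypothetical; `SAMPLE` reuses the header bytes of `der_encoded` with a constructed zero placeholder in place of the ciphertext.

```python
PBE_NAMES = {  # PKCS#5 (RFC 8018) object identifiers
    "1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC (PBES1)",
    "1.2.840.113549.1.5.10": "pbeWithSHA1AndDES-CBC (PBES1)",
    "1.2.840.113549.1.5.13": "PBES2",
}

def read_tlv(buf, pos, expected_tag):
    """Return (content, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf) or buf[pos] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [], 0
    for byte in body:  # base-128 digits, high bit set on all but the last
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # first two arcs share one encoded value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def describe_encrypted_pkcs8(der):
    outer, _ = read_tlv(der, 0, 0x30)            # EncryptedPrivateKeyInfo
    alg, pos = read_tlv(outer, 0, 0x30)          # encryptionAlgorithm
    ciphertext, _ = read_tlv(outer, pos, 0x04)   # encryptedData
    oid_body, pos = read_tlv(alg, 0, 0x06)
    oid = decode_oid(oid_body)
    info = {"oid": oid, "scheme": PBE_NAMES.get(oid, "unknown"),
            "ciphertext_len": len(ciphertext)}
    if info["scheme"].endswith("(PBES1)"):  # params: SEQUENCE { salt, iterations }
        params, _ = read_tlv(alg, pos, 0x30)
        salt, p = read_tlv(params, 0, 0x04)
        count, _ = read_tlv(params, p, 0x02)
        info.update(salt=salt.hex(), iterations=int.from_bytes(count, "big"))
    return info

# Header copied from the report's der_encoded; ciphertext is a constructed placeholder.
SAMPLE = bytes.fromhex("3077301b06092a864886f70d010503300e0408"
                       "c65bd3c4b77e5ee4020208000458") + bytes(88)

if __name__ == "__main__":
    print(describe_encrypted_pkcs8(SAMPLE))
```

For the blob in this report the header decodes to pbeWithMD5AndDES-CBC with an 8-byte salt and 2048 iterations.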