fix loading ECDSA keys in new openssh private key format

(also Blacken new ecdsa format key test)
jordigh · Dec 5, 2019 · 59c1c9e · 59c1c9e
1 parent bc6a789
commit 59c1c9e
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 6 deletions.
diff --git a/paramiko/ecdsakey.py b/paramiko/ecdsakey.py
@@ -292,10 +292,21 @@ def _decode_key(self, data):
             except (ValueError, AssertionError) as e:
                 raise SSHException(str(e))
         elif pkformat == self._PRIVATE_KEY_FORMAT_OPENSSH:
-            curve, verkey, sigkey = self._uint32_cstruct_unpack(data, "sss")
             try:
-                key = ec.derive_private_key(sigkey, curve, default_backend())
-            except (AttributeError, TypeError) as e:
+                msg = Message(data)
+                curve_name = msg.get_text()
+                verkey = msg.get_binary()  # noqa: F841
+                sigkey = msg.get_mpint()
+                name = "ecdsa-sha2-" + curve_name
+                curve = self._ECDSA_CURVES.get_by_key_format_identifier(name)
+                if not curve:
+                    raise SSHException("Invalid key curve identifier")
+                key = ec.derive_private_key(
+                    sigkey, curve.curve_class(), default_backend()
+                )
+            except Exception as e:
+                # PKey._read_private_key_openssh() should check or return
+                # keytype - parsing could fail for any reason due to wrong type
                 raise SSHException(str(e))
         else:
             self._got_bad_key_format_id(pkformat)

diff --git a/tests/test_pkey.py b/tests/test_pkey.py
@@ -467,12 +467,12 @@ def test_load_openssh_format_DSS_key(self):
 
     def test_load_openssh_format_EC_key(self):
         key = ECDSAKey.from_private_key_file(
-            _support('test_ecdsa_384_openssh.key'), b'television'
+            _support("test_ecdsa_384_openssh.key"), b"television"
         )
-        self.assertEqual('ecdsa-sha2-nistp384', key.get_name())
+        self.assertEqual("ecdsa-sha2-nistp384", key.get_name())
         self.assertEqual(PUB_EC_384_OPENSSH.split()[1], key.get_base64())
         self.assertEqual(384, key.get_bits())
-        exp_fp = b(FINGER_EC_384_OPENSSH.split()[1].replace(':', ''))
+        exp_fp = b(FINGER_EC_384_OPENSSH.split()[1].replace(":", ""))
         my_fp = hexlify(key.get_fingerprint())
         self.assertEqual(exp_fp, my_fp)