File add-support-for-new-OpenSSH-private-key-format.patch of Package saltbundlepy-paramiko
From eff204faf5624c51b7ac96b9b93e4ce9622f853a Mon Sep 17 00:00:00 2001
From: Jared Hobbs <jared@pyhacker.com>
Date: Tue, 27 Nov 2018 17:22:59 -0700
Subject: [PATCH] add support for new OpenSSH private key format
This work is based off the work done in https://github.com/paramiko/paramiko/pull/618
---
paramiko/dsskey.py | 15 +++-
paramiko/ecdsakey.py | 22 +++--
paramiko/ed25519key.py | 4 +-
paramiko/pkey.py | 191 +++++++++++++++++++++++++++++++++++++---
paramiko/rsakey.py | 30 +++++--
tests/test_dss_1k_o.key | 22 +++++
tests/test_pkey.py | 25 +++++-
tests/test_rsa_2k_o.key | 28 ++++++
9 files changed, 307 insertions(+), 31 deletions(-)
create mode 100644 tests/test_dss_1k_o.key
create mode 100644 tests/test_rsa_2k_o.key
diff --git a/paramiko/dsskey.py b/paramiko/dsskey.py
index ec358ee2..a1adf818 100644
--- a/paramiko/dsskey.py
+++ b/paramiko/dsskey.py
@@ -229,12 +229,19 @@ class DSSKey(PKey):
self._decode_key(data)
def _decode_key(self, data):
+ pkformat, data = data
# private key file contains:
# DSAPrivateKey = { version = 0, p, q, g, y, x }
- try:
- keylist = BER(data).decode()
- except BERException as e:
- raise SSHException("Unable to parse key file: " + str(e))
+ if pkformat == self.PRIVATE_KEY_FORMAT_ORIGINAL:
+ try:
+ keylist = BER(data).decode()
+ except BERException as e:
+ raise SSHException("Unable to parse key file: " + str(e))
+ elif pkformat == self.PRIVATE_KEY_FORMAT_OPENSSH:
+ keylist = self._uint32_cstruct_unpack(data, 'iiiii')
+ keylist = [0] + list(keylist)
+ else:
+ raise SSHException('private key format.')
if type(keylist) is not list or len(keylist) < 6 or keylist[0] != 0:
raise SSHException(
"not a valid DSA private key file (bad ber encoding)"
diff --git a/paramiko/ecdsakey.py b/paramiko/ecdsakey.py
index b73a969e..c3ef8e4d 100644
--- a/paramiko/ecdsakey.py
+++ b/paramiko/ecdsakey.py
@@ -283,12 +283,22 @@ class ECDSAKey(PKey):
self._decode_key(data)
def _decode_key(self, data):
- try:
- key = serialization.load_der_private_key(
- data, password=None, backend=default_backend()
- )
- except (ValueError, AssertionError) as e:
- raise SSHException(str(e))
+ pkformat, data = data
+ if pkformat == self.PRIVATE_KEY_FORMAT_ORIGINAL:
+ try:
+ key = serialization.load_der_private_key(
+ data, password=None, backend=default_backend()
+ )
+ except (ValueError, AssertionError) as e:
+ raise SSHException(str(e))
+ elif pkformat == self.PRIVATE_KEY_FORMAT_OPENSSH:
+ curve, verkey, sigkey = self._uint32_cstruct_unpack(data, 'sss')
+ try:
+ key = ec.derive_private_key(sigkey, curve, default_backend())
+ except TypeError as e:
+ raise SSHException(str(e))
+ else:
+ raise SSHException('unknown private key format.')
self.signing_key = key
self.verifying_key = key.public_key()
diff --git a/paramiko/ed25519key.py b/paramiko/ed25519key.py
index 68ada224..3bd0ff10 100644
--- a/paramiko/ed25519key.py
+++ b/paramiko/ed25519key.py
@@ -73,9 +73,9 @@ class Ed25519Key(PKey):
verifying_key = nacl.signing.VerifyKey(msg.get_binary())
elif filename is not None:
with open(filename, "r") as f:
- data = self._read_private_key("OPENSSH", f)
+ pkformat, data = self._read_private_key("OPENSSH", f)
elif file_obj is not None:
- data = self._read_private_key("OPENSSH", file_obj)
+ pkformat, data = self._read_private_key("OPENSSH", file_obj)
if filename or file_obj:
signing_key = self._parse_signing_key_data(data, password)
diff -ur paramiko-2.4.3.orig/paramiko/pkey.py paramiko-2.4.3/paramiko/pkey.py
--- paramiko-2.4.3.orig/paramiko/pkey.py 2019-06-24 00:45:29.000000000 +0200
+++ paramiko-2.4.3/paramiko/pkey.py 2022-09-02 15:45:18.345029737 +0200
@@ -24,6 +24,10 @@
from binascii import unhexlify
import os
from hashlib import md5
+import re
+import struct
+
+import bcrypt
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
@@ -31,7 +35,8 @@
from paramiko import util
from paramiko.common import o600
-from paramiko.py3compat import u, encodebytes, decodebytes, b, string_types
+from paramiko.py3compat import u, encodebytes, decodebytes, b, string_types,\
+ byte_ord
from paramiko.ssh_exception import SSHException, PasswordRequiredException
from paramiko.message import Message
@@ -62,6 +67,12 @@
"mode": modes.CBC,
},
}
+ PRIVATE_KEY_FORMAT_ORIGINAL = 1
+ PRIVATE_KEY_FORMAT_OPENSSH = 2
+ BEGIN_TAG = re.compile(
+ '^-{5}BEGIN (RSA|DSA|EC|OPENSSH) PRIVATE KEY-{5}\s*$'
+ )
+ END_TAG = re.compile('^-{5}END (RSA|DSA|EC|OPENSSH) PRIVATE KEY-{5}\s*$')
def __init__(self, msg=None, data=None):
"""
@@ -281,12 +292,47 @@
def _read_private_key(self, tag, f, password=None):
lines = f.readlines()
+
+ # find the BEGIN tag
start = 0
- beginning_of_key = "-----BEGIN " + tag + " PRIVATE KEY-----"
- while start < len(lines) and lines[start].strip() != beginning_of_key:
+ m = self.BEGIN_TAG.match(lines[start])
+ line_range = len(lines) - 1
+ while start < line_range and not m:
start += 1
+ m = self.BEGIN_TAG.match(lines[start])
+ start += 1
+ keytype = m.group(1)
if start >= len(lines):
raise SSHException("not a valid " + tag + " private key file")
+
+ # find the END tag
+ end = start
+ m = self.END_TAG.match(lines[end])
+ while end < line_range and not m:
+ end += 1
+ m = self.END_TAG.match(lines[end])
+
+ if keytype == tag:
+ data = self._read_private_key_old_format(
+ lines,
+ password,
+ )
+ pkformat = self.PRIVATE_KEY_FORMAT_ORIGINAL
+ elif keytype == 'OPENSSH':
+ data = self._read_private_key_new_format(
+ lines[start:end],
+ password,
+ )
+ pkformat = self.PRIVATE_KEY_FORMAT_OPENSSH
+ else:
+ raise SSHException(
+ 'encountered {} key, expected {} key'.format(keytype, tag)
+ )
+
+ return pkformat, data
+
+ def _read_private_key_old_format(self, lines, password):
+ start = 0
# parse any headers first
headers = {}
start += 1
@@ -296,14 +342,9 @@
break
headers[line[0].lower()] = line[1].strip()
start += 1
- # find end
- end = start
- ending_of_key = "-----END " + tag + " PRIVATE KEY-----"
- while end < len(lines) and lines[end].strip() != ending_of_key:
- end += 1
# if we trudged to the end of the file, just try to cope.
try:
- data = decodebytes(b("".join(lines[start:end])))
+ data = decodebytes(b(''.join(lines[start:])))
except base64.binascii.Error as e:
raise SSHException("base64 decoding error: " + str(e))
if "proc-type" not in headers:
@@ -337,6 +378,132 @@
).decryptor()
return decryptor.update(data) + decryptor.finalize()
+ def _read_private_key_new_format(self, lines, password):
+ """
+ Read the new OpenSSH SSH2 private key format available
+ since OpenSSH version 6.5
+ Reference:
+ https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key
+ """
+ try:
+ data = decodebytes(b(''.join(lines)))
+ except base64.binascii.Error as e:
+ raise SSHException('base64 decoding error: ' + str(e))
+
+ # read data struct
+ auth_magic = data[:14]
+ if auth_magic != b('openssh-key-v1'):
+ raise SSHException('unexpected OpenSSH key header encountered')
+
+ cstruct = self._uint32_cstruct_unpack(data[15:], 'sssur')
+ cipher, kdfname, kdf_options, num_pubkeys, remainder = cstruct
+ # For now, just support 1 key.
+ if num_pubkeys > 1:
+ raise SSHException(
+ 'unsupported: private keyfile has multiple keys'
+ )
+ pubkey, privkey_blob = self._uint32_cstruct_unpack(remainder, 'ss')
+
+ if kdfname == b('bcrypt'):
+ if cipher == b('aes256-cbc'):
+ mode = modes.CBC
+ elif cipher == b('aes256-ctr'):
+ mode = modes.CTR
+ else:
+ raise SSHException(
+ 'unknown cipher `{}` used in private key file'.format(
+ cipher.decode('utf-8')
+ )
+ )
+ # Encrypted private key.
+ # If no password was passed in, raise an exception pointing
+ # out that we need one
+ if password is None:
+ raise PasswordRequiredException(
+ 'private key file is encrypted'
+ )
+
+ # Unpack salt and rounds from kdfoptions
+ salt, rounds = self._uint32_cstruct_unpack(kdf_options, 'su')
+
+ # run bcrypt kdf to derive key and iv/nonce (32 + 16 bytes)
+ key_iv = bcrypt.kdf(b(password), b(salt), 48, rounds)
+ key = key_iv[:32]
+ iv = key_iv[32:]
+
+ # decrypt private key blob
+ decryptor = Cipher(
+ algorithms.AES(key), mode(iv), default_backend()
+ ).decryptor()
+ decrypted_privkey = decryptor.update(privkey_blob)
+ decrypted_privkey += decryptor.finalize()
+ elif cipher == b('none') and kdfname == b('none'):
+ # Unencrypted private key
+ decrypted_privkey = privkey_blob
+ else:
+ raise SSHException(
+ 'unknown cipher or kdf used in private key file'
+ )
+
+ # Unpack private key and verify checkints
+ cstruct = self._uint32_cstruct_unpack(decrypted_privkey, 'uusr')
+ checkint1, checkint2, keytype, keydata = cstruct
+
+ if checkint1 != checkint2:
+ raise SSHException(
+ 'OpenSSH private key file checkints do not match'
+ )
+
+ # Remove padding
+ padlen = byte_ord(keydata[len(keydata) - 1])
+ return keydata[:len(keydata) - padlen]
+
+ def _uint32_cstruct_unpack(self, data, strformat):
+ """
+ Used to read new OpenSSH private key format.
+ Unpacks a c data structure containing a mix of 32-bit uints and
+ variable length strings prefixed by 32-bit uint size field,
+ according to the specified format. Returns the unpacked vars
+ in a tuple.
+ Format strings:
+ s - denotes a string
+ i - denotes a long integer, encoded as a byte string
+ u - denotes a 32-bit unsigned integer
+ r - the remainder of the input string, returned as a string
+ """
+ arr = []
+ idx = 0
+ try:
+ for f in strformat:
+ if f == 's':
+ # string
+ s_size = struct.unpack('>L', data[idx:idx + 4])[0]
+ idx += 4
+ s = data[idx:idx + s_size]
+ idx += s_size
+ arr.append(s)
+ if f == 'i':
+ # long integer
+ s_size = struct.unpack('>L', data[idx:idx + 4])[0]
+ idx += 4
+ s = data[idx:idx + s_size]
+ idx += s_size
+ i = util.inflate_long(s, True)
+ arr.append(i)
+ elif f == 'u':
+ # 32-bit unsigned int
+ u = struct.unpack('>L', data[idx:idx + 4])[0]
+ idx += 4
+ arr.append(u)
+ elif f == 'r':
+ # remainder as string
+ s = data[idx:]
+ arr.append(s)
+ break
+ except Exception as e:
+ raise SSHException(str(e))
+ return tuple(arr)
+
def _write_private_key_file(self, filename, key, format, password=None):
"""
Write an SSH2-format private key file in a form that can be read by
diff --git a/paramiko/rsakey.py b/paramiko/rsakey.py
index 442bfe1f..3ff601ec 100644
--- a/paramiko/rsakey.py
+++ b/paramiko/rsakey.py
@@ -180,12 +180,30 @@ class RSAKey(PKey):
self._decode_key(data)
def _decode_key(self, data):
- try:
- key = serialization.load_der_private_key(
- data, password=None, backend=default_backend()
+ pkformat, data = data
+ if pkformat == self.PRIVATE_KEY_FORMAT_ORIGINAL:
+ try:
+ key = serialization.load_der_private_key(
+ data, password=None, backend=default_backend()
+ )
+ except ValueError as e:
+ raise SSHException(str(e))
+ elif pkformat == self.PRIVATE_KEY_FORMAT_OPENSSH:
+ n, e, d, iqmp, q, p = self._uint32_cstruct_unpack(data, 'iiiiii')
+ public_numbers = rsa.RSAPublicNumbers(
+ e=e,
+ n=n,
)
- except ValueError as e:
- raise SSHException(str(e))
-
+ key = rsa.RSAPrivateNumbers(
+ p=p,
+ q=q,
+ d=d,
+ dmp1=d % (p - 1),
+ dmq1=d % (q - 1),
+ iqmp=iqmp,
+ public_numbers=public_numbers,
+ ).private_key(default_backend())
+ else:
+ raise SSHException('unknown private key format.')
assert isinstance(key, rsa.RSAPrivateKey)
self.key = key
diff --git a/tests/test_dss_1k_o.key b/tests/test_dss_1k_o.key
new file mode 100644
index 00000000..2a9f8922
--- /dev/null
+++ b/tests/test_dss_1k_o.key
@@ -0,0 +1,22 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAsyq4pxL
+R5sOprPDHGpvzxAAAAEAAAAAEAAAGxAAAAB3NzaC1kc3MAAACBAL8XEx7F9xuwBNles+vW
+pNF+YcofrBhjX1r5QhpBe0eoYWLHRcroN6lxwCdGYRfgOoRjTncBiixQX/uUxAY96zDh3i
+r492s2BcJt4ihvNn/AY0I0OTuX/2IwGk9CGzafjaeZNVYxMa8lcVt0hSOTjkPQ7gVuk6bJ
+zMInvie+VWKLAAAAFQDUgYdY+rhR0SkKbC09BS/SIHcB+wAAAIB44+4zpCNcd0CGvZlowH
+99zyPX8uxQtmTLQFuR2O8O0FgVVuCdDgD0D9W8CLOp32oatpM0jyyN89EdvSWzjHzZJ+L6
+H1FtZps7uhpDFWHdva1R25vyGecLMUuXjo5t/D7oCDih+HwHoSAxoi0QvsPd8/qqHQVznN
+JKtR6thUpXEwAAAIAG4DCBjbgTTgpBw0egRkJwBSz0oTt+1IcapNU2jA6N8urMSk9YXHEQ
+HKN68BAF3YJ59q2Ujv3LOXmBqGd1T+kzwUszfMlgzq8MMu19Yfzse6AIK1Agn1Vj6F7YXL
+sXDN+T4KszX5+FJa7t/Zsp3nALWy6l0f4WKivEF5Y2QpEFcQAAAgCH6XUl1hYWB6kgCSHV
+a4C+vQHrgFNgNwEQnE074LXHXlAhxC+Dm8XTGqVPX1KRPWzadq9/+v6pqLFqiRueB86uRb
+J5WtAbUs3WwxAaC5Mi+mn42MBfL9PIwWPWCvstrAq9Nyj3EBMeX3XFLxN3RuGXIQnY/5rF
+f5hriUVxhWDQGIVbBKhkpn7Geqg6nLpn7iqQhzFmFGjPmAdrllgdVGJRLyIN6BRsaltDdy
+vxufkvGzKudvQ85QvsaoFJQ6K1d0S7907pexvxmWpcO7zchXb6i09BITWOAKIcHpVkbNQw
++8pzSdpggsAwCRbfk/Jkezz8sXVUCfmmJ23NFUw04/0ZbilCADRsUaPfafgVPeDznBnuCm
+tfXa4JSrVUvPdwoex3SKZmYsFXwsuOEQnFkhUGHfWwTbmOmxzy6dtC24KYhnWG5OGFVJXh
+3B8jQJGGs2ANfusI/Z0o15tAnQy5fqsLf9TT3RX7RG2ujIiDBsU+A1g//IXmSxxkUOQMZs
+v+cMI8KfODAXmQtB30+yAgoV03Zb/bdptv+HqPT4eeecstJUxzEGYADt1mDq3uV7fQbNmo
+80bppU52JjztrJb7hBmXsXHPRRK6spQ1FCatqvu1ggZeXZpEifNsHeqCljt87ueXsQsORY
+pvhLzjTbTKZmjLDPuB+GxUNLEKh1ZNyAqKng==
+-----END OPENSSH PRIVATE KEY-----
diff -u paramiko-2.4.3.orig/tests/test_pkey.py paramiko-2.4.3/tests/test_pkey.py
--- paramiko-2.4.3.orig/tests/test_pkey.py 2019-06-24 00:45:29.000000000 +0200
+++ paramiko-2.4.3/tests/test_pkey.py 2022-09-02 15:47:02.217412268 +0200
@@ -38,6 +38,8 @@
PUB_ECDSA_256 = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJSPZm3ZWkvk/Zx8WP+fZRZ5/NBBHnGQwR6uIC6XHGPDIHuWUzIjAwA0bzqkOUffEsbLe+uQgKl5kbc/L8KA/eo=" # noqa
PUB_ECDSA_384 = "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBBbGibQLW9AAZiGN2hEQxWYYoFaWKwN3PKSaDJSMqmIn1Z9sgRUuw8Y/w502OGvXL/wFk0i2z50l3pWZjD7gfMH7gX5TUiCzwrQkS+Hn1U2S9aF5WJp0NcIzYxXw2r4M2A==" # noqa
PUB_ECDSA_521 = "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBACaOaFLZGuxa5AW16qj6VLypFbLrEWrt9AZUloCMefxO8bNLjK/O5g0rAVasar1TnyHE9qj4NwzANZASWjQNbc4MAG8vzqezFwLIn/kNyNTsXNfqEko9OgHZknlj2Z79dwTJcRAL4QLcT5aND0EHZLB2fAUDXiWIb2j4rg1mwPlBMiBXA==" # noqa
+PUB_RSA_2K_OPENSSH = 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF+Dpr54DX0WdeTDpNAMdkCWEkl3OXtNgf58qlN1gX572OLBqLf0zT4bHstUEpU3piazph/rSWcUMuBoD46tZ6jiH7H9b9Pem2eYQWaELDDkM+v9BMbEy5rMbFRLol5OtEvPFqneyEAanPOgvd8t3yyhSev9QVusakzJ8j8LGgrA8huYZ+Srnw0shEWLG70KUKCh3rG0QIvA8nfhtUOisr2Gp+F0YxMGb5gwBlQYAYE5l6u1SjZ7hNjyNosjK+wRBFgFFBYVpkZKJgWoK9w4ijFyzMZTucnZMqKOKAjIJvHfKBf2/cEfYxSq1EndqTqjYsd9T7/s2vcn1OH5a0wkER'
+PUB_DSS_1K_OPENSSH = 'ssh-dss AAAAB3NzaC1kc3MAAACBAL8XEx7F9xuwBNles+vWpNF+YcofrBhjX1r5QhpBe0eoYWLHRcroN6lxwCdGYRfgOoRjTncBiixQX/uUxAY96zDh3ir492s2BcJt4ihvNn/AY0I0OTuX/2IwGk9CGzafjaeZNVYxMa8lcVt0hSOTjkPQ7gVuk6bJzMInvie+VWKLAAAAFQDUgYdY+rhR0SkKbC09BS/SIHcB+wAAAIB44+4zpCNcd0CGvZlowH99zyPX8uxQtmTLQFuR2O8O0FgVVuCdDgD0D9W8CLOp32oatpM0jyyN89EdvSWzjHzZJ+L6H1FtZps7uhpDFWHdva1R25vyGecLMUuXjo5t/D7oCDih+HwHoSAxoi0QvsPd8/qqHQVznNJKtR6thUpXEwAAAIAG4DCBjbgTTgpBw0egRkJwBSz0oTt+1IcapNU2jA6N8urMSk9YXHEQHKN68BAF3YJ59q2Ujv3LOXmBqGd1T+kzwUszfMlgzq8MMu19Yfzse6AIK1Agn1Vj6F7YXLsXDN+T4KszX5+FJa7t/Zsp3nALWy6l0f4WKivEF5Y2QpEFcQ=='
FINGER_RSA = "1024 60:73:38:44:cb:51:86:65:7f:de:da:a2:2b:5a:57:d5"
FINGER_DSS = "1024 44:78:f0:b9:a2:3c:c5:18:20:09:ff:75:5b:c1:d2:6c"
@@ -45,6 +47,8 @@
FINGER_ECDSA_384 = "384 c1:8d:a0:59:09:47:41:8e:a8:a6:07:01:29:23:b4:65"
FINGER_ECDSA_521 = "521 44:58:22:52:12:33:16:0e:ce:0e:be:2c:7c:7e:cc:1e"
SIGNED_RSA = "20:d7:8a:31:21:cb:f7:92:12:f2:a4:89:37:f5:78:af:e6:16:b6:25:b9:97:3d:a2:cd:5f:ca:20:21:73:4c:ad:34:73:8f:20:77:28:e2:94:15:08:d8:91:40:7a:85:83:bf:18:37:95:dc:54:1a:9b:88:29:6c:73:ca:38:b4:04:f1:56:b9:f2:42:9d:52:1b:29:29:b4:4f:fd:c9:2d:af:47:d2:40:76:30:f3:63:45:0c:d9:1d:43:86:0f:1c:70:e2:93:12:34:f3:ac:c5:0a:2f:14:50:66:59:f1:88:ee:c1:4a:e9:d1:9c:4e:46:f0:0e:47:6f:38:74:f1:44:a8" # noqa
+FINGER_RSA_2K_OPENSSH = '2048 68:d1:72:01:bf:c0:0c:66:97:78:df:ce:75:74:46:d6'
+FINGER_DSS_1K_OPENSSH = '1024 cf:1d:eb:d7:61:d3:12:94:c6:c0:c6:54:35:35:b0:82'
RSA_PRIVATE_OUT = """\
-----BEGIN RSA PRIVATE KEY-----
@@ -437,6 +441,26 @@
pub = ECDSAKey(data=key.asbytes())
self.assertTrue(pub.verify_ssh_sig(b"ice weasels", msg))
+ def test_22_load_RSA_key_new_format(self):
+ key = RSAKey.from_private_key_file(
+ _support('test_rsa_2k_o.key'), b'television')
+ self.assertEqual('ssh-rsa', key.get_name())
+ self.assertEqual(PUB_RSA_2K_OPENSSH.split()[1], key.get_base64())
+ self.assertEqual(2048, key.get_bits())
+ exp_rsa = b(FINGER_RSA_2K_OPENSSH.split()[1].replace(':', ''))
+ my_rsa = hexlify(key.get_fingerprint())
+ self.assertEqual(exp_rsa, my_rsa)
+
+ def test_23_load_DSS_key_new_format(self):
+ key = DSSKey.from_private_key_file(
+ _support('test_dss_1k_o.key'), b'television')
+ self.assertEqual('ssh-dss', key.get_name())
+ self.assertEqual(PUB_DSS_1K_OPENSSH.split()[1], key.get_base64())
+ self.assertEqual(1024, key.get_bits())
+ exp_rsa = b(FINGER_DSS_1K_OPENSSH.split()[1].replace(':', ''))
+ my_rsa = hexlify(key.get_fingerprint())
+ self.assertEqual(exp_rsa, my_rsa)
+
def test_salt_size(self):
# Read an existing encrypted private key
file_ = _support("test_rsa_password.key")
diff --git a/tests/test_rsa_2k_o.key b/tests/test_rsa_2k_o.key
new file mode 100644
index 00000000..afc15f1c
--- /dev/null
+++ b/tests/test_rsa_2k_o.key
@@ -0,0 +1,28 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+ b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABD0R3hOFS
+ FMb2SJeo5h8QPNAAAAEAAAAAEAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQDF+Dpr54DX
+ 0WdeTDpNAMdkCWEkl3OXtNgf58qlN1gX572OLBqLf0zT4bHstUEpU3piazph/rSWcUMuBo
+ D46tZ6jiH7H9b9Pem2eYQWaELDDkM+v9BMbEy5rMbFRLol5OtEvPFqneyEAanPOgvd8t3y
+ yhSev9QVusakzJ8j8LGgrA8huYZ+Srnw0shEWLG70KUKCh3rG0QIvA8nfhtUOisr2Gp+F0
+ YxMGb5gwBlQYAYE5l6u1SjZ7hNjyNosjK+wRBFgFFBYVpkZKJgWoK9w4ijFyzMZTucnZMq
+ KOKAjIJvHfKBf2/cEfYxSq1EndqTqjYsd9T7/s2vcn1OH5a0wkERAAAD0JnzCJYfDeiUQ6
+ 9LOAb6/NnhKvFjCdBYal60MfLcLBHvzHLJvTneQ4f1Vknq8xEVmRba7SDSfwaEybP/1FsP
+ SGH6FNKA5gKllemgmcaUVr3wtNPtjX4WgsyHcwCRgHmOiyNrUj0OZR5wbZabHIIyirl4wa
+ LBz8Jb3GalKEagtyWsBKDCKHCFNzh8xmsT1SWhnC7baRyC8e3krQm9hGbNhpj6Q5AtN3ql
+ wBVamUp0eKxkt70mKBKI4v3DR8KqrEndeK6d0cegVEkE67fqa99a5J3uSDC8mglKrHiKEs
+ dU1dh/bOF/H3aFpINlRwvlZ95Opby7rG0BHgbZONq0+VUnABVzNTM5Xd5UKjjCF28CrQBf
+ XS6WeHeUx2zHtOmL1xdePk+Bii+SSUl3pLa4SDwX4nV95cSPx8vMm8dJEruxad6+MPoSuy
+ Oyho89jqUTSgC/RPejuTgrnB3WbzE5SJb+V3zMata0J1wxbNfYKG9U+VucUZhP4+jzfNqH
+ B/v8JqtuxnqR8NjPsK2+8wJxebL2KVNjKOm//6P3KSDsavpscGpVWOM06zUlwWCB26W3pP
+ X/+xO9aR5wiBteFKoJG1waziIjqhOJSmvq+I/texUKEUd/eEFNt10Ubc0zy0sRYVN8rIRJ
+ masQzCYuUylDzCa4ar1s4qngBZzWL2PRkPuXuhoHuT0J5no174GR6+6EAYZZhnq0tkYrhZ
+ Ar0tQ4CDlI235a3MPHzvABuwYuWys1tBuLAb+6Gc6CmCiQ+mhojfQUBYG5T65iRFA5UQsH
+ O1RLEC3yasxGcBI6d0J/fwOP/YLktNu3AeUumr0N9Xgf02DlBNwd+4GOI0LcQvl/3J8ppo
+ bamTppKPEZ2d32VNEO+Z6Zx5DlIVm5gDeMvIvdwap445VnhL3ZZH2NCkAcXM9+0WH+Quas
+ JCAMgPYiP9FzF+8Onmj2OmhgIVj/9eanhS3/GLrRC4xCvER2V7PwgB0I5qY110BPEttDyo
+ IvYE51kvtdW447SK7HZywJnkyw2RNm+29dvWJJwSQckUHuZkXEtmEPk0ePL3yf2NH5XYJc
+ pXX6Zac0KemCPIHr8l7GogE4Rb2BBTqddkegb9piz6QTAPcQnn+GuMFG06IBhUrgcMEQ8x
+ UOXYUUrT5HvSxWUcgaYH1nfC3bTWmDaodw8/HQKyF6c44rujO2s2NLFOCAyQMUNdhh3lfD
+ yHYLO7xYkP6xzzkpk+2lwBoeYdQdAwlKN/XqC8ZhBfwTdem/1hh1BpQJFbbFftWxU8gxxi
+ iuI+vmlsuIsxKoGCq8YXuophx62lo=
+ -----END OPENSSH PRIVATE KEY-----
--
2.25.1
