swap to PKCS8 form

this allows storing different keys

Author: TheFox0x7

modules/ssh/ssh.go

@@ -55,6 +55,12 @@ import (
 
 const giteaPermissionExtensionKeyID = "gitea-perm-ext-key-id"
 
+type KeyType string
+
+const (
+	RSA KeyType = "rsa"
+)
+
 func getExitStatusFromError(err error) int {
 	if err == nil {
 		return 0
@@ -373,7 +379,7 @@ func Listen(host string, port int, ciphers, keyExchanges, macs []string) {
 			log.Error("Failed to create dir %s: %v", filePath, err)
 		}
 
-		err := GenKeyPair(setting.SSH.ServerHostKeys[0])
+		err := GenKeyPair(setting.SSH.ServerHostKeys[0], RSA)
 		if err != nil {
 			log.Fatal("Failed to generate private key: %v", err)
 		}
@@ -388,7 +394,6 @@ func Listen(host string, port int, ciphers, keyExchanges, macs []string) {
 			log.Error("Failed to set Host Key. %s", err)
 		}
 	}
-
 	go func() {
 		_, _, finished := process.GetManager().AddTypedContext(graceful.GetManager().HammerContext(), "Service: Built-in SSH server", process.SystemProcessType, true)
 		defer finished()
@@ -399,13 +404,18 @@ func Listen(host string, port int, ciphers, keyExchanges, macs []string) {
 // GenKeyPair make a pair of public and private keys for SSH access.
 // Public key is encoded in the format for inclusion in an OpenSSH authorized_keys file.
 // Private Key generated is PEM encoded
-func GenKeyPair(keyPath string) error {
-	privateKey, err := rsa.GenerateKey(rand.Reader, 4096)
+func GenKeyPair(keyPath string, keyType KeyType) error {
+	privateKey, publicKey, err := keyGen(keyType)
 	if err != nil {
 		return err
 	}
 
-	privateKeyPEM := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privateKey)}
+	privateKeyPKCS8, err := x509.MarshalPKCS8PrivateKey(privateKey)
+	if err != nil {
+		return err
+	}
+
+	privateKeyPEM := &pem.Block{Type: "PRIVATE KEY", Bytes: privateKeyPKCS8}
 	f, err := os.OpenFile(keyPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600)
 	if err != nil {
 		return err
@@ -421,7 +431,7 @@ func GenKeyPair(keyPath string) error {
 	}
 
 	// generate public key
-	pub, err := gossh.NewPublicKey(&privateKey.PublicKey)
+	pub, err := gossh.NewPublicKey(publicKey)
 	if err != nil {
 		return err
 	}
@@ -439,3 +449,16 @@ func GenKeyPair(keyPath string) error {
 	_, err = p.Write(public)
 	return err
 }
+
+func keyGen(keytype KeyType) (any, any, error) {
+	switch keytype {
+	case RSA:
+		privateKey, err := rsa.GenerateKey(rand.Reader, 4096)
+		if err != nil {
+			return nil, nil, err
+		}
+		return privateKey, &privateKey.PublicKey, nil
+	default:
+		return nil, nil, errors.New("unknown keyType")
+	}
+}

modules/ssh/ssh_test.go

@@ -1,6 +1,7 @@
 package ssh_test
 
 import (
+	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
 	"io"
@@ -14,7 +15,7 @@ import (
 
 func TestGenKeyPair(t *testing.T) {
 	path := t.TempDir() + "/gitea.rsa"
-	ssh.GenKeyPair(path)
+	require.NoError(t, ssh.GenKeyPair(path, ssh.RSA))
 
 	file, err := os.Open(path)
 	require.NoError(t, err)
@@ -24,9 +25,9 @@ func TestGenKeyPair(t *testing.T) {
 
 	block, _ := pem.Decode(bytes)
 	require.NotNil(t, block)
-	assert.Equal(t, "RSA PRIVATE KEY", block.Type)
+	assert.Equal(t, "PRIVATE KEY", block.Type)
 
-	privateKey, err := x509.ParsePKCS1PrivateKey(block.Bytes)
+	privateKey, err := x509.ParsePKCS8PrivateKey(block.Bytes)
 	require.NoError(t, err)
-	assert.NotNil(t, privateKey)
+	assert.IsType(t, &rsa.PrivateKey{}, privateKey)
 }