Recovery python script not asking for private key password on OpenSSL >3 versions #16

@instilled

Description

Hi Fireblocks

In the fireblocks Hard Key Recovery Setup Usage Guide it is mentioned that Ubuntu 18.04 or newer is required to run the key recovery tool. Generating the private key with the OpenSSL version (3.0.2) that ships with Ubuntu 20.04 results in a private key file format that is slightly different from prior OpenSSL versions, which in turn skips detection of the password prompt in the fb_recovery_key.py script.

With OpenSSL 3.0.2 the result is

$ openssl genrsa -aes128 -out fb-recovery-prv.pem 4096
$ cat fb-recovery-prv.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
...

compare this to prior OpenSSL versions

$ openssl genrsa -aes128 -out fb-recovery-prv.pem 4096
$ cat fb-recovery-prv.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
...

On line fb_recovery_key.py#87 only the second line of the file is checked for the occurrence of ENCRYPTED:

with open(args.key, 'r') as _key:
    if 'ENCRYPTED' in _key.readlines()[1]:
        key_pass = getpass.getpass(prompt='Please enter recovery RSA private key passphrase:')
    else:
        key_pass = None

Checking for the encrypted mobile_key presumably suffers from the same problem (L83).

The fix is as easy as changing the conditional to

if 'ENCRYPTED' in ''.join(_key.readlines()[0:2]):

I will be providing a PR with the fix shortly.

Note that I'm not aware whether this is specific to the OpenSSL version that ships with Ubuntu 20.04 or not, but I think making the detection more robust may benefit future changes too.
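As an added illustration of the two PEM layouts described in this issue (not code from the fireblocks repository), the function below inspects the PEM header block instead of one fixed line, so it recognises both the legacy PKCS#1 "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" envelope that OpenSSL 3 writes; it goes slightly beyond the two-line join proposed above. The sample keys are constructed and contain placeholder bodies, since only the envelope matters for the check.

```python
# Constructed sample PEM texts: the base64 bodies are placeholders, not key material.
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

PLACEHOLDERBASE64BODY
-----END RSA PRIVATE KEY-----
"""

PKCS8_ENCRYPTED = """-----BEGIN ENCRYPTED PRIVATE KEY-----
PLACEHOLDERBASE64BODY
-----END ENCRYPTED PRIVATE KEY-----
"""

PKCS8_PLAIN = """-----BEGIN PRIVATE KEY-----
PLACEHOLDERBASE64BODY
-----END PRIVATE KEY-----
"""


def original_check(pem_text):
    """The check quoted in the issue: only the second line is inspected."""
    return 'ENCRYPTED' in pem_text.splitlines()[1]


def is_encrypted_pem(pem_text):
    """Return True if the PEM private key is passphrase-protected.

    Handles the PKCS#8 envelope (ENCRYPTED in the BEGIN line) and the legacy
    PKCS#1 layout, where RFC 1421-style headers follow the BEGIN line and
    end at the first blank line.
    """
    lines = pem_text.splitlines()
    if not lines:
        return False
    if 'ENCRYPTED' in lines[0]:          # -----BEGIN ENCRYPTED PRIVATE KEY-----
        return True
    for line in lines[1:]:
        if not line.strip() or line.startswith('-----END'):
            break                        # headers finished, body begins
        if line.startswith('Proc-Type:') and 'ENCRYPTED' in line:
            return True
    return False


if __name__ == '__main__':
    for name, pem in [('legacy', LEGACY_ENCRYPTED), ('pkcs8', PKCS8_ENCRYPTED),
                      ('plain', PKCS8_PLAIN)]:
        print(name, 'original:', original_check(pem), 'robust:', is_encrypted_pem(pem))
```

Running it shows the quoted check misses the PKCS#8 encrypted key while the header-block check flags both encrypted layouts and leaves the unencrypted key alone.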
