How to verify a wireguard public key?

Adam Stiles ajstiles at gmail.com
Fri Dec 25 00:42:00 CET 2020


Hi Nico,

WireGuard uses Curve25519 keys. A Curve25519 secret key is a random 32
byte value with a few special bits flipped, and a public key is
calculated from a secret key.

There's some good info here (https://cr.yp.to/ecdh.html), including
this question and answer:

"How do I validate Curve25519 public keys?"

"Don't. The Curve25519 function was carefully designed to allow all
32-byte strings as Diffie-Hellman public keys."

I just saw Jason's response, and so this is a bit redundant, but the
reference above is a good one.

Best,

Adam


On Thu, Dec 24, 2020 at 3:21 PM Nico Schottelius
<nico.schottelius at ungleich.ch> wrote:
>
>
> Good morning,
>
> I am currently extending uncloud [0] to support wireguard tunnels and
> keys. At the moment it is not entirely clear how to verify that a
> certain string is a valid wireguard key.
>
> I first tried checking that it is valid base64, but not all base64
> strings are valid wireguard keys.
>
> Then I tried using `echo $key | wg pubkey && echo ok` - which seems to
> check the key format, however the intended behaviour here is misused.
>
> Does anyone have a pointer on how to reliably identify wireguard public
> keys?
>
> Is the wireguard key always 32 bytes when decoded from base64? Tests
> with a number of public keys seem to indicate that.
>
> Best regards,
>
> Nico
>
>
> [0] https://code.ungleich.ch/uncloud/uncloud
>
> --
> Modern, affordable, Swiss Virtual Machines. Visit www.datacenterlight.ch
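As an added illustration, not code from the thread or from WireGuard itself, the two points above in working form: a strict check that a string is the canonical base64 of exactly 32 bytes, and a pure-Python X25519 (the RFC 7748 ladder) showing the "special bits flipped" clamping and how the public key is computed from the secret key. Function names are my own; `public_key_b64` mirrors what `wg pubkey` does without shelling out.

```python
import base64
import binascii

P = 2**255 - 19  # Curve25519 field prime

def is_wireguard_key(s: str) -> bool:
    """True if s is the canonical base64 form of exactly 32 bytes."""
    # 32 bytes always base64-encode to 44 characters ending in one '=' pad.
    if len(s) != 44 or not s.endswith("="):
        return False
    try:
        raw = base64.b64decode(s, validate=True)  # rejects non-alphabet chars
    except (binascii.Error, ValueError):
        return False
    # Re-encoding catches non-canonical padding bits in the final character.
    return len(raw) == 32 and base64.b64encode(raw).decode() == s

def clamp(secret: bytes) -> int:
    """Apply the Curve25519 bit tweaks to a 32-byte secret, return the scalar."""
    k = bytearray(secret)
    k[0] &= 248    # clear the low three bits (multiple of the cofactor 8)
    k[31] &= 127   # clear the top bit
    k[31] |= 64    # set bit 254 so every scalar has the same bit length
    return int.from_bytes(k, "little")

def x25519(secret: bytes, u_bytes: bytes = (9).to_bytes(32, "little")) -> bytes:
    """Montgomery ladder from RFC 7748; default u = 9 yields the public key."""
    k = clamp(secret)
    x1 = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)  # mask top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def public_key_b64(private_b64: str) -> str:
    """Base64 private key in, base64 public key out (what `wg pubkey` does)."""
    if not is_wireguard_key(private_b64):
        raise ValueError("not the base64 encoding of 32 bytes")
    return base64.b64encode(x25519(base64.b64decode(private_b64))).decode()
```

Note that the validator only establishes the encoding: as the cr.yp.to answer says, every 32-byte string is an acceptable Curve25519 public key, so there is nothing further to "verify".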