How to verify a wireguard public key?
ajstiles at gmail.com
Fri Dec 25 00:42:00 CET 2020
WireGuard uses Curve25519 keys. A Curve25519 secret key is a random 32
byte value with a few special bits flipped, and a public key is
calculated from a secret key.
There's some good info here (https://cr.yp.to/ecdh.html), including
this question and answer:
"How do I validate Curve25519 public keys?"
"Don't. The Curve25519 function was carefully designed to allow all
32-byte strings as Diffie-Hellman public keys."
I just saw Jason's response, and so this is a bit redundant, but the
reference above is a good one.
On Thu, Dec 24, 2020 at 3:21 PM Nico Schottelius
<nico.schottelius at ungleich.ch> wrote:
> Good morning,
> I am currently extending uncloud to support wireguard tunnels and
> keys. At the moment it is not entirely clear how to verify that a
> certain string is a valid wireguard key.
> I first tried checking that it is valid base64, but not all base64
> strings are valid wireguard keys.
> Then I tried using `echo $key | wg pubkey && echo ok` - which seems to
> check the key format, however the intended behaviour here is misused.
> Does anyone have a pointer on how to reliably identify wireguard public
> Is the wireguard key always 32 bytes when decoded from base64? Tests
> with a number of public keys seem to indicate that.
> Best regards,
>  https://code.ungleich.ch/uncloud/uncloud
> Modern, affordable, Swiss Virtual Machines. Visit www.datacenterlight.ch
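As an added example, not code from either poster or from the WireGuard project, here is the check the thread converges on, in Python: base64-decode the string, require exactly 32 bytes, and reject non-canonical encodings, with no curve-point validation, following the cr.yp.to guidance quoted above. The sample key is constructed (base64 of the bytes 0..31), not a real peer key.

```python
import base64
import binascii

# A WireGuard key is a raw 32-byte Curve25519 key carried as standard
# padded base64: 32 bytes -> 43 base64 characters plus one "=".
WG_KEY_LEN = 32
WG_KEY_B64_LEN = 44

# Constructed sample: base64 of bytes 0x00..0x1f (not a real peer key).
SAMPLE_KEY = "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8="


def is_valid_wg_key(s: str) -> bool:
    """Return True if `s` is a well-formed base64-encoded WireGuard key.

    Per https://cr.yp.to/ecdh.html, every 32-byte string is an acceptable
    Curve25519 public key, so the only meaningful checks are on the
    encoding: correct length, valid base64 alphabet and padding, and a
    canonical encoding so that two distinct strings cannot name one key.
    This says nothing about whether the key belongs to any actual peer.
    """
    if len(s) != WG_KEY_B64_LEN or not s.endswith("="):
        return False
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(raw) != WG_KEY_LEN:
        return False
    # The last character carries two unused bits; if they are non-zero the
    # string decodes to the same bytes as another string. Re-encoding and
    # comparing rejects such non-canonical inputs.
    return base64.b64encode(raw).decode("ascii") == s


def wg_key_bytes(s: str) -> bytes:
    """Decode a validated key to its 32 raw bytes, raising on bad input."""
    if not is_valid_wg_key(s):
        raise ValueError("not a well-formed WireGuard key")
    return base64.b64decode(s)


if __name__ == "__main__":
    print(SAMPLE_KEY, is_valid_wg_key(SAMPLE_KEY))
    print("AAEC" + "A" * 39 + "=", is_valid_wg_key("AAEC" + "A" * 39 + "="))
```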