How to verify a wireguard public key?

Sat Dec 26 00:47:08 CET 2020

On Sat, Dec 26, 2020 at 12:38 AM Matthias May <matthias.may at westermo.com> wrote:
>
> On 25/12/2020 10:10, Nico Schottelius wrote:
> >
> > Good morning Adam and Jason,
> >
> > thanks for your qualified and fast answers! It's nice to see Dan's
> > website still referenced in almost 2021 and also that it can be easily
> > enough verified.
> >
> > For reference and if anyone ever looks up this thread, I am using
> > the following code within the Django Rest Framework [0]:
> >
> > --------------------------------------------------------------------------------
> >     def validate_wireguard_public_key(self, value):
> >         msg = _("Supplied key is not a valid wireguard public key")
> >
> >         """
> >         Verify wireguard key.
> >         See https://urldefense.com/v3/__https://lists.zx2c4.com/pipermail/wireguard/2020-December/006221.html__;!!I9LPvj3b!XDmxiY_v3yY5wQI9GfFvshrCIUcqg4vvKg35qvL0fFajgNHTwr3LcySSqHrNgCByOzQ$
> >         """
> >
> >         try:
> >             decoded_key = base64.standard_b64decode(value)
> >         except Exception as e:
> >             raise serializers.ValidationError(msg)
> >
> >         if not len(decoded_key) == 32:
> >             raise serializers.ValidationError(msg)
> >
> >         return value
> > --------------------------------------------------------------------------------
> >
> > Thanks again and enjoy the quite time over Christmas!
> >
> > Best regards,
> >
> > Nico
> >
> > [0] https://urldefense.com/v3/__https://code.ungleich.ch/uncloud/uncloud/-/blob/master/uncloud_net/serializers.py*L37__;Iw!!I9LPvj3b!XDmxiY_v3yY5wQI9GfFvshrCIUcqg4vvKg35qvL0fFajgNHTwr3LcySSqHrNb-aKgNg$
> >
> >
> > Adam Stiles <ajstiles at gmail.com> writes:
> >
> >> Hi Nico,
> >>
> >> WireGuard uses Curve25519 keys. A Curve25519 secret key is a random 32
> >> byte value with a few special bits flipped, and a public key is
> >> calculated from a secret key.
> >>
> >> There's some good info here (https://urldefense.com/v3/__https://cr.yp.to/ecdh.html__;!!I9LPvj3b!XDmxiY_v3yY5wQI9GfFvshrCIUcqg4vvKg35qvL0fFajgNHTwr3LcySSqHrNDoxdskk$ ), including
> >> this questions and answer:
> >>
> >> "How do I validate Curve25519 public keys?"
> >>
> >> "Don't. The Curve25519 function was carefully designed to allow all
> >> 32-byte strings as Diffie-Hellman public keys."
> >>
> >> I just saw Jason's response, and so this is a bit redundant, but the
> >> reference above is a good one.
> >>
> >> Best,
> >>
> >> Adam
> >>
> >>
> >> On Thu, Dec 24, 2020 at 3:21 PM Nico Schottelius
> >> <nico.schottelius at ungleich.ch> wrote:
> >>>
> >>>
> >>> Good morning,
> >>>
> >>> I am currently extending uncloud [0] to support wireguard tunnels and
> >>> keys. At the moment it is not entirely clear how to verify that a
> >>> certain string is a valid wireguard key.
> >>>
> >>> I first tried checking that it is valid base64, but not all base64
> >>> strings are valid wireguard keys.
> >>>
> >>> Then I tried using `echo $key | wg pubkey && echo ok` - which seems to
> >>> check the key format, however the intended behaviour here is misused.
> >>>
> >>> Does anyone have a pointer on how to reliably identify wireguard public
> >>> keys?
> >>>
> >>> Is the wireguard key always 32 bytes when decoded from base64? Tests
> >>> with a number of public keys seems to indicate that.
> >>>
> >>> Best regards,
> >>>
> >>> Nico
> >>>
> >>>
> >>> [0] https://urldefense.com/v3/__https://code.ungleich.ch/uncloud/uncloud__;!!I9LPvj3b!XDmxiY_v3yY5wQI9GfFvshrCIUcqg4vvKg35qvL0fFajgNHTwr3LcySSqHrNE6JpRjQ$
> >>>
> >>> --
> >>> Modern, affordable, Swiss Virtual Machines. Visit https://urldefense.com/v3/__http://www.datacenterlight.ch__;!!I9LPvj3b!XDmxiY_v3yY5wQI9GfFvshrCIUcqg4vvKg35qvL0fFajgNHTwr3LcySSqHrNmbUvisY$
> >
> >
> > --
> > Modern, affordable, Swiss Virtual Machines. Visit https://urldefense.com/v3/__http://www.datacenterlight.ch__;!!I9LPvj3b!XDmxiY_v3yY5wQI9GfFvshrCIUcqg4vvKg35qvL0fFajgNHTwr3LcySSqHrNmbUvisY$
> >
>
>
> Hi
> On this topic, i recently implemented a check if a key is valid in cpp with the following rather crude code:
>
> bool isValidWgKey(const string& usage, const string& key)
> {
>         /* Wireguard keys are BASE64 encoded */
>         unsigned int _key_length = 44;
>         unsigned int _key_offset = _key_length -1;
>         if (key.length() != _key_length) {
>                 log("Wireguard " + usage + " has wrong length (" + to_string(key.length()) + " instead of 44)!");
>                 return false;
>         }
>         size_t found = key.substr(0,_key_offset).find_first_not_of("abcdefghijklmnopqrstuvwxyz"
>                                                                    "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/");
>         if (found != std::string::npos) {
>                 log("Wireguard " + usage + " contains invalid character '" + key.substr(found, 1) + "'");
>                 return false;
>         }
>         if (key.substr(_key_offset,1) != "=") {
>                 log("Wireguard " + usage + " ends with invalid character '" +
>                     key.substr(found, 1) + "' instead of '='");
>                 return false;
>         }
>         return true;
> }

This code is incorrect because it allows keys that are up to 258bits,
instead of being exactly 256bits. See my post a few messages ago about
different rules for the penultimate character.

https://lists.zx2c4.com/pipermail/wireguard/2020-December/006222.html

Jason