Release 45.0 can't decode RSA private key with DES-EDE3-CBC,0FC613071E6D505D encryption

[Timost]

Hi,
Thank you for cryptography.

I'm using cryptography with paramiko with python 3.10.

I have an RSA private key encrypted with a passphrase using DES-EDE3-CBC,0FC613071E6D505D encryption.

It loads correctly with cryptography 44.0.3 but with the 45.x.x releases I get a ValueError:

paramiko.ssh_exception.SSHException: Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters). Details: ASN.1 parsing error: unexpected tag (got Tag { value: 2, constructed: false, class: Universal })

I noticed the openssl default_backend version changed between these versions so that might be the reason:

# with cryptography 44.0.3 
<OpenSSLBackend(version: OpenSSL 3.4.1 11 Feb 2025, FIPS: False, Legacy: True)>

# with cryptography 45.0.3 
<OpenSSLBackend(version: OpenSSL 3.5.0 8 Apr 2025, FIPS: False, Legacy: True)>

[alex]

Are you able to share an example key (not a real one, obviously) with this encryption?

[reaperhulk]

I can't replicate this with DES-EDE3-CBC keys (both PEM encryption and PKCS8) that I'm generating locally, so we definitely need a reproducer to understand.

Example key that is working in 44/45 (password is password):

-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,EF55C27E1056555D

vfO7uVTeGyAGqUd1AXD5tZujdUC61oNmKpiHJ/D7e3nmxlXOru9xXfd0QWMnM5A7
t+Vnwk0X0KxRYJ4C5mWwEUF8xbpLhoKG2IYx7eJZZsr8qZs6wDvi+RxiklQYdpxy
zhyLJrPbvSMXxZ/0lr7zp35n9bZVkFVifJ09YEDDGa0=
-----END EC PRIVATE KEY-----

[Timost]

Hi,
Sorry for the delay and thank you for your answers, I'll try to get a reproducer key I can share (I can't share the original one)

[github-actions]

This issue has been waiting for a reporter response for 3 days. It will be auto-closed if no activity occurs in the next 5 days.