
Release 45.0 can't decode RSA private key with DES-EDE3-CBC,0FC613071E6D505D encryption

Open Timost opened this issue 7 months ago • 4 comments

Hi, thank you for cryptography.

I'm using cryptography with paramiko with Python 3.10.

I have an RSA private key encrypted with a passphrase using DES-EDE3-CBC,0FC613071E6D505D encryption.

It loads correctly with cryptography 44.0.3 but with the 45.x.x releases I get a ValueError:

paramiko.ssh_exception.SSHException: Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters). Details: ASN.1 parsing error: unexpected tag (got Tag { value: 2, constructed: false, class: Universal })

I noticed the openssl default_backend version changed between these versions so that might be the reason:

# with cryptography 44.0.3 
<OpenSSLBackend(version: OpenSSL 3.4.1 11 Feb 2025, FIPS: False, Legacy: True)>
# with cryptography 45.0.3 
<OpenSSLBackend(version: OpenSSL 3.5.0 8 Apr 2025, FIPS: False, Legacy: True)>

Timost, Jun 06 '25 09:06

Are you able to share an example key (not a real one, obviously) with this encryption?

alex, Jun 06 '25 11:06

I can't replicate this with DES-EDE3-CBC keys (both PEM encryption and PKCS8) that I'm generating locally, so we definitely need a reproducer to understand.

Example key that is working in 44/45 (password is password):

-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,EF55C27E1056555D

vfO7uVTeGyAGqUd1AXD5tZujdUC61oNmKpiHJ/D7e3nmxlXOru9xXfd0QWMnM5A7
t+Vnwk0X0KxRYJ4C5mWwEUF8xbpLhoKG2IYx7eJZZsr8qZs6wDvi+RxiklQYdpxy
zhyLJrPbvSMXxZ/0lr7zp35n9bZVkFVifJ09YEDDGa0=
-----END EC PRIVATE KEY-----

reaperhulk, Jun 11 '25 16:06
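
When the original key cannot be shared, its container format and cipher header can still be reported. The following is an added example, not part of the thread and not code from the cryptography project: a standard-library helper that tells traditional PEM encryption apart from PKCS#8 and OpenSSH containers and splits the `DEK-Info` value into cipher name and IV. The function name `describe_pem_key` is hypothetical, and the sample input is constructed from the headers of the key posted above with the body omitted.

```python
import re

# Constructed sample: armor label and headers of the EC key posted in this
# thread; the base64 body is omitted because only the headers are inspected.
SAMPLE = """-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,EF55C27E1056555D

(base64 body omitted)
-----END EC PRIVATE KEY-----
"""

BEGIN_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def describe_pem_key(pem: str) -> dict:
    """Classify a PEM private key without decrypting or decoding its body."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    m = BEGIN_RE.fullmatch(lines[0]) if lines else None
    if not m:
        raise ValueError("no PEM BEGIN line found")
    label = m.group(1)
    info = {"label": label, "container": "unencrypted",
            "cipher": None, "iv_bytes": None}
    if label == "ENCRYPTED PRIVATE KEY":
        info["container"] = "pkcs8-encrypted"  # cipher is inside the DER
        return info
    if label == "OPENSSH PRIVATE KEY":
        info["container"] = "openssh"  # cipher, if any, is inside the blob
        return info
    # Traditional OpenSSL format: RFC 1421 style headers follow the BEGIN
    # line and end at the first blank (or non-header) line.
    headers = {}
    for ln in lines[1:]:
        if not ln or ":" not in ln:
            break
        name, _, value = ln.partition(":")
        headers[name.strip()] = value.strip()
    if headers.get("Proc-Type") == "4,ENCRYPTED":
        # DEK-Info is "<cipher>,<hex IV>"; the hex part is not the algorithm.
        cipher, _, iv_hex = headers.get("DEK-Info", "").partition(",")
        info.update(container="traditional-pem-encrypted", cipher=cipher,
                    iv_bytes=len(bytes.fromhex(iv_hex)))
    return info


if __name__ == "__main__":
    print(describe_pem_key(SAMPLE))
```

The returned fields can be pasted into a report in place of the key itself.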

Hi, sorry for the delay and thank you for your answers. I'll try to get a reproducer key I can share (I can't share the original one).

Timost, Jun 11 '25 20:06

This issue has been waiting for a reporter response for 3 days. It will be auto-closed if no activity occurs in the next 5 days.

github-actions[bot], Jun 15 '25 00:06

This issue has not received a reporter response and has been auto-closed. If the issue is still relevant please leave a comment and we can reopen it.

github-actions[bot], Jun 21 '25 00:06