fix: openssh key parsing issue

[NilanshBansal]

Description

Tip

Add a TL;DR when the description is longer than 500 words or extremely technical (helps the content, marketing, and DevRel team).

Please also include relevant motivation and context. List any dependencies that are required for this change. Add links to Notion, Figma or any other documents that might be relevant to the PR.

Fixes #Issue Number
or
Fixes Issue URL

Warning

If no issue exists, please create an issue first, and check with the maintainers if the issue is valid.

Automation

/ok-to-test tags="@tag.Datasource"

🔍 Cypress test results

Tip

🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/19168276106
Commit: d156b8d
Cypress dashboard.
Tags: @tag.Datasource
Spec:

---

Fri, 07 Nov 2025 13:06:53 UTC

Communication

Should the DevRel and Marketing teams inform users about this change?

• Yes
• No

Summary by CodeRabbit

• New Features
  • SSH connections now support RSA PKCS#1 private key format in addition to existing PKCS#8 and OpenSSH formats. Users can utilize a wider variety of private keys for SSH authentication without requiring manual conversion, as the system automatically handles all necessary format conversions transparently.

[NilanshBansal]

/build-deploy-preview skip-tests=true

[github-actions]

Deploying Your Preview: https://github.com/appsmithorg/appsmith/actions/runs/19168275199.
Workflow: On demand build Docker image and deploy preview.
skip-tests: true.
env: ``.
PR: 41369.
recreate: .

[coderabbitai]

Walkthrough

The PR extends SSH key handling to support RSA PKCS#1 private keys by converting them to PKCS#8 format. A new helper method handles the ASN.1 conversion transparently. Tests are refactored to use BouncyCastleProvider with dynamic RSA key generation.

Changes

Cohort / File(s)	Summary
SSH Key Format Conversion app/server/appsmith-interfaces/src/main/java/com/appsmith/external/helpers/SSHUtils.java	Added convertRsaPkcs1ToPkcs8 helper method to convert RSA PKCS#1 keys to PKCS#8 format. Reworked key type detection to handle PKCS#8, PKCS#1, OpenSSH, and PEM formats via distinct code paths. Introduced ASN.1 and Base64 imports to support PrivateKeyInfo reconstruction with rsaEncryption OID.
SSH Key Format Tests app/server/appsmith-interfaces/src/test/java/com/appsmith/external/helpers/SSHUtilsTest.java	Replaced hard-coded OpenSSH key test with BouncyCastleProvider-based setup. Added dynamic RSA key pair generation and tests for PKCS#8 and PKCS#1→PKCS#8 conversion flows. Introduced private helper methods for key generation and PEM formatting utilities.

Sequence Diagram

sequenceDiagram
    participant Client
    participant SSHUtils
    participant KeyDetection
    participant PKCS1Converter
    participant PKCS8KeyFile

    Client->>SSHUtils: parseKey(keyContent)
    SSHUtils->>KeyDetection: Detect key format
    
    alt PKCS#8 Format
        KeyDetection-->>PKCS8KeyFile: Feed directly
    else PKCS#1 Format (RSA)
        KeyDetection->>PKCS1Converter: convertRsaPkcs1ToPkcs8(keyContent)
        Note over PKCS1Converter: Parse ASN.1, build PrivateKeyInfo,<br/>encode to PKCS#8 PEM
        PKCS1Converter-->>KeyDetection: PKCS#8 PEM string
        KeyDetection->>PKCS8KeyFile: Feed converted key
    else OpenSSH/Other
        KeyDetection-->>PKCS8KeyFile: Handle via existing path
    end
    
    PKCS8KeyFile-->>Client: KeyFile object

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• ASN.1 and PrivateKeyInfo reconstruction: Verify correctness of OID handling and ASN.1 encoding logic in convertRsaPkcs1ToPkcs8
• Key format detection paths: Ensure all branches handle edge cases and error conditions appropriately
• Security implications: Confirm cryptographic operations follow best practices and key material is handled securely
• Test coverage: Validate that dynamic RSA key generation covers representative key sizes and formats

Poem

🔑 PKCS#1 meets PKCS#8 today,
ASN.1 shows the format way,
Keys convert with grace and care,
Stronger SSH keychain everywhere! 🔐

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.
Description check	⚠️ Warning	Pull request description is incomplete; missing issue reference, motivation, context, and technical details about the SSH key parsing fix.	Fill in the issue number/URL, add TL;DR explaining the PKCS#1 to PKCS#8 conversion logic, describe the motivation for supporting RSA PKCS#1 keys, and specify any testing details.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix: openssh key parsing issue' clearly summarizes the main change—adding RSA PKCS#1 support to SSH key handling.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/openssh-key-parsing

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Deploy-Preview-URL: https://ce-41369.dp.appsmith.com