Bug #10257

closed

Generate X.509 certificate/request/CRL with elliptic curve keys

Added by jtdowney (John Downey) over 7 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
ruby -v: ruby 2.2.0dev (2014-09-18 trunk 47624) [x86_64-darwin13]
[ruby-core:65106]

Description

Elliptic curve keys (OpenSSL::PKey::EC) cannot currently be used with the X.509 classes in Ruby OpenSSL. This is due to a few slight incompatibilities between the way RSA/DSA are implemented and the way EC is implemented.

  • OpenSSL::PKey::EC does not respond to #private? which is used by the #sign method on OpenSSL::X509::Certificate, OpenSSL::X509::Request, and OpenSSL::X509::CRL
  • The #public_key method on OpenSSL::PKey::EC returns an OpenSSL::PKey::EC::Point instead of an OpenSSL::PKey::EC object with just public key fields

This patch adds an alias for #public? and #private? to OpenSSL::PKey::EC that correspond to #public_key? and #private_key?. This brings it in line with the same interface on OpenSSL::PKey::RSA and OpenSSL::PKey::DSA. This also allows the key to be used with the X.509 classes I mentioned.

The second issue is unfortunately more complex as it does not look like it is possible to fix without either breaking backwards compatibility or putting some branching deeper in OpenSSL::X509::Certificate, OpenSSL::X509::Request, and OpenSSL::X509::CRL. The good news is you can pass the private OpenSSL::PKey::EC key to #public_key= and it still does the right thing.


Files

ec_x509.patch (8.06 KB), jtdowney (John Downey), 09/18/2014 03:10 PM

Related issues

Related to Ruby master - Bug #6567: Let OpenSSL::PKey::EC follow the general PKey interface (Closed)