Bug #5600

OpenSSL::X509::Request can't sign() an OpenSSL::PKey::EC

Added by Steve Caligo over 2 years ago. Updated about 1 year ago.

[ruby-core:40853]
Status: Assigned
Priority: Normal
Assignee: Martin Bosslet
Category: ext
Target version: next minor
ruby -v: ruby 1.9.3p0 (2011-10-30 revision 33570) [x86_64-linux]
Backport:

Description

Unlike the PKey::DSA and PKey::RSA classes, PKey::EC provides a private_key?() rather than private?() method and is thus incompatible with the other OpenSSL classes that rely on them, i.e. it makes it impossible to generate a certificate signing request:

require 'openssl'

key = OpenSSL::PKey::EC.new('secp521r1')
key.generate_key

req = OpenSSL::X509::Request.new
req.public_key = key
req.subject = OpenSSL::X509::Name.parse('CN=whatever')
req.sign(key, OpenSSL::Digest::SHA384.new)

which produces the error:

in `sign': undefined method `private?' for #<OpenSSL::PKey::EC:0x000000021b4980> (NoMethodError)

ossl_pkey_ec.c should either:
- rb_define_method() the missing private? and public? methods
- rename public_key? to public? and private_key? to private?

Judging by the source code, this should be present in branch 1.8 as well.
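A probe for the incompatibility described in this report, as an added example that is not part of the original report or of Ruby's openssl extension: it checks whether an EC key responds to the generic `private?`/`public?` predicates and whether a CSR signed with it verifies after a DER round trip. The helper names `generate_ec_key` and `ec_csr_check` are hypothetical.

```ruby
require 'openssl'

# Generate an EC key in a way that works on old and new versions of the
# openssl extension (EC.generate is used where it exists).
def generate_ec_key(curve)
  if OpenSSL::PKey::EC.respond_to?(:generate)
    OpenSSL::PKey::EC.generate(curve)
  else
    key = OpenSSL::PKey::EC.new(curve)
    key.generate_key
    key
  end
end

# Hypothetical helper: reports whether EC keys expose the generic PKey
# predicates and whether a CSR can be signed and verified with one.
def ec_csr_check(curve = 'secp521r1', subject = 'CN=whatever')
  key = generate_ec_key(curve)
  result = {
    generic_interface: key.respond_to?(:private?) && key.respond_to?(:public?),
    ec_only_interface: key.respond_to?(:private_key?) && key.respond_to?(:public_key?),
    signed: false,
    verified: false,
    error: nil
  }

  req = OpenSSL::X509::Request.new
  req.public_key = key
  req.subject = OpenSSL::X509::Name.parse(subject)
  begin
    req.sign(key, OpenSSL::Digest.new('SHA384'))
    result[:signed] = true
    # Re-parse the DER encoding so verification runs on what a CA would receive.
    parsed = OpenSSL::X509::Request.new(req.to_der)
    result[:verified] = parsed.verify(parsed.public_key)
  rescue NoMethodError, OpenSSL::OpenSSLError => e
    result[:error] = "#{e.class}: #{e.message}"
  end
  result
end

if __FILE__ == $PROGRAM_NAME
  ec_csr_check.each { |name, value| puts "#{name}: #{value.inspect}" }
end
```

On an interpreter affected by this report, `signed` stays false and `error` carries the NoMethodError for `private?`.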

History

#1 Updated by Martin Bosslet over 2 years ago

  • Status changed from Open to Assigned
  • Assignee set to Martin Bosslet
  • Target version set to 2.0.0

#2 Updated by Martin Bosslet almost 2 years ago

Unfortunately it's not done by simply renaming the methods appropriately. It still would fail because OpenSSL::PKey::EC#public_key returns an OpenSSL::PKey::EC::Point instead of another OpenSSL::PKey::EC, and as a consequence, there's no reference to an EVP_PKEY that is needed internally. The whole EC interface needs an overhaul. I'll set up a parent task referencing all the issues that piled up since the release of 1.9.3. The goal would be to make EC follow the general PKey interface, allowing them to be used interchangeably wherever a PKey instance is expected.

#3 Updated by Yusuke Endoh about 1 year ago

  • Subject changed from OpenSSL::X509::Request can't sign() an OpenSSL::PKey::EC to OpenSSL::X509::Request can't sign() an OpenSSL::PKey::EC
  • Target version changed from 2.0.0 to next minor

It is too late for "an overhaul". Postponing to next minor.

Yusuke Endoh mame@tsg.ne.jp
