Bug #5951

Exported RSA keys allow pass phrases that are too short

Added by drbrain (Eric Hodel) over 7 years ago. Updated almost 7 years ago.

Status:
Closed
Priority:
Normal
Target version:
-
ruby -v:
ruby 2.0.0dev (2011-12-20 trunk 34073) [x86_64-darwin11.2.0]
Backport:
[ruby-core:42281]

Description

Exporting a key with this code:

require 'openssl'

key = OpenSSL::PKey::RSA.new 2048 # any RSA private key; the report does not show how it was made

cipher = OpenSSL::Cipher.new 'AES-128-CBC' # the report used the older OpenSSL::Cipher::Cipher spelling
pass_phrase = 'woo'

key_secure = key.export cipher, pass_phrase # encrypts the PEM under a three-character passphrase

open 'private.secure.pem', 'w' do |io|
  io.write key_secure
end

Is not loadable:

$ ruby20 -v -ropenssl -e 'OpenSSL::PKey::RSA.new File.read "private.secure.pem"'
ruby 2.0.0dev (2011-12-20 trunk 34073) [x86_64-darwin11.2.0]
Enter PEM pass phrase: # I typed woo
phrase is too short, needs to be at least 4 chars

Associated revisions

Revision 5bd7899b
Added by emboss almost 7 years ago

  • ext/openssl/ossl.c ext/openssl/ossl_pkey_rsa.c ext/openssl/ossl_pkey_dsa.c ext/openssl/ossl_pkey_ec.c: Forbid export passwords that are less than four characters long, as OpenSSL itself does not allow this. Issue found by Eric Hodel.
  • ext/openssl/ossl_pkey_ec.c: Add export as an alias of to_pem, following the PKey interface contract.
  • test/openssl/test_pkey_dsa.rb test/openssl/test_pkey_rsa.rb test/openssl/test_pkey_ec.rb: Add tests that assert correct behaviour when dealing with passwords that are less than four characters long. [ruby-core: 42281][ruby-trunk - Bug #5951]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36001 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Revision 36001
Added by emboss almost 7 years ago

  • ext/openssl/ossl.c ext/openssl/ossl_pkey_rsa.c ext/openssl/ossl_pkey_dsa.c ext/openssl/ossl_pkey_ec.c: Forbid export passwords that are less than four characters long, as OpenSSL itself does not allow this. Issue found by Eric Hodel.
  • ext/openssl/ossl_pkey_ec.c: Add export as an alias of to_pem, following the PKey interface contract.
  • test/openssl/test_pkey_dsa.rb test/openssl/test_pkey_rsa.rb test/openssl/test_pkey_ec.rb: Add tests that assert correct behaviour when dealing with passwords that are less than four characters long. [ruby-core: 42281][ruby-trunk - Bug #5951]

History

Updated by MartinBosslet (Martin Bosslet) over 7 years ago

  • Status changed from Open to Assigned

Aah, that's bad. You can override the check for four characters by passing the password as an additional parameter (probably not what you want) or by giving a block that returns the password to PKey.new.
Other than that, I fear the only option to get consistent behavior here is to either require passwords to be at least four characters long everywhere, or to override OpenSSL's default PEM callback entirely and to provide our own.

The first acknowledges the four character restriction as a sort of "viral constraint", something I'd like to avoid. The second solution could be based on a call to gets or something. I'd prefer that.

What do you think?
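
The two loading workarounds above (passphrase as an argument, passphrase from a block) and the export-side outcome, as an added Ruby example that is not part of this ticket or of the openssl extension's own code. It assumes an RSA key generated on the spot and the three-character passphrase 'woo' from the report. Whether export accepts that passphrase depends on the openssl extension version (r36001 refuses it; later releases may not), so short_passphrase_outcome reports which case occurred instead of assuming one. The point it shows is that a passphrase handed to PKey.new directly never reaches OpenSSL's default prompt and its four-character minimum, so an already written short-passphrase file stays recoverable, while a wrong passphrase still fails cleanly.

```ruby
require 'openssl'

# Constructed test key (not from the report); 2048 bits so it is accepted
# by current OpenSSL security levels.
TEST_KEY = OpenSSL::PKey::RSA.new(2048)

# The three-character passphrase from the report, and a compliant one.
SHORT_PASS = 'woo'
LONG_PASS  = 'correct-horse'

# Export the private key PEM-encrypted with AES-128-CBC, as the report does.
# Returns the PEM text, or nil when this openssl version refuses the
# passphrase up front (r36001 rejects anything shorter than four characters;
# later releases of the openssl gem may accept it).
def export_encrypted(key, pass)
  cipher = OpenSSL::Cipher.new('AES-128-CBC')
  key.export(cipher, pass)
rescue ArgumentError, OpenSSL::OpenSSLError
  nil
end

# Workaround 1 from the discussion: hand the passphrase to PKey.new directly.
# OpenSSL's default PEM callback (and its minimum length check) is never
# invoked, so a short passphrase already baked into a file still decrypts.
# Returns nil when decryption or parsing fails (wrong passphrase).
def load_with_password(pem, pass)
  OpenSSL::PKey::RSA.new(pem, pass)
rescue OpenSSL::PKey::PKeyError
  nil
end

# Workaround 2: supply the passphrase from a block instead of an argument.
def load_with_block(pem, pass)
  OpenSSL::PKey::RSA.new(pem) { pass }
rescue OpenSSL::PKey::PKeyError
  nil
end

# True when both objects hold the same private key: matching modulus and
# private exponent proves the encrypted blob was actually decrypted.
def same_key?(a, b)
  !a.nil? && !b.nil? && a.n == b.n && a.d == b.d
end

# Exercise the report's scenario end to end and report what happened:
#   :export_refused   - this openssl refuses the short passphrase at export
#   :roundtrip_ok     - export succeeded and both workarounds recover the key
#   :roundtrip_broken - export succeeded but the key could not be recovered
def short_passphrase_outcome(key = TEST_KEY, pass = SHORT_PASS)
  pem = export_encrypted(key, pass)
  return :export_refused if pem.nil?
  return :roundtrip_broken unless same_key?(key, load_with_password(pem, pass))
  return :roundtrip_broken unless same_key?(key, load_with_block(pem, pass))
  :roundtrip_ok
end

if __FILE__ == $0
  puts "short passphrase: #{short_passphrase_outcome}"
  pem = export_encrypted(TEST_KEY, LONG_PASS)
  puts "wrong passphrase rejected: #{load_with_password(pem, 'nope').nil?}"
  puts "block form recovers key: #{same_key?(TEST_KEY, load_with_block(pem, LONG_PASS))}"
end
```

Loading the file with no passphrase and no block is deliberately not exercised: that is the path that hands control to OpenSSL's interactive prompt, which is where the "phrase is too short" rejection in the report comes from.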

Updated by Anonymous almost 7 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

This issue was solved with changeset r36001.
Eric, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.


  • ext/openssl/ossl.c ext/openssl/ossl_pkey_rsa.c ext/openssl/ossl_pkey_dsa.c ext/openssl/ossl_pkey_ec.c: Forbid export passwords that are less than four characters long, as OpenSSL itself does not allow this. Issue found by Eric Hodel.
  • ext/openssl/ossl_pkey_ec.c: Add export as an alias of to_pem, following the PKey interface contract.
  • test/openssl/test_pkey_dsa.rb test/openssl/test_pkey_rsa.rb test/openssl/test_pkey_ec.rb: Add tests that assert correct behaviour when dealing with passwords that are less than four characters long. [ruby-core: 42281][ruby-trunk - Bug #5951]

Updated by MartinBosslet (Martin Bosslet) almost 7 years ago

I couldn't find a way to generally override the OpenSSL check, so I simply enforced the same check on our side to at least guarantee consistency.
