Bug #5951
Exported RSA keys allow pass phrases that are too short
Status: closed
Description
Exporting a key with this code:

require 'openssl'

key = OpenSSL::PKey::RSA.new 2048           # the key being exported (not shown in the original snippet)
cipher = OpenSSL::Cipher.new 'AES-128-CBC'  # OpenSSL::Cipher::Cipher in the original; that alias is deprecated
pass_phrase = 'woo'                         # three characters, below the PEM prompt's four-character minimum
key_secure = key.export cipher, pass_phrase
open 'private.secure.pem', 'w' do |io|
  io.write key_secure
end

is not loadable:
$ ruby20 -v -ropenssl -e 'OpenSSL::PKey::RSA.new File.read "private.secure.pem"'
ruby 2.0.0dev (2011-12-20 trunk 34073) [x86_64-darwin11.2.0]
Enter PEM pass phrase: # I typed woo
phrase is too short, needs to be at least 4 chars
Updated by MartinBosslet (Martin Bosslet) about 12 years ago
- Status changed from Open to Assigned
Aah, that's bad. You can override the check for four characters by passing the password as an additional parameter (probably not what you want) or by giving a block that returns the password to PKey.new.
Other than that, I fear the only option to get consistent behavior here is to either require passwords to be at least four characters long everywhere, or to override OpenSSL's default PEM callback entirely and to provide our own.
The first acknowledges the four character restriction as a sort of "viral constraint", something I'd like to avoid. The second solution could be based on a call to gets or something. I'd prefer that.
What do you think?
Updated by Anonymous almost 12 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
This issue was solved with changeset r36001.
Eric, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.
- ext/openssl/ossl.c
  ext/openssl/ossl_pkey_rsa.c
  ext/openssl/ossl_pkey_dsa.c
  ext/openssl/ossl_pkey_ec.c: Forbid export passwords that are less
  than four characters long, as OpenSSL itself does not allow this.
  Issue found by Eric Hodel.
- ext/openssl/ossl_pkey_ec.c: Add export as an alias of to_pem,
  following the PKey interface contract.
- test/openssl/test_pkey_dsa.rb
  test/openssl/test_pkey_rsa.rb
  test/openssl/test_pkey_ec.rb: Add tests that assert correct
  behaviour when dealing with passwords that are less than four
  characters long.
[ruby-core: 42281][ruby-trunk - Bug #5951]
Updated by MartinBosslet (Martin Bosslet) almost 12 years ago
I couldn't find a way to generally override the OpenSSL check, so I simply enforced the same check on our side to at least guarantee consistency.