Bug #5951

Exported RSA keys allow pass phrases that are too short

Added by drbrain (Eric Hodel) almost 9 years ago. Updated over 8 years ago.

Target version:
ruby -v:
ruby 2.0.0dev (2011-12-20 trunk 34073) [x86_64-darwin11.2.0]



Exporting a key with this code:

cipher = 'AES-128-CBC'
pass_phrase = 'woo'

key_secure = key.export cipher, pass_phrase

open '', 'w' do |io|
io.write key_secure

Is not loadable:

$ ruby20 -v -ropenssl -e ' ""'
ruby 2.0.0dev (2011-12-20 trunk 34073) [x86_64-darwin11.2.0]
Enter PEM pass phrase: # I typed woo
phrase is too short, needs to be at least 4 chars


Updated by MartinBosslet (Martin Bosslet) almost 9 years ago

  • Status changed from Open to Assigned

Aah, that's bad. You can override the check for four characters by passing the password as an additional parameter (probably not what you want) or by giving a block that returns the password to
Other than that, I fear the only option to get consistent behavior here is to either require passwords to be at least four characters long everywhere, or to override OpenSSL's default PEM callback entirely and to provide our own.

The first acknowledges the four character restriction as a sort of "viral constraint", something I'd like to avoid. The second solution could be based on a call to gets or something. I'd prefer that.

What do you think?


Updated by Anonymous over 8 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

This issue was solved with changeset r36001.
Eric, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.

  • ext/openssl/ossl.c ext/openssl/ossl_pkey_rsa.c ext/openssl/ossl_pkey_dsa.c ext/openssl/ossl_pkey_ec.c: Forbid export passwords that are less than four characters long, as OpenSSL itself does not allow this. Issue found by Eric Hodel.
  • ext/openssl/ossl_pkey_ec.c: Add export as an alias of to_pem, following the PKey interface contract.
  • test/openssl/test_pkey_dsa.rb test/openssl/test_pkey_rsa.rb test/openssl/test_pkey_ec.rb: Add tests that assert correct behaviour when dealing with passwords that are less than four characters long. [ruby-core: 42281][ruby-trunk - Bug #5951]

Updated by MartinBosslet (Martin Bosslet) over 8 years ago

I couldn't find a way to generally override the OpenSSL check, so I simply enforced the same check on our side to at least guarantee consistency.

Also available in: Atom PDF