Bug #5951

closed

Exported RSA keys allow pass phrases that are too short

Added by drbrain (Eric Hodel) about 12 years ago. Updated almost 12 years ago.

Status:
Closed
Target version:
-
ruby -v:
ruby 2.0.0dev (2011-12-20 trunk 34073) [x86_64-darwin11.2.0]
Backport:
[ruby-core:42281]

Description

=begin

Exporting a key with this code:

require 'openssl'

key = OpenSSL::PKey::RSA.new 2048   # any RSA private key
cipher = OpenSSL::Cipher::Cipher.new 'AES-128-CBC'
pass_phrase = 'woo'                 # three characters, one fewer than the PEM prompt accepts

key_secure = key.export cipher, pass_phrase

open 'private.secure.pem', 'w' do |io|
  io.write key_secure
end

Is not loadable:

$ ruby20 -v -ropenssl -e 'OpenSSL::PKey::RSA.new File.read "private.secure.pem"'
ruby 2.0.0dev (2011-12-20 trunk 34073) [x86_64-darwin11.2.0]
Enter PEM pass phrase: # I typed woo
phrase is too short, needs to be at least 4 chars

=end

Updated by MartinBosslet (Martin Bosslet) about 12 years ago

  • Status changed from Open to Assigned

Aah, that's bad. You can override the check for four characters by passing the password as an additional parameter (probably not what you want) or by giving a block that returns the password to PKey.new.
Other than that, I fear the only option to get consistent behavior here is to either require passwords to be at least four characters long everywhere, or to override OpenSSL's default PEM callback entirely and to provide our own.

The first acknowledges the four character restriction as a sort of "viral constraint", something I'd like to avoid. The second solution could be based on a call to gets or something. I'd prefer that.

What do you think?

#2

Updated by Anonymous almost 12 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

This issue was solved with changeset r36001.
Eric, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.


  • ext/openssl/ossl.c
    ext/openssl/ossl_pkey_rsa.c
    ext/openssl/ossl_pkey_dsa.c
    ext/openssl/ossl_pkey_ec.c: Forbid export passwords that are less
    than four characters long, as OpenSSL itself does not allow this.
    Issue found by Eric Hodel.
  • ext/openssl/ossl_pkey_ec.c: Add export as an alias of to_pem,
    following the PKey interface contract.
  • test/openssl/test_pkey_dsa.rb
    test/openssl/test_pkey_rsa.rb
    test/openssl/test_pkey_ec.rb: Add tests that assert correct
    behaviour when dealing with passwords that are less than four
    characters long.
    [ruby-core: 42281][ruby-trunk - Bug #5951]

Updated by MartinBosslet (Martin Bosslet) almost 12 years ago

I couldn't find a way to generally override the OpenSSL check, so I simply enforced the same check on our side to at least guarantee consistency.
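The following is an added example, not code from the issue or from the r36001 changeset. It shows the export-side length check Martin describes (the same four-character minimum OpenSSL's default PEM prompt enforces) and the two non-interactive ways to load the encrypted key that his first comment mentions: passing the pass phrase as an argument, or supplying a block. The constant name MIN_PASS_PHRASE_LENGTH and all method names are my own, and the code assumes a Ruby with the openssl extension available.

```ruby
require 'openssl'

# Minimum pass phrase length OpenSSL's default PEM prompt accepts, and the
# length the export side enforces after r36001. (Constant name is assumed.)
MIN_PASS_PHRASE_LENGTH = 4

# Export +key+ encrypted with +cipher_name+ under +pass_phrase+, refusing up
# front any pass phrase the interactive PEM prompt would later reject.
def export_encrypted(key, pass_phrase, cipher_name = 'AES-128-CBC')
  if pass_phrase.bytesize < MIN_PASS_PHRASE_LENGTH
    raise ArgumentError,
          "pass phrase must be at least #{MIN_PASS_PHRASE_LENGTH} bytes"
  end
  key.export(OpenSSL::Cipher.new(cipher_name), pass_phrase)
end

# Decrypt by passing the pass phrase as the second argument; no prompt appears.
def load_with_pass_phrase(pem, pass_phrase)
  OpenSSL::PKey::RSA.new(pem, pass_phrase)
end

# Decrypt by supplying a block; the block is called in place of the prompt.
def load_with_block(pem, &block)
  OpenSSL::PKey::RSA.new(pem, &block)
end

# True when export_encrypted refuses +pass_phrase+ for being too short.
def pass_phrase_rejected?(key, pass_phrase)
  export_encrypted(key, pass_phrase)
  false
rescue ArgumentError
  true
end

# True when decrypting +pem+ with the wrong pass phrase raises, as it should.
def wrong_pass_phrase_fails?(pem, wrong)
  OpenSSL::PKey::RSA.new(pem, wrong)
  false
rescue OpenSSL::OpenSSLError
  true
end

# Export, reload both ways, and report whether the key survived the round trip.
def round_trip(key, pass_phrase)
  pem = export_encrypted(key, pass_phrase)
  by_arg = load_with_pass_phrase(pem, pass_phrase)
  by_block = load_with_block(pem) { pass_phrase }
  {
    encrypted: pem.include?('ENCRYPTED'),   # PEM carries the ENCRYPTED marker
    same_key: by_arg.to_der == key.to_der && by_block.to_der == key.to_der,
    pem: pem
  }
end

if __FILE__ == $0
  key = OpenSSL::PKey::RSA.new(2048)           # constructed sample key
  puts "'woo' rejected on export: #{pass_phrase_rejected?(key, 'woo')}"
  result = round_trip(key, 'correct horse battery')
  puts "encrypted: #{result[:encrypted]}, round-tripped: #{result[:same_key]}"
  puts "wrong pass phrase fails: #{wrong_pass_phrase_fails?(result[:pem], 'nope nope')}"
end
```

The check in export_encrypted is the Ruby-level equivalent of what r36001 adds in ext/openssl: a three-character pass phrase such as 'woo' is refused at export time instead of producing a file that the default prompt can never decrypt. Loading with an argument or a block never reaches that prompt, which is why those paths work for any pass phrase the file was actually encrypted with.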
