Exported RSA keys allow pass phrases that are too short
Exporting a key with this code:
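require 'openssl'
key = OpenSSL::PKey::RSA.new 2048 # key size assumed; the report does not show how key was created
cipher = OpenSSL::Cipher::Cipher.new 'AES-128-CBC'
pass_phrase = 'woo'
key_secure = key.export cipher, pass_phrase
open 'private.secure.pem', 'w' do |io|
  io.write key_secure # write the encrypted PEM to disk
end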
Is not loadable:
$ ruby20 -v -ropenssl -e 'OpenSSL::PKey::RSA.new File.read "private.secure.pem"'
ruby 2.0.0dev (2011-12-20 trunk 34073) [x86_64-darwin11.2.0]
Enter PEM pass phrase: # I typed woo
phrase is too short, needs to be at least 4 chars
Updated by MartinBosslet (Martin Bosslet) about 8 years ago
- Status changed from Open to Assigned
Aah, that's bad. You can override the check for four characters by passing the password as an additional parameter (probably not what you want) or by giving a block that returns the password to PKey.new.
Other than that, I fear the only option to get consistent behavior here is to either require passwords to be at least four characters long everywhere, or to override OpenSSL's default PEM callback entirely and to provide our own.
The first acknowledges the four character restriction as a sort of "viral constraint", something I'd like to avoid. The second solution could be based on a call to gets or something. I'd prefer that.
What do you think?
Updated by Anonymous almost 8 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
This issue was solved with changeset r36001.
Eric, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.
- ext/openssl/ossl.c ext/openssl/ossl_pkey_rsa.c ext/openssl/ossl_pkey_dsa.c ext/openssl/ossl_pkey_ec.c: Forbid export passwords that are less than four characters long, as OpenSSL itself does not allow this. Issue found by Eric Hodel.
- ext/openssl/ossl_pkey_ec.c: Add export as an alias of to_pem, following the PKey interface contract.
- test/openssl/test_pkey_dsa.rb test/openssl/test_pkey_rsa.rb test/openssl/test_pkey_ec.rb: Add tests that assert correct behaviour when dealing with passwords that are less than four characters long. [ruby-core: 42281][ruby-trunk - Bug #5951]
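An added example, not code from this issue or from the Ruby changeset: a caller-side guard that applies the four-character minimum before exporting, then reloads the PEM with the pass phrase passed as the additional parameter mentioned above, so loading never reaches the interactive prompt. The helper names and the constant `MIN_PASS_BYTES` are hypothetical.

```ruby
require 'openssl'

# The minimum the issue reports OpenSSL's PEM prompt enforcing (hypothetical constant name).
MIN_PASS_BYTES = 4

# Hypothetical helper: reject pass phrases the default PEM prompt would refuse,
# then confirm the encrypted PEM can actually be read back.
def export_checked(key, pass_phrase, cipher_name = 'aes-128-cbc')
  if pass_phrase.bytesize < MIN_PASS_BYTES
    raise ArgumentError, "pass phrase must be at least #{MIN_PASS_BYTES} bytes"
  end
  pem = key.export(OpenSSL::Cipher.new(cipher_name), pass_phrase)
  # Pass the pass phrase explicitly so loading does not fall back to the terminal prompt.
  reloaded = OpenSSL::PKey::RSA.new(pem, pass_phrase)
  raise 'round trip mismatch' unless reloaded.to_der == key.to_der
  pem
end

# True when the PEM decrypts and parses with the given pass phrase.
def loadable?(pem, pass_phrase)
  OpenSSL::PKey::RSA.new(pem, pass_phrase)
  true
rescue OpenSSL::OpenSSLError
  false
end

# True when the guard refuses the three-character pass phrase from the report.
def short_pass_rejected?(key)
  export_checked(key, 'woo')
  false
rescue ArgumentError
  true
end
```

Because the guard runs before `export`, the outcome is the same whether or not the installed OpenSSL binding enforces the minimum itself.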