Bug #8177

closed

ext/openssl/pkcs7 signing fails with EC keys

Added by Jacob640 (Joseph Coyle) about 11 years ago. Updated over 7 years ago.

Status: Closed
Assignee: -
Target version: -
ruby -v: ruby 2.1.0dev (2013-03-27 trunk 39950) [x86_64-darwin11.4.2]
Backport:
[ruby-core:53776]

Description

ext/openssl/pkcs7 signing fails with EC keys. This happens because EC keys do not respond to the key.private? method, which is used to check that the key is a private key. Aliasing the instance method OpenSSL::PKey::EC.private_key? as OpenSSL::PKey::EC.private? fixes this problem and allows EC keys to be used for EC key signing.

This problem is demonstrated at https://gist.github.com/Jacob640/5239454

One potential fix which makes the key interface more consistent is here: https://github.com/ruby/ruby/pull/265

This request also improves the EC public key interface by producing a warning if the public key is set before setting an EC group as required.


Files

265.patch (1.87 KB), zzak (zzak _), 04/05/2013 11:51 AM

Related issues 1 (0 open, 1 closed)

Related to Ruby master - Bug #6567: Let OpenSSL::PKey::EC follow the general PKey interface (Closed)

Updated by MartinBosslet (Martin Bosslet) about 11 years ago

  • Category set to ext
  • Status changed from Open to Assigned
  • Assignee set to MartinBosslet (Martin Bosslet)

Hi Joseph,

thanks for your analysis! You are right, there are several inconsistencies when comparing EC's implementation to the PKey interface as it is implemented in RSA or DSA. I actually opened #6567 some time ago, collecting several of these inconsistencies. Fixing them completely will take some refactoring, but I'll certainly consider your pull request for that - thanks a lot for your work!

Please feel free to skim through the issues I opened myself, I'd appreciate your input!

Updated by Jacob640 (Joseph Coyle) about 11 years ago

Hi Martin,

It's only a one liner aliasing public_key? to public? but I did it partly to check that nothing disastrous happened if that change were made.

RE: the PKey interface, I agree that the present situation does seem problematic. Looking at the issues you have collected there, it definitely seems like there are a lot of inconsistencies. One particular area I've experienced is the public key interface: several methods assume that a public key will have the same class as private keys. I particularly encountered this when writing a unit test for pkcs7 signing with EC keys after applying the patch above.

The current pkcs7 unit tests dynamically construct x509 certificates from precomputed keys, feeding the keys and desired attributes to a create_cert utility function in test/openssl/utils.rb. However, substituting in an EC key for an RSA/DSA key does not work because the function expects the response to key.public_key to conform to the PKey specification. Particularly, it expects that the output of key.public_key can be used as a valid argument to key.public_key=, which is not true in the case of EC keys. In order to create a working test, the most expedient solution was to add an explicit test to the certificate issuing function.

This had the effect of changing this simple statement:
cert.public_key = key.public_key

To this:
...

# EC keys need special handling
case key.is_a?(OpenSSL::PKey::EC)
when true
    ec_pub_key = OpenSSL::PKey::EC.new(key.group)
    ec_pub_key.public_key = key.public_key
    cert.public_key = ec_pub_key
else
    cert.public_key = key.public_key
end

end

A branch containing a prototype test and the required alterations in the test utility function are available here: https://github.com/Jacob640/ruby/commit/afc1582a0000a021f4ee24d3cd3520f010f7f666

One aspect of the above code that particularly grates is the requirement for EC group parameter to be set before the public key info can be set.

Updated by hsbt (Hiroshi SHIBATA) about 10 years ago

  • Target version changed from 2.1.0 to 2.2.0

Updated by davispuh (Dāvis Mosāns) about 10 years ago

I'm still encountering a similar issue with ruby 2.1.1p76 when using OpenSSL::PKey::EC#sign. Will it be fixed only in 2.2?

Using the following monkey-patch it does work.

class OpenSSL::PKey::EC
  def private?
    private_key?
  end
end

Updated by zzak (zzak _) over 8 years ago

  • Assignee changed from MartinBosslet (Martin Bosslet) to 7150

Updated by rhenium (Kazuki Yamaguchi) over 7 years ago

  • Status changed from Assigned to Closed

r55098 added OpenSSL::PKey::EC#private?. So it should work now!
