diff options
| author | Kazuki Yamaguchi <k@rhe.jp> | 2022-09-02 22:40:54 +0900 |
|---|---|---|
| committer | Kazuki Yamaguchi <k@rhe.jp> | 2022-10-17 16:35:35 +0900 |
| commit | 0677b2fb87fa4bdff64e650e5df0fd7bf684bd2e (patch) | |
| tree | c4a81b156dcc58fd47b4ef02e35c95adb8d290a9 /test/openssl | |
| parent | 4fb2845c7b71d94f01a224020e4eb91c99f99d66 (diff) | |
| download | ruby-0677b2fb87fa4bdff64e650e5df0fd7bf684bd2e.tar.gz | |
[ruby/openssl] pkey: restore support for decoding "openssl ecparam -genkey" output
Scan through the input for a private key, then fallback to generic
decoder.
OpenSSL 3.0's OSSL_DECODER supports encoded key parameters. The PEM
header "-----BEGIN EC PARAMETERS-----" is used by one of such encoding
formats. While this is useful for OpenSSL::PKey::PKey, an edge case has
been discovered.
The openssl CLI command line "openssl ecparam -genkey" prints two PEM
blocks in a row, one for EC parameters and another for the private key.
Feeding the whole output into OSSL_DECODER results in only the first PEM
block, the key parameters, being decoded. Previously, ruby/openssl did
not support decoding key parameters and it would decode the private key
PEM block instead.
While the new behavior is technically correct, "openssl ecparam -genkey"
is so widely used that ruby/openssl does not want to break existing
applications.
Fixes https://github.com/ruby/openssl/pull/535
https://github.com/ruby/openssl/commit/d486c82833
Diffstat (limited to 'test/openssl')
| -rw-r--r-- | test/openssl/test_pkey_ec.rb | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/test/openssl/test_pkey_ec.rb b/test/openssl/test_pkey_ec.rb index ffe5a94e5b..23c6c4d421 100644 --- a/test/openssl/test_pkey_ec.rb +++ b/test/openssl/test_pkey_ec.rb @@ -199,6 +199,29 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase assert_equal pem, p256.export end + def test_ECPrivateKey_with_parameters + p256 = Fixtures.pkey("p256") + + # The format used by "openssl ecparam -name prime256v1 -genkey -outform PEM" + # + # "EC PARAMETERS" block should be ignored if it is followed by an + # "EC PRIVATE KEY" block + in_pem = <<~EOF + -----BEGIN EC PARAMETERS----- + BggqhkjOPQMBBw== + -----END EC PARAMETERS----- + -----BEGIN EC PRIVATE KEY----- + MHcCAQEEIID49FDqcf1O1eO8saTgG70UbXQw9Fqwseliit2aWhH1oAoGCCqGSM49 + AwEHoUQDQgAEFglk2c+oVUIKQ64eZG9bhLNPWB7lSZ/ArK41eGy5wAzU/0G51Xtt + CeBUl+MahZtn9fO1JKdF4qJmS39dXnpENg== + -----END EC PRIVATE KEY----- + EOF + + key = OpenSSL::PKey::EC.new(in_pem) + assert_same_ec p256, key + assert_equal p256.to_der, key.to_der + end + def test_ECPrivateKey_encrypted p256 = Fixtures.pkey("p256") # key = abcdef |