Allow PKCS8 EC private keys to be loaded

Signed-off-by: Tero Saarni <[email protected]>
logstash-plugins · Sep 14, 2023 · 7380004 · 7380004
1 parent f2cdc0b
commit 7380004
Show file tree

Hide file tree

Showing 6 changed files with 44 additions and 9 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,7 @@
   - Added support for RFC5424 structured data [#67](https://github.com/logstash-plugins/logstash-output-syslog/pull/67)
   - The SNI (Server Name Indication) extension is now used when connecting to syslog server with TLS and `host` is set to FQDN (Fully Qualified Domain Name) [#66](https://github.com/logstash-plugins/logstash-output-syslog/pull/66)
   - Add support for CRL to check for the server certificate is revocation status [#62](https://github.com/logstash-plugins/logstash-output-syslog/pull/62)
+  - Support loading of PKCS8 EC private keys [#61](https://github.com/logstash-plugins/logstash-output-syslog/pull/61)
 
 ## 3.0.5
   - Docs: Set the default_codec doc attribute.

diff --git a/lib/logstash/outputs/syslog.rb b/lib/logstash/outputs/syslog.rb
@@ -246,7 +246,7 @@ def setup_ssl
     require "openssl"
     ssl_context = OpenSSL::SSL::SSLContext.new
     ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(@ssl_cert))
-    ssl_context.key = OpenSSL::PKey::RSA.new(File.read(@ssl_key),@ssl_key_passphrase)
+    ssl_context.key = OpenSSL::PKey::read(File.read(@ssl_key),@ssl_key_passphrase)
     if @ssl_verify
       cert_store = OpenSSL::X509::Store.new
       # Load the system default certificate path to the store

diff --git a/spec/fixtures/certs.yaml b/spec/fixtures/certs.yaml
@@ -32,3 +32,6 @@ subject: cn=client
 issuer: cn=ca
 key_type: RSA
 ---
+subject: cn=client-ec
+issuer: cn=ca
+key_type: EC
diff --git a/spec/fixtures/client-ec-key.pem b/spec/fixtures/client-ec-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg6P7i1NqXVKChh8dR
+pqHcCSwlxDjKoaDBGiYzWHgy5vqhRANCAAQSX1YGFCuXL7f5Utp5X45+h7ixghyQ
+vhYfT4gY6M31DAUaf59DENYUZ36k4IYrWP6lU/ChBH0Mlntjb1TCD+Tw
+-----END PRIVATE KEY-----
diff --git a/spec/fixtures/client-ec.pem b/spec/fixtures/client-ec.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIICCjCB86ADAgECAggXhLgPAPW4dzANBgkqhkiG9w0BAQsFADANMQswCQYDVQQD
+EwJjYTAeFw0yMzA5MTQwODU1MzRaFw0yNDA5MTMwODU1MzRaMBQxEjAQBgNVBAMT
+CWNsaWVudC1lYzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBJfVgYUK5cvt/lS
+2nlfjn6HuLGCHJC+Fh9PiBjozfUMBRp/n0MQ1hRnfqTghitY/qVT8KEEfQyWe2Nv
+VMIP5PCjMzAxMA4GA1UdDwEB/wQEAwIFoDAfBgNVHSMEGDAWgBRNukfgtxJMkwu7
+XMvQ8ETWqi5BVTANBgkqhkiG9w0BAQsFAAOCAQEAP+HsEKYA2d6kCAH/JJSpxMnP
+gwMfjDkmV1bMguYSoOv8fbD17WqpyRojhi+THInP6ggXhJW0Zbz6UNy2GHXtO4+o
+OGLKI2FMUnaLRDMF4NL//FcC1unRQxyw8HQ2oMPNtWVEoo8KURLe0IW2q9/afT89
+59RAZYxizFKSWcoIQGeCoyWzVIa/E+MB4cFKgpTF3zkxr6uWJvXYYwkVtzknsGvW
+v0c2h2Ck//kuQatJSZQpbMaYMEE2480VnwskiOTu1ltxrmcQxz5P0g1zcjEnKQAm
+kB3ENdewzHIq8yaybbf+a/WCsNyyEjKPOsSWeElk77v719B24x1HqkV8FW/eRA==
+-----END CERTIFICATE-----
diff --git a/spec/outputs/syslog_tls_spec.rb b/spec/outputs/syslog_tls_spec.rb
@@ -109,29 +109,42 @@
   context "read PEM" do
     let(:options) { { "host" => "localhost", "port" => port, "protocol" => "ssl-tcp", "ssl_verify" => true } }
 
-    context "invalid client certificate" do
+    context "RSA certificate and private key" do
       let(:options ) { super().merge(
-        "ssl_cert" => File.join(FIXTURES_PATH, "invalid.pem"),
+        "ssl_cert" => File.join(FIXTURES_PATH, "client.pem"),
         "ssl_key" => File.join(FIXTURES_PATH, "client-key.pem"),
         "ssl_cacert" => File.join(FIXTURES_PATH, "ca.pem"),
         "ssl_crl"  => File.join(FIXTURES_PATH, "ca-crl.pem")
       ) }
 
-      it "register raises error" do
-        expect { subject.register }.to raise_error(OpenSSL::X509::CertificateError, /malformed PEM data/)
+      it "register succeeds" do
+        expect { subject.register }.not_to raise_error
       end
     end
 
-    context "invalid client private key" do
+    context "EC certificate and private key" do
       let(:options ) { super().merge(
-        "ssl_cert" => File.join(FIXTURES_PATH, "client.pem"),
-        "ssl_key" => File.join(FIXTURES_PATH, "invalid.pem"),
+        "ssl_cert" => File.join(FIXTURES_PATH, "client-ec.pem"),
+        "ssl_key" => File.join(FIXTURES_PATH, "client-ec-key.pem"),
+        "ssl_cacert" => File.join(FIXTURES_PATH, "ca.pem"),
+        "ssl_crl"  => File.join(FIXTURES_PATH, "ca-crl.pem")
+      ) }
+
+      it "register succeeds" do
+        expect { subject.register }.not_to raise_error
+      end
+    end
+
+    context "invalid client certificate" do
+      let(:options ) { super().merge(
+        "ssl_cert" => File.join(FIXTURES_PATH, "invalid.pem"),
+        "ssl_key" => File.join(FIXTURES_PATH, "client-key.pem"),
         "ssl_cacert" => File.join(FIXTURES_PATH, "ca.pem"),
         "ssl_crl"  => File.join(FIXTURES_PATH, "ca-crl.pem")
       ) }
 
       it "register raises error" do
-        expect { subject.register }.to raise_error(OpenSSL::PKey::RSAError, /Neither PUB key nor PRIV key/)
+        expect { subject.register }.to raise_error(OpenSSL::X509::CertificateError, /malformed PEM data/)
       end
     end