Allow PKCS8 EC private keys to be loaded #61
Conversation
|
Tests do not work anymore with current logstash version because of #51. |
|
@tsaarni please rebase this to |
tsaarni
force-pushed
the
ec-private-key-fix
branch
from
a21ee96 to
a6818d8
Compare
Done! |
| @@ -238,7 +238,7 @@ def setup_ssl | |||
| require "openssl" | |||
| ssl_context = OpenSSL::SSL::SSLContext.new | |||
| ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(@ssl_cert)) | |||
| ssl_context.key = OpenSSL::PKey::RSA.new(File.read(@ssl_key),@ssl_key_passphrase) | |||
| ssl_context.key = OpenSSL::PKey::read(File.read(@ssl_key),@ssl_key_passphrase) | |||
There was a problem hiding this comment.
Yes absolutely, let's do that.
There was a problem hiding this comment.
The diff looks bit confusing, but this is what was done:
I added RSA and EC test but at the same time I needed to remove test for invalid client private key, which was previously added in TLS tests. I now realized that OpenSSL::PKey::read() does not raise error when given invalid PEM file, unlike OpenSSL::PKey::RSA.new did. Instead, it returns instance of OpenSSL::PKey::RSA even though invalid.pem clearly is not an RSA key.
When I fixed support for EC pkey to PKey::read() in jruby-openssl, I did not check this. Maybe it lacks negative checks.
There was a problem hiding this comment.
I think that it worthwhile to open an issue in https://github.com/jruby/jruby-openssl repository, accepting silently an improper file is misleading.
There was a problem hiding this comment.
Maybe the difference is that the read method instantiate the RSA key
https://github.com/jruby/jruby-openssl/blob/19135259f121f9c9e95ee7f0b4c830f9267680e0/src/main/java/org/jruby/ext/openssl/PKey.java#L124
instead of the initiliaze method
https://github.com/jruby/jruby-openssl/blob/19135259f121f9c9e95ee7f0b4c830f9267680e0/src/main/java/org/jruby/ext/openssl/PKeyRSA.java#L223
There was a problem hiding this comment.
In my test case I used input that does not even have valid PEM block inside, so I would have expected that even PEM block parsing should fail here https://github.com/jruby/jruby-openssl/blob/19135259f121f9c9e95ee7f0b4c830f9267680e0/src/main/java/org/jruby/ext/openssl/PKey.java#L117 ->
https://github.com/jruby/jruby-openssl/blob/19135259f121f9c9e95ee7f0b4c830f9267680e0/src/main/java/org/jruby/ext/openssl/x509store/PEMInputOutput.java#L317
Requires some additional debugging on jruby-openssl to find out what is going on there...
I've created new issue jruby/jruby-openssl#285. I added also the CA case which I noticed earlier.
There was a problem hiding this comment.
Oks, let's see what they answer and then I'll merge this.
Signed-off-by: Tero Saarni <[email protected]>
tsaarni
force-pushed
the
ec-private-key-fix
branch
from
7f420eb to
7380004
Compare
This change makes it possible to use EC (elliptic curve) private keys as client credentials.
Depends on jruby/jruby-openssl#267. Without that fix being applied, this change has no effect.This is now released.Part of elastic/logstash#15236