-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DiffieHellman/ECDH Generates invalid keypairs #14628
Comments
/cc @nodejs/crypto (also edited the OP to add syntax highlighting) |
Let me confirm that in your sample code you created a DH public and private key pair and tried to use them in
|
This seems like a wrong expectation to me. The documentation is clear that I'll close this out. |
FWIW I have to do the same thing in my I think that is what the OP is requesting, to be able to pass in an RSA, etc. key without the PEM formatting (just binary). That is a valid feature request to me IMHO. |
@mgwhitfield Is ^ what you are requesting? |
I'm going to close this out again since OP didn't follow up. @mscdex If you think this is a worthwhile feature, can you open a new issue with a better description? |
Currently, |
Though the heuristics to detect DER are pretty robust, IIRC its 2 fixed bytes at the beginning for a constructed sequence, then a couple bytes for a length that has to match the buffer length, so hard to confuse with PEM. |
Yeah, but a DER-encoded value can be one of several things: a public or private RSA, DSA or EC key (maybe more) in PKCS#1, PKCS#8 or PKCS#12 format (again, maybe more.) I know my crypto standards pretty well and I still wouldn't want to vouch you can parse them unambiguously. |
Yes, if its not just PEM vs DER, its more than a quick check. I implemented all three of those PKCS standards for all three of those key types and I'm pretty sure my CLI detected them just fine, but I had a BER decoder API so I could peek into the structure for OIDs and element counts, it might be hard without that. I've added it to my (exceedingly deep) list of things to try, running code being the most convincing. |
Error is thrown:
error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
User Experience Log:
A user should not have to manually wrap the generated keys in the proper "PEM" format since PEM is very precious about spaces. Without wanting to be pejorative, that sucks. The fact that this code example still doesn't work after the fact also sucks.
Suggestion:
Remove/deprecate this API or fix it or provide clearer examples to perform this common functionality.
Workaround:
Utilize
openssl
executable as a child proc to generate keys instead.The text was updated successfully, but these errors were encountered: