Add suppot for X25519 #117
Comments
|
X25519 won't be accessible through OpenSSL::PKey::EC because it's not implemented on top of the EC API. However we currently lack bindings for the EVP API that would be useful for X25519. See #119. |
|
+1 |
|
In the meantime, I've released an X25519 gem which provides a highly optimized X25519 implementation: https://github.com/cryptosphere/x25519 |
joshcooper
added a commit
to joshcooper/puppet
that referenced
this issue
Mar 21, 2019
Adds two settings `key_type` and `named_curve`. If the former is set to `ec` then the agent will generate an EC private key. Note this only occurs if the agent needs to generate a private key, it will have no effect if the agent has a previously saved RSA key. Puppet will use the named curve specified by `:named_curve`, which defaults to 'prime256v1'. Unfortunately ruby does not yet support X25519[1] Since the saved private key can be either RSA or EC, use the more generic `OpenSSL::PKey.read` method which returns the appropriate class of private key. [1] ruby/openssl#117
joshcooper
added a commit
to joshcooper/puppet
that referenced
this issue
Mar 22, 2019
Adds two settings `key_type` and `named_curve`. If the former is set to `ec` then the agent will generate an EC private key, but only if it doesn't have a key yet. If an agent has a previously saved RSA key, then it will have no effect. Puppet will use the named curve specified by `:named_curve`, which defaults to 'prime256v1'. Unfortunately ruby does not yet support X25519[1] Since the saved private key can be either RSA or EC, use the more generic `OpenSSL::PKey.read` method which returns the appropriate class of private key. [1] ruby/openssl#117
joshcooper
added a commit
to joshcooper/puppet
that referenced
this issue
Mar 22, 2019
Adds two settings `key_type` and `named_curve`. If the former is set to `ec` then the agent will generate an EC private key, but only if it doesn't have a key yet. If an agent has a previously saved RSA key, then it will have no effect. Puppet will use the named curve specified by `:named_curve`, which defaults to 'prime256v1'. Unfortunately ruby does not yet support X25519[1] Since the saved private key can be either RSA or EC, use the more generic `OpenSSL::PKey.read` method which returns the appropriate class of private key. [1] ruby/openssl#117
joshcooper
added a commit
to joshcooper/puppet
that referenced
this issue
Mar 22, 2019
Adds two settings `key_type` and `named_curve`. If the former is set to `ec` then the agent will generate an EC private key, but only if it doesn't have a key yet. If an agent has a previously saved RSA key, then it will have no effect. Puppet will use the named curve specified by `:named_curve`, which defaults to 'prime256v1'. Unfortunately ruby does not yet support X25519[1] Since the saved private key can be either RSA or EC, use the more generic `OpenSSL::PKey.read` method which returns the appropriate class of private key. [1] ruby/openssl#117
joshcooper
added a commit
to joshcooper/puppet
that referenced
this issue
Mar 22, 2019
Adds two settings `key_type` and `named_curve`. If the former is set to `ec` then the agent will generate an EC private key, but only if it doesn't have a key yet. If an agent has a previously saved RSA key, then it will have no effect. Puppet will use the named curve specified by `named_curve`, which defaults to 'prime256v1'. Unfortunately ruby does not yet support X25519[1] Since the saved private key can be either RSA or EC, use the more generic `OpenSSL::PKey.read` method which returns the appropriate class of private key. [1] ruby/openssl#117
joshcooper
added a commit
to joshcooper/puppet
that referenced
this issue
Apr 12, 2019
Adds two settings `key_type` and `named_curve`. If the former is set to `ec` then the agent will generate an EC private key, but only if it doesn't have a key yet. If an agent has a previously saved RSA key, then it will have no effect. Puppet will use the named curve specified by `named_curve`, which defaults to 'prime256v1'. Unfortunately ruby does not yet support X25519[1] Since the saved private key can be either RSA or EC, use the more generic `OpenSSL::PKey.read` method which returns the appropriate class of private key. Ruby modified the EC class extensively in 2.4 so that it followed the generic OpenSSL::PKey interface. To ensure compatibility across different ruby versions this commit monkey patches the `EC#private_key?` and `EC.generate` methods, but only if the methods are not defined. [1] ruby/openssl#117
joshcooper
added a commit
to joshcooper/puppet
that referenced
this issue
Apr 12, 2019
Adds two settings `key_type` and `named_curve`. If the former is set to `ec` then the agent will generate an EC private key, but only if it doesn't have a key yet. If an agent has a previously saved RSA key, then it will have no effect. Puppet will use the named curve specified by `named_curve`, which defaults to 'prime256v1'. Unfortunately ruby does not yet support X25519[1] Since the saved private key can be either RSA or EC, use the more generic `OpenSSL::PKey.read` method which returns the appropriate class of private key. Ruby modified the EC class extensively in 2.4 so that it followed the generic OpenSSL::PKey interface. To ensure compatibility across different ruby versions this commit monkey patches the `EC#private_key?` and `EC.generate` methods, but only if the methods are not defined. [1] ruby/openssl#117
joshcooper
added a commit
to joshcooper/puppet
that referenced
this issue
Apr 12, 2019
Adds two settings `key_type` and `named_curve`. If the former is set to `ec` then the agent will generate an EC private key, but only if it doesn't have a key yet. If an agent has a previously saved RSA key, then it will have no effect. Puppet will use the named curve specified by `named_curve`, which defaults to 'prime256v1'. Unfortunately ruby does not yet support X25519[1] Since the saved private key can be either RSA or EC, use the more generic `OpenSSL::PKey.read` method which returns the appropriate class of private key. Ruby modified the EC class extensively in 2.4 so that it followed the generic OpenSSL::PKey interface. To ensure compatibility across different ruby versions this commit monkey patches the `EC#private_key?` and `EC.generate` methods, but only if the methods are not defined. [1] ruby/openssl#117
joshcooper
added a commit
to joshcooper/puppet
that referenced
this issue
Apr 22, 2019
Adds two Puppet settings `key_type` and `named_curve`. If the `key_type` is set to `ec` then the agent will generate an elliptic curve (EC) private key, but only if it doesn't have a key yet. If it has a previously saved RSA key, then this commit has no effect. Puppet defaults to the elliptic curve 'prime256v1', but alternate curves may be specified using the `named_curve` setting, provided OpenSSL and ruby support it. For example, ruby does not yet support X25519[1]. The list of currently supported curves is available from `OpenSSL::PKey::EC.builtin_curves`. The `named_curve` setting only affects how EC keys are generated (and the resulting client certificate, since the public key is embedded in the cert), but not the list of supported curves in TLS[2], which are configurable via `OpenSSL::SSL::SSLContext#ecdh_curves=`. Note it is perfectly acceptable for an agent to use EC keys, while puppetserver uses RSA, provided the server supports `ECDHE_RSA` or `ECDH_RSA` key exchange. Since the saved private key can be either RSA or EC, use the more generic `OpenSSL::PKey.read` method which returns the appropriate class of private key. Ruby modified the EC class extensively in 2.4 so that it followed the generic OpenSSL::PKey interface. To ensure compatibility across different ruby versions this commit monkey patches the `EC#private_key?` and `EC.generate` methods, but only if the methods are not defined. [1] ruby/openssl#117 [2] https://tools.ietf.org/html/rfc4492#section-5.1.1
joshcooper
added a commit
to joshcooper/puppet
that referenced
this issue
Apr 23, 2019
Adds two Puppet settings `key_type` and `named_curve`. If the `key_type` is set to `ec` then the agent will generate an elliptic curve (EC) private key, but only if it doesn't have a key yet. If it has a previously saved RSA key, then this commit has no effect. Puppet defaults to the elliptic curve 'prime256v1', but alternate curves may be specified using the `named_curve` setting, provided OpenSSL and ruby support it. For example, ruby does not yet support X25519[1]. The list of currently supported curves is available from `OpenSSL::PKey::EC.builtin_curves`. The `named_curve` setting only affects how EC keys are generated (and the resulting client certificate, since the public key is embedded in the cert), but not the list of supported curves in TLS[2], which are configurable via `OpenSSL::SSL::SSLContext#ecdh_curves=`. Note it is perfectly acceptable for an agent to use EC keys, while puppetserver uses RSA, provided the server supports `ECDHE_RSA` or `ECDH_RSA` key exchange. Since the saved private key can be either RSA or EC, use the more generic `OpenSSL::PKey.read` method which returns the appropriate class of private key. However, JRuby's implementation is broken, so check for EC or fallback to RSA. Ruby modified the EC class extensively in 2.4 so that it followed the generic OpenSSL::PKey interface. To ensure compatibility across different ruby versions this commit monkey patches the `EC#private_key?` and `EC.generate` methods, but only if the methods are not defined. [1] ruby/openssl#117 [2] https://tools.ietf.org/html/rfc4492#section-5.1.1
joshcooper
added a commit
to joshcooper/puppet
that referenced
this issue
Apr 23, 2019
Adds two Puppet settings `key_type` and `named_curve`. If the `key_type` is set to `ec` then the agent will generate an elliptic curve (EC) private key, but only if it doesn't have a key yet. If it has a previously saved RSA key, then this commit has no effect. Puppet defaults to the elliptic curve 'prime256v1', but alternate curves may be specified using the `named_curve` setting, provided OpenSSL and ruby support it. For example, ruby does not yet support X25519[1]. The list of currently supported curves is available from `OpenSSL::PKey::EC.builtin_curves`. The `named_curve` setting only affects how EC keys are generated (and the resulting client certificate, since the public key is embedded in the cert), but not the list of supported curves in TLS[2], which are configurable via `OpenSSL::SSL::SSLContext#ecdh_curves=`. Note it is perfectly acceptable for an agent to use EC keys, while puppetserver uses RSA, provided the server supports `ECDHE_RSA` or `ECDH_RSA` key exchange. Since the saved private key can be either RSA or EC, use the more generic `OpenSSL::PKey.read` method which returns the appropriate class of private key. However, JRuby's implementation is broken, so check for EC or fallback to RSA. Ruby modified the EC class extensively in 2.4 so that it followed the generic OpenSSL::PKey interface. To ensure compatibility across different ruby versions this commit monkey patches the `EC#private_key?` and `EC.generate` methods, but only if the methods are not defined. [1] ruby/openssl#117 [2] https://tools.ietf.org/html/rfc4492#section-5.1.1
joshcooper
added a commit
to joshcooper/puppet
that referenced
this issue
Apr 24, 2019
Adds two Puppet settings `key_type` and `named_curve`. If the `key_type` is set to `ec` then the agent will generate an elliptic curve (EC) private key, but only if it doesn't have a key yet. If it has a previously saved RSA key, then this commit has no effect. Puppet defaults to the elliptic curve 'prime256v1', but alternate curves may be specified using the `named_curve` setting, provided OpenSSL and ruby support it. For example, ruby does not yet support X25519[1]. The list of currently supported curves is available from `OpenSSL::PKey::EC.builtin_curves`. The `named_curve` setting only affects how EC keys are generated (and the resulting client certificate, since the public key is embedded in the cert), but not the list of supported curves in TLS[2], which are configurable via `OpenSSL::SSL::SSLContext#ecdh_curves=`. Note it is perfectly acceptable for an agent to use EC keys, while puppetserver uses RSA, provided the server supports `ECDHE_RSA` or `ECDH_RSA` key exchange. Since the saved private key can be either RSA or EC, use the more generic `OpenSSL::PKey.read` method which returns the appropriate class of private key. However, JRuby's implementation is broken, so check for EC or fallback to RSA. Ruby modified the EC class extensively in 2.4 so that it followed the generic OpenSSL::PKey interface. To ensure compatibility across different ruby versions this commit monkey patches the `EC#private_key?` and `EC.generate` methods, but only if the methods are not defined. [1] ruby/openssl#117 [2] https://tools.ietf.org/html/rfc4492#section-5.1.1
joshcooper
added a commit
to joshcooper/puppet
that referenced
this issue
Apr 24, 2019
Adds two Puppet settings `key_type` and `named_curve`. If the `key_type` is set to `ec` then the agent will generate an elliptic curve (EC) private key, but only if it doesn't have a key yet. If it has a previously saved RSA key, then this commit has no effect. Puppet defaults to the elliptic curve 'prime256v1', but alternate curves may be specified using the `named_curve` setting, provided OpenSSL and ruby support it. For example, ruby does not yet support X25519[1]. The list of currently supported curves is available from `OpenSSL::PKey::EC.builtin_curves`. The `named_curve` setting only affects how EC keys are generated (and the resulting client certificate, since the public key is embedded in the cert), but not the list of supported curves in TLS[2], which are configurable via `OpenSSL::SSL::SSLContext#ecdh_curves=`. Note it is perfectly acceptable for an agent to use EC keys, while puppetserver uses RSA, provided the server supports `ECDHE_RSA` or `ECDH_RSA` key exchange. Since the saved private key can be either RSA or EC, use the more generic `OpenSSL::PKey.read` method which returns the appropriate class of private key. However, JRuby's implementation is broken, so check for EC or fallback to RSA. Ruby modified the EC class extensively in 2.4 so that it followed the generic OpenSSL::PKey interface. To ensure compatibility across different ruby versions this commit monkey patches the `EC#private_key?` and `EC.generate` methods, but only if the methods are not defined. [1] ruby/openssl#117 [2] https://tools.ietf.org/html/rfc4492#section-5.1.1
joshcooper
added a commit
to joshcooper/puppet
that referenced
this issue
Apr 24, 2019
Adds two Puppet settings `key_type` and `named_curve`. If the `key_type` is set to `ec` then the agent will generate an elliptic curve (EC) private key, but only if it doesn't have a key yet. If it has a previously saved RSA key, then this commit has no effect. Puppet defaults to the elliptic curve 'prime256v1', but alternate curves may be specified using the `named_curve` setting, provided OpenSSL and ruby support it. For example, ruby does not yet support X25519[1]. The list of currently supported curves is available from `OpenSSL::PKey::EC.builtin_curves`. The `named_curve` setting only affects how EC keys are generated (and the resulting client certificate, since the public key is embedded in the cert), but not the list of supported curves in TLS[2], which are configurable via `OpenSSL::SSL::SSLContext#ecdh_curves=`. Note it is perfectly acceptable for an agent to use EC keys, while puppetserver uses RSA, provided the server supports `ECDHE_RSA` or `ECDH_RSA` key exchange. Since the saved private key can be either RSA or EC, use the more generic `OpenSSL::PKey.read` method which returns the appropriate class of private key. However, JRuby's implementation is broken, so check for EC or fallback to RSA. Ruby modified the EC class extensively in 2.4 so that it followed the generic OpenSSL::PKey interface. To ensure compatibility across different ruby versions this commit monkey patches the `EC#private_key?` and `EC.generate` methods, but only if the methods are not defined. [1] ruby/openssl#117 [2] https://tools.ietf.org/html/rfc4492#section-5.1.1
joshcooper
added a commit
to joshcooper/puppet
that referenced
this issue
Apr 24, 2019
Adds two Puppet settings `key_type` and `named_curve`. If the `key_type` is set to `ec` then the agent will generate an elliptic curve (EC) private key, but only if it doesn't have a key yet. If it has a previously saved RSA key, then this commit has no effect. Puppet defaults to the elliptic curve 'prime256v1', but alternate curves may be specified using the `named_curve` setting, provided OpenSSL and ruby support it. For example, ruby does not yet support X25519[1]. The list of currently supported curves is available from `OpenSSL::PKey::EC.builtin_curves`. The `named_curve` setting only affects how EC keys are generated (and the resulting client certificate, since the public key is embedded in the cert), but not the list of supported curves in TLS[2], which are configurable via `OpenSSL::SSL::SSLContext#ecdh_curves=`. Note it is perfectly acceptable for an agent to use EC keys, while puppetserver uses RSA, provided the server supports `ECDHE_RSA` or `ECDH_RSA` key exchange. Since the saved private key can be either RSA or EC, use the more generic `OpenSSL::PKey.read` method which returns the appropriate class of private key. However, JRuby's implementation is broken, so check for EC or fallback to RSA. Ruby modified the EC class extensively in 2.4 so that it followed the generic OpenSSL::PKey interface. To ensure compatibility across different ruby versions this commit monkey patches the `EC#private_key?` and `EC.generate` methods, but only if the methods are not defined. [1] ruby/openssl#117 [2] https://tools.ietf.org/html/rfc4492#section-5.1.1
joshcooper
added a commit
to joshcooper/puppet
that referenced
this issue
May 1, 2019
Adds two Puppet settings `key_type` and `named_curve`. If the `key_type` is set to `ec` then the agent will generate an elliptic curve (EC) private key, but only if it doesn't have a key yet. If it has a previously saved RSA key, then this commit has no effect. Puppet defaults to the elliptic curve 'prime256v1', but alternate curves may be specified using the `named_curve` setting, provided OpenSSL and ruby support it. For example, ruby does not yet support X25519[1]. The list of currently supported curves is available from `OpenSSL::PKey::EC.builtin_curves`. The `named_curve` setting only affects how EC keys are generated (and the resulting client certificate, since the public key is embedded in the cert), but not the list of supported curves in TLS[2], which are configurable via `OpenSSL::SSL::SSLContext#ecdh_curves=`. Note it is perfectly acceptable for an agent to use EC keys, while puppetserver uses RSA, provided the server supports `ECDHE_RSA` or `ECDH_RSA` key exchange. Since the saved private key can be either RSA or EC, use the more generic `OpenSSL::PKey.read` method which returns the appropriate class of private key. However, JRuby's implementation is broken, so check for EC or fallback to RSA. Ruby modified the EC class extensively in 2.4 so that it followed the generic OpenSSL::PKey interface. To ensure compatibility across different ruby versions this commit monkey patches the `EC#private_key?` and `EC.generate` methods, but only if the methods are not defined. It also monkey patches ruby 2.3 so `OpenSSL::PKey.read` raises `OpenSSL::PKey::KeyError` if the wrong passphrase is given when trying to decrypt a passphrase protected private key[3]. [1] ruby/openssl#117 [2] https://tools.ietf.org/html/rfc4492#section-5.1.1 [3] https://bugs.ruby-lang.org/issues/11774
|
@tarcieri do you know where we got with this? |
|
Nope |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
and others
OpenSSL 1.1 add support for X25519 Eliptic Curve Cryptography. Current release of ruby-openssl gem (v2.0.3) do not seems to support it through PKey::EC
Could/will X25519 support be added to release 2.1 ?
The text was updated successfully, but these errors were encountered: