pkey: restore support for decoding "openssl ecparam -genkey" output #540
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fix potential error queue leak.
Scan through the input for a private key, then fallback to generic decoder. OpenSSL 3.0's OSSL_DECODER supports encoded key parameters. The PEM header "-----BEGIN EC PARAMETERS-----" is used by one of such encoding formats. While this is useful for OpenSSL::PKey::PKey, an edge case has been discovered. The openssl CLI command line "openssl ecparam -genkey" prints two PEM blocks in a row, one for EC parameters and another for the private key. Feeding the whole output into OSSL_DECODER results in only the first PEM block, the key parameters, being decoded. Previously, ruby/openssl did not support decoding key parameters and it would decode the private key PEM block instead. While the new behavior is technically correct, "openssl ecparam -genkey" is so widely used that ruby/openssl does not want to break existing applications. Fixes ruby#535
|
@rhenium Thanks! Do you have an idea around when this (and the other OpenSSL 3.0 related fixes) would be released? Does this gem see separate releases from Ruby or would it be waiting for the next Ruby (patch) release? |
|
I plan to publish it on rubygems.org today. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Scan through the input for a private key, then fallback to generic
decoder.
OpenSSL 3.0's OSSL_DECODER supports encoded key parameters. The PEM
header "-----BEGIN EC PARAMETERS-----" is used by one of such encoding
formats. While this is useful for OpenSSL::PKey::PKey, an edge case has
been discovered.
The openssl CLI command line "openssl ecparam -genkey" prints two PEM
blocks in a row, one for EC parameters and another for the private key.
Feeding the whole output into OSSL_DECODER results in only the first PEM
block, the key parameters, being decoded. Previously, ruby/openssl did
not support decoding key parameters and it would decode the private key
PEM block instead.
While the new behavior is technically correct, "openssl ecparam -genkey"
is so widely used that ruby/openssl does not want to break existing
applications.
Fixes #535