Finalize private key deserialization/serialization #224
Comments
|
Regarding OpenSSL support: According to openssl/openssl@8fc06e8, the default for OpenSSL's pkcs8 command was changed to AES-256-CBC and PBKDF2-SHA-256 very recently. Previously, the defaults were "DES and MD5" (not even 3DES, but original DES) and PBKDF2-HMAC-SHA1. The Support for the ECC support was added a while back, it seems: openssl/openssl@0fbffe7. Not sure how long ago AES support was added. |
|
Based on the above investigation, we may want to add support for AES-{128,256}-CBC encryption and PBKDF2-HMAC-SHA1 for the purpose of being able to import OpenSSL encrypted keys. I'm not sure how valuable it is to support such importing though. I suspect most web server keys stored in files are unencrypted, as the web server typically needs to automatically load the key so a password rarely makes sense. |
|
One issue BoringSSL ran into was that OpenSSL, until very recently, generated EC private keys using the specifiedCurve form, not the namedCurve form. RFC5915, which seems to be the ECC companion to RFC5958, only specifies the namedCurve choice. This makes it more likely that we'd have to write our own normalization code and/or support the older PKCS#8 spec, at least for EC keys. |
|
evp_extra_test.cc in BoringSSL contains some test data that will probably be worth looking at for this. |
|
What are your feelings about PKCS#12? I'm looking through what it would hypothetically take to add rustls as an option to native-tls and one of the bits missing seems to be PKCS#12 support which is part of the common interface exposed by native-tls regardless of which tls implementation you're using. It likely wouldn't need to be a complete implementation (I understand the full spec is quite complex), one that can handle retrieving a private key + chain of certificates (as well as passwords) would be sufficient (which openssl and boringssl both do). Two comments up it sounds like you're saying that the PKCS#12 code in boringssl may have issues with some private keys generated by openssl so it's not quite as simple as re-adding |
PKCS#12 is about certificates, which is something at a higher layer than what ring does. I don't think it makes sense to do PKCS#12 in ring, but it may make sense to do it in webpki. As far as ring is concerned, the main issue is whether ring's API allows a PKCS#12 implementation to be written on top of it. For RSA, we support the bare
It would be helpful to know whether @ctz wants to support PKCS#12 in Rustls. If so then we could consider adding it to webpki, in which case we should discuss it in a new issue in the webpki repo. FWIW, I'll be working on adding PKCS#8 support to ring sometime before March 31st. |
I don't think it's necessary to put it in rustls - if I can use PKCS#12 deserialisation from webpki, I can then pass the chain and private key to rustls so it doesn't need to concern itself with where they've come from. If other crates then pop up with alternative certificate format deserialising then in theory rustls doesn't need to be changed. Raised briansmith/webpki#41
That sounds good. |
|
has there been any interest in adding support for encrypted PKCS#8? I was looking for this feature as I want to generate and store private keys for an end-user application. I have to store the key in the user's home dir and don't want some other application to be able to use it. |
I don't anticipate working on encrypted PKCS#8 unless/until somebody sponsors it. I think there are much better alternatives to encrypted PKCS#8 and I'd rather implement those instead. |
|
As of now, all signing keys support serialization and deserialization via PKCS#8, and that's good enough to close this. Feel free to file new, specific, issues, regarding any deficiencies or missing functionality here. |
|
how can I do serialization for agreement::EphemeralPrivateKey ? I wasn't able to find an API? |
When we generate an RSA, ECDSA, or Ed25519 key, we need to be able to serialize it into some binary format for storage. There are a myriad of formats to choose from, but supporting a myriad of formats is counter to the goals and design of ring. I propose, instead, that we support only PKCS#8 format for all keys, and document how users can convert their keys to PKCS#8 format, specifically the version specified in RFC5958.
There is a simple unencrypted form and a more complex encrypted form. I propose that we start by supporting the simple unencrypted form and then add the encrypted form later.
References
ECPrivateKey: https://tools.ietf.org/html/rfc5915#section-3Unencrypted
This is
OneAsymmetricKey, orPrivateKeyInfoin the older version of the spec.To convert a traditional (PKCS#5?) private key to the supported form using a newish version of OpenSSL:
Encrypted
This is
EncryptedPrivateKeyInfoand alsoEncryptedPrivateKeyInfoin the older version of the spec.To convert from the traditional (PKCS#5?) format to this format using a newish version of OpenSSL, using the default parameters of AES-256 (which mode?) and PBKDF2-HMAC-SHA256 (what parameters?):
The design of this API needs to take the acceptable key stretching algorithms (PBKDF2-HMAC-SHA256, PBKDF2-HMAC-SHA384, etc.) and the acceptable encryption/authentication modes (which ring might not even support yet!) as parameters to avoid hard-linking any algorithms.
Unanswered Questions
p>qand recover the CRT parameters if they are missing, and convert the OpenSSH bcrypt-based format to PKCS#8.The text was updated successfully, but these errors were encountered: