Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

public_key: EDDSA private-key DER encode/decode does not wrap/unwrap the CurvePrivateKey #5156

Closed
sg2342 opened this issue Aug 27, 2021 · 1 comment · Fixed by #5157
Closed

public_key: EDDSA private-key DER encode/decode does not wrap/unwrap the CurvePrivateKey #5156

sg2342 opened this issue Aug 27, 2021 · 1 comment · Fixed by #5157
Assignees
@IngelaAndin
Labels
bug Issue is reported as a bug team:PS Assigned to OTP team PS

Comments

@sg2342
Copy link
Contributor

sg2342 commented Aug 27, 2021

Describe the bug
RFC8410 Section 7 states:

the private key is wrapped in a CurvePrivateKey object and wrapped by the OCTET STRING of the "privateKey" field.

public_key:der_decode/2 does not unwrap the EDDSA private key.
All other functions assume that #'ECPrivateKey'.privateKey holds the raw key.

crypto:* calls fail with badarg when a EDDSA private key obtained from public_keys ASN-1 processing is used.

It is impossible to use a EDDSA private keys in tls_client_option() and tls_server_option().

public_key:der_encode/2 does not wrap EDDSA private keys.
EDDSA private keys obtained from public_key:generate_key1 and encoded to DER with public_key:der_encode/2 do not work with openssl (or any other standard conforming tool).

To Reproduce

the eddsa_pri_pkcs8.pem test file in public_key_SUITE_data (also documented in RFC8410 Section-10.3):

$ openssl pkey -noout -text -in $ERL_TOP/lib/public_key/test/public_key_SUITE_data/eddsa_key_pkcs8.pem
ED25519 Private-Key:
priv:
    d4:ee:72:db:f9:13:58:4a:d5:b6:d8:f1:f7:69:f8:
    ad:3a:fe:7c:28:cb:f1:d4:fb:e0:97:a8:8f:44:75:
    58:42
pub:
    19:bf:44:09:69:84:cd:fe:85:41:ba:c1:67:dc:3b:
    96:c8:50:86:aa:30:b6:b6:cb:0c:5c:38:ad:70:31:
    66:e1
$ openssl asn1parse -in $ERL_TOP/lib/public_key/test/public_key_SUITE_data/eddsa_key_pkcs8.pem
    0:d=0  hl=2 l=  46 cons: SEQUENCE          
    2:d=1  hl=2 l=   1 prim: INTEGER           :00
    5:d=1  hl=2 l=   5 cons: SEQUENCE          
    7:d=2  hl=2 l=   3 prim: OBJECT            :ED25519
   12:d=1  hl=2 l=  34 prim: OCTET STRING      [HEX DUMP]:0420D4EE72DBF913584AD5B6D8F1F769F8AD3AFE7C28CBF1D4FBE097A88F44755842
$ openssl asn1parse -offset 14 -in $ERL_TOP/lib/public_key/test/public_key_SUITE_data/eddsa_key_pkcs8.pem
    0:d=0  hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:D4EE72DBF913584AD5B6D8F1F769F8AD3AFE7C28CBF1D4FBE097A88F44755842

an attempt to get the private key with erlang:

Eshell V12.0.2  (abort with ^G)
1> rr(code:lib_dir(public_key)++"/include/OTP-PUB-KEY.hrl",'ECPrivateKey').
['ECPrivateKey']
2> {ok, ECPrivPem} = file:read_file(os:getenv("ERL_TOP")++"/lib/public_key/test/public_key_SUITE_data/eddsa_key_pkcs8.pem").
{ok,<<"-----BEGIN PRIVATE KEY-----\nMC4CAQAwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC\n-----END PRIVAT"...>>}
3> [{'PrivateKeyInfo', _, not_encrypted} = PKCS8Key] = public_key:pem_decode(ECPrivPem).
[{'PrivateKeyInfo',<<48,46,2,1,0,48,5,6,3,43,101,112,4,34,
                     4,32,212,238,114,219,249,19,88,74,
                     213,182,...>>,
                   not_encrypted}]
4> ECPrivKey = public_key:pem_entry_decode(PKCS8Key).
#'ECPrivateKey'{version = 1,
                privateKey = <<4,32,212,238,114,219,249,19,88,74,213,182,
                               216,241,247,105,248,173,58,254,124,40,203,
                               241,212,251,...>>,
                parameters = {namedCurve,{1,3,101,112}},
                publicKey = asn1_NOVALUE,attributes = asn1_NOVALUE}
5> size(ECPrivKey#'ECPrivateKey'.privateKey).
34
6> binary:encode_hex(ECPrivKey#'ECPrivateKey'.privateKey).
<<"0420D4EE72DBF913584AD5B6D8F1F769F8AD3AFE7C28CBF1D4FBE097A88F44755842">>

the result is the still wrapped (34 octes long, prefixed by 16#04, 16#20) private key.
An attempt to use it will fail (the C code checks the key-length).

7> public_key:sign(<<>>, none, ECPrivKey).
** exception error: bad argument
     in function  crypto:pkey_sign_nif/5
        called as crypto:pkey_sign_nif(eddsa,none,<<>>,
                                       [<<4,32,212,238,114,219,249,19,88,74,213,182,216,
                                          241,247,105,248,173,58,254,124,40,203,241,...>>,
                                        ed25519],
                                       [])
     in call from crypto:sign/5 (crypto.erl, line 1366)

Expected behavior

public_key:der_decode/2 must unwrap EDDSA private keys
public_key:der_encode/2 must wrap EDDSA private keys

Affected versions
24.0.*

Additional context
this was found by trying to use X509 certificates with ed-25519 keys in erlang ssl.
@sg2342 sg2342 added the bug Issue is reported as a bug label Aug 27, 2021
@sg2342 sg2342 mentioned this issue Aug 27, 2021
Merged
@HansN HansN added the team:PS Assigned to OTP team PS label Aug 27, 2021
@IngelaAndin IngelaAndin added testing currently being tested, tag is used by OTP internal CI and removed testing currently being tested, tag is used by OTP internal CI labels Aug 30, 2021
@IngelaAndin IngelaAndin self-assigned this Aug 31, 2021
@IngelaAndin IngelaAndin removed the testing currently being tested, tag is used by OTP internal CI label Aug 31, 2021
@seriyps seriyps mentioned this issue Sep 2, 2021
Merged
@IngelaAndin
Copy link
Contributor

Solved by #5157

@sg2342 sg2342 mentioned this issue Sep 10, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@IngelaAndin IngelaAndin

Labels
bug Issue is reported as a bug team:PS Assigned to OTP team PS
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

public_key: Fix EDDSA private key ASN-1 decode/encode
3 participants
@sg2342 @HansN @IngelaAndin