
serve: add support for ECC certificates #7768

Merged
merged 2 commits into from Aug 22, 2019

Conversation

@vszakats
Contributor

commented Aug 3, 2019

This is either a 🐛 bug fix or an 🙋 enhancement.

Summary

Jekyll currently does not accept an ECC (Elliptic-Curve) private key via its --ssl-key option when running the serve command, because the key loading code assumes an RSA key, with no other key types considered, even though even the older OpenSSL 1.0.2 supports EC keys. This means that Jekyll will fail to start with this error when an EC key is provided:

jekyll 3.8.5 | Error:  Neither PUB key nor PRIV key: nested asn1 error

This patch will try to load the provided key file as an ECC key if loading it as an RSA key failed. It also checks if the ECC key load method exists, as some Ruby variants (JRuby?) may not have it.

[ My Ruby is very rudimentary, so any suggestion for improvement is welcome. ]

Context

Jekyll server.

Test files

Script to generate a self-signed ECC certificate, mk-ec-test.sh:

#!/bin/sh

# OpenSSL 1.0.2 or newer required.
# (the one shipping with macOS won't work, use the Homebrew one.)

case "$(uname)" in
  *Darwin*) alias openssl=/usr/local/opt/openssl/bin/openssl
esac

name='test-ec'

cat << EOF > ${name}.csr.config
[req]
encrypt_key = no
prompt = no
distinguished_name = dn
req_extensions = v3_req

[dn]
O = ${name}

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF

openssl genpkey -algorithm EC \
  -pkeyopt ec_paramgen_curve:P-256 \
  -pkeyopt ec_param_enc:named_curve \
  -out ${name}-private.pem
openssl req -batch -new -sha256 \
  -config ${name}.csr.config \
  -key ${name}-private.pem -out ${name}.csr
openssl req -batch -x509 -sha256 -days 90 \
  -config ${name}.csr.config -extensions v3_req \
  -in ${name}.csr -key ${name}-private.pem -out ${name}.crt

Certificate, test-ec.crt:


Private key, test-ec-private.pem:


Test command:

jekyll serve --ssl-key test-ec-private.pem --ssl-cert test-ec.crt
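The RSA-then-EC fallback the description outlines, as an added example (not Jekyll's own serve.rb code); the helper names load_ssl_key, key_kind and sample_key_pems are assumptions for this illustration:

```ruby
require "openssl"

# Added example, not Jekyll's own code: load the --ssl-key file the way the PR
# describes, trying RSA first and falling back to EC. The helper names
# (load_ssl_key, key_kind, sample_key_pems) are assumptions for this illustration.
def load_ssl_key(pem)
  OpenSSL::PKey::RSA.new(pem)
rescue OpenSSL::PKey::PKeyError => rsa_error
  # Some Ruby variants may lack OpenSSL::PKey::EC; check before touching it,
  # and surface the original RSA error when no fallback is possible.
  raise rsa_error unless OpenSSL::PKey.const_defined?(:EC)
  OpenSSL::PKey::EC.new(pem)
end

# Report which key type was accepted, e.g. for a startup log line.
def key_kind(pem)
  key = load_ssl_key(pem)
  key.is_a?(OpenSSL::PKey::EC) ? "EC" : "RSA"
end

# Constructed test material: one RSA and one P-256 key, generated in memory so
# the example runs offline with no files on disk.
def sample_key_pems
  {
    rsa: OpenSSL::PKey::RSA.new(2048).to_pem,
    ec: OpenSSL::PKey::EC.generate("prime256v1").to_pem,
  }
end

if __FILE__ == $PROGRAM_NAME
  sample_key_pems.each { |name, pem| puts "#{name}: loaded as #{key_kind(pem)}" }
end
```

An input that is neither an RSA nor an EC key still raises an OpenSSL::PKey::PKeyError, so a malformed key file fails loudly at startup rather than silently serving without TLS.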

@DirtyF DirtyF requested a review from jekyll/core Aug 3, 2019

@DirtyF DirtyF added the enhancement label Aug 3, 2019

@mattr-
Member

commented Aug 4, 2019

@vszakats Could you update to the latest master on your branch please? That should allow CI to start passing. Thanks!

vszakats and others added 2 commits Aug 3, 2019
Update lib/jekyll/commands/serve.rb
Co-Authored-By: Frank Taillandier <frank.taillandier@gmail.com>

@vszakats vszakats force-pushed the vszakats:patch-1 branch from 52c04a2 to 001ac18 Aug 4, 2019

@vszakats
Contributor Author

commented Aug 4, 2019

@mattr- Okay, done that!

@mattr-
mattr- approved these changes Aug 5, 2019
Member

left a comment

This is great! Thanks for doing this! ❤️ I'm going to save this for Jekyll 4.1 since Jekyll 4.0 is nearing its final release.

@mattr- mattr- added this to In progress in Jekyll 4.1 via automation Aug 5, 2019

@mattr- mattr- added this to the 4.1 milestone Aug 5, 2019

@DirtyF DirtyF added this to Ideas/Unconfirmed in Jekyll 4.1 Aug 14, 2019

@DirtyF DirtyF moved this from Ideas/Unconfirmed to Reviewable in Jekyll 4.1 Aug 14, 2019

@DirtyF
Member

commented Aug 22, 2019

@jekyllbot: merge +minor

@jekyllbot jekyllbot merged commit 650dcc6 into jekyll:master Aug 22, 2019

3 checks passed

continuous-integration/appveyor/pr: AppVeyor build succeeded
continuous-integration/travis-ci/pr: The Travis CI build passed
netlify/jekyllrb/deploy-preview: Deploy preview ready!

Jekyll 4.1 automation moved this from Reviewable to Done Aug 22, 2019

jekyllbot added a commit that referenced this pull request Aug 22, 2019

@DirtyF DirtyF moved this from In progress to Done in Jekyll 4.1 Aug 22, 2019

@vszakats vszakats deleted the vszakats:patch-1 branch Sep 16, 2019
