OpenSSL::PKey::RSA.new behaves differently than MRI #2697

Closed
rampion opened this Issue Mar 13, 2015 · 1 comment


rampion commented Mar 13, 2015

One of the ways that OpenSSL::PKey::RSA.new may be called is with a PEM-formatted string and no password. For example, see rubygems/request.

In the MRI implementation, when OpenSSL::PKey::RSA.new is called with a PEM-formatted string containing an encrypted RSA key but no password, it opens /dev/tty to prompt the user for a pass phrase:

% rvm use ruby-2.1
Using /usr/local/rvm/gems/ruby-2.1.5
% ruby example.rb
Decrypting key using password "correct horse battery staple"
success
Decrypting key using password nil
Enter PEM pass phrase:
success

When JRuby attempts the same, it raises an error instead of attempting to prompt the user for a pass phrase:

% rvm use jruby
Using /usr/local/rvm/gems/jruby-1.7.19
% JRUBY_OPTS=-J-Djruby.openssl.debug=true ruby example.rb
Decrypting key using password "correct horse battery staple"
success
Decrypting key using password nil
java.io.IOException: problem creating RSA private key: java.io.IOException: Password is null, but a password is required
        at org.jruby.ext.openssl.x509store.PEMInputOutput.readPrivateKey(PEMInputOutput.java:308)
        at org.jruby.ext.openssl.PKeyRSA.initialize(PKeyRSA.java:237)
...
failure: Neither PUB key nor PRIV key:
        org/jruby/ext/openssl/PKeyRSA.java:280:in `initialize'
        example.rb:6:in `test'
        example.rb:17:in `(root)'

Example code:

# example.rb
require 'openssl'

def test pemkey_text, pemkey_pass
  puts "Decrypting key using password #{pemkey_pass.inspect}"
  begin
    key = OpenSSL::PKey::RSA.new pemkey_text, pemkey_pass
    puts "success"
  rescue OpenSSL::PKey::RSAError => e
    puts %(failure: #{e.message}\n\t#{e.backtrace.join("\n\t")})
  end
end

pemkey_text = DATA.read
pemkey_pass = "correct horse battery staple"

test pemkey_text, pemkey_pass
test pemkey_text, nil

__END__
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,40D5A4CB36A82BF11E864AB17F4796BF
[key body omitted]
-----END RSA PRIVATE KEY-----

@kares kares added the openssl label Mar 16, 2015

@rtyler rtyler added the JRuby 1.7.x label Mar 22, 2015
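
An added example (not code from the issue or from jruby-openssl): a loader that checks the PEM text for encryption markers and refuses to call OpenSSL::PKey::RSA.new without a passphrase, so the outcome does not depend on the MRI prompt or the JRuby error described above. The names encrypted_pem?, load_rsa_key, PassphraseRequired and sample_pems are hypothetical, and the key is a throwaway generated at run time as constructed sample input.

```ruby
require 'openssl'

# Hypothetical error type for this example.
class PassphraseRequired < StandardError; end

# True when the PEM text holds an encrypted private key, either in the
# traditional form (the "Proc-Type: 4,ENCRYPTED" header shown in the issue)
# or in PKCS#8 form ("BEGIN ENCRYPTED PRIVATE KEY").
def encrypted_pem?(pem)
  pem.match?(/^Proc-Type:\s*4,\s*ENCRYPTED\s*$/) ||
    pem.include?('-----BEGIN ENCRYPTED PRIVATE KEY-----')
end

# Load an RSA key without ever handing OpenSSL a nil passphrase for an
# encrypted key, so the caller gets the same error on MRI and JRuby
# instead of a /dev/tty prompt on one and an RSAError on the other.
def load_rsa_key(pem, passphrase = nil)
  return OpenSSL::PKey::RSA.new(pem) unless encrypted_pem?(pem)

  if passphrase.nil? || passphrase.empty?
    raise PassphraseRequired, 'encrypted PEM key requires an explicit passphrase'
  end
  OpenSSL::PKey::RSA.new(pem, passphrase)
end

# Constructed sample input: a throwaway key generated at run time.
def sample_pems(passphrase)
  key = OpenSSL::PKey::RSA.new(2048)
  cipher = OpenSSL::Cipher.new('aes-128-cbc')
  { key: key, plain: key.to_pem, encrypted: key.to_pem(cipher, passphrase) }
end

if __FILE__ == $PROGRAM_NAME
  pass = 'correct horse battery staple'
  pems = sample_pems(pass)
  puts "plain, no passphrase:     #{load_rsa_key(pems[:plain]).private?}"
  puts "encrypted, passphrase:    #{load_rsa_key(pems[:encrypted], pass).private?}"
  begin
    load_rsa_key(pems[:encrypted], nil)
  rescue PassphraseRequired => e
    puts "encrypted, no passphrase: #{e.class}: #{e.message}"
  end
end
```
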

Member

kares commented Jan 12, 2016

there's some naive prompting implemented since jruby-openssl 0.9.14 jruby/jruby-openssl@098ad46 ...
if more is needed please consider helping us out, thanks!

@kares kares closed this Jan 12, 2016

@kares kares added this to the JRuby 1.7.25 milestone Jan 12, 2016
