supporting private keys other than RSA (#148)

* also fixes `File` leakage in `MQTT::Client#key_file=` Fixes #147
njh · Apr 2, 2024 · 52ef5ff · 52ef5ff
1 parent 0b967ff
commit 52ef5ff
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 4 deletions.
diff --git a/lib/mqtt/client.rb b/lib/mqtt/client.rb
@@ -193,13 +193,13 @@ def cert=(cert)
     # Set a path to a file containing a PEM-format client private key
     def key_file=(*args)
       path, passphrase = args.flatten
-      ssl_context.key = OpenSSL::PKey::RSA.new(File.open(path), passphrase)
+      ssl_context.key = OpenSSL::PKey.read(File.binread(path), passphrase)
     end
 
     # Set to a PEM-format client private key
     def key=(*args)
       cert, passphrase = args.flatten
-      ssl_context.key = OpenSSL::PKey::RSA.new(cert, passphrase)
+      ssl_context.key = OpenSSL::PKey.read(cert, passphrase)
     end
 
     # Set a path to a file containing a PEM-format CA certificate and enable peer verification

diff --git a/spec/fixtures/ec.key b/spec/fixtures/ec.key
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIE2eyE3r4eoZCbHMYIwLCW42IKqaCkTSpw4dE4+j2TTqoAoGCCqGSM49
+AwEHoUQDQgAEoAyjMxTzzh9dEkzmXk26Vomq7HQFon/m4hDcKNAbqcrLVJI8bcQt
+yewCuHTAu3A6ymRxZnYvcNgMPyK+Oc+umA==
+-----END EC PRIVATE KEY-----
diff --git a/spec/fixtures/ec.pass.key b/spec/fixtures/ec.pass.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,0727A85143BDD14830310915273C3879
+
+vbjVLdV7YvVWnRHUzKVZjO5YR+q4GL3LU/BAlAj/E0klH+6ytEU34tpEtBfyC5QR
+bkDd/40qO6NGh81VvvEzafGQbnBHlBRxWZ52FspFob9ry+bW8F6sGbp46Ny6vTc/
+BSOtHDN+tDG5PQx9YXSVgBwRkekX86/63Zgh3jiy6rg=
+-----END EC PRIVATE KEY-----
diff --git a/spec/mqtt_client_spec.rb b/spec/mqtt_client_spec.rb
@@ -232,10 +232,46 @@ def now
   describe "setting an encrypted client private key, w/an incorrect passphrase" do
     let(:key_pass) { 'ttqm' }
 
-    it "should raise an OpenSSL::PKey::RSAError exception" do
+    it "should raise an exception" do
       expect(client.ssl_context.key).to be_nil
       expect { client.key_file = [fixture_path('client.pass.key'), key_pass] }.to(
-        raise_error(OpenSSL::PKey::RSAError, /Neither PUB key nor PRIV key/))
+        raise_error(/Could not parse PKey/))
+    end
+  end
+
+  describe "setting a client private EC key file path" do
+    it "should add a certificate to the SSL context" do
+      expect(client.ssl_context.key).to be_nil
+      client.key_file = fixture_path('ec.key')
+      expect(client.ssl_context.key).to be_a(OpenSSL::PKey::EC)
+    end
+  end
+
+  describe "setting a client private EC key directly" do
+    it "should add a certificate to the SSL context" do
+      expect(client.ssl_context.key).to be_nil
+      client.key = File.read(fixture_path('ec.key'))
+      expect(client.ssl_context.key).to be_a(OpenSSL::PKey::EC)
+    end
+  end
+
+  describe "setting an encrypted client private EC key, w/the correct passphrase" do
+    let(:key_pass) { 'mqtt' }
+
+    it "should add the decrypted certificate to the SSL context" do
+      expect(client.ssl_context.key).to be_nil
+      client.key_file = [fixture_path('ec.pass.key'), key_pass]
+      expect(client.ssl_context.key).to be_a(OpenSSL::PKey::EC)
+    end
+  end
+
+  describe "setting an encrypted client private EC key, w/an incorrect passphrase" do
+    let(:key_pass) { 'ttqm' }
+
+    it "should raise an exception" do
+      expect(client.ssl_context.key).to be_nil
+      expect { client.key_file = [fixture_path('ec.pass.key'), key_pass] }.to(
+        raise_error(/Could not parse PKey/))
     end
   end