-
Notifications
You must be signed in to change notification settings - Fork 85
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Transit: Add public key format #86
Comments
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Migration guide: https://www.openssl.org/docs/man3.1/man7/migration_guide.html The OpenSSL 1.1.1 apis went EOL back in November. We should probably work on migrating these to the current 3.2 version. |
@naphelps Note that we do not use OpenSSL; this was advice I was giving to OP on how they could call a different function for Ed25519 keys (in their app, which they say uses OpenSSL) to support the format Go uses, described in https://pkg.go.dev/crypto/ed25519 The public key, as discussed in RFC 8032 is 32 bytes. It is not a PEM blob, like they requested. It looks like these functions are still present in OpenSSL 3.1 though: https://www.openssl.org/docs/man3.1/man3/EVP_PKEY_get_raw_public_key.html so OP should be good even on a later version. I'd still probably implement both formats for all keys for consistency. |
Transit's export functionality didn't allow choosing the desired output key format and was largely inconsistent about typing. Symmetric keys (and ed25519!) were returned in raw (base64-encoded byte array) format, but RSA and EC keys were returned in their native container formats. This prevents easy interoperability as some tools will not read all of these formats easily; add "der" and "pem" forms for asymmetric keys, to allow native PKIX-typed exports (in typed SubjectPublicKeyInfo or PrivateKeyInfo containers). Resolves: openbao#86 Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
Transit's export functionality didn't allow choosing the desired output key format and was largely inconsistent about typing. Symmetric keys (and ed25519!) were returned in raw (base64-encoded byte array) format, but RSA and EC keys were returned in their native container formats. This prevents easy interoperability as some tools will not read all of these formats easily; add "der" and "pem" forms for asymmetric keys, to allow native PKIX-typed exports (in typed SubjectPublicKeyInfo or PrivateKeyInfo containers). Resolves: openbao#86 Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
Transit's export functionality didn't allow choosing the desired output key format and was largely inconsistent about typing. Symmetric keys (and ed25519!) were returned in raw (base64-encoded byte array) format, but RSA and EC keys were returned in their native container formats. This prevents easy interoperability as some tools will not read all of these formats easily; add "der" and "pem" forms for asymmetric keys, to allow native PKIX-typed exports (in typed SubjectPublicKeyInfo or PrivateKeyInfo containers). Resolves: openbao#86 Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
Transit's export functionality didn't allow choosing the desired output key format and was largely inconsistent about typing. Symmetric keys (and ed25519!) were returned in raw (base64-encoded byte array) format, but RSA and EC keys were returned in their native container formats. This prevents easy interoperability as some tools will not read all of these formats easily; add "der" and "pem" forms for asymmetric keys, to allow native PKIX-typed exports (in typed SubjectPublicKeyInfo or PrivateKeyInfo containers). Resolves: #86 Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
Per @SchulzeStTSI on hashicorp/vault#25141:
Since changing the key format now will likely break compatibility, we should probably add a new
format
parameter to thetransit/export/:type/:key
API. This would allow callers to specify the format (defaulting perhaps tonative
).However, if the OpenSSL application is modifiable, I believe the
EVP_PKEY_new_raw_private_key
andEVP_PKEY_new_raw_public_key
API calls are useful for parsing Vault keys. Not sure if there's a comparable OpenSSL 3.0 API though.The text was updated successfully, but these errors were encountered: