Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Transit: Add public key format #86

Closed
cipherboy opened this issue Feb 1, 2024 · 2 comments · Fixed by #212
Closed

Transit: Add public key format #86

cipherboy opened this issue Feb 1, 2024 · 2 comments · Fixed by #212
Labels
good first issue Good for newcomers

Comments

@cipherboy
Copy link
Member

cipherboy commented Feb 1, 2024
edited

Per @SchulzeStTSI on hashicorp/vault#25141:

Describe the bug When retrieving the public key of an ed25519 key pair from the transit API the key is formatted in a strange encoding. After checking it, i found out that the key is simply a base64 encoding of ed25519.PublicKey which is the internal go type representation.

To Reproduce Generate ed25519 keypair and use the private one to extract the public:

p := key.Public().(ed25519.PublicKey)
b := base64.StdEncoding.EncodeToString(p)

Output is an base64 string which is not a PEM or anything else "usable" by openssl. Something like this: DixHOIHXtDW0l6DHE2qGCRCfC/XjS5CHxHS+sEUICH0=

Expected behavior Convert the key into a PEM format/standard encoding that it matches with the other key pair types in format (they use all pub keys in PEM format) to have this format:

-----BEGIN PUBLIC KEY----- MCowBQYDK2VwAyEA8eIBpK/74foJBEzRn2kCImhWyVnOcqV5aX1L8DSHyxA= -----END PUBLIC KEY-----

This is then readable by openssl.

bytes, err := x509.MarshalPKIXPublicKey(key.PublicKey())

if err != nil {
return nil, err
}

pemBlock := &pem.Block{
Type:  "PUBLIC KEY",
Bytes: bytes,
}

pubkey_bytes := pem.EncodeToMemory(pemBlock)

Since changing the key format now will likely break compatibility, we should probably add a new format parameter to the transit/export/:type/:key API. This would allow callers to specify the format (defaulting perhaps to native).

However, if the OpenSSL application is modifiable, I believe the EVP_PKEY_new_raw_private_key and EVP_PKEY_new_raw_public_key API calls are useful for parsing Vault keys. Not sure if there's a comparable OpenSSL 3.0 API though.
@naphelps naphelps added the good first issue Good for newcomers label Feb 1, 2024
naphelps pushed a commit that referenced this issue Feb 2, 2024
@dependabot
Bump github.com/go-ldap/ldap/v3 from 3.4.1 to 3.4.4 (#86)
e6edd00 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@naphelps
Copy link
Member

naphelps commented Feb 5, 2024

Migration guide: https://www.openssl.org/docs/man3.1/man7/migration_guide.html

The OpenSSL 1.1.1 apis went EOL back in November. We should probably work on migrating these to the current 3.2 version.

@cipherboy
Copy link
Member Author

cipherboy commented Feb 5, 2024
edited

@naphelps Note that we do not use OpenSSL; this was advice I was giving to OP on how they could call a different function for Ed25519 keys (in their app, which they say uses OpenSSL) to support the format Go uses, described in https://pkg.go.dev/crypto/ed25519

The public key, as discussed in RFC 8032 is 32 bytes. It is not a PEM blob, like they requested.

It looks like these functions are still present in OpenSSL 3.1 though: https://www.openssl.org/docs/man3.1/man3/EVP_PKEY_get_raw_public_key.html so OP should be good even on a later version.

I'd still probably implement both formats for all keys for consistency.

cipherboy added a commit to cipherboy/openbao that referenced this issue Mar 16, 2024
@cipherboy
Allow customizing key export format in Transit
d6ade22 
Transit's export functionality didn't allow choosing the desired output
key format and was largely inconsistent about typing. Symmetric keys
(and ed25519!) were returned in raw (base64-encoded byte array) format,
but RSA and EC keys were returned in their native container formats.
This prevents easy interoperability as some tools will not read all of
these formats easily; add "der" and "pem" forms for asymmetric keys, to
allow native PKIX-typed exports (in typed SubjectPublicKeyInfo or
PrivateKeyInfo containers).

Resolves: openbao#86

Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
@cipherboy cipherboy mentioned this issue Mar 16, 2024
Merged
cipherboy added a commit to cipherboy/openbao that referenced this issue Mar 16, 2024
@cipherboy
Allow customizing key export format in Transit
d362e80 
Transit's export functionality didn't allow choosing the desired output
key format and was largely inconsistent about typing. Symmetric keys
(and ed25519!) were returned in raw (base64-encoded byte array) format,
but RSA and EC keys were returned in their native container formats.
This prevents easy interoperability as some tools will not read all of
these formats easily; add "der" and "pem" forms for asymmetric keys, to
allow native PKIX-typed exports (in typed SubjectPublicKeyInfo or
PrivateKeyInfo containers).

Resolves: openbao#86

Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
naphelps pushed a commit to cipherboy/openbao that referenced this issue Mar 18, 2024
@cipherboy @naphelps
Allow customizing key export format in Transit
c0f44d8 
Transit's export functionality didn't allow choosing the desired output
key format and was largely inconsistent about typing. Symmetric keys
(and ed25519!) were returned in raw (base64-encoded byte array) format,
but RSA and EC keys were returned in their native container formats.
This prevents easy interoperability as some tools will not read all of
these formats easily; add "der" and "pem" forms for asymmetric keys, to
allow native PKIX-typed exports (in typed SubjectPublicKeyInfo or
PrivateKeyInfo containers).

Resolves: openbao#86

Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
naphelps pushed a commit that referenced this issue Mar 18, 2024
@cipherboy @naphelps
Allow customizing key export format in Transit
4b51c20 
Transit's export functionality didn't allow choosing the desired output
key format and was largely inconsistent about typing. Symmetric keys
(and ed25519!) were returned in raw (base64-encoded byte array) format,
but RSA and EC keys were returned in their native container formats.
This prevents easy interoperability as some tools will not read all of
these formats easily; add "der" and "pem" forms for asymmetric keys, to
allow native PKIX-typed exports (in typed SubjectPublicKeyInfo or
PrivateKeyInfo containers).

Resolves: #86

Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
good first issue Good for newcomers
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Allow customizing key export format in Transit cipherboy/openbao
2 participants
@cipherboy @naphelps