Change key loading APIs to not require knowing so much stuff #1269

Closed
alex opened this Issue Jul 16, 2014 · 13 comments

@alex
Member
alex commented Jul 16, 2014

Specifically it seems like there's consensus on just moving to load_pem_private_key and load_pem_public_key.

Tasks

  • Introduce new interface PEMLoadingBackend or something.
  • Expose public API for it.
  • Implement interface on OpenSSL backend.
  • Deprecate old interface, and implementation
  • Add new load_pem_public_key API.
@alex alex added this to the Sixth Release milestone Jul 16, 2014
@public
Member
public commented Jul 16, 2014

Do we actually need a new backend interface for this?

@alex
Member
alex commented Jul 16, 2014

@public I think so? Right now both of the serialization backend APIs are specific to the exact key format (OpenSSLTraditional and PKCS8).

@alex
Member
alex commented Jul 16, 2014

What was your alternate suggestion?

@reaperhulk
Member

I'm still curious if people think there's a useful distinction between PEM and DER given that a PEM is just a base64 encoded DER without delimiters.

@alex
Member
alex commented Jul 16, 2014

With PEM the delimiters give you some info about what the payload is, DER you sometimes need to know stuff a-priori, right?

"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084

@public
Member
public commented Jul 16, 2014

See also #614

@public
Member
public commented Jul 16, 2014

@alex OpenSSL can't do the format detection for us can it? We're going to need to implement that ourselves, so why rely on a backend for it?

@alex
Member
alex commented Jul 16, 2014

So you're proposing to leave the existing APIs around, and then have the frontend which does the detection and calls the right API?

@public
Member
public commented Jul 16, 2014

Yes I am.

@alex
Member
alex commented Jul 16, 2014

Is it really the case that OpenSSL can't do the detection? So far PKCS8 and OpenSSLTraditional both use the exact same implementation; are there other key types that OpenSSL can load, and if yes, what is the API for them?

@public
Member
public commented Jul 16, 2014

For the existing 2 key types sure but there are also OpenSSH and JWK keys to think about.

@alex
Member
alex commented Jul 16, 2014

Can OpenSSL load those at all though? (Do JWKs even go in a PEM?)

@public
Member
public commented Jul 21, 2014

JWKs are basically the PKCS#8 translated into JSON. OpenSSL can't load them natively but extracting the data from the JSON and loading it into a key should be easy enough for us to implement.

OpenSSH uses the traditional OpenSSL PEM format for private keys, and is almost the same for public keys, except it uses special non-PEM format headers. There's also a specific SSH2 PEM format with different headers but very few implementations seem to actually use it.

@alex alex closed this Sep 26, 2014
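
The frontend format detection discussed in this thread (PEM delimiters that name the payload, OpenSSH public-key lines, the SSH2 header, JWK JSON), as an added example that is not code from the project or from any participant. The function name `detect_key_format` and the returned format strings are assumptions of this example; it uses only the Python standard library and inspects framing without parsing the key.

```python
import base64
import binascii
import json
import re

# BEGIN and END labels must match; the label names the payload type.
_PEM = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
# Format names on the right are this example's own, not library identifiers.
_LABELS = {
    b"PRIVATE KEY": "pkcs8",
    b"ENCRYPTED PRIVATE KEY": "pkcs8-encrypted",
    b"RSA PRIVATE KEY": "traditional-openssl",
    b"DSA PRIVATE KEY": "traditional-openssl",
    b"EC PRIVATE KEY": "traditional-openssl",
    b"PUBLIC KEY": "subject-public-key-info",
}
_SSH_LINE = re.compile(rb"(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+) [A-Za-z0-9+/=]+")


def detect_key_format(data: bytes) -> str:
    """Classify key material by its framing only; the key itself is never parsed."""
    text = data.strip()
    m = _PEM.search(text)
    if m:
        label, body = m.groups()
        if label not in _LABELS:
            raise ValueError("unsupported PEM label: %r" % label)
        kind = _LABELS[label]
        # Traditional OpenSSL marks encryption with headers inside the armor.
        if kind == "traditional-openssl" and b"Proc-Type: 4,ENCRYPTED" in body:
            return kind + "-encrypted"
        try:  # reject armor whose payload is not strict base64
            base64.b64decode(b"".join(body.split()), validate=True)
        except binascii.Error:
            raise ValueError("PEM body is not valid base64") from None
        return kind
    if text.startswith(b"---- BEGIN SSH2 PUBLIC KEY ----"):
        return "ssh2-public"
    if _SSH_LINE.match(text):
        return "openssh-public"
    if text.startswith(b"{"):
        try:
            jwk = json.loads(text)
        except ValueError:
            raise ValueError("JSON framing but not parseable") from None
        if isinstance(jwk, dict) and "kty" in jwk:
            return "jwk"
    # No self-describing framing (e.g. bare DER): the caller must name the format.
    raise ValueError("unrecognized framing")
```

Bare DER and mismatched BEGIN/END labels both raise `ValueError`, which is the case where the caller has to know the format a priori.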