PKCS#8 V2 test files #1077

Open
vavroch2010 opened this issue Jan 27, 2025 · 7 comments
@vavroch2010

No description provided.

@github-project-automation github-project-automation bot moved this to Pre-Refinement in Development Board Jan 27, 2025
@vavroch2010 vavroch2010 moved this from Pre-Refinement to Todo in Development Board Jan 27, 2025
@baentsch

This is to ask @vdukhovni for the pointer to the tooling to create arbitrary P8 files.

@vdukhovni
> This is to ask @vdukhovni for the pointer to the tooling to create arbitrary P8 files.

Sent you a message on Element already.

@baentsch

Thanks -- to retain here: https://github.com/google/der-ascii

@baentsch

baentsch commented Feb 3, 2025

Quick question: Is there a rule demanding that test data must be generated by a script like "test/certs/setup.sh"?

Or asked differently: Would a PR be accepted adding a V2 test file using the der2ascii tool above as per this procedure:

openssl ecparam -name prime256v1 -genkey -noout -out ec.key

openssl pkcs8 -topk8 -inform PEM -outform DER -in ec.key -out ec.p8 -nocrypt

der2ascii -i ec.p8 > ec.p8.txt

[Editing version to read incorrect "2"]

ascii2der -i ec.p8.txt > bad-ec.p8

openssl pkey -inform der -in bad-ec.p8 -out bad-ec.p8.pem

If not, it'd probably require substantial work to ensure this script can run within openssl proper.

Thanks in advance for any feedback.

@vdukhovni
vdukhovni commented Feb 3, 2025

> Quick question: Is there a rule demanding that test data must be generated by a script like "test/certs/setup.sh"?
>
> Or asked differently: Would a PR be accepted adding a V2 test file using the der2ascii tool above as per this procedure:
>
> [...]
>
> If not, it'd probably require substantial work to ensure this script can run within openssl proper.

There's no obligation to use that script, it is a convenience tool for creating certificates with a variety of features, but is not even a hard requirement for those. Mind you, you're generating P8 files in a roundabout way. Suggestion:

openssl genpkey -algorithm ec  \
    -pkeyopt ec_paramgen_curve:prime256v1 \
    -pkeyopt ec_param_enc:named_curve |
  openssl base64 -d |
  der2ascii |
  sed '2s/INTEGER { 0 }/INTEGER { 2 }/' |
  ascii2der |
  printf -- "-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----\n" \
    "$(openssl base64)" > bad-ec.p8.pem

You can't use pkey(1) for the final PEM encoding step, because that'll reset the version back to 1 (0).
Also, surprisingly, genpkey with -outform DER does not output PKCS#8!
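Both the der2ascii procedure above and the one-pipeline variant rewrite the leading version INTEGER of a PKCS#8 PrivateKeyInfo and then re-wrap the DER in a PEM "PRIVATE KEY" block by hand, since pkey(1) would normalise the version again. The following stand-alone Python script (an added example, not code from this thread or from OpenSSL) does the same thing without external tools: it locates the version INTEGER in a DER PrivateKeyInfo, reports it, rewrites it to an arbitrary single-byte value such as the "incorrect 2" used here, and emits the PEM wrapper. The sample DER is constructed inline (an ECPrivateKey wrapper for prime256v1 around a dummy 32-byte scalar, not a real key); the function names are this example's own. RFC 5958 defines only v1(0) and v2(1), so a value of 2 is what makes the output a negative test vector.

```python
# Added example (not from the issue thread or from OpenSSL): inspect and rewrite the
# version INTEGER of a DER-encoded PKCS#8 PrivateKeyInfo using only the stdlib.
import base64
import textwrap


def der_tlv(tag, body):
    """Encode one DER TLV with a definite length (bodies under 64 KiB)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def read_tlv(buf, pos):
    """Decode the TLV starting at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, pos, pos + length


def pkcs8_version(der):
    """Return the version INTEGER that opens a PrivateKeyInfo / OneAsymmetricKey."""
    tag, start, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("input is not a single DER SEQUENCE")
    vtag, vstart, vend = read_tlv(der, start)
    if vtag != 0x02:
        raise ValueError("first element of PrivateKeyInfo is not an INTEGER")
    return int.from_bytes(der[vstart:vend], "big")


def set_pkcs8_version(der, version):
    """Return a copy of der with the version INTEGER replaced.

    Limited to 0..127 so the INTEGER stays one byte and no enclosing length changes,
    which is exactly the in-place edit the der2ascii/sed step performs.
    """
    if not 0 <= version <= 127:
        raise ValueError("only single-byte versions are supported by this helper")
    _, start, _ = read_tlv(der, 0)
    vtag, vstart, vend = read_tlv(der, start)
    if vtag != 0x02 or vend - vstart != 1:
        raise ValueError("version is not a one-byte INTEGER")
    return der[:vstart] + bytes([version]) + der[vend:]


def to_pem(der):
    """Wrap DER in a PKCS#8 'PRIVATE KEY' PEM block (64-column base64)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(textwrap.wrap(b64, 64))
    return "-----BEGIN PRIVATE KEY-----\n" + body + "\n-----END PRIVATE KEY-----\n"


def from_pem(pem):
    """Strip the PEM armour and decode the base64 body back to DER."""
    lines = [ln for ln in pem.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(lines))


# Constructed sample (NOT a real key): PrivateKeyInfo { version 0, ecPublicKey/prime256v1,
# OCTET STRING { ECPrivateKey { version 1, privateKey <32 dummy bytes> } } }
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")    # 1.2.840.10045.2.1
OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")     # 1.2.840.10045.3.1.7
DUMMY_SCALAR = bytes(range(1, 33))

SAMPLE_DER = der_tlv(
    0x30,
    der_tlv(0x02, b"\x00")                                                   # version v1(0)
    + der_tlv(0x30, der_tlv(0x06, OID_EC_PUBLIC_KEY) + der_tlv(0x06, OID_PRIME256V1))
    + der_tlv(0x04, der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0x04, DUMMY_SCALAR))),
)

if __name__ == "__main__":
    bad = set_pkcs8_version(SAMPLE_DER, 2)
    print("original version:", pkcs8_version(SAMPLE_DER))
    print("rewritten version:", pkcs8_version(bad))
    print(to_pem(bad), end="")
```

To apply this to a real key, feed the DER from `openssl genpkey ... | openssl base64 -d` into `set_pkcs8_version(der, 2)` and write `to_pem(...)` to the test file; do not round-trip the result through `openssl pkey`, for the reason given above.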

@baentsch
baentsch commented Feb 3, 2025

> you're generating P8 files in a roundabout way

Yup - I'm known to not do things in the way they "should be" done :) On the other hand, this might be indicative of the tooling to be too "flexible" (convoluted?).

Thanks very much for the simplification, guidance and advice above, @vdukhovni! Please let me know if you'd like to quickly close out the issue via PR yourself then or whether I should keep slogging on.

@vdukhovni

Please slog on, I'm swamped.

@vavroch2010 vavroch2010 moved this from Todo to In Progress in Development Board Feb 14, 2025