
ECC PKCS7 keys do not work #255

Open
robbat2 opened this issue Dec 28, 2017 · 3 comments

Comments

@robbat2
Contributor

robbat2 commented Dec 28, 2017

I'm trying to use elliptic curve certs rather than RSA, and running into weirdness.

$ openssl ecparam -name prime256v1 -genkey  -out keys/private_key.pkcs7.pem
$ openssl req -x509 -nodes -days 100000 -key keys/private_key.pkcs7.pem -subj '/' -out keys/public_key.pkcs7.pem
$ eyaml encrypt -n pkcs7 -s testcase -v
[hiera-eyaml-core] Loaded config from /home/robbat2/.eyaml/config.yaml
[hiera-eyaml-core] error adding recipient
[hiera-eyaml-core] /usr/lib64/ruby/gems/2.3.0/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/encryptors/pkcs7.rb:37:in `encrypt'
                   /usr/lib64/ruby/gems/2.3.0/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/encryptors/pkcs7.rb:37:in `encrypt'
                   /usr/lib64/ruby/gems/2.3.0/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/subcommands/encrypt.rb:80:in `execute'
                   /usr/lib64/ruby/gems/2.3.0/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/CLI.rb:46:in `execute'
                   /usr/lib64/ruby/gems/2.3.0/gems/hiera-eyaml-2.1.0/bin/eyaml:21:in `<top (required)>'
                   /usr/bin/eyaml:9:in `load'
                   /usr/bin/eyaml:9:in `<main>'

If the key is generated as RSA instead, everything is fine:

$ openssl req -x509 -nodes -days 100000 -newkey rsa:2048 -keyout keys/private_key.pkcs7.pem -out keys/public_key.pkcs7.pem -subj '/'
$ eyaml encrypt -n pkcs7 -s testcase -v
[hiera-eyaml-core] Loaded config from /home/robbat2/.eyaml/config.yaml
string: ENC[PKCS7,MIIBgQY...=]
...
@robbat2
Contributor Author

robbat2 commented Dec 28, 2017

So this seems to be a shortcoming of OpenSSL.
http://ruby-doc.org/stdlib-2.4.2/libdoc/openssl/rdoc/OpenSSL/PKCS7.html doesn't mention it at all, but digging deeper down, I found this:
https://mta.openssl.org/pipermail/openssl-dev/2016-May/007241.html

None of the OpenSSL CMS utility/API is exposed via Ruby :-(
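The failure from the first comment and the explanation above, reproduced outside eyaml as an added example (not code from the hiera-eyaml project or this thread): the same OpenSSL::PKCS7.encrypt call round-trips with a self-signed RSA certificate but raises with an EC certificate, because PKCS7 enveloped-data only implements RSA key transport (EC recipients need the CMS API, which the Ruby binding does not expose). The ENC[PKCS7,...] wrapping, the aes-256-cbc cipher and the certificate fixture are assumptions made for the example.

```ruby
require 'openssl'
require 'base64'

# Throwaway self-signed certificate around a key; a constructed stand-in
# for keys/public_key.pkcs7.pem from the thread.
def self_signed_cert(key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=eyaml-test')
  cert.issuer = cert.subject
  cert.public_key = key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# PKCS7 enveloped-data for one recipient cert, DER-encoded and base64-wrapped
# as ENC[PKCS7,...] (token layout and cipher are assumptions, not eyaml source).
def pkcs7_token(cert, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  p7 = OpenSSL::PKCS7.encrypt([cert], plaintext, cipher, OpenSSL::PKCS7::BINARY)
  "ENC[PKCS7,#{Base64.strict_encode64(p7.to_der)}]"
end

# Unwrap the token and decrypt with the recipient's private key.
def pkcs7_decrypt(token, key, cert)
  der = Base64.strict_decode64(token[/\AENC\[PKCS7,(.*)\]\z/, 1])
  OpenSSL::PKCS7.new(der).decrypt(key, cert)
end

# RSA recipient: encrypt and decrypt round-trip cleanly.
def rsa_roundtrip(plaintext)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = self_signed_cert(key)
  pkcs7_decrypt(pkcs7_token(cert, plaintext), key, cert)
end

# EC recipient: PKCS7 enveloped-data defines only RSA key transport, so OpenSSL
# refuses to add the recipient. Returns the error text (nil if it succeeded).
def ec_encrypt_error(plaintext)
  key = OpenSSL::PKey::EC.generate('prime256v1')
  cert = self_signed_cert(key)
  pkcs7_token(cert, plaintext)
  nil
rescue OpenSSL::PKCS7::PKCS7Error => e
  e.message
end
```

The EC error text is whatever the linked OpenSSL build reports (the thread shows "error adding recipient"); only the exception class is stable across versions.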

@rnelson0
Member

@robbat2 That's unfortunate. Is it possible that the use of the newly released Ruby 2.5 provides better hooks into OpenSSL?

@robbat2
Contributor Author

robbat2 commented Dec 31, 2017

I checked: the OpenSSL gem doesn't support any of the CMS functions.
On deeper inspection, I'm wondering if the SMIME (PKCS#7) & CMS structures are overkill for what we're doing. I'm going to see about exploring that as a different encryption method.
