Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

pkey: deprecate PKey::*#set_* and PKey::{DH,EC}#generate_key! #480

Merged
merged 5 commits into from
Dec 20, 2021

Conversation

rhenium
Copy link
Member

@rhenium rhenium commented Dec 16, 2021

This is part of #369 (Support OpenSSL 3.0). These patches were originally submitted in #399.


pkey/dh: avoid using DH#set_key in DH#compute_key

DH#set_key will not work on OpenSSL 3.0 because keys are immutable.
For now, let's reimplement DH#compute_key by manually constructing a
DER-encoded SubjectPublicKeyInfo structure and feeding it to
OpenSSL::PKey.read.

Eventually, we should implement a new method around EVP_PKEY_fromdata()
and use it instead.


pkey/ec: avoid using EC#public_key= in EC#dh_compute_key

Similarly to DH#compute_key, work around it by constructing a
SubjectPublicKeyInfo. This should be considered as a temporary
implementation.


pkey/dh: deprecate OpenSSL::PKey::DH#generate_key!

OpenSSL::PKey::DH#generate_key! will not work on OpenSSL 3.0 because
keys are made immutable. Users should use OpenSSL::PKey.generate_key
instead.


pkey/ec: deprecate OpenSSL::PKey::EC#generate_key!

OpenSSL::PKey::EC#generate_key! will not work on OpenSSL 3.0 because
keys are made immutable. Users should use OpenSSL::PKey.generate_key
instead.


pkey: deprecate PKey#set_* methods

OpenSSL 3.0 made EVP_PKEY immutable. This means we can only have a const
pointer of the low level struct and the following methods can no longer
be provided when linked against OpenSSL 3.0:

  • OpenSSL::PKey::RSA#set_key
  • OpenSSL::PKey::RSA#set_factors
  • OpenSSL::PKey::RSA#set_crt_params
  • OpenSSL::PKey::DSA#set_pqg
  • OpenSSL::PKey::DSA#set_key
  • OpenSSL::PKey::DH#set_pqg
  • OpenSSL::PKey::DH#set_key
  • OpenSSL::PKey::EC#group=
  • OpenSSL::PKey::EC#private_key=
  • OpenSSL::PKey::EC#public_key=

There is no direct replacement for this functionality at the moment.
I plan to introduce a wrapper around EVP_PKEY_fromdata(), which takes
all key components at once to construct an EVP_PKEY.

DH#set_key will not work on OpenSSL 3.0 because keys are immutable.
For now, let's reimplement DH#compute_key by manually constructing a
DER-encoded SubjectPublicKeyInfo structure and feeding it to
OpenSSL::PKey.read.

Eventually, we should implement a new method around EVP_PKEY_fromdata()
and use it instead.
Similarly to DH#compute_key, work around it by constructing a
SubjectPublicKeyInfo. This should be considered as a temporary
implementation.
@rhenium rhenium changed the title pkey: deprecate PKey#set_* and PKey::DH#generate_key! pkey: deprecate PKey::*#set_* and PKey::{DH,EC}#generate_key! Dec 16, 2021
OpenSSL::PKey::DH#generate_key! will not work on OpenSSL 3.0 because
keys are made immutable. Users should use OpenSSL::PKey.generate_key
instead.
OpenSSL::PKey::EC#generate_key! will not work on OpenSSL 3.0 because
keys are made immutable. Users should use OpenSSL::PKey.generate_key
instead.
OpenSSL 3.0 made EVP_PKEY immutable. This means we can only have a const
pointer of the low level struct and the following methods can no longer
be provided when linked against OpenSSL 3.0:

 - OpenSSL::PKey::RSA#set_key
 - OpenSSL::PKey::RSA#set_factors
 - OpenSSL::PKey::RSA#set_crt_params
 - OpenSSL::PKey::DSA#set_pqg
 - OpenSSL::PKey::DSA#set_key
 - OpenSSL::PKey::DH#set_pqg
 - OpenSSL::PKey::DH#set_key
 - OpenSSL::PKey::EC#group=
 - OpenSSL::PKey::EC#private_key=
 - OpenSSL::PKey::EC#public_key=

There is no direct replacement for this functionality at the moment.
I plan to introduce a wrapper around EVP_PKEY_fromdata(), which takes
all key components at once to construct an EVP_PKEY.
@rhenium rhenium merged commit 5d0df40 into ruby:master Dec 20, 2021
@simi
Copy link

simi commented Aug 20, 2022

There is no direct replacement for this functionality at the moment.
I plan to introduce a wrapper around EVP_PKEY_fromdata(), which takes
all key components at once to construct an EVP_PKEY.

@rhenium any news on this? I'm having hard time to port this code (https://github.com/rubygems/rubygems.org/blob/40c04887ba09a35953457e6f38d5e65f34bed086/test/integration/api/v1/github_secret_scanning_test.rb#L17-L21) to OpenSSL 3.

@rhenium
Copy link
Member Author

rhenium commented Aug 21, 2022

any news on this?

It is not finished yet.

However I think that specific code can use openssl v2.2 feature OpenSSL::PKey::PKey#public_to_pem (also part of Ruby 3.0).

--- github_secret_scanning_test.rb.orig	2022-08-21 18:06:05.807934775 +0900
+++ github_secret_scanning_test.rb	2022-08-21 18:07:07.400718332 +0900
@@ -14,11 +14,9 @@
 
   context "on POST to revoke" do
     setup do
-      key = OpenSSL::PKey::EC.new("secp256k1").generate_key
+      key = OpenSSL::PKey::EC.generate("secp256k1")
       @private_key_pem = key.to_pem
-      pkey = OpenSSL::PKey::EC.new(key.public_key.group)
-      pkey.public_key = key.public_key
-      @public_key_pem = pkey.to_pem
+      @public_key_pem = pkey.public_to_pem
 
       h = KEYS_RESPONSE_BODY.dup
       h["public_keys"][0]["key"] = @public_key_pem

@ariccio
Copy link

ariccio commented Sep 6, 2022

I don't want to rush you on writing that wrapper, but can you suggest a workaround? I'm seeing this in the googleauth library for ruby:
googleapis/google-auth-library-ruby#381

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

3 participants