swipl-devel
library(crypto): support for openssl Curve25519
@triska,
New versions of OpenSSL (since 1.1.0) support Curve25519, but load_private_key/3 does not work with it:
$ openssl genpkey -algorithm x25519 -out /tmp/key
25 ?- open('/tmp/key',read,S),load_private_key(S,'',K),close(S).
ERROR: Cannot represent due to `ssl_key'
ERROR: In:
ERROR: [11] ssl:load_private_key(<stream>(0x55a975169140),'',_2244)
ERROR: [10] '<meta-call>'(user:(...,...)) <foreign>
ERROR: [9] <user>
Other older curves work fine:
openssl genpkey -algorithm EC -out /tmp/key-p384 -pkeyopt ec_paramgen_curve:P-384 -pkeyopt ec_param_enc:named_curve
26 ?- open('/tmp/key-p384',read,S),load_private_key(S,'',K),close(S).
S = <stream>(0x55a975169030),
K = private_key(ec("2771624A7D73AF96AC6125315CC5C8D45ECC3C975A8B59E5E91C6F752150DB98B8C15BFD52A6B983E2E103C37F8E3DE0", "041A23C529CCBCB3FA99F410225A5F0404F42DEFC4AFA615C3EE71389637D7362F62F8C21C462153EE2CA1D8E1BCC9F200DA21F32AE67BF8353D3F9AFA86112D5B9C9F4F3A0F8042B9072228465DBEF648F33D6ABE5CB269DC742D9C2ACDBD9273", secp384r1)).
The Wikipedia article, in the Popularity section, shows why support for this curve is important.
Yes, I fully agree, thank you for filing this!
In the future, could you please file library(crypto)-related issues in the ssl package at:
https://github.com/SWI-Prolog/packages-ssl/issues
This is so that interested readers can subscribe selectively to notifications regarding exclusively the cryptography-related functionality.
In the future, could you please file library(crypto)-related issues in the ssl package
Sure, would be happy to do it. Thanks for handling the issue and for the great work you've done with the crypto lib.
By the way, TLS 1.3 (RFC 8446) requires support for the Curve25519 algorithm (X25519) and also Ed25519 and X448, Ed448. All of them are supported by OpenSSL 1.1.1 but I don't think they are yet in library(crypto).
You can already use TLS 1.3 with SWI-Prolog if you compile with OpenSSL ≥ 1.1.1.
For example, try:
$ openssl s_client -connect www.metalevel.at:443 -tls1_3
to connect to an SWI-powered site with TLS 1.3.
What you are asking for, in the original issue, is to be able to load and reason about private keys using Curve25519 with library(crypto). This is needed if you want to manually use this curve for specific applications. Do you already have a concrete use case in mind? I am asking out of personal interest, not as an argument against implementing this.
Do you already have a concrete use case in mind?
Yes, but can't talk about it.
BTW, crypto_name_curve/2 would also need to be extended somehow (new API?) to support Curve25519.
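Added example, not part of the thread or of SWI-Prolog's code: this Python parser reads the PKCS#8 header of keys like the two generated in the report and shows how they differ structurally. The EC key names its curve as a parameter OID, while an X25519 key carries only an algorithm OID with no parameters. The two sample keys are constructed with all-zero key bytes, and all function names are hypothetical.

```python
import base64

# OIDs from RFC 8410 (X25519, X448, Ed25519, Ed448) and RFC 5480 (EC keys and curves)
NAMES = {"1.3.101.110": "X25519", "1.3.101.111": "X448",
         "1.3.101.112": "Ed25519", "1.3.101.113": "Ed448",
         "1.2.840.10045.2.1": "EC", "1.3.132.0.34": "secp384r1"}

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets to dotted notation."""
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:                # high bit clear ends one arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def pkcs8_algorithm(pem):
    """Return (algorithm OID, parameter OID or None) of an unencrypted PKCS#8 key."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN PRIVATE KEY-----":
        raise ValueError("not an unencrypted PKCS#8 private key")
    _, info, _ = read_tlv(base64.b64decode("".join(lines[1:-1])), 0)
    _, _, pos = read_tlv(info, 0)           # skip version INTEGER
    _, alg, _ = read_tlv(info, pos)         # AlgorithmIdentifier SEQUENCE
    _, oid, pos = read_tlv(alg, 0)
    ptag, pbody = read_tlv(alg, pos)[:2] if pos < len(alg) else (None, b"")
    return decode_oid(oid), decode_oid(pbody) if ptag == 0x06 else None

def describe(pem):
    alg, params = pkcs8_algorithm(pem)
    return NAMES.get(alg, alg), NAMES.get(params, params)

def pem_wrap(der):
    return "-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----\n" % base64.b64encode(der).decode()

# Constructed samples: valid PKCS#8 framing around all-zero (dummy) key bytes
X25519_PEM = pem_wrap(bytes.fromhex("302e020100300506032b656e04220420") + bytes(32))
P384_PEM = pem_wrap(bytes.fromhex("304e020100301006072a8648ce3d020106052b81040022043730350201010430") + bytes(48))
```

Calling `describe/1` on a file produced by `openssl genpkey` before handing it to a loader gives a quick way to tell which key type it holds.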