
Can't load openssl generated rsa-pss keys

Open est31 opened this issue 2 years ago • 2 comments

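While ring can load traditional PKCS#1 v1.5 RSA keys, it can't load RSA-PSS (PKCS#1 v2.1) keys. The example below loads two PKCS#8 keys produced by the same OpenSSL commands, differing only in the `-algorithm` argument: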

extern crate ring;
extern crate pem;

fn main() {
	use ring::signature::RsaKeyPair;

	// Reproduction: two 2048-bit RSA private keys (public exponent 65537),
	// both exported as PKCS#8 PEM, are handed to `RsaKeyPair::from_pkcs8`.
	// The only difference between them is the `-algorithm` passed to
	// `openssl genpkey`.
	//
	// `-nocrypt` writes the private key unencrypted, and both keys are
	// published in this report: they are test fixtures only and must never
	// be used to protect anything.

	// Key 1, generated by:
	//   openssl genpkey -algorithm RSA \
	//     -pkeyopt rsa_keygen_bits:2048 \
	//     -pkeyopt rsa_keygen_pubexp:65537 | \
	//     openssl pkcs8 -topk8 -nocrypt -outform pem
	let rsa_pem = "
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
	";

	// Key 2, generated by:
	//   openssl genpkey -algorithm rsa-pss \
	//     -pkeyopt rsa_keygen_bits:2048 \
	//     -pkeyopt rsa_keygen_pubexp:65537 | \
	//     openssl pkcs8 -topk8 -nocrypt -outform pem
	let rsa_pss_pem = "
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
	";

	// The plain RSA key decodes from PEM and is accepted by ring.
	let rsa_doc = pem::parse(&rsa_pem).unwrap();
	RsaKeyPair::from_pkcs8(&rsa_doc.contents).unwrap(); // works

	// The RSA-PSS key decodes from PEM as well, but ring rejects the DER, so
	// this final `unwrap()` panics and the process aborts here.
	// NOTE(review): presumably the PKCS#8 AlgorithmIdentifier of this key is
	// id-RSASSA-PSS (1.2.840.113549.1.1.10) rather than rsaEncryption
	// (1.2.840.113549.1.1.1), which would explain `WrongAlgorithm` -- confirm
	// with `openssl asn1parse` on the key.
	let rsa_pss_doc = pem::parse(&rsa_pss_pem).unwrap();
	RsaKeyPair::from_pkcs8(&rsa_pss_doc.contents).unwrap(); // ERROR: WrongAlgorithm
}

See also this gist which creates an entire certificate that uses RSA-PSS.

est31 avatar Aug 16 '21 09:08 est31