
OpenSSL::PKey::RSA.new without password results in terminal input failure

Open djberg96 opened this issue 6 years ago • 2 comments

Environment

JRuby 9.2.5.0 on a Mac via rbenv:

jruby 9.2.5.0 (2.5.0) 2018-12-06 6d5a228 Java HotSpot(TM) 64-Bit Server VM 9.0.4+11 on 9.0.4+11 +jit [darwin-x86_64]

Darwin Daniels-iMac.attlocal.net 18.2.0 Darwin Kernel Version 18.2.0: Mon Nov 12 20:24:46 PST 2018; root:xnu-4903.231.4~2/RELEASE_X86_64 x86_64

I've also seen the same behavior on Linux, and with previous versions of JRuby.

Expected Behavior

When providing a key without a password, it should prompt the user to enter one with "Enter PEM pass phrase". This it does. The user should then be able to type in a password without characters appearing on the screen, and be accepted once the user presses the Enter key.

Actual Behavior

It has two problems. First, when typing, the text is visible. Second, it doesn't appear to accept an "Enter" key; instead I see "^M" characters.

You can reproduce this like so:

```ruby
require 'openssl'
key = File.join(Dir.home, '.ssh', 'gem-private_key.pem')
OpenSSL::PKey::RSA.new(File.read(key))
```

At that point you'll be prompted to enter your password and you will see the behavior.

djberg96 avatar Feb 01 '19 13:02 djberg96

@headius Any thoughts on this?

djberg96 avatar Jul 01 '20 19:07 djberg96

Still happening as of ~~9.2.12.0~~ 9.3.4.0

djberg96 avatar Aug 06 '20 18:08 djberg96

Still happening as of 9.3.8.0.

djberg96 avatar Oct 14 '22 10:10 djberg96

Poking at this a bit today. Not sure where this prompt is coming from but it's not in any of the JRuby or related library sources.

headius avatar Oct 17 '22 17:10 headius

Oops, found it!

https://github.com/jruby/jruby-openssl/blob/a7994b3ba17db9a49f0ef4b64bfc8df2a88e7bc9/src/main/java/org/jruby/ext/openssl/PKey.java#L404-L406

My guess is that this is not using the right kind of logic to receive the password, being that it is quite old. Digging further.

headius avatar Oct 17 '22 17:10 headius

Ok, so the C extension uses OpenSSL's EVP_read_pw_string_min function to prompt for the password:

https://man.openbsd.org/EVP_read_pw_string_min.3

We can use something similar via io/console getpass, but that would introduce a dependency from jruby-openssl to io-console:

https://www.devdungeon.com/content/get-password-console-ruby

And we have our logic implemented in Java, so this would additionally require a call-out to Ruby. I'm looking for a JDK-only solution.

headius avatar Oct 17 '22 17:10 headius
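
The io/console `getpass` approach mentioned in the comment above can also be applied from the calling script: read the passphrase with echo disabled and pass it to `OpenSSL::PKey::RSA.new` as its second argument. This is an added example, not code from the issue or from jruby-openssl; the helper names, sample key and passphrase are constructed, and it assumes that supplying the passphrase explicitly means the binding's own prompt is not used.

```ruby
require 'openssl'
require 'io/console'

# Detect a passphrase-protected PEM: the traditional format carries a
# "Proc-Type: 4,ENCRYPTED" header, PKCS#8 uses an "ENCRYPTED PRIVATE KEY" label.
def encrypted_pem?(pem)
  pem.include?('Proc-Type: 4,ENCRYPTED') ||
    pem.include?('BEGIN ENCRYPTED PRIVATE KEY')
end

# Read a passphrase with echo disabled. IO.console is nil when there is no
# controlling terminal (cron, CI), so fail loudly instead of reading a
# secret from an echoing or redirected stdin.
def read_passphrase(prompt = 'Enter PEM pass phrase: ')
  console = IO.console or raise 'no terminal available for passphrase entry'
  console.getpass(prompt)
end

# Load an RSA key, handing the passphrase to OpenSSL explicitly.
# `source` is any callable returning the passphrase (hypothetical helper
# parameter); it is only invoked when the PEM is actually encrypted.
def load_rsa_key(pem, source = method(:read_passphrase))
  return OpenSSL::PKey::RSA.new(pem) unless encrypted_pem?(pem)
  OpenSSL::PKey::RSA.new(pem, source.call)
rescue OpenSSL::PKey::PKeyError
  raise ArgumentError, 'could not load key: wrong passphrase or corrupt PEM'
end

# Constructed sample: a throwaway key encrypted with a throwaway passphrase.
SAMPLE_PASS = 'constructed-passphrase'
SAMPLE_KEY  = OpenSSL::PKey::RSA.new(2048)
SAMPLE_PEM  = SAMPLE_KEY.to_pem(OpenSSL::Cipher.new('aes-256-cbc'), SAMPLE_PASS)

# Non-interactive demo: the passphrase comes from a lambda, not the terminal.
loaded = load_rsa_key(SAMPLE_PEM, -> { SAMPLE_PASS })
puts "loaded private key: #{loaded.private?}"
```

In interactive use, call `load_rsa_key(File.read(path))` and the default `read_passphrase` prompts on the terminal without echo.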

I pushed jruby/jruby-openssl#270 to use java.io.Console to prompt for password. Seems to work locally, doing a mvn package in jruby-openssl and then installing pkg/jruby-openssl-xxxxx.gem and running your script.

cc @kares

headius avatar Oct 17 '22 17:10 headius

Thanks!

djberg96 avatar Oct 18 '22 12:10 djberg96

Re-targeting as this isn't part of 9.3.9. The fix will be part of the next jruby-openssl release, and JRuby can then update the included version.

kares avatar Oct 25 '22 06:10 kares