luaossl
support for encrypted PEM keys
Please let me know if further changes are required to this patch set.
So this PR works, but I've found it very odd to use.
e.g. here is a valid invocation:
pk = require "openssl.pkey"
a = pk.new()                                -- generate a fresh key
k = a:getPrivateKey("aes-256-cbc", "bar")   -- export the private key as PEM, encrypted under "bar"
b = pk.new(k, "PEM", "private", "bar")      -- re-import it with the same password
But the following invocations fail (with mostly hard-to-understand/debug error messages):
Passing "public" rather than "private":
$ lua -e 'pk=require "openssl.pkey"; a=pk.new(); k=a:getPrivateKey("aes-256-cbc", "bar") pk.new(k, "PEM", "public", "bar")'
lua: pkey.new: pem_lib.c:691:error:0906D06C:PEM routines:PEM_read_bio:no start line
stack traceback:
[C]: in function 'openssl.pkey.new'
(command line):1: in main chunk
[C]: in ?
Passing wrong password (this is probably fine):
$ lua -e 'pk=require "openssl.pkey"; a=pk.new(); k=a:getPrivateKey("aes-256-cbc", "bar") pk.new(k, "PEM", "private", "foo")'
lua: pkey.new: evp_enc.c:536:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
stack traceback:
[C]: in function 'openssl.pkey.new'
(command line):1: in main chunk
[C]: in ?
Passing a wrong password and also no public vs. private:
$ lua -e 'pk=require "openssl.pkey"; a=pk.new(); k=a:getPrivateKey("aes-256-cbc", "bar") pk.new(k, "PEM", nil, "foo")'
lua: pkey.new: pem_lib.c:691:error:0906D06C:PEM routines:PEM_read_bio:no start line
stack traceback:
[C]: in function 'openssl.pkey.new'
(command line):1: in main chunk
[C]: in ?
Passing a wrong password and no "PEM" choice:
$ lua -e 'pk=require "openssl.pkey"; a=pk.new(); k=a:getPrivateKey("aes-256-cbc", "bar") pk.new(k, nil, "private", "foo")'
lua: pkey.new: tasn_dec.c:1129:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
stack traceback:
[C]: in function 'openssl.pkey.new'
(command line):1: in main chunk
[C]: in ?
Otherwise, I found it troublesome that not passing a cipher would result in no password being used. Perhaps throw an error if a password is specified and a cipher isn't?
I was thinking the API could be something like this:
pk = require "openssl.pkey"
a = pk.new()
k = a:toPEM{type="private", cipher="aes-256-cbc", password="bar"}
b = pk.new(k, {format="PEM", type="private", password="bar"})
This would make the code more readable and there would be no need for a separate getPrivateKey method.
The new patch set implements passing options via a table as suggested above, avoiding the need for a new getPrivateKey method.
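As an added example (not code from this PR or from luaossl itself), here is a round trip through the table-based API proposed in the comment above and stated to be implemented by the new patch set. The argument shapes and field names (`toPEM{type=..., cipher=..., password=...}` and `pkey.new(str, {format=..., type=..., password=...})`) are assumed from that proposal and may differ from a released luaossl. It also adds the check a caller wants given the concern raised earlier in the thread: since omitting the cipher silently drops the password, the emitted PEM is inspected for the standard encrypted-key markers before it is trusted, and the failure cases are caught with `pcall` so the OpenSSL error text is returned as a value instead of an uncaught error.

```lua
-- Added example: exercises the table-style API proposed in this thread.
-- Assumption: pkey.new() with no arguments generates a key, as in the
-- invocations earlier in the thread.
local pkey = require "openssl.pkey"

-- Detect whether a PEM string actually carries an encrypted private key.
-- Traditional OpenSSL encrypted keys carry a "Proc-Type: 4,ENCRYPTED" header;
-- encrypted PKCS#8 keys use a distinct BEGIN line. Plain find (4th arg true)
-- avoids Lua pattern interpretation of the dashes and punctuation.
local function is_encrypted_pem(s)
  return s:find("Proc-Type: 4,ENCRYPTED", 1, true) ~= nil
      or s:find("-----BEGIN ENCRYPTED PRIVATE KEY-----", 1, true) ~= nil
end

-- Export an encrypted private key, then refuse to use the result if the
-- cipher was not applied (e.g. because the cipher field was left out).
local function export_encrypted(key, password)
  local pem = key:toPEM{ type = "private", cipher = "aes-256-cbc", password = password }
  if not is_encrypted_pem(pem) then
    error("private key was written without encryption; refusing to proceed")
  end
  return pem
end

-- Import with pcall so a bad password or wrong type yields (false, errmsg)
-- rather than aborting the script.
local function try_import(pem, keytype, password)
  return pcall(pkey.new, pem, { format = "PEM", type = keytype, password = password })
end

local key = pkey.new()
local pem = export_encrypted(key, "bar")

-- Correct password and type: import succeeds.
local ok, loaded = try_import(pem, "private", "bar")
assert(ok, loaded)

-- Wrong password: the thread shows this surfacing as EVP_DecryptFinal_ex:bad decrypt.
local ok_wrong, err_wrong = try_import(pem, "private", "foo")
assert(not ok_wrong)
print("wrong password rejected: " .. tostring(err_wrong))

-- Wrong type: asking for "public" against a private-key PEM fails
-- (the thread shows PEM_read_bio:no start line).
local ok_type, err_type = try_import(pem, "public", "bar")
assert(not ok_type)
print("wrong type rejected: " .. tostring(err_type))
```

The `is_encrypted_pem` check is independent of luaossl and relies only on the PEM conventions OpenSSL writes; it is the cheapest guard against the silent-plaintext behaviour described above until the library itself raises an error when a password is given without a cipher.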
@kunkku - Is this patch safe to use? Are there any further changes expected?
Honestly, I do not know. I would like to get feedback from the maintainers.