-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support elliptic-curve keys #100
Comments
Thank you for the report.
I understand you don't just want to decode PEM's content, but also use the elliptic-curve keys for actual signatures, so I changed issue's title and assigned Elliptic curves are on my wish list, but I currently don't have the bandwidth to work on that. Of course, PRs are welcome until I find the time ( Have a good day! |
@CBenoit I will do it in my spare time |
Thank you! |
The sentence |
#132 added support for ECDSA p256 and p384 |
Hey :) |
It seems like let algo = &ring::signature::ECDSA_P256_SHA256_ASN1_SIGNING;
let rng = ring::rand::SystemRandom::new();
let pkcs8_bytes = ring::signature::EcdsaKeyPair::generate_pkcs8(&algo, &rng).unwrap();
let leaf_key = PrivateKey::from_pkcs8(&pkcs8_bytes).unwrap();
let csr = Csr::generate(
DirectoryName::new_common_name(namespace.as_str()),
&leaf_key,
SignatureAlgorithm::Ecdsa(HashAlgorithm::SHA2_256),
)
.unwrap();
|
Just for the record I was able to repro this and find a reason for it. Find the attached code snippet @flavio any specific reason for this? |
This seems to fix it: |
I did some additional testing and it seems like openssl is unable to recognize the public key in the signed leaf certificate due to:
this is unrelated to the merge request above as it happens also in 7.0.0-rc.2, keys generated via openssl and ring both present the same problem. |
For any leaf certificate you built with picky (and ring for generating the key pair), you get this issue? The openssl error is not entirely clear to me, but I would guess the EC public key encoding might be wrong somewhere |
yes, i tried to use keys generated by openssl too and the outcome was the same
You can simulate correct ec based cert generation with the following bash scripts if you need a working reference:
#!/bin/bash
set -e
openssl ecparam -name prime256v1 -genkey -noout -out root_ca.key
openssl req -new -x509 -key root_ca.key -out root_ca.crt -days 10958 -config <(
cat <<-EOF
[req]
distinguished_name = req_distinguished_name
default_md = sha256
req_extensions = v3_req
prompt = no
[req_distinguished_name]
O = foobar
CN = foobar
[v3_req]
subjectKeyIdentifier=hash
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
) -extensions v3_req
#!/bin/bash
set -e
openssl ecparam -name prime256v1 -genkey -noout -out leaf.key
openssl req -new -key leaf.key -out leaf.csr -config <(
cat <<-EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
O = foobar
CN = Dummy leaf
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
EOF
)
openssl x509 -req -in leaf.csr -CA root_ca.crt -CAkey root_ca.key -out leaf.crt -days 1 -sha256 -CAcreateserial -extensions v3_req -extfile <(
cat <<-EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
O = foobar
CN = Dummy leaf
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
EOF
) Just run: ./generate_root_ca.sh
./generate_leaf_cert.sh
openssl x509 -in leaf.crt -text -noout PS: just for the record prime256v1 and SECP256R1 are the same thing |
Thank you for the detailed steps, this helps 👍 |
Hello @CBenoit , currently picky-rs/picky/src/jose/jws.rs Lines 122 to 137 in 39e2d82
|
It would be great to have support for
-----BEGIN EC PRIVATE KEY-----
keys.They currently do not work.
The text was updated successfully, but these errors were encountered: