Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Migrate parsing of unencrypted PKCS#8 private keys to Rust #12296

Draft
wants to merge 29 commits into
base: main
Choose a base branch
from
Draft

Migrate parsing of unencrypted PKCS#8 private keys to Rust #12296

wants to merge 29 commits into from
+584 −222

Conversation

alex
Copy link
Member

@alex alex commented Jan 16, 2025

No description provided.

@alex alex force-pushed the pkcs8-rust branch 3 times, most recently from 81ab411 to 66e7aec Compare January 16, 2025 20:01
@alex
Copy link
Member Author

alex commented Jan 16, 2025

paramiko failures are due to paramiko/paramiko#2490 (probably)

@alex
Copy link
Member Author

alex commented Jan 16, 2025
edited
Loading

test cases needed to coverage:

  • pkcs8 envelope with invalid version
  • pkcs8 envelope with unknown OID
  • pkcs8 envelope with EC key where the inner params don't match the outer params
  • PKCS#1 EC key with missing params
  • EC key (either format) where public key isn't serialization
  • PKCS#1 DSA key with invalid version
  • PKCS#1 RSA key with invalid version
  • PKSC#1 RSA key that's multi-prime
  • EC key (with version) with invalid version
  • EC key with inner and outer params that do match

@alex alex force-pushed the pkcs8-rust branch 6 times, most recently from daeef67 to 3250d10 Compare January 23, 2025 01:47
Tarnum-tst
Tarnum-tst reviewed Jan 23, 2025
View reviewed changes
src/rust/src/backend/keys.rs
};
let Some((cipher_algorithm, iv)) = dek_info.split_once(',') else {
todo!()
};
Copy link

@Tarnum-tst Tarnum-tst Jan 23, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@alex , could You please make this code (81-86) compatible with Rust 1.63? let...else is unstable in 1.63... :-(

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We've had an MSRV of 1.65 since cryptography 43.0.0 in July of last year, we're not going to revert that absent exceptional circumstances

Copy link

@Tarnum-tst Tarnum-tst Jan 24, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@alex , I still maintain my custom build based on Rust 1.63 w/o GATs, maturin & workspace deps. It works fast on my retro systems (Win'7 and earlier) and very stable, too. :-)
Replacement:

            let dek_info = match p.headers().get("DEK-Info") {
                Some(dek_info) => dek_info,
                None => {
                    todo!()
                },
            };
            let (cipher_algorithm, iv) = match dek_info.split_once(',') {
                Some((cipher_algorithm, iv)) => (cipher_algorithm, iv),
                None => {
                    todo!()
                },
            };

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're not going out of our way to to support things that we don't support.

@alex
Copy link
Member Author

alex commented Jan 23, 2025
edited
Loading

Test cases we need:

  • Encrypted PKCS#8, PBES2 with 3DES-CBC
  • Encrypted PKCS#8, PBES2 with unknown encryption algorithm
  • Encrypted PKCS#8, PBES2 PBKDF2 with unknown PRF algorithm
  • Encrypted PKCS#8, PBES2 with unknown KDF
  • Encrypted PEM with no DEK-Info
  • Encrypted PEM with DEK-Info that doesn't have two, comma separated components
  • Encrypted PEM with DEK-Info where the IV isn't valid hex
  • Unit tests for hex_decode

@alex alex force-pushed the pkcs8-rust branch 2 times, most recently from 5fd4c86 to b72b393 Compare January 25, 2025 00:16
@alex alex marked this pull request as draft January 26, 2025 05:39
alex added a commit to alex/cryptography that referenced this pull request Jan 27, 2025
@alex
Extract ec_params_to_group from SPKI parsing
850dded 
To be used in pyca#12296
@alex alex mentioned this pull request Jan 27, 2025
Merged
reaperhulk pushed a commit that referenced this pull request Jan 27, 2025
@alex
Extract ec_params_to_group from SPKI parsing (#12348)
535f134 
To be used in #12296
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Tarnum-tst Tarnum-tst Tarnum-tst left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@alex @Tarnum-tst