Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle extra headers in PEM encoded private key files #33168

Closed
jkakavas opened this issue Aug 27, 2018 · 2 comments
Closed

Handle extra headers in PEM encoded private key files #33168

jkakavas opened this issue Aug 27, 2018 · 2 comments
Assignees
@jkakavas
Labels
>bug :Security/TLS SSL/TLS, Certificates v6.4.1 v6.5.0 v7.0.0-beta1

Comments

@jkakavas
Copy link
Member

jkakavas commented Aug 27, 2018
edited
Loading

Openssl adds some extra headers ( Bag Attributes and Key Attributes ) to keys that it exports from PKCS#12 containers, i.e

Bag Attributes
    friendlyName: mykey
    localKeyID: 54 69 6D 65 20 31 35 33 30 30 32 31 38 30 36 37 31 30 
Key Attributes: <No Attributes>

This information is redundant as the notion of Bags is relevant only for PKCS#12 and can be disregarded, so we should ensure that PemUtils can read private key files even when this is present in a PEM key file.
@jkakavas jkakavas self-assigned this Aug 27, 2018
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security

@jkakavas
Copy link
Member Author

jkakavas commented Aug 27, 2018
edited
Loading

Bags and attributes are discussed in https://tools.ietf.org/html/rfc7292 . Openssl seems to support adding the Bag Attributes and Key Attributes from the safe bug and the cert bag:

https://github.com/openssl/openssl/blob/7d38ca3f8bca58bf7b69e78c1f1ab69e5f429dff/apps/pkcs12.c#L670

but there seems to be no specification that explicitly defines how these attributes are to be presented in a key/cert file.
RFC7468 allows only whitespace before the header (and that only in Lax mode ), but both Openssl and BouncyCastle allow arbitrary content before the header of PEM files.

I suggest we, too, err a little on the side of interoperability and backwards compatibility with pre-6.4 configurations in the expense of strict conformance to the RFC by allowing and disregarding extra content before the header

jkakavas added a commit to jkakavas/elasticsearch that referenced this issue Aug 27, 2018
@jkakavas
Parse PEM Keys leniantly
47f72db 
Allow for extra non-whitespace before the Header of PEM encoded
key files.

Resolves elastic#33168
@jkakavas jkakavas mentioned this issue Aug 27, 2018
Merged
jkakavas added a commit to jkakavas/elasticsearch that referenced this issue Aug 27, 2018
@jkakavas
Add known issue for 6.4
ee12e13 
Regarding the inability to use PEM keys exported from PKCS#12
containers as discussed in elastic#33168
@jkakavas jkakavas mentioned this issue Aug 27, 2018
Merged
jkakavas added a commit that referenced this issue Aug 28, 2018
@jkakavas
Add known issue for 6.4 (#33174)
32532b5 
Regarding the inability to use PEM keys exported from PKCS#12
containers as discussed in #33168
jkakavas added a commit that referenced this issue Aug 29, 2018
@jkakavas
Parse PEM Key files leniantly (#33173)
8c57d4a 
Allow for extra non-whitespace before the Header of PEM encoded
key files.

Resolves #33168
jkakavas added a commit that referenced this issue Aug 29, 2018
@jkakavas
Parse PEM Key files leniantly (#33173)
a74288f 
Allow for extra non-whitespace before the Header of PEM encoded
key files.

Resolves #33168
jkakavas added a commit that referenced this issue Aug 29, 2018
@jkakavas
Parse PEM Key files leniantly (#33173)
3462e65 
Allow for extra non-whitespace before the Header of PEM encoded
key files.

Resolves #33168
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jkakavas jkakavas

Labels
>bug :Security/TLS SSL/TLS, Certificates v6.4.1 v6.5.0 v7.0.0-beta1
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@colings86 @jkakavas @elasticmachine