PemUtils fails to parse PKCS#8 private keys when using PBES2 #78901

Closed
tvernum opened this issue Oct 11, 2021 · 3 comments · Fixed by #78904
Labels
>bug :Security/TLS SSL/TLS, Certificates Team:Security Meta label for security team

Comments

@tvernum
Contributor

tvernum commented Oct 11, 2021

PemUtils can parse PKCS#8 encrypted files, but only if the algorithm name in the PKCS8 info is a name supported by SecretKeyFactory.

```java
EncryptedPrivateKeyInfo encryptedPrivateKeyInfo = new EncryptedPrivateKeyInfo(keyBytes);
SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(encryptedPrivateKeyInfo.getAlgName());
```

This works when using PBES1 but not for PBES2.

See: https://discuss.elastic.co/t/elasticsearch-certutil-http/286230/2

@tvernum tvernum added >bug :Security/TLS SSL/TLS, Certificates labels Oct 11, 2021
@tvernum tvernum self-assigned this Oct 11, 2021
@elasticmachine elasticmachine added the Team:Security Meta label for security team label Oct 11, 2021
@elasticmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

tvernum added a commit to tvernum/elasticsearch that referenced this issue Oct 11, 2021
This commit adds support for decrypting PKCS#8 encoded private keys
that have been encrypted using a PBES2 based scheme.

Unfortunately `java.crypto.EncryptedPrivateKeyInfo` doesn't make this
easy as the underlying encryption algorithm is hidden within the
`AlgorithmParameters`, and can only be extracted by calling
`toString()` on the parameters object.

See: https://datatracker.ietf.org/doc/html/rfc8018#appendix-A.4
See: AlgorithmParameters#toString()
See: com.sun.crypto.provider.PBES2Parameters#toString()

Resolves: elastic#78901
@jkakavas
Member

I guess this resolves #32021 too?

@tvernum
Contributor Author

tvernum commented Oct 12, 2021

Yes, it looks like it does. I didn't remember that issue existed.

tvernum added a commit that referenced this issue Oct 18, 2021
This commit adds support for decrypting PKCS#8 encoded private keys
that have been encrypted using a PBES2 based scheme (AES only).

Unfortunately `java.crypto.EncryptedPrivateKeyInfo` doesn't make this
easy as the underlying encryption algorithm is hidden within the
`AlgorithmParameters`, and can only be extracted by calling
`toString()` on the parameters object.

See: https://datatracker.ietf.org/doc/html/rfc8018#appendix-A.4
See: AlgorithmParameters#toString()
See: com.sun.crypto.provider.PBES2Parameters#toString()

Resolves: #78901, #32021
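
The nesting that the issue and the commit messages describe (RFC 8018 Appendix A.4) can be seen by walking the DER of an `EncryptedPrivateKeyInfo` directly: with PBES1 the outer algorithm OID names the whole scheme, while with PBES2 the KDF and cipher sit inside the parameters. This is an added example in Python, not Elasticsearch or JDK code; the sample structures are constructed with placeholder salt, IV and ciphertext, and the OID table covers only the four schemes used here.

```python
# Added example, not project code: read the algorithm fields of an EncryptedPrivateKeyInfo.
NAMES = {"1.2.840.113549.1.5.13": "PBES2", "1.2.840.113549.1.5.12": "PBKDF2",
         "1.2.840.113549.1.5.10": "pbeWithSHA1AndDES-CBC", "2.16.840.1.101.3.4.1.42": "aes256-CBC"}

def tlv(buf, pos=0):  # -> (tag, content, next_pos) of the DER element at pos
    (tag, length), pos = buf[pos:pos + 2], pos + 2  # unpacking raises ValueError on short input
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def alg_id(buf, pos=0):  # AlgorithmIdentifier -> (name or dotted OID, raw parameters, next_pos)
    tag, seq, nxt = tlv(buf, pos)
    otag, oid, ppos = tlv(seq)
    if tag != 0x30 or otag != 0x06 or not oid or oid[-1] & 0x80:
        raise ValueError("not an AlgorithmIdentifier")
    arcs, acc = [], 0
    for b in oid:  # base-128 digits, high bit marks continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)
    dotted = ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))
    return NAMES.get(dotted, dotted), seq[ppos:], nxt

def describe(der):  # outer scheme, plus the KDF and cipher that PBES2 nests in its parameters
    _, body, _ = tlv(der)
    outer, params, _ = alg_id(body)
    if outer != "PBES2":
        return {"scheme": outer}
    _, p2, _ = tlv(params)  # PBES2-params ::= SEQUENCE { keyDerivationFunc, encryptionScheme }
    kdf, _, nxt = alg_id(p2)
    cipher, _, _ = alg_id(p2, nxt)
    return {"scheme": outer, "kdf": kdf, "cipher": cipher}

# Constructed samples: placeholder salt, IV and ciphertext; nothing here is a real key.
def enc(tag, *parts):  # DER encoder for lengths below 256, enough for the samples
    body = b"".join(parts)
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body
def alg(oid_hex, params):  # AlgorithmIdentifier from hex OID content
    return enc(0x30, enc(0x06, bytes.fromhex(oid_hex)), params)
SALT_ITER = enc(0x30, enc(0x04, b"\x01" * 8), enc(0x02, b"\x10\x00"))  # salt, iteration count
PBES2_PARAMS = enc(0x30, alg("2a864886f70d01050c", SALT_ITER),
                   alg("60864801650304012a", enc(0x04, b"\x02" * 16)))  # PBKDF2, aes256-CBC + IV
SAMPLE_PBES2 = enc(0x30, alg("2a864886f70d01050d", PBES2_PARAMS), enc(0x04, bytes(160)))
SAMPLE_PBES1 = enc(0x30, alg("2a864886f70d01050a", SALT_ITER), enc(0x04, bytes(160)))
```

`describe(SAMPLE_PBES1)` yields a single scheme name, whereas `describe(SAMPLE_PBES2)` has to descend one level further to find the cipher, which is the information the commit message says is hidden within the `AlgorithmParameters`.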