Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Migrate parsing of unencrypted PKCS#8 private keys to Rust #12296

Open
wants to merge 22 commits into
base: main
Choose a base branch
from
Open

Migrate parsing of unencrypted PKCS#8 private keys to Rust #12296

wants to merge 22 commits into from

Conversation

alex
Copy link
Member

@alex alex commented Jan 16, 2025

No description provided.

@alex alex force-pushed the pkcs8-rust branch 3 times, most recently from 81ab411 to 66e7aec Compare January 16, 2025 20:01
@alex
Copy link
Member Author

alex commented Jan 16, 2025

paramiko failures are due to paramiko/paramiko#2490 (probably)

@alex
Copy link
Member Author

alex commented Jan 16, 2025
edited
Loading

test cases needed to coverage:

  • pkcs8 envelope with invalid version
  • pkcs8 envelope with unknown OID
  • pkcs8 envelope with EC key where the inner params don't match the outer params
  • PKCS#1 EC key with missing params
  • EC key (either format) where public key isn't serialization
  • PKCS#1 DSA key with invalid version
  • PKCS#1 RSA key with invalid version
  • PKSC#1 RSA key that's multi-prime
  • EC key (with version) with invalid version
  • EC key with inner and outer params that do match

@alex alex force-pushed the pkcs8-rust branch 5 times, most recently from 73d5f37 to c0091ec Compare January 22, 2025 00:22
Tarnum-tst
Tarnum-tst reviewed Jan 23, 2025
View reviewed changes
src/rust/src/backend/keys.rs
};
let Some((cipher_algorithm, iv)) = dek_info.split_once(',') else {
todo!()
};
Copy link

@Tarnum-tst Tarnum-tst Jan 23, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@alex , could You please make this code (81-86) compatible with Rust 1.63? let...else is unstable in 1.63... :-(

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We've had an MSRV of 1.65 since cryptography 43.0.0 in July of last year, we're not going to revert that absent exceptional circumstances

@alex
Copy link
Member Author

alex commented Jan 23, 2025
edited
Loading

Test cases we need:

  • Encrypted PKCS#8, PBES2 with 3DES-CBC
  • Encrypted PKCS#8, PBES2 with unknown encryption algorithm
  • Encrypted PKCS#8, PBES2 PBKDF2 with unknown PRF algorithm
  • Encrypted PKCS#8, PBES2 with unknown KDF
  • Encrypted PEM with no DEK-Info
  • Encrypted PEM with DEK-Info that doesn't have two, comma separated components
  • Encrypted PEM with DEK-Info where the IV isn't valid hex
  • Unit tests for hex_decode
  • PKCS#12 EC key with explicit curve
  • PKCS#12 EC key with unsupported curve

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Tarnum-tst Tarnum-tst Tarnum-tst left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@alex @Tarnum-tst