serve: add support for ECC certificates #7768

Merged
merged 2 commits into from Aug 22, 2019
Conversation

vszakats
Contributor

@vszakats vszakats commented Aug 3, 2019

This is either a 🐛 bug fix or an 🙋 enhancement.

Summary

Jekyll currently does not accept an ECC (Elliptic-Curve) private key via its --ssl-key option when running the serve command, because the key loading code assumes an RSA key, with no other key types considered, even though even the older OpenSSL 1.0.2 supports EC keys. This means that Jekyll will fail to start with this error when an EC key is provided:

jekyll 3.8.5 | Error:  Neither PUB key nor PRIV key: nested asn1 error

This patch will try to load the provided key file as an ECC key if loading it as an RSA key failed. It also checks if the ECC key load method exists, as some Ruby variants (JRuby?) may not have it.

[ My Ruby is very rudimentary, so any suggestion for improvement is welcome. ]

Context

Jekyll server.

Test files

Script to generate a self-signed ECC certificate, mk-ec-test.sh:

#!/bin/sh

# OpenSSL 1.0.2 or newer required.
# (the one shipping with macOS won't work, use the Homebrew one.)

case "$(uname)" in
  *Darwin*) alias openssl=/usr/local/opt/openssl/bin/openssl ;;
esac

name='test-ec'

# Request config: unencrypted key, no interactive prompts, and a
# subjectAltName covering localhost and 127.0.0.1 for local serving.
cat << EOF > ${name}.csr.config
[req]
encrypt_key = no
prompt = no
distinguished_name = dn
req_extensions = v3_req

[dn]
O = ${name}

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF

# Generate a P-256 private key; genpkey writes it in PKCS#8 PEM form
# ("BEGIN PRIVATE KEY"), which is what Jekyll will be handed via --ssl-key.
openssl genpkey -algorithm EC \
  -pkeyopt ec_paramgen_curve:P-256 \
  -pkeyopt ec_param_enc:named_curve \
  -out ${name}-private.pem
# Build a certificate signing request from that key.
openssl req -batch -new -sha256 \
  -config ${name}.csr.config \
  -key ${name}-private.pem -out ${name}.csr
# Self-sign the CSR, carrying the v3_req extensions (the SAN) into the
# certificate, valid for 90 days.
openssl req -batch -x509 -sha256 -days 90 \
  -config ${name}.csr.config -extensions v3_req \
  -in ${name}.csr -key ${name}-private.pem -out ${name}.crt

Certificate, test-ec.crt:


Private key, test-ec-private.pem:


Test command:

jekyll serve --ssl-key test-ec-private.pem --ssl-cert test-ec.crt
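The RSA-then-EC fallback the description above outlines, as an added illustration that is not the PR's own code (the function names are hypothetical and the keys are generated in-process rather than read from the test files):

```ruby
require "openssl"

# Load a PEM private key as RSA first; if the RSA parser rejects it, retry
# as an EC key. Hypothetical helper, not the code merged in the PR.
def load_ssl_private_key(pem)
  OpenSSL::PKey::RSA.new(pem)
rescue OpenSSL::PKey::RSAError => rsa_err
  # Some Ruby variants may ship without EC support, so check before using it.
  raise rsa_err unless defined?(OpenSSL::PKey::EC)
  begin
    OpenSSL::PKey::EC.new(pem)
  rescue OpenSSL::PKey::ECError
    # Neither parser accepted the input: surface the original RSA error,
    # i.e. the "Neither PUB key nor PRIV key" message quoted in the PR.
    raise rsa_err
  end
end

# Constructed test material generated here (assumption: the openssl gem
# provides EC.generate, true for Ruby 2.4+).
EC_PEM  = OpenSSL::PKey::EC.generate("prime256v1").to_pem
RSA_PEM = OpenSSL::PKey::RSA.new(2048).to_pem

# Report which key class the fallback produced, so callers (e.g. a WEBrick
# :SSLPrivateKey option) can be checked without inspecting the object.
def key_kind(pem)
  key = load_ssl_private_key(pem)
  key.is_a?(OpenSSL::PKey::EC) ? "EC" : "RSA"
end
```

Newer openssl gems also offer OpenSSL::PKey.read, which dispatches on the key type in one call and would make the explicit fallback unnecessary where it is available.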

@DirtyF DirtyF requested a review from a team August 3, 2019 17:37
@mattr-
Member

mattr- commented Aug 4, 2019

@vszakats Could you update to the latest master on your branch please? That should allow CI to start passing. Thanks!

vszakats and others added 2 commits August 4, 2019 21:48
Co-Authored-By: Frank Taillandier <frank.taillandier@gmail.com>
@vszakats
Contributor Author

vszakats commented Aug 4, 2019

@mattr- Okay, done that!

Member

@mattr- mattr- left a comment

This is great! Thanks for doing this! ❤ I'm going to save this for Jekyll 4.1 since Jekyll 4.0 is nearing its final release.

@mattr- mattr- added this to In progress in Jekyll 4.1 via automation Aug 5, 2019
@mattr- mattr- added this to the 4.1 milestone Aug 5, 2019
@DirtyF DirtyF added this to Ideas/Unconfirmed in Jekyll 4.1 Aug 14, 2019
@DirtyF DirtyF moved this from Ideas/Unconfirmed to Reviewable in Jekyll 4.1 Aug 14, 2019
@DirtyF
Member

DirtyF commented Aug 22, 2019

@jekyllbot: merge +minor

@jekyllbot jekyllbot merged commit 650dcc6 into jekyll:master Aug 22, 2019
Jekyll 4.1 automation moved this from Reviewable to Done Aug 22, 2019
jekyllbot added a commit that referenced this pull request Aug 22, 2019
@DirtyF DirtyF moved this from In progress to Done in Jekyll 4.1 Aug 22, 2019
@vszakats vszakats deleted the patch-1 branch September 16, 2019 12:30
@jekyll jekyll locked and limited conversation to collaborators Sep 15, 2020