New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement ecdsa keys parsing #409
Conversation
Unofficial review: the implementation looks good to me. I'm not sure the changes to the example code are warranted (which of PKCS8 vs EC we'd want to prioritize). Also, to get this accepted you should add some tests covering the new code. Can probably just add an example certificate and copy what tests exist for either of the existing parse functions. |
This isn't mergable as-is, because ring cannot presently load EC keys in this format. It seems preferable to me to run a trivial, single |
@ctz Hm I'm not sure I understand. I used this patch downstream and it seemed to work. But I'm also really ignorant in this topic, so that doesn't probably count. I would prefer to get this solved at the root since there is an increasing number of tooling that provisions EC keys. Patching that tooling is an option, but it also implies maintaining a patch. Running a "trivial" openssl command breaks atomicity and can result in race conditions where the bundle and key are rolled but the key is not getting transformed in time. In my concrete example, SPIFFE helper is process manager that sends a reaload signal to the managed process as soon as the certificates are rolled. Having them atomically transformed with openssl command is less than trivial. |
Why is that tooling using this weird file format? Why not send PRs to those patches upstream to switch to a standard format? It seems to me that the real bug is in the provisioning software for choosing a bad file format. |
@briansmith I'm transparently relaying your questions, which I didn't have asked myself, yet: spiffe/spiffe-helper#26 Thanks! Looks like we might find something out this way. |
@ctz Do you have any solution for this dead end in the back of your mind? I'm not a programmer, so forgive me if I'm not doing any more good than scratching the surface, here, while bluntly asking you for help or a solution. Can we do something about ring so that rustls can start to support ECDSA? |
You need to convert keys of the format https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations Then you can read the pkcs8 pem file with |
Not sure how to judge these suggestions. They seems elusive of parts of the problem. But I guess I'm not going anywhere here, a pitty. |
I would suggest to reopen this MR until support is added to ring. @briansmith I believe this format is not as unusual as that. It's the default output format of The current status makes any rustls-based app less usable than existing tools, such as cURL. Requiring the user to run an external command is not convenient, or even not possible in some cases (eg. |
@connesc I agree with you, but I don't want to get involved in any exhausting discussion about the presumed power relationship between libraries and consumers. I think you set the right tone transmitting the needs of consumers. |
Hi there, I'm coming to this PR via kube-rs/kube#542 (for linkerd/linkerd2#7011 (comment)). From reading through the issue/PR history, it's unclear to me if the takeaway is that this should not be supported at all, or that it should be supported--but in
I think the issue here--at least in the case we're running into this--is that Go-based tooling Just Works with these files. We've been bumping into this in the Kubernetes ecosystem where cluster configs may encode Are PEM-formatted EC private keys seriously aberrant? Or are they something that we should ultimately expect |
I think it would be a good start if someone wrote some code (let's say, in a separate crate for now) that can build a |
closing #332
cd rustls && cargo test --no-default-features --no-run
is green, so iscd rustls && cargo test --all-features
馃帀This is intended to be a hand over, since I'm really not capable of addressing anything that goes much further than what's already in the PR.