Is your feature request motivated by a concrete problem? Please describe.
Currently, Rocket fails to start with a SEC1 format private key.
Error: binding failed: bad TLS private key: invalid key header; supported formats are: RSA, PKCS8
I'm not all that familiar with this standard, but I know that it is the default output of tailscale cert for instance, which is a relatively mainstream tool now.
Support within rustls was added back in Feb and has been out since 0.20.3: rustls/rustls#998
I see that the latest version of Rocket accepts any 0.20.* version of rustls, so I assume that some action is required to use this existing support.
Alternatives Considered
It is fairly trivial to convert SEC1 to PKCS8 manually, so this would merely be a quality-of-life feature.
openssl pkcs8 -topk8 -nocrypt -in sec1.pem -out pkcs8.pem
This is Rocket's fault. Your issue seems tangentially related to #2281 but can be solved completely independently without accounting for this issue (the work will have to get undone though).
The following piece of code rejects any key that doesn't start exactly with a specific line
And as you guess, elliptic curve keys have their own header (-----BEGIN EC PRIVATE KEY-----), so Rocket rejects them before even attempting to parse them with rustls which understands them.
It should be noted that rustls_pemfile has two specific functions for parsing RSA and PKCS8 (cf. code above) but doesn't have one for EC keys. Supporting it might require a small refactor of this match expression (see rustls_pemfile::read_all for instance). I'm not specifically knowledgeable in cryptography standards in general and there might be an actual reason why "sec1_private_keys" doesn't exist. Research should be done before attempting anything.
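An added example, not Rocket's or rustls_pemfile's code: a std-only sketch of dispatching on the PEM label rather than requiring the file to start with one exact header line, so a SEC1 key is recognised even when another block precedes it. The names KeyFormat, pem_label and first_private_key_format are hypothetical, the sample PEM is constructed with placeholder bodies, and the code only inspects labels; decoding and validating the DER is left to the TLS library.

```rust
// Classify PEM private-key blocks by label (hypothetical helper names).
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum KeyFormat { Pkcs1Rsa, Pkcs8, Sec1Ec }

// Constructed sample: a non-key block ahead of a SEC1 key; bodies are placeholders.
pub const SEC1_WITH_PARAMS: &str = "-----BEGIN EC PARAMETERS-----\nAAAA\n\
-----END EC PARAMETERS-----\n-----BEGIN EC PRIVATE KEY-----\nAAAA\n\
-----END EC PRIVATE KEY-----\n";

/// Extracts LABEL from a "-----BEGIN LABEL-----" or "-----END LABEL-----" line.
fn pem_label<'a>(line: &'a str, kind: &str) -> Option<&'a str> {
    line.strip_prefix("-----")?.strip_prefix(kind)?
        .strip_prefix(' ')?.strip_suffix("-----")
}

/// Returns the format of the first private-key block, skipping unrelated
/// blocks (certificates, parameters) that may come before it.
pub fn first_private_key_format(pem: &str) -> Result<KeyFormat, String> {
    let mut open: Option<&str> = None; // label of the block we are inside
    for line in pem.lines().map(str::trim) {
        if let Some(label) = pem_label(line, "BEGIN") {
            if open.is_some() { return Err(format!("nested BEGIN {}", label)); }
            open = Some(label);
        } else if let Some(label) = pem_label(line, "END") {
            if open != Some(label) { return Err(format!("unmatched END {}", label)); }
            open = None;
            match label {
                "RSA PRIVATE KEY" => return Ok(KeyFormat::Pkcs1Rsa),
                "PRIVATE KEY" => return Ok(KeyFormat::Pkcs8),
                "EC PRIVATE KEY" => return Ok(KeyFormat::Sec1Ec),
                "ENCRYPTED PRIVATE KEY" => {
                    return Err("encrypted keys are not supported".into())
                }
                _ => {} // not a key block: keep scanning
            }
        }
    }
    match open {
        Some(label) => Err(format!("truncated block: {}", label)),
        None => Err("no private key block found".into()),
    }
}

fn main() {
    println!("{:?}", first_private_key_format(SEC1_WITH_PARAMS));
}
```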