Comments (11)
This is caused by briansmith/ring#220
from rustls.
Could you tell me what program generated this key originally? Was it openssl?
from rustls.
I actually don't know what originally generated this key, it was provided by a service to access a particular endpoint. I'll note that both curl
and kubectl
(go code) were happy to use the key.
I'll do a bit more reading, but from a quick scan of the linked bug, do you know if there's a way to 'normalize' the key so it'll work and ring will accept it?
from rustls.
I wrote a quick python script (using pyca/cryptography) which, applied to your key, makes it acceptable to ring.
import sys
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
if __name__ == '__main__':
_, infile, outfile = sys.argv
with open(infile) as f:
priv = serialization.load_pem_private_key(f.read(),
password = None,
backend = default_backend())
comp = priv.private_numbers()
if comp.p < comp.q:
p, q = comp.q, comp.p
assert p > q
iqmp = rsa.rsa_crt_iqmp(p, q)
dmp1 = rsa.rsa_crt_dmp1(comp.d, p)
dmq1 = rsa.rsa_crt_dmq1(comp.d, q)
new_comp = rsa.RSAPrivateNumbers(p, q, comp.d, dmp1, dmq1, iqmp, comp.public_numbers)
priv = new_comp.private_key(default_backend())
print 'fixed key such that p > q'
with open(outfile, 'w') as f:
pem = priv.private_bytes(
encoding = serialization.Encoding.PEM,
format = serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm = serialization.NoEncryption()
)
f.write(pem)
from rustls.
@ctz thanks so much, that's great! I may try and re-implement that in rust, I'll keep you posted if I do
from rustls.
I added some details in briansmith/ring#220 (comment).
Answering some questions above:
- the generator of those keys is some kubernetes deployment component, possibly written in golang, possibly using stdlib
crypto/rsa
primitives - manually swapping primes with the script above works and fixes the issue for my local setup, but won't scale for general public and client/library developers
from rustls.
The underlying ring issue is fixed. If people encounter similar issues with ring and Rustls being too strict w.r.t. the contents of RSA keys, please file new issues. (ring does some NIST/FIPS-mandated consistency checks for the components of RSA private keys that many other implementations don't do.)
from rustls.
Do we want to have a test case covering this for future regressions, or should the ticket just be closed?
from rustls.
@lucab We have a test case in ring already, but I think it would be great if you could submit a similar test case for Rustls too..
from rustls.
I've just realized that briansmith/ring#604 is not yet part of any ring release, so I'll hold this for a bit until a new ring is out and rustls is updated to it (yes, I've read about release plan/blocker, I'm not in a hurry).
from rustls.
This has been long-fixed upstream.
from rustls.
Related Issues (20)
- Cipher suites configured through WebPkiServerVerifier::builder_with_provider is not working. Client hello contains more cipher suites then it configured. HOT 6
- rand_core::RngCore & CryptoRng support for CryptoProvider HOT 7
- expose more information in ClientHello HOT 4
- No common ciphersuit when FFDHE and ECDHE ciphersuites are available on server and client using TLS 1.2 HOT 4
- US Export control information HOT 4
- doc: AcceptedAlert::write doesn't necessarily write all bytes HOT 7
- Support using rustls without using specific ring or aws-lc-rs apis HOT 2
- Feature request: a way to set/get default ticketer dynamically HOT 6
- Feature Request: Avoid panicking when ring and aws_lc_rs are both specified HOT 12
- Option to Relax SNI Host Name Validation for IP Addresses HOT 7
- unbuffered: B: `CapacityBuffer` for `output_tls.capacity()` HOT 9
- The support for "mipsel-unknown-linux-musl" has failed. HOT 2
- Io(Custom { kind: InvalidData, error: AlertReceived(HandshakeFailure) }) HOT 6
- Linux compilation is slow and seems unable to store compilation results HOT 3
- Incompatible License HOT 1
- unbuffered: After `Closed` no `WriteTraffic` state arrives HOT 4
- Side-Channel Attack Mitigations in Rustls HOT 2
- Suggest registering for OpenSSF Best Practices badge HOT 3
- Pass ClientHello by reference to ResolvesServerCert HOT 2
- GHSA-6g7w-8wpp-frhj and CVE-2024-32650 don't make it clear that async rustls servers aren't susceptible HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from rustls.