Issue #10257 has been updated by Todd Knarr.


As a developer trying to use `OpenSSL::PKey::EC`, I don't see a problem with breaking the `#private_key` and `#public_key` interfaces by changing the type of the return value. The values they return currently aren't usable as-is for anything but reimplementing the functionality `OpenSSL::PKey::EC` is supposed to provide, so any code depending on them is probably broken already. My research also turned up almost no instances of anyone using these functions directly; everyone appears to use the `openssl` command itself to generate certificates and leaves verifying certificates and generating keys for connections up to the SSL library itself, which likely explains why there are so few complaints about this bug. I used the workaround described above, and keys and certificates pass all the tests I can run after that.

The 'no shared cipher' bug is a separate issue involving the EC certificate not having the named-curve extension set. You can see it in the `openssl x509` output for the certificate: without the extension the "Field Type" will be just "prime-field" (which allows for any curve, but OpenSSL itself can't handle arbitrary curves for SSL connections, hence the error), while with the extension it'll be the name of the curve from `#builtin_curves` used to generate the original key. I'm working on what needs to be done to get that extension set using the existing Ruby API.

----------------------------------------
Bug #10257: Generate X.509 certificate/request/CRL with elliptic curve keys
https://bugs.ruby-lang.org/issues/10257#change-57666

* Author: John Downey
* Status: Open
* Priority: Normal
* Assignee: openssl
* ruby -v: ruby 2.2.0dev (2014-09-18 trunk 47624) [x86_64-darwin13]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
Elliptic curve keys (`OpenSSL::PKey::EC`) cannot currently be used with the X.509 classes in Ruby OpenSSL. This is due to a few slight incompatibilities between the way RSA/DSA are implemented and the way EC is implemented.

* `OpenSSL::PKey::EC` does not respond to `#private?` which is used by the `#sign` method on `OpenSSL::X509::Certificate`, `OpenSSL::X509::Request`, and `OpenSSL::X509::CRL`
* The `#public_key` method on `OpenSSL::PKey::EC` returns an `OpenSSL::PKey::EC::Point` instead of an `OpenSSL::PKey::EC` object with just public key fields

This patch adds an alias for `#public?` and `#private?` to `OpenSSL::PKey::EC` that correspond to `#public_key?` and `#private_key?`. This brings it in line with the same interface on `OpenSSL::PKey::RSA` and `OpenSSL::PKey::DSA`. This also allows the key to be used with the X.509 classes I mentioned.

The second issue is unfortunately more complex as it does not look like it is possible to fix without either breaking backwards compatibility or putting some branching deeper in `OpenSSL::X509::Certificate`, `OpenSSL::X509::Request`, and `OpenSSL::X509::CRL`. The good news is you can pass the private `OpenSSL::PKey::EC` key to `#public_key=` and it still does the right thing.

---Files--------------------------------
ec_x509.patch (8.06 KB)

