Uploaded image for project: 'Puppet Server'
  1. Puppet Server
  2. SERVER-3016

Cannot use OpenSSL EC files in OpenSSL format

    XMLWordPrintable

    Details

    • Template:
      PUP Bug Template
    • Team:
      Froyo
    • Story Points:
      3
    • Sprint:
      Froyo - 6/30/2021
    • Method Found:
      Customer Feedback
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Puppet Server can now successfully load private key PEM files that include a separate blocks for EC parameters, like the ones output by OpenSSL's EC key gen commands.
    • QA Risk Assessment:
      Needs Assessment

      Description

      OpenSSL uses a legacy format that should be compatible with PKCS however the Bouncy Castle PEMParser class's implementation won't support it.

      Specifically the PKCS format should skip all content outside of approved "---BEGIN <APPROVED TYPES>---". However, PEMParser will read any value for "APPROVED TYPES" and return the first encoded object in a file. This is problematic because OpenSSL puts the ec param at the top of the file in its own BEGIN block. It is this value that is returned when parsing a key file in OpenSSL's format with the PEMParser.

      Since OpenSSL is the de facto standard for working with PKI from the command line we should filter BEGIN lines that do not include the word "KEY" (or more specifically "PRIVATE KEY" or "RSA PRIVATE KEY") from the content prior to giving it to the PEMParser.

       These updates should be made in https://github.com/puppetlabs/jvm-ssl-utils - there are various places this update could go, so think about that (e.g. pem->key, more-generic pem->obj, Java level, etc.).

      • Ensure that keys generated following the process below no longer crash the server.
      • Unit tests
      • Open a SERVER ticket with DOCS label that includes pre-docs for what needs to be updated.

      ----------------------------------------------------------------------------------------

       

      Original bug report:

      Puppet Server Version: 7.1.2
      OS Name/Version: Debian Unstable

      Disable the internal CA

      Generate an appropriate EC key and cert (also attached):

      1. openssl ecparam -name prime256v1 -genkey -out example.key
      2. openssl req -x509 -utf8 -subj "/CN=Example" -addext "subjectAltName=critical,DNS:example.com" -new -key example.key -out example.crt

      Configure the webserver:

      webserver: {
      	client-auth: want
       
      	ssl-ca-cert: example.crt
      	ssl-cert: example.crt
      	ssl-key: example.key
       
      	ssl-host: "[::]"
      	ssl-port: 8140
      	ssl-protocols: [TLSv1.2, TLSv1.3]
      }
      

      Desired Behavior:
      Puppet Server is able to use a EC NIST P-256 cert/key.

      Actual Behavior:
      Crashes on startup with "Expected a KeyPair or PrivateKey, got 1.2.840.10045.3.1.7". See log.txt for the backtrace.

      Remarks:
      Notably ED25519 does work, but is not usable because of ruby-openssl#443.
      Presumably regular EC keys have a different class or something as they need to include extra information about the curve for the key.

        Attachments

        1. ec_server.log
          15 kB
        2. example.crt
          0.6 kB
        3. example.key
          0.3 kB
        4. log.txt
          11 kB

          Issue Links

            Activity

              People

              Assignee:
              maggie Maggie Dreyer
              Reporter:
              tambre Raul Tambre
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Zendesk Support