Skip to content

Allow PKCS8 EC private keys to be loaded #61

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Allow PKCS8 EC private keys to be loaded #61

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
05eef1b
Added support for RFC5424 structured data (#67)
tsaarni Sep 8, 2023
ad39484
Added test for RSA and EC private key
tsaarni Sep 14, 2023
82419de
Restore invalid client cert test
tsaarni Mar 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
- Added support for RFC5424 structured data [#67](https://github.com/logstash-plugins/logstash-output-syslog/pull/67)
- The SNI (Server Name Indication) extension is now used when connecting to syslog server with TLS and `host` is set to FQDN (Fully Qualified Domain Name) [#66](https://github.com/logstash-plugins/logstash-output-syslog/pull/66)
- Add support for CRL to check for the server certificate is revocation status [#62](https://github.com/logstash-plugins/logstash-output-syslog/pull/62)
- Support loading of PKCS8 EC private keys [#61](https://github.com/logstash-plugins/logstash-output-syslog/pull/61)

## 3.0.5
- Docs: Set the default_codec doc attribute.
Expand Down
2 changes: 1 addition & 1 deletion lib/logstash/outputs/syslog.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -246,7 +246,7 @@ def setup_ssl
require "openssl"
ssl_context = OpenSSL::SSL::SSLContext.new
ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(@ssl_cert))
ssl_context.key = OpenSSL::PKey::RSA.new(File.read(@ssl_key),@ssl_key_passphrase)
ssl_context.key = OpenSSL::PKey::read(File.read(@ssl_key),@ssl_key_passphrase)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@given that you have added all the TLS test scaffolding in #62 do you think that, after the merge on main branch of that PR and rebase of this, could we add 2 tests here, one for RSA key and the other for Elliptic Cryptography here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes absolutely, let's do that.

Copy link
Contributor Author

@tsaarni tsaarni Sep 14, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The diff looks bit confusing, but this is what was done:

I added RSA and EC test but at the same time I needed to remove test for invalid client private key, which was previously added in TLS tests. I now realized that OpenSSL::PKey::read() does not raise error when given invalid PEM file, unlike OpenSSL::PKey::RSA.new did. Instead, it returns instance of OpenSSL::PKey::RSA even though invalid.pem clearly is not an RSA key.

When I fixed support for EC pkey to PKey::read() in jruby-openssl, I did not check this. Maybe it lacks negative checks.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that it worthwhile to open an issue in https://github.com/jruby/jruby-openssl repository, accepting silently an improper file is misleading.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe the difference is that the read method instantiate the RSA key
https://github.com/jruby/jruby-openssl/blob/19135259f121f9c9e95ee7f0b4c830f9267680e0/src/main/java/org/jruby/ext/openssl/PKey.java#L124

instead of the initiliaze method
https://github.com/jruby/jruby-openssl/blob/19135259f121f9c9e95ee7f0b4c830f9267680e0/src/main/java/org/jruby/ext/openssl/PKeyRSA.java#L223

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In my test case I used input that does not even have valid PEM block inside, so I would have expected that even PEM block parsing should fail here https://github.com/jruby/jruby-openssl/blob/19135259f121f9c9e95ee7f0b4c830f9267680e0/src/main/java/org/jruby/ext/openssl/PKey.java#L117 ->
https://github.com/jruby/jruby-openssl/blob/19135259f121f9c9e95ee7f0b4c830f9267680e0/src/main/java/org/jruby/ext/openssl/x509store/PEMInputOutput.java#L317
Requires some additional debugging on jruby-openssl to find out what is going on there...

I've created new issue jruby/jruby-openssl#285. I added also the CA case which I noticed earlier.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oks, let's see what they answer and then I'll merge this.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Jruby-openssl function PKey::read() was fixed in release https://github.com/jruby/jruby-openssl/releases/tag/v0.14.4 Apr 11, 2024. See jruby/jruby-openssl@ab355ca.

It now returns error when reading invalid key file so I've restored the test case "invalid client certificate".

if @ssl_verify
cert_store = OpenSSL::X509::Store.new
# Load the system default certificate path to the store
Expand Down
7 changes: 7 additions & 0 deletions spec/fixtures/certs.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,4 +31,11 @@ sans:
subject: cn=client
issuer: cn=ca
key_type: RSA
not_before: 1970-01-01T00:00:00Z
not_after: 2100-01-01T00:00:00Z
---
subject: cn=client-ec
issuer: cn=ca
key_type: EC
not_before: 1970-01-01T00:00:00Z
not_after: 2100-01-01T00:00:00Z
5 changes: 5 additions & 0 deletions spec/fixtures/client-ec-key.pem
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg6P7i1NqXVKChh8dR
pqHcCSwlxDjKoaDBGiYzWHgy5vqhRANCAAQSX1YGFCuXL7f5Utp5X45+h7ixghyQ
vhYfT4gY6M31DAUaf59DENYUZ36k4IYrWP6lU/ChBH0Mlntjb1TCD+Tw
-----END PRIVATE KEY-----
13 changes: 13 additions & 0 deletions spec/fixtures/client-ec.pem
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
-----BEGIN CERTIFICATE-----
MIICCjCB86ADAgECAggXhLgPAPW4dzANBgkqhkiG9w0BAQsFADANMQswCQYDVQQD
EwJjYTAeFw0yMzA5MTQwODU1MzRaFw0yNDA5MTMwODU1MzRaMBQxEjAQBgNVBAMT
CWNsaWVudC1lYzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBJfVgYUK5cvt/lS
2nlfjn6HuLGCHJC+Fh9PiBjozfUMBRp/n0MQ1hRnfqTghitY/qVT8KEEfQyWe2Nv
VMIP5PCjMzAxMA4GA1UdDwEB/wQEAwIFoDAfBgNVHSMEGDAWgBRNukfgtxJMkwu7
XMvQ8ETWqi5BVTANBgkqhkiG9w0BAQsFAAOCAQEAP+HsEKYA2d6kCAH/JJSpxMnP
gwMfjDkmV1bMguYSoOv8fbD17WqpyRojhi+THInP6ggXhJW0Zbz6UNy2GHXtO4+o
OGLKI2FMUnaLRDMF4NL//FcC1unRQxyw8HQ2oMPNtWVEoo8KURLe0IW2q9/afT89
59RAZYxizFKSWcoIQGeCoyWzVIa/E+MB4cFKgpTF3zkxr6uWJvXYYwkVtzknsGvW
v0c2h2Ck//kuQatJSZQpbMaYMEE2480VnwskiOTu1ltxrmcQxz5P0g1zcjEnKQAm
kB3ENdewzHIq8yaybbf+a/WCsNyyEjKPOsSWeElk77v719B24x1HqkV8FW/eRA==
-----END CERTIFICATE-----
52 changes: 26 additions & 26 deletions spec/fixtures/client-key.pem
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,28 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCnPqjlJMF4uvsN
t1kdrVP/Zi3KS3dvCg2Dpg1BAyo0nhe8vKHAAK0TE9//peTOqt5P+hps7fw4SG3N
ZNmmkOk8u6B0I15FLHywTsMPU9H+gLrte8Y/yZC4AbdmVrYFml83Q41wGj8UM05t
pslVMfkveNkG/LBzKrPENo2Wb2+2/Um/BzNsaX0bhg7MGesD8TjhMFmh+kvChUMp
jFK4dKDOlXFMBLd43wtNVeWDz7duNx/oz6LyQ5JsAmVCHCMxlgc4GQEeUJ2lEnkI
Jw+lwDCKutwIQ4lm6pWAm4KU/BTcA7h6PWM0ku6XnfW7/xbT0FdeKnga8uTO8+vM
7/GqawGLAgMBAAECggEAdJl38QG2LTDXNVHdvJYKGOapB/+jTfQJRf5wASJuu255
CCnO72jJQaK6qaaEJh30jnfFEqq9DJRakTc9kyY2phP9otrBr6J7cAQJdFcw8anY
KRgBOJmT3uW7cosDrlZZCdN7+WsjDTdT95ivh0km/JTZYkir0C82U5bhEb+xeDZv
f/76b1gDYz3ZrvQMnb4x+60vb9U7iVrnXNEVxle/FhpLNbA9tsFLoSsm/6SbEnju
cyimwmkMnQhPdiN5wmdTzXaTTsM3Ayomtj2bZZMTM9VSrFYAFPYAh2GwX7xn1hmo
gacYqZcXgqu+uIE812hbWEAFmaS3vrxNVAXwa7IjkQKBgQDeR9EdabphDryvgjgA
MUm5TxKKp5Wm9Cz+FiEUASFxoduuCdSb4vq2YGL5PL22MNxmMtYq2oc/dZOMtr45
hruq0IZmVBNlViqjjcY1J3zvBRWSn93JdSY32o3g3rpgx6/6AZvUzfJmbwVcZBZR
VimCf6oknoNt3lADEJXaVtYBAwKBgQDAnYyGPrufS52dRinnuFVImKX/FvbFDYJI
F31cfi2y4y+g0tFFh0vjG0qVkxkBII5Cy5y1brLYColVWd8gWKibQMJ0TVZfV1ez
gAkR69XIdMLlHl5oXzwyaMYLnsx6MYgzPRHB2ojhtGiEym0dUUrzovl4zB9+LpRd
z6hpMoti2QKBgQDPWo9osMh84hKCZyd2hoQPqgPR9KNWK1INdPdGggeAyUz0/Zao
FQVsPF4XwuH2o332mFXRhCnGuRf7nD23zEglAIFf0+6ECe2cxRSxYTTahBOrxBZR
aEdOs0LHEv8qaR1wSy/jRHtrswV9OqDXH1l5sz41CunwBAL/2Ojx1S+toQKBgQCB
iPK6TXIMXOPwowEHjtX77nykIqNuPfmB1ho+m7TL+zFKrLyET8rfPrlYAgbs1SIX
Faub8Ihh9iQJvFjr/fPWBSVA5cnScIDQfKic3sd0+eEgCN5gvrtTA1c89Vx6SNlZ
7BYHEpq/f35S33emIceQNegkLtJ3H4gz1rVhmdZXcQKBgQCl1OvIJI7FmBzG1XPz
VNkE1nCPhXZEnrR3csZsiJiHCkI+t7izoIwFZZnEaW/+rqrZAWjMdFu11hy0Fz1n
y74CmHrlupOoSbNZlB7w7MfqZydqXT6XXgjHdlnR9+celzkS7HnZ/jxwJChCnznm
JR8q9KOY82PMpTHNnlEoUDqCJA==
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDHLmhX4dMBPgXc
MoBHVH1IRnjAy3uLIQrCNE1HneZPTvLPAcLw1A6PTg3gLnREqz6o4prlGrcnt0OZ
unqqn3c6lTwG+kNweSip7dDjDNb5aS6Owp6EAmXfkIq7XTb6tAt+au57PnKJQpGV
vEIMoK4gb/USFm+BrOoHkxLfVCQNlLViQ9DF9o0r9VdJJanJWmPrHKsOuvra1ZZk
/9nYAO4KhAraeWXhZyWywXpfhxVjh+rk4ucQIVVSeFtcMHbOpfqSPmb3cKY5Er16
SQiNTlBquHzF7sz3fIw39rDdaF8G5bieI9VK/5FElavjrGuAo6ST+m9vGqyl01gC
Dx6YYblFAgMBAAECggEAIs4dNZ4kfQcVhxDcEZrV+Zc26pmkEP/JHX5+MpGI+TrW
ew3XvrWPhcMh8ZasgoNaA7D1WCt+7dW8XlSTstUCxJ3nS2DYAANr86W25rYLqrGS
jSe9A1xX6OUdGPiE7vIfQAv3eFnFMe8L+ZpYAFTjmI93x51cBtDsZD5zAct2MVkI
CRB0AdWlvdY4j/FGmDJiDpgFTvBrYDh+fbckFll72Etxt1U7Ssfzw9UTvJWPH1XE
Pr9Ax/kxCwUy3D/h8dQv5q2jz1lGXCHoo7wq7D0vNRn2i/aA8tPHBdplvf2hN77+
oUnLGTr+kxI42EkTdG+t/IrPslyG0pFz87TIE8DRAQKBgQDsWJr4dBVdWUUjERN/
PkpcGHtzu6okxGnXmEcInesKo+E24BdEdrR0+XPtw+JDYhpuWRp4Dta1N2/7Btkk
MgL3Me3yuz366Q8GIOZqM0+9Sj8qXleb0R66ozIQJECIVEBUYZQN2JyM/wO8hgfL
oV2S64/fRlAdbqZnjCAFc7yAMQKBgQDXvqDGBxcdU0U1PmDitWydqc8tsNNEDklw
JyzXAXMZ0OEEYTxta7LP72GWleRm9CyUUcNCC7WLiPcTq77oWLjKzQKx//8JnZ9I
tDbsfh3LI9h4GG7vIW6tVLbG/CSMRbtVvqdJewNvQeLb6ARlRTpkAXUb5DQiU4O0
4hydvHR5VQKBgQDazEBTKCwrKhx+FS3mi0UNs0B+aMpflVGi3H9OM9vHEuXJBnWj
1PzEmba/86rA1M5BP83oPVx5kSPi0XkuL/pc2+U75CnB4gYdl1GYGX6Fb3nAgGw8
fMEk6TXMibMQQmb3dwo4M0LiqKbN3YrT8cQN4nNjsNU0Gh6FF80BHx7v0QKBgQDH
b7IhvZYxhrOYh6R6jqnsiXg6zZZO+EINCjnaO73SJJSOPvDkWcW/kJOO59tvDNNU
/MxadoaJicCVj5N4J+QTnTabo4F4uxvu0qFfNyqFigpm4ndSWX59fq1D/vwuK5wE
pKzyMWQ4ahiznqTJlRhoMCy47tj+zmMXSFqZugeVzQKBgAcGan9v9Lb7fOVwqcGm
HBFxzFMljr3NNXUwjAfY64NT8jDLoDj7fHgn+kf779CmHam1vqTRgxWouSlrw1DJ
qE7qwd6LsOL+WW0XXCWad5NtgFmoMLaCj2u+Fz9xmZX2QmdaZYo3xtlpDK0i2NzK
SSS5SK+adI5UqxmI0wLlDS4a
-----END PRIVATE KEY-----
32 changes: 16 additions & 16 deletions spec/fixtures/client.pem
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,18 +1,18 @@
-----BEGIN CERTIFICATE-----
MIIC0zCCAbugAwIBAgIIF4RwxFvwiMEwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UE
AxMCY2EwHhcNMjMwOTEzMTEwOTA4WhcNMjQwOTEyMTEwOTA4WjARMQ8wDQYDVQQD
EwZjbGllbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnPqjlJMF4
uvsNt1kdrVP/Zi3KS3dvCg2Dpg1BAyo0nhe8vKHAAK0TE9//peTOqt5P+hps7fw4
SG3NZNmmkOk8u6B0I15FLHywTsMPU9H+gLrte8Y/yZC4AbdmVrYFml83Q41wGj8U
M05tpslVMfkveNkG/LBzKrPENo2Wb2+2/Um/BzNsaX0bhg7MGesD8TjhMFmh+kvC
hUMpjFK4dKDOlXFMBLd43wtNVeWDz7duNx/oz6LyQ5JsAmVCHCMxlgc4GQEeUJ2l
EnkIJw+lwDCKutwIQ4lm6pWAm4KU/BTcA7h6PWM0ku6XnfW7/xbT0FdeKnga8uTO
8+vM7/GqawGLAgMBAAGjMzAxMA4GA1UdDwEB/wQEAwIFoDAfBgNVHSMEGDAWgBRN
ukfgtxJMkwu7XMvQ8ETWqi5BVTANBgkqhkiG9w0BAQsFAAOCAQEAkyK273ywVTm8
SFssX0igt/sGDD/PMy9D9X5ovg7083g6FFYqdP9bWrkIasXzVb5s0feeV/tAV+DO
sDjHcR7K5SwBjsNdYA+wie5WC1XaKAxSVNfe+VnwbZcgXaHcKPeqG7S3ZHJ3riRh
GTPMArnb/w9+RqWTTSsxEvzw1lPVVbqFDiAPHsg6FTKetNEr83xbOzk4EOAnD2Hq
CgKstcxl+lm8kaIhz1Jd5wVZ68i/+wDLRtk16inkoKIQYFvksdoMjNQLfhc5Cx+h
4+3gOylszUF92SSbipFmEBs5LJ88G3U35xHS/imI9OdsMNdj4HE9Tk7TiuYH3Kt7
DUOgg4S+0w==
MIIC1TCCAb2gAwIBAgIIGCmaVaybuVEwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UE
AxMCY2EwIBcNNzAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBExDzANBgNV
BAMTBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcuaFfh
0wE+BdwygEdUfUhGeMDLe4shCsI0TUed5k9O8s8BwvDUDo9ODeAudESrPqjimuUa
tye3Q5m6eqqfdzqVPAb6Q3B5KKnt0OMM1vlpLo7CnoQCZd+QirtdNvq0C35q7ns+
colCkZW8QgygriBv9RIWb4Gs6geTEt9UJA2UtWJD0MX2jSv1V0klqclaY+scqw66
+trVlmT/2dgA7gqECtp5ZeFnJbLBel+HFWOH6uTi5xAhVVJ4W1wwds6l+pI+Zvdw
pjkSvXpJCI1OUGq4fMXuzPd8jDf2sN1oXwbluJ4j1Ur/kUSVq+Osa4CjpJP6b28a
rKXTWAIPHphhuUUCAwEAAaMzMDEwDgYDVR0PAQH/BAQDAgWgMB8GA1UdIwQYMBaA
FE26R+C3EkyTC7tcy9DwRNaqLkFVMA0GCSqGSIb3DQEBCwUAA4IBAQCqtyU6GOZX
7uoDQti9KhqNtvQIR2GueBN7A9h+E6xchIReWgWEId5PXzfmwxhlbGeRuB+fxrQ0
KAsCRP5LxGz4oEU7gsnb6Gffez2urtHwd7Jhf/0pcsVzRdEQ1ZnwGlvc9WjkW37I
HdT9HVsWSotlnq66VPZLbXtnPN5QMmepuheCNl+I1uWEdtI7i+oF/18cFN1Qq8Q8
N45qS6svlMTJ/Wt4IQR8gEaQgTGPr31UPF31bPik7H9NUDJvmeiJdE1ZGbzcR/X/
1vCR71eHMXtYUOEb8G1sytiMhb4hZGbY00bmUX5UQjZY5XxJExpKtgxSN1/rSXpl
GXkJ7redVKpS
-----END CERTIFICATE-----
28 changes: 27 additions & 1 deletion spec/outputs/syslog_tls_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -109,6 +109,32 @@
context "read PEM" do
let(:options) { { "host" => "localhost", "port" => port, "protocol" => "ssl-tcp", "ssl_verify" => true } }

context "RSA certificate and private key" do
let(:options ) { super().merge(
"ssl_cert" => File.join(FIXTURES_PATH, "client.pem"),
"ssl_key" => File.join(FIXTURES_PATH, "client-key.pem"),
"ssl_cacert" => File.join(FIXTURES_PATH, "ca.pem"),
"ssl_crl" => File.join(FIXTURES_PATH, "ca-crl.pem")
) }

it "register succeeds" do
expect { subject.register }.not_to raise_error
end
end

context "EC certificate and private key" do
let(:options ) { super().merge(
"ssl_cert" => File.join(FIXTURES_PATH, "client-ec.pem"),
"ssl_key" => File.join(FIXTURES_PATH, "client-ec-key.pem"),
"ssl_cacert" => File.join(FIXTURES_PATH, "ca.pem"),
"ssl_crl" => File.join(FIXTURES_PATH, "ca-crl.pem")
) }

it "register succeeds" do
expect { subject.register }.not_to raise_error
end
end

context "invalid client certificate" do
let(:options ) { super().merge(
"ssl_cert" => File.join(FIXTURES_PATH, "invalid.pem"),
Expand All @@ -131,7 +157,7 @@
) }

it "register raises error" do
expect { subject.register }.to raise_error(OpenSSL::PKey::RSAError, /Neither PUB key nor PRIV key/)
expect { subject.register }.to raise_error(OpenSSL::PKey::PKeyError, /Could not parse PKey/)
end
end

Expand Down
Loading