notaryproject / notary

Notary is a project that allows anyone to have trust over arbitrary collections of data
Apache License 2.0

Problems importing EC key for delegated role #1206

Open gtaban opened 7 years ago

gtaban commented 7 years ago

I have setup notary client and server and am trying to import keys for my delegated roles. I am using OpenSSL (1.0.2g)

If I create RSA keys, import works OK.

# create RSA key/cert
$ openssl req -x509 -newkey rsa:2048 -keyout test_private.pem -out test_cert.pem -days 365 -nodes -sha256

If I create EC keys, import FAILS:

# create EC private key
$ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve -outform PEM -out key.pem

# create EC certificate
$ openssl req -new -x509 -key key.pem -out cert.pem -days 730

When we import without -D, it doesn't produce any errors although the key is not listed as being imported. With -D, import fails:

$ notary -s https://notary-server:4443 -d ~/.index/trust key import ~/.index/keys/delegated_keys/recently_released_private.pem  --role targets/recently_released -D

DEBU[0000] Using the following trust directory: ~/.index/trust 
INFO[0000] failed to import key to store: Invalid key generated, key may be encrypted and does not contain path header 

I am attaching the EC keys here if that is helpful. Archive.zip

Any help would be much appreciated.

riyazdf commented 7 years ago

@gtaban: What is the header on the RSA private key?

For the EC key, could you try changing the header to BEGIN EC PRIVATE KEY? It seems that notary 0.4.3 doesn't recognize the current header

gtaban commented 7 years ago

Hi @riyazdf

Header on RSA private key is: -----BEGIN RSA PRIVATE KEY-----

I made the change to EC key and it didn't work. Does it work for you?

$ more /Users/gtaban/.index/keys/delegated_keys/recently_released_private.pem 

-----BEGIN EC PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQghH5BjQzfUWthBU2f
EHA9wDZTM2uD0W8UHxsjaIcIkp2hRANCAASwRdqC046A0uPgaI9WA+E90fiNpW19
QOnGrnlkmqkcz819yrCca66E50Mv9A3q48XSvjwozSp17Iq6451tIhRy
-----END EC PRIVATE KEY-----

$ notary -s https://notary-server:4443 -d ~/.index/trust key import /Users/gtaban/.index/keys/delegated_keys/recently_released_private.pem  --role targets/recently_released -D

DEBU[0000] Using the following trust directory: /Users/gtaban/.index/trust 
INFO[0000] failed to import key to store: Invalid key generated, key may be encrypted and does not contain path header 

gtaban commented 7 years ago

OK, so it seems the problem is the default format of the keys, which was changed in OpenSSL 1.0. From the OpenSSL 1.0 change log:

Make PKCS#8 the default write format for private keys, replacing the traditional format. This form is standardised, more secure and doesn't include an implicit MD5 dependency. [Steve Henson]

So all keys (RSA, EC, etc) that are generated using the newer OpenSSL will fail with the current Notary.

I ran the following commands to convert both an RSA key as well as EC key format from PKCS#8 to PKCS#1 and import works for both of them:

openssl ec -in ec_key.pkcs8.pem -out ec_key.pkcs1.pem
openssl rsa -in rsa_key.pkcs8.pem -out rsa_key.pkcs1.pem

I guess Notary needs to figure out what format the key is in and process differently.
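
Added example (my own code, not notary's and not from anyone in this thread) of what "figure out what format the key is in and process differently" looks like in Go, notary's language: the loader dispatches on the PEM type line, so "PRIVATE KEY" (PKCS#8, the OpenSSL >= 1.0 default), "RSA PRIVATE KEY" (PKCS#1) and "EC PRIVATE KEY" (SEC1) all parse, encrypted blocks are reported as such rather than as a generic invalid key, and a parsed key can be re-encoded in the traditional container, which is the same conversion the openssl ec / openssl rsa commands above do. It also shows why only editing the header line, as tried earlier in the thread, cannot work: the body posted above is still PKCS#8 DER (the `AgEA` right after `MIGH` is the PKCS#8 version-0 INTEGER; a SEC1 P-256 body starts `MHcCAQEE`), and relabelling it is rejected. The names LoadPrivateKey, ToTraditionalPEM, SamplePEMs and KeyFormat are mine, and the sample keys are generated in-process, not the keys attached to the issue.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// KeyFormat names the PEM container a private key was found in.
type KeyFormat string

const (
	FormatPKCS8 KeyFormat = "PKCS#8" // "PRIVATE KEY": OpenSSL >= 1.0 default
	FormatPKCS1 KeyFormat = "PKCS#1" // "RSA PRIVATE KEY": traditional RSA
	FormatSEC1  KeyFormat = "SEC1"   // "EC PRIVATE KEY": traditional EC
)

// LoadPrivateKey dispatches on the PEM type line instead of assuming one encoding,
// so PKCS#8, PKCS#1 and SEC1 keys all load; encrypted blocks get a specific error.
func LoadPrivateKey(pemBytes []byte) (crypto.PrivateKey, KeyFormat, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, "", fmt.Errorf("no PEM block found")
	}
	if _, encrypted := block.Headers["Proc-Type"]; encrypted { // legacy OpenSSL encryption
		return nil, "", fmt.Errorf("encrypted legacy PEM; decrypt it with openssl first")
	}
	var key crypto.PrivateKey
	var format KeyFormat
	var err error
	switch block.Type {
	case "PRIVATE KEY":
		key, err = x509.ParsePKCS8PrivateKey(block.Bytes)
		format = FormatPKCS8
	case "RSA PRIVATE KEY":
		key, err = x509.ParsePKCS1PrivateKey(block.Bytes)
		format = FormatPKCS1
	case "EC PRIVATE KEY":
		key, err = x509.ParseECPrivateKey(block.Bytes)
		format = FormatSEC1
	default: // includes "ENCRYPTED PRIVATE KEY", the encrypted PKCS#8 form
		return nil, "", fmt.Errorf("unsupported PEM type %q", block.Type)
	}
	if err != nil {
		return nil, "", fmt.Errorf("parsing %s key: %w", format, err)
	}
	return key, format, nil
}

// ToTraditionalPEM re-encodes a parsed key in the pre-1.0 OpenSSL container, the
// same conversion as the `openssl ec` / `openssl rsa` commands above.
func ToTraditionalPEM(key crypto.PrivateKey) ([]byte, error) {
	switch k := key.(type) {
	case *ecdsa.PrivateKey:
		der, err := x509.MarshalECPrivateKey(k)
		if err != nil {
			return nil, err
		}
		return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der}), nil
	case *rsa.PrivateKey:
		der := x509.MarshalPKCS1PrivateKey(k)
		return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: der}), nil
	default:
		return nil, fmt.Errorf("no traditional PEM form for %T", key)
	}
}

// SamplePEMs generates constructed test keys (not the keys attached to the issue):
// a P-256 key in PKCS#8 and SEC1 form and an RSA-2048 key in PKCS#1 form.
func SamplePEMs() (map[KeyFormat][]byte, error) {
	ecKey, errEC := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rsaKey, errRSA := rsa.GenerateKey(rand.Reader, 2048)
	if errEC != nil || errRSA != nil {
		return nil, fmt.Errorf("key generation failed: %v / %v", errEC, errRSA)
	}
	pkcs8, _ := x509.MarshalPKCS8PrivateKey(ecKey) // cannot fail for a fresh P-256 key
	sec1, _ := x509.MarshalECPrivateKey(ecKey)
	return map[KeyFormat][]byte{
		FormatPKCS8: pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: pkcs8}),
		FormatSEC1:  pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: sec1}),
		FormatPKCS1: pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(rsaKey)}),
	}, nil
}

func main() {
	pems, err := SamplePEMs()
	if err != nil {
		panic(err)
	}
	for _, p := range pems {
		key, format, err := LoadPrivateKey(p)
		fmt.Printf("%T loaded from %s container (err=%v)\n", key, format, err)
	}
}
```

Note that the Proc-Type check only catches the legacy OpenSSL encryption scheme; an encrypted PKCS#8 key arrives as "ENCRYPTED PRIVATE KEY" and lands in the default branch, so both kinds are refused rather than misreported as a malformed key.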

gtaban commented 7 years ago

Also, given that High Sierra has gone from OpenSSL 0.9.8zh to LibreSSL 2.2.7, the new key format will likely be more common than the traditional. Transition will take a while though...!

riyazdf commented 7 years ago

@gtaban – ah, thanks for digging into this!

We've recently merged PKCS8 support into master, if you wanted to try that :) Note: the layout of keys on disk will change, so once you upgrade to a newer version, the client will perform migrations and older versions of Notary may not be forwards-compatible.

gtaban commented 7 years ago

No worries, it was fun :-) I'll definitely give master branch a go -- once I solve my other issues!!