problem with AES-256-CBC private key

[daniel-deluca]

Hi there, I've found your very useful Elixir lib but I'm facing with an issue when I'm using AES-256-CBC private keys

Test case that fails: test/ex_public_key_test.exs insert at line : 32 "-aes256",

so instead of

# generate a passphrase protected RSA private key with openssl
    System.cmd("openssl", [
      "genrsa",
      "-out",
      rsa_secure_private_key_path,
      "-passout",
      "pass:#{rand_string}",
      "2048"
    ])

we have now

# generate a passphrase protected RSA private key with openssl
    System.cmd("openssl", [
      "genrsa",
      "-aes256",
      "-out",
      rsa_secure_private_key_path,
      "-passout",
      "pass:#{rand_string}",
      "2048"
    ])

and the test mix test test/ex_public_key_test.exs:79 fails

  1) test read secure RSA keys (ExPublicKeyTest)
     test/ex_public_key_test.exs:79
     ** (CaseClauseError) no case clause matching: {:error, %FunctionClauseError{args: nil, arity: 4, clauses: nil, function: :decode, kind: nil, module: :pubkey_pbe}, [{:pubkey_pbe, :decode, [<<43, 180, 39, 134, 179, 160, 115, 204, 207, 162, 100, 17, 226, 84, 197, 254, 3, 10, 68, 212, 144, 49, 120, 150, 239, 201, 223, 214, 213, 157, 39, 151, 17, 109, 42, 106, 193, 217, 176, 117, 244, 187, ...>>, 'KLvk', 'AES-256-CBC', <<246, 36, 62, 81, 225, 191, 64, 102, 55, 197, 38, 121, 69, 244, 140, 46>>], [file: 'pubkey_pbe.erl', line: 59]}, {:public_key, :do_pem_entry_decode, 2, [file: 'public_key.erl', line: 1103]}, {ExPublicKey, :load_pem_entry, 2, [file: 'lib/ex_public_key.ex', line: 128]}, {ExPublicKey, :load_pem_entry, 2, [file: 'lib/ex_public_key.ex', line: 122]}, {ExPublicKey, :loads, 2, [file: 'lib/ex_public_key.ex', line: 94]}, {ExPublicKey, :loads!, 2, [file: 'lib/ex_public_key.ex', line: 107]}, {ExPublicKeyTest, :"test read secure RSA keys", 1, [file: 'test/ex_public_key_test.exs', line: 81]}, {ExUnit.Runner, :exec_test, 1, [file: 'lib/ex_unit/runner.ex', line: 306]}, {:timer, :tc, 1, [file: 'timer.erl', line: 166]}, {ExUnit.Runner, :"-spawn_test/3-fun-1-", 4, [file: 'lib/ex_unit/runner.ex', line: 245]}]}
     code: secure_rsa_priv_key = ExPublicKey.loads!(secure_priv_key_string, context[:passphrase])
     stacktrace:
       (ex_crypto) lib/ex_public_key.ex:107: ExPublicKey.loads!/2
       test/ex_public_key_test.exs:81: (test)

if you replace "-aes256" with "-aes128" . test/ex_public_key_test.exs is OK

Any idea? Many thanks in advance Daniel

[ntrepid8]

Interesting, what versions of Elixir, Erlang, and OpenSSL are you using?

[daniel-deluca]

Erlang/OTP 20 [erts-9.2] [source] [64-bit] [smp:4:4] [ds:4:4:10] [async-threads:10] [hipe] [kernel-poll:false] [dtrace]

Elixir 1.6.0 (compiled with OTP 20)

Erlang : 20.2.2

LibreSSL 2.2.7

[ntrepid8]

Does the openssl command run on your system with the same arguments and not produce the error?

[daniel-deluca]

openssl genrsa -aes256 -out rsa_secure_private.pem -passout pass:123456 2048 openssl rsa -in rsa_secure_private.pem Enter pass phrase for rsa_secure_private.pem: writing RSA key -----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEA0HZ70HME/G38kS9axeSqlSk3V9EnJHCbN/f0PLLR1wrjKmtr 7+C1odMb2MuuiF4IKn9mHwH6PvDRNZHtMlbeqKSo/bLlWPySlj7arZHIEA00BFi8 lRr2APn8JRgF39WFr1xxudpCrNP0TtlJAKESAusXum9IUCYGbmuPiatx2SezaOMX Uag/ESZabs0yZWSWaBZWbABfBprkMGaOYpFLbLKioESXt+utcAkuzPTdJ9CuajgX q5bYV2gL2+fsu+G6a65hpafRRLWjkjCpQZBPUCf6xoRtdUCBoy3ecT7zkYmn7b3u HNtpSpBFCwMLruwrXoPj0d0NBilKoIsctsBquQIDAQABAoIBABIj7VxTVgC9dXgQ 3d5QqsN2Jbm/mp9iKS+ypQ9PJFGJQgFj/a2PKV8eptKzzslRHXbNRU63dlZZ0GrP +wshYhjc01PYaHrY58ypRZBLGlTDQV6LdkWnZfbpyhZUQ9aZlxuOeNsKcjjl7OGb qO2kFpQobxUrL+jBllevhnsdbzfNQ2WGTEn+Va1woX+cFyZD5Fw6PtPlKBZF7HMv DK6Lvbx30QOv3w6bgwQtVpqSt9i9B1Vy2vVc+FgJbCKnRMiryz0n9/BBK2xomSp3 k0um/hSRtYIq1GDiYQjipp9wl2TGG0reAAOAvatPhze8APZX1+fJ0OZVOoMeqYt/ XHTMkv0CgYEA70CGc17CLmnGNDxliqZVkSGLPTJ4beFbZuOZXS8VZCEFvps0ztnW QKiSf/KOxmi/R4dR3DrasIX5QaVH+TkEJ/5ga4wg076dLj1rmuz5QfqGc31bAo9L RyRBRSWD7Ti8eEXDd41NOeI4Du6pA5fZPU1qV0LGDROKEUxY9kevx5MCgYEA3w40 m60dHQIgaPr8Yda2j9dqr7rmnOpDireGOrDWylVBuEaPMKxpSzdmZfU6TbbnYgRV OTskIX0NdqwUjWRnsss/R0sUW/GO2UuURc12VxsyBYSrQYYWLi83UMvsRm511HGP aLZlJjP+2/ZpLDW92tN67TKRjYLL5zhp/mLPHAMCgYAr+NL9L0RHHX+lKBiNhAaj 9uNNaxJBN7MB1QDh5H5s+bjBkGsDPXwoRBMw2tas1qGZNuCvtk1tNiJak1MIFheS dikoewepgxYGYpl9TuJ84tuFLFvmu4ldWOd6GuwFVHEnNcM4HMs9wTsGW4zKsUTn BGxv/0DBNH8isMKE+SXwawKBgDGcBzdYmVEKWAsBR4C7MH9tedz7xK7Bq6P+jWwg SKVXsPY7Oz2oGwMPn0at8/m05GF4dTv1W2PXXFc4jpmj6yxo5/oDSNPqNcs+dAvS Vq+o7Mctaql4GRbMiZD+yd4gUzSczTiM2JJWniht9ZZPnZo9zulShezjWlZixbA+ abHhAoGAWIf74mddVbgMhZC6Cql6dGu71NBnM4JpbLmRVUqa38iYCu5tiSdhib1r 7uIlKYNeTpZipr7tzROIxGrNtx4ggY6UeYoo5UOmL68fHK9j4f7oWK8KlgsCmbFE 6BtZJcltYUcP3A6fb1F9rpjsyPOfYEukT74iXm/EU9HWQPR4dvc= -----END RSA PRIVATE KEY-----

[ntrepid8]

I have an idea what might be going on, I'll check and see, then post back here.

[ntrepid8]

I think this may be a limitation of the underlying public_key Erlang library. We use this function to decode the PEM entry for the encrypted private key:

• http://erlang.org/doc/man/public_key.html#pem_entry_decode-2

I don't see a way to pass it any options to let it know the pem_entry argument is encrypted using AES256. If we wanted to support that option we might need to write a step to decrypt the key first and then pass it in the clear to :public_key.pem_entry_decode/1.

Is that something you would want to take a crack at in a pull-request? If not I might have some time to tackle it in the next week or so.

[daniel-deluca]

I'm not an Erlang specialist and this is not blocking me at the moment, so I can wait.

[bdusauso]

It seems that Erlang implements PKCS#5 v2.0 against RFC-2898. Support for AES-256-CBC was added later in RFC-8018 v2.1.

I don't know exactly at what points they differ but I'm quite sure the Erlang team will take some time to implement it.

So, at this point, I think there's nothing we can do.