Migrated from rt.cpan.org#47447 (status was 'open')
From @hachi on 2009-06-29 22:37:22:
I'd like to be able to load encrypted private keys using this module. I've implemented at least one way to do this, and the patch is attached. Is it possible for this to get into the released module?
From iroberts+perl@red-bean.com on 2009-11-01 18:23:24:
This looks like a good start, but it seems incomplete. If the module can read encrypted passwords, it should also be able to write them; this would also allow for adding unit test coverage of your new methods to t/rsa.t. Finally, it would be good to add perldoc to RSA.pm.
From sog@msg.com.mx on 2011-04-13 22:21:25:
I just uploaded to CPAN a new Crypt::OpenSSL::Common module.
Among other things, it properly initializes the openssl libraries, which means that Crypt::OpenSSL::RSA can now load encrypted private keys without any code modifications, using openssl's default prompting.
Please give it a try, and report to me any success/failures.
Thanks.
Sortiz.
From daveh@hodgkinson.org on 2015-01-19 06:13:15:
Not relevant to this module.
From toddr@cpan.org on 2015-01-19 17:19:02:
Most recent comment in the ticket implies we uploaded a fix in 2011 with no reply.
From tlhackque@yahoo.com on 2016-01-02 19:23:02:
On Mon Jan 19 12:19:02 2015, TODDR wrote:
> Most recent comment in the ticket implies we uploaded a fix in 2011
> with no reply.
I'm not the original reporter, but I thought I'd reopen this bug rather than file a new one.
I agree that it would be useful to be able to read and write encrypted keys.
I disagree with the "implied fix" because the description of Crypt::OpenSSL::Common says:
"For example, the Crypt::OpenSSL::RSA's new_private_key class method now can handle encrypted private keys in the same way the C API does, ie. prompting the user for the pass phrase used to protect the private key"
Crypt::OpenSSL::RSA is useful in CGI scripts and other places where prompting is not possible. Well, I suppose one could redirect stdin & ignore the prompts -- but at that point, one might as well run an "openssl rsa" command in a subprocess.
A solution to the problem would be of the form:
new_private_key( $pem, [$password] ) and get_private_key_string( $encryption_method, $password ) (e.g. DES-EDE3-CBC, or perhaps a friendly alias...)
Obviously, undef or omitted arguments should produce unencrypted keys as currently. (Supplying an un-needed password when reading can be ignored.)
An encrypted private key file looks like:
I'm not an XS coder, but here are some pointers that ought to be useful:
https://www.openssl.org/docs/manmaster/crypto/pem.html describes the password callback routines.
Crypt::OpenSSL::CA contains Crypt::OpenSSL::CA::PrivateKey, which knows how to read an encrypted PEM key. Unfortunately, it doesn't provide a means to export the key (encrypted or decrypted).
Thanks for your (re-)consideration.
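
The "openssl rsa" subprocess workaround mentioned in the last comment, written out as an added example; it is not code from Crypt::OpenSSL::RSA or from anyone in this ticket. The names load_private_key, private_key_string, _openssl_rsa and the KEY_PASSPHRASE variable are hypothetical, and an openssl binary on PATH is assumed.

```perl
use strict;
use warnings;
use IPC::Open2 qw(open2);
use Crypt::OpenSSL::RSA;

# Hypothetical helper: pipe a PEM key through "openssl rsa" with extra
# arguments and return what it writes to stdout.
sub _openssl_rsa {
    my ($pem, $passphrase, @args) = @_;
    # The passphrase travels in the child's environment, not on argv,
    # so it does not show up in process listings.
    local $ENV{KEY_PASSPHRASE} = $passphrase;   # variable name is arbitrary
    my $pid = open2(my $out, my $in, 'openssl', 'rsa', @args);
    print {$in} $pem;        # a PEM key fits well within the pipe buffer
    close $in;
    my $result = do { local $/; <$out> };
    close $out;
    waitpid $pid, 0;
    die "openssl rsa failed (wrong passphrase or malformed key)\n"
        if $? != 0 || !defined $result || $result !~ /-----BEGIN /;
    return $result;
}

# Read side, shaped like the proposed new_private_key( $pem, [$password] ).
sub load_private_key {
    my ($pem, $passphrase) = @_;
    my $encrypted = $pem =~ /^Proc-Type: 4,ENCRYPTED/m
                 || $pem =~ /^-----BEGIN ENCRYPTED PRIVATE KEY-----/m;
    # A passphrase supplied for an unencrypted key is ignored.
    return Crypt::OpenSSL::RSA->new_private_key($pem) unless $encrypted;
    die "key is encrypted but no passphrase was supplied\n"
        unless defined $passphrase && length $passphrase;
    return Crypt::OpenSSL::RSA->new_private_key(
        _openssl_rsa($pem, $passphrase, '-passin', 'env:KEY_PASSPHRASE'));
}

# Write side: an omitted passphrase yields an unencrypted key, as today.
sub private_key_string {
    my ($rsa, $passphrase) = @_;
    my $pem = $rsa->get_private_key_string();
    return $pem unless defined $passphrase && length $passphrase;
    return _openssl_rsa($pem, $passphrase,
        '-des3', '-passout', 'env:KEY_PASSPHRASE');
}

# Round trip with a freshly generated key and a constructed passphrase.
my $rsa  = Crypt::OpenSSL::RSA->generate_key(2048);
my $enc  = private_key_string($rsa, 'example-passphrase');
my $back = load_private_key($enc, 'example-passphrase');
print $back->get_public_key_string() eq $rsa->get_public_key_string()
    ? "round trip ok\n" : "mismatch\n";
```

In a CGI or daemon context the passphrase would come from a protected configuration source rather than a literal, and openssl's status messages on stderr end up in the server's error log.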