OpenSSL 3.0 error - rsa#set_key= #138

Closed
frantisekrokusek opened this issue Jan 16, 2023 · 7 comments

@frantisekrokusek
Contributor

frantisekrokusek commented Jan 16, 2023

Hi guys,

I was testing your library with the great https://iso20022test.credit-suisse.com/ testing accounts.

But I have got that error on client.HPB step:

OpenSSL::PKey::PKeyError: rsa#set_key= is incompatible with OpenSSL 3.0
from /Users/frokusek/.asdf/installs/ruby/3.1.3/lib/ruby/gems/3.1.0/gems/epics-2.0.0/lib/epics/client.rb:110:in `set_key'

Is that a known issue?

Thanks for your help 🙏

ruby -> ruby 3.1.3p185 (2022-11-24 revision 1a6b16756e) [arm64-darwin21]
openssl -> LibreSSL 2.8.3
epics -> 2.0.0

@tobischo
Collaborator

tobischo commented Jan 17, 2023

Interestingly, we are checking if set_key is supported before calling it for exactly that reason:

epics/lib/epics/client.rb

Lines 108 to 114 in 5e2e366

    bank = OpenSSL::PKey::RSA.new
    if bank.respond_to?(:set_key)
      bank.set_key(OpenSSL::BN.new(modulus, 2), OpenSSL::BN.new(exponent, 2), nil)
    else
      bank.n = OpenSSL::BN.new(modulus, 2)
      bank.e = OpenSSL::BN.new(exponent, 2)
    end

So unfortunately, the openssl ruby wrapper does not appear to surface that information dynamically (anymore?)

General openssl3 support was added here: #129
In that issue, the heroku-22 stack was used, which requires at least ruby 3.1, and the issue was fixed. Not sure which exact version of openssl was used there, but I would guess that it might not have been LibreSSL.

@tobischo
Collaborator

tobischo commented Jan 17, 2023

Trying to run lines 108 and line 110 (with admittedly random input) on a Silicon Mac with LibreSSL 3.3.6 and ruby 3.1.3 also works.
OpenSSL::VERSION identifies itself as 3.0.1

Edit: I think I installed the ruby version with its own OpenSSL, which would result in Ruby not using libressl

With that it actually works correctly, so I am pretty confident that the issue is LibreSSL

@frantisekrokusek
Contributor Author

frantisekrokusek commented Jan 31, 2023

Thanks a lot @tobischo
Even with your suggestions I can't make it work and OpenSSL ruby gem states clearly that set_key is not available.
(tried replacing LibreSSL with OpenSSL 3.0.7 1 Nov 2022)

  • Deprecate the ability to modify OpenSSL::PKey::PKey instances. OpenSSL 3.0
    made EVP_PKEY structure immutable, and hence the following methods are not
    available when Ruby/OpenSSL is linked against OpenSSL 3.0.
    [GitHub #480]
    - OpenSSL::PKey::RSA#set_key, #set_factors, #set_crt_params
    - OpenSSL::PKey::DSA#set_pqg, #set_key
    - OpenSSL::PKey::DH#set_pqg, #set_key, #generate_key!
    - OpenSSL::PKey::EC#private_key=, #public_key=, #group=, #generate_key!

The only way I was able to make it work is to replace the set_key with from_parameters implemented in a fork of @anakinj here

@tobischo
Collaborator

So the method is technically there, which is why respond_to?(:set_key) is going to return true, however not usable.

That means we'd need a different way of differentiating this properly

@anakinj

anakinj commented Jan 31, 2023

Hi, thanks for the mention, interesting stuff going on here :)

This problem, as you discovered, was introduced via the major version upgrade of OpenSSL from 1.1 -> 3.0, making the PKey immutable.

The proposed solution I've been working on is visible on ruby/openssl#555 and will make it a little easier to create keys from raw parameters.

But until that is available, a way to create these keys is by generating the DER representation of the parameters and creating the key based on that. An example on how ruby-jwt solved this issue

@tobischo
Collaborator

tobischo commented Feb 7, 2023

@frantisekrokusek Please take a look at #140 and check if that would work for you

@anakinj your input would also be appreciated.

@tobischo
Collaborator

tobischo commented Apr 15, 2023

Feedback on #140 was positive. Merged, tagged as 2.1.1. Will close the issue.

Unfortunately I still don't have permission to release to rubygems
