Fix parsing EC private keys with EC parameters

[dbussink]

The logic used with OpenSSL 1.1.1 allows for parsing private keys with EC parameters in the PEM format. The OpenSSL 3.0 logic doesn't allow for this and breaks loading these types of private keys.

The parsing loop here is changed to continue parsing PEM blocks also if it succeeds to parse a PEM block, like for EC parameters. We want to ensure that all valid PEM blocks are loaded, not only the first one.

Combined with it also trying to parse non valid PEM bits, it means we always want to continue parsing until we hit EOF on the BIO, or if we no longer see progress. These two checks were already implemented, so all that's needed is to unconditionally try to grab all PEM blocks.

[dbussink]

I realized there's also another bug. If the data is only the EC parameters, we don't trigger a parser error since the private key will be a partial filed structure with the type setup correctly, but no public nor private key data is then present. So it returns an unusable OpenSSL::PKey object.

I think ossl_pkey_read_generic also needs to do some basic validations in the OpenSSL 3.0 path to check if the key is a valid key then.

[dbussink]

I think ossl_pkey_read_generic also needs to do some basic validations in the OpenSSL 3.0 path to check if the key is a valid key then.

I've looked more at this and it only seems possible with EC keys, so I added a validation check. But not sure if that's desired, so also fine to drop that if that's better then.

[dbussink]

Looks like #527 is somewhat related, as that would provide easier ways of checking if it's a valid public or private key compared to what is done here.

[rhenium]

Interesting. Is it a commonly used format? I didn't think of a case where the input contains two decodable PEM blocks into OpenSSL::PKey::PKey.

(Note that in the example input, EC PARAMETERS/ECParameters structure is actually redundant because the following EC PRIVATE KEY/ECPrivateKey structure repeats the same ECParameters structure in it. [To be exact, the ECParameters portion within an ECPrivateKey is optional according to the original specification SECG SEC 1, but it is required by OpenSSL's API and later IETF RFCs.])

Technically speaking, the result of decoding EC PARAMETERS is a proper OpenSSL::PKey::EC object, equivalent of OpenSSL::PKey::EC.new("prime256v1") or OpenSSL::PKey::EC.new(OpenSSL::PKey::EC::Group.new("prime256v1")).

It is expected itself that ruby/openssl now decodes EC PARAMETERS PEM block. (cf. 867e5c0, DHParameters and ECParameters fall into the same category.)

[rhenium]

The current change in #527 appears to revert the behavior, as it will scan input string repeatedly attempting to decode it as private key -> public key -> parameters, in order, but this is more of a side-effect. I had no choice due to the lack of openssl/openssl#9467 in OpenSSL 3.0.

[dbussink]

Interesting. Is it a commonly used format? I didn't think of a case where the input contains two decodable PEM blocks into OpenSSL::PKey::PKey.

I think it's fairly standard, the simplest openssl invocation it does it by default:

$ openssl ecparam  -name prime256v1 -genkey
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIMUoBGN1tPaCCRHL8wCQeaitV/p5rnMJqP7e0Gk7qVqPoAoGCCqGSM49
AwEHoUQDQgAEJxUvwDPujh79kRFlyOENwgYvV1N+/DFO8Ofxun4grp31MIWjwmv1
9JvKtO0+K4HYKjNgiCrF38005Ta7918ebA==
-----END EC PRIVATE KEY-----

I imagine people do regularly put that in a file then and expect it to work when it's being loaded. It also does work with the OpenSSL 1.1.1 implementation. Our problem is that we deal with user provided keys in this situation so handling different formats including a format with EC parameters makes things more robust.

Otherwise we'd have to filter out EC parameters manually before we pass it to Ruby OpenSSL for systems on OpenSSL 3.0.

[dbussink]

The current change in #527 appears to revert the behavior, as it will scan input string repeatedly attempting to decode it as private key -> public key -> parameters, in order, but this is more of a side-effect. I had no choice due to the lack of openssl/openssl#9467 in OpenSSL 3.0.

Ah, if that also (somewhat accidentally) fixes the behavior, I'm all for that fix. Probably still good to add a test for this to avoid a future regression then?

[rhenium]

I think it's fairly standard, the simplest openssl invocation it does it by default:

$ openssl ecparam  -name prime256v1 -genkey
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIMUoBGN1tPaCCRHL8wCQeaitV/p5rnMJqP7e0Gk7qVqPoAoGCCqGSM49
AwEHoUQDQgAEJxUvwDPujh79kRFlyOENwgYvV1N+/DFO8Ofxun4grp31MIWjwmv1
9JvKtO0+K4HYKjNgiCrF38005Ta7918ebA==
-----END EC PRIVATE KEY-----

Hmm. I didn't know about this behavior. This seems odd to me and it is even inconsistent with the DSA counterpart openssl dsaparam, which won't print a DSA parameters PEM block if -genkey is specified... But I can see this command would be widely used compared to other command, openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1.

I agree the format should work as it did in previous versions of ruby/openssl.

[rhenium]

I created an alternative PR for this at #540. It doesn't actively reject "EC PARAMETERS" PEM but looks for the private key PEM block first, like OpenSSL <= 1.1 code (or #527 accidentally) did.

[dbussink]

Closing in favor of #540