-
Notifications
You must be signed in to change notification settings - Fork 446
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add PEM support #587
base: develop
Are you sure you want to change the base?
Add PEM support #587
Conversation
28722e4
to
76f91c2
Compare
76f91c2
to
bcb5890
Compare
5e59a9d
to
3672210
Compare
f486b8c
to
abbeeaa
Compare
@karel-m do you maybe have time to review this? otherwise I'll merge it in the next days |
abbeeaa
to
928d673
Compare
In my perl module test suite I have these (the password is: secret)
Do we want to support them? |
I see these warnings
|
Yeah, something is lost somewhere ... currently looking into it. |
928d673
to
e1cf275
Compare
49ed020
to
4afb4dd
Compare
If we want to support even more ciphers here is how you can generate more test vectors via openssl
|
I've also added support for FYI |
hmm, I'll have a look |
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
Valgrind 3.15.0 on Ubuntu 20.04 reports a false positive [0] ``` ==7922== Conditional jump or move depends on uninitialised value(s) ==7922== at 0x461F0C: s_decode_header (pem_ssh.c:316) [...] ``` Simply suppress this false positive. [0] https://github.com/libtom/libtomcrypt/actions/runs/6507805191/job/17676616149?pr=587 Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
The design before was not completely fine. The user had to allocate the buffer and passed ownership to the library. As of [0] this seems to be a problem in some environments. [0] #587 (comment) Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
d9230d5
to
1ca9a80
Compare
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
The design before was not completely fine. The user had to allocate the buffer and passed ownership to the library. As of [0] this seems to be a problem in some environments. [0] #587 (comment) Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
This reverts commit 3db6e798830ca51b179909e8c8cff7e77c2f494e.
The user can now pass a `free()` function pointer that will be used to free the memory that has been allocated by the `callback()`. If `free()` is NULL, the library will still call `XFREE()`. Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
1. ChaCha20, two-key 3DES and DES-X encrypted OpenSSL PEM files 2. AES-GCM and Chacha20+Poly1305 encrypted SSH keys * OpenSSH uses a slightly different algorithm for its `chacha20-poly1305@openssh.com` than defined in the RFC. Therefore add an `openssh_compat` flag to `chacha20poly1305_state`. * Add the option to give a 16byte IV and no counter, when calling `chacha20poly1305_memory()` * Add support for DES-X Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
101d8bb
to
f08118c
Compare
This also changes the requirements when calling `ecc_find_curve()` that the `cu` argument can be NULL. Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
Fixup of 5ad1681 Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
f08118c
to
d1bfeef
Compare
@karel-m any chance you're gonna have time to finish the integration? I tried to fix CryptX but couldn't find where it goes wrong :( I updated the libtom parts via 0001-Provide-a-dummy-free-function-for-the-password-callb.patch.txt After that I'm stuck with |
Checklist
Summary
This adds support to decode most variations of PEM files.
Changes to existing public APIs
The following public APIs have been changed. None of those APIs have been officially released.
ed25519_import_pkcs8()
ecc_import_pkcs8()
rsa_import_pkcs8()
x25519_import_pkcs8()
New public APIs and structs
structs
typedef struct password_ctx
- astruct
containing a call-back function that will be called once a password is required and the according opaqueuserdata
pointer usually providedtypedef struct ltc_pka_key
- aunion
containing all supported PK keysPKCS#8 APIs
dh_import_pkcs8()
dsa_import_pkcs8()
PEM bytewise APIs
pem_decode()
pem_decode_pkcs()
pem_decode_openssh()
PEM
FILE
-based APIspem_decode_filehandle()
pem_decode_pkcs_filehandle()
pem_decode_openssh_filehandle()
New demos
openssh-privkey
- not really a usable demo, more like a historical artifact of what this started fromDetails
It brings support for:
authorized_keys
format not supported yet)All supported PK crypto algorithms can be decoded: