idblocks: support a few other PEM formats by rouming · Pull Request #305 · virtee/sev · GitHub

idblocks: support a few other PEM formats #305


Merged 1 commit on May 5, 2025

@rouming (Contributor) commented May 5, 2025

It turns out that OpenSSL generates several types of PEM formats for private keys. The 'BEGIN PRIVATE KEY' is the PKCS8 format, but previously there was the EC 'legacy', which can still be used and generated successfully by OpenSSL. Among these, there are also encrypted PEM keys, which start with the 'BEGIN ENCRYPTED PRIVATE KEY' line and can also be used.

This patch extends support for PEM formats by adding two more: EC legacy ("BEGIN EC PRIVATE KEY") and PKCS8 encrypted ("BEGIN ENCRYPTED PRIVATE KEY").

Why bother? The following commands are all valid and generate three PEM keys:

```bash
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 -out id-block-key.pem
openssl ecparam -name secp384r1 -genkey -noout -out id-block-key.pem
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 -aes256 -out id-block-key.pem
```

but only the first one is supported by the sev library. This commit fixes the issue without any cost.

Signed-off-by: Roman Penyaev <r.peniaev@gmail.com>
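
The three PEM labels named in the description above, as an added example that is not part of the pull request or the `sev` crate: a std-only Rust sketch that maps each label to its format and cross-checks it against the leading DER bytes, so a mislabeled file is rejected instead of being handed to the wrong parser. The DER check goes beyond what the PR describes; the function names and the truncated sample bodies are constructed for illustration.

```rust
// Added example (std only), not the sev crate's code; all names are hypothetical.
#[derive(Debug, PartialEq)]
pub enum KeyFormat { Pkcs8, Sec1Ec, Pkcs8Encrypted }

/// Decode standard base64, skipping whitespace and padding; None on any other byte.
fn b64(body: &str) -> Option<Vec<u8>> {
    const T: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let (mut acc, mut bits, mut out) = (0u32, 0u32, Vec::new());
    for c in body.bytes().filter(|c| !c.is_ascii_whitespace() && *c != b'=') {
        acc = (acc << 6) | T.iter().position(|&t| t == c)? as u32;
        bits += 6;
        if bits >= 8 { bits -= 8; out.push((acc >> bits) as u8); acc &= (1 << bits) - 1; }
    }
    Some(out)
}

/// Identify the structure from the bytes that follow the outer SEQUENCE header.
fn der_shape(der: &[u8]) -> Option<KeyFormat> {
    if *der.first()? != 0x30 { return None; }
    let len = *der.get(1)?; // long form (0x81, 0x82, ...) adds that many length bytes
    let skip = if len & 0x80 != 0 { 2 + (len & 0x7f) as usize } else { 2 };
    match der.get(skip..skip + 4)? {
        [0x02, 0x01, 0x01, 0x04] => Some(KeyFormat::Sec1Ec), // version 1, then OCTET STRING
        [0x02, 0x01, _, 0x30] => Some(KeyFormat::Pkcs8), // version, then AlgorithmIdentifier
        [0x30, ..] => Some(KeyFormat::Pkcs8Encrypted), // AlgorithmIdentifier comes first
        _ => None,
    }
}

/// Accept only the three labels named in the PR, and only if the DER agrees.
pub fn classify(pem: &str) -> Result<KeyFormat, &'static str> {
    let lines: Vec<&str> = pem.lines().map(str::trim).filter(|l| !l.is_empty()).collect();
    let label = lines.first().and_then(|l| l.strip_prefix("-----BEGIN "))
        .and_then(|s| s.strip_suffix("-----")).ok_or("missing BEGIN line")?;
    if lines[lines.len() - 1] != format!("-----END {label}-----") { return Err("BEGIN/END mismatch"); }
    let claimed = match label {
        "PRIVATE KEY" => KeyFormat::Pkcs8,
        "EC PRIVATE KEY" => KeyFormat::Sec1Ec,
        "ENCRYPTED PRIVATE KEY" => KeyFormat::Pkcs8Encrypted,
        _ => return Err("unsupported label"),
    };
    let der = b64(&lines[1..lines.len() - 1].concat()).ok_or("bad base64")?;
    der_shape(&der).filter(|f| *f == claimed).ok_or("label does not match DER structure")
}

fn main() {
    // Constructed sample: leading DER bytes of a legacy EC key only, no key material.
    println!("{:?}", classify("-----BEGIN EC PRIVATE KEY-----\nMIGkAgEBBDAA\n-----END EC PRIVATE KEY-----"));
}
```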
@larrydewey (Contributor) left a comment
LGTM! Thanks!

@tylerfanelli merged commit cf3f5de into virtee:main May 5, 2025
123 checks passed