-
Notifications
You must be signed in to change notification settings - Fork 108
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KeyPair::from_pem detects incorrect algorithm? #193
Comments
Hmmm that's interesting. SHA-512 is supposed to be supported. |
Could this be coming from https://github.com/rustls/rcgen/blob/main/rcgen/src/key_pair.rs#L163? if let Ok(rsakp) = RsaKeyPair::from_pkcs8(pkcs8) {
(KeyPairKind::Rsa(rsakp, &signature::RSA_PKCS1_SHA256), &PKCS_RSA_SHA256)
} I do not know the code-base well enough, but I read this as if |
mhh yeah good point, you have to use |
Wouldn't it be possible to auto-detect this?
…On Mon, Dec 4, 2023, 21:41 est31 ***@***.***> wrote:
mhh yeah good point, you have to use from_der_and_sign_algo instead in
this instance.
—
Reply to this email directly, view it on GitHub
<#193 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AABIM6PKWDRBTIZWJBESE5DYHY7QZAVCNFSM6AAAAABAGGJSXWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMZZGUZDKNRTHA>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
My current work-around is: use std::fs::read_to_string;
fn main() {
let cert = read_to_string("rootCA.crt").unwrap();
let private_key_s = read_to_string("rootCA.key").unwrap();
let private_key = rcgen::KeyPair::from_pem(&private_key_s).unwrap();
println!("KeyPair alg: {:?}", private_key.algorithm());
let params = rcgen::CertificateParams::from_ca_cert_pem(&cert, private_key).unwrap();
println!("Params alg: {:?}", params.alg);
let private_key = rcgen::KeyPair::from_pem_and_sign_algo(&private_key_s, params.alg).unwrap();
println!("KeyPair alg: {:?}", private_key.algorithm());
let params = rcgen::CertificateParams::from_ca_cert_pem(&cert, private_key).unwrap();
println!("Params alg: {:?}", params.alg);
if let Err(e) = rcgen::Certificate::from_params(params) {
println!("Error: {}", e);
} else {
println!("All good :-)")
};
} This outputs:
Hopefully the automatic algorithm detection can be fixed. |
That's also a nice approach... I'm not sure ring's APIs allow auto-detection like the one we need, outside of starting trial encryptions/decryptions, which are time-intensive. |
How to reproduce
Test certificates
Working certificates (-sha256 option)
Failing certificates (-sha512 option)
Code
Test results
If using the
-sha256
certificate files, the output is:If using the
-sha512
certificate files, the output is:Is this expected?
The text was updated successfully, but these errors were encountered: