[
https://issues.apache.org/jira/browse/KUDU-3207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17298362#comment-17298362
]
ASF subversion and git services commented on KUDU-3207:
-------------------------------------------------------
Commit 29f294c3d6f998830b12fe675af70dba610ce34d in kudu's branch
refs/heads/master from Attila Bukor
[ https://gitbox.apache.org/repos/asf?p=kudu.git;h=29f294c ]
KUDU-3207 Switch RSA private key format to PKCS#8
When Kudu writes a private key in PEM format, it uses RSAPrivateKey
family, which doesn't specify the output format, meaning it's up to
OpenSSL to decide the format it uses. There are several private keys in
the tests stored in PKCS#1 format which are string matched against. If
OpenSSL uses PKCS#8, such as in case of the FIPS-approved environment I
used, these assertions fail.
This commit changes the private key format to PKCS#8, re-enables the
test that was skipped in FIPS-approved mode as a workaround, and changes
all test private keys that were stored in PKCS#1 to PKCS#8. The actual
keys weren't changed, only the storage format.
I ran all tests manually in a non-FIPS environment (CentOS 7.9.2009 with
OpenSSL 1.0.2k-fips, fips mode off) and a FIPS environment (CentOS
7.8.2003 with OpenSSL 1.0.2v-fips, fips mode on).
Change-Id: Ie46fd4f0b8bafcbe606a444e31c9af9e09291e64
Reviewed-on: http://gerrit.cloudera.org:8080/17163
Reviewed-by: Alexey Serbin <aser...@cloudera.com>
Reviewed-by: Grant Henke <granthe...@apache.org>
Tested-by: Attila Bukor <abu...@apache.org>
> Standardize RSA private key format
> ----------------------------------
>
> Key: KUDU-3207
> URL: https://issues.apache.org/jira/browse/KUDU-3207
> Project: Kudu
> Issue Type: Improvement
> Reporter: Attila Bukor
> Assignee: Attila Bukor
> Priority: Minor
> Labels: OpenSSL, security
>
> Currently, Kudu stores RSA private keys in PEM format using
> PEM_write_bio_RSAPrivateKey(), which doesn't specify the format in which the
> key is stored. It expects it to be PKCS #1 (BEGIN/END RSA PRIVATE KEY), but
> it seems there are some OpenSSL versions (CryptoComply) that use PKCS #8
> instead (BEGIN/END PRIVATE KEY). {{CryptoTest.RsaPrivateKeyInputOutputPEM}}
> fails due to this, as it compares the private key to an expected string,
> which is in PKCS #1 format. The read functions are explicitly said to handle
> any known format, so this shouldn't cause any issues, but it would still be
> nice to standardize on a single format (probably PKCS #8).
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
