Read pkcs#8 private keys encrypted using FIPS-compliant openssl #4

Open
ycombinator opened this issue Dec 30, 2020 · 7 comments
Labels
enhancement New feature or request

Comments

@ycombinator

Describe the enhancement:

Currently, the tlscommon.ReadPEMFile function is able to read encrypted PKCS#8 private keys created using a non-FIPS-compliant openssl. Such keys look like this:

-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,065B7536137462AFB30E8508CAA2EE88

BASE64 ENCODED DATA
-----END EC PRIVATE KEY-----

However, if the private key is encrypted using a FIPS-compliant openssl, the tlscommon.ReadPEMFile function is unable to parse it. Such keys look like this:

-----BEGIN ENCRYPTED PRIVATE KEY-----
BASE64 ENCODED DATA
-----END ENCRYPTED PRIVATE KEY-----

Describe a specific use case for the enhancement or feature:

To allow FIPS-compliant openssl created PKCS#8 private keys to be used with Beats.

@ycombinator added the enhancement label Dec 30, 2020
@elasticmachine

Pinging @elastic/integrations-services (Team:Services)

@ycombinator
Author

Some notes from @urso:

Unfortunately the Go crypto libraries do not support encrypted pkcs#8: golang/go#8860

PKCS#8 itself is just a container format. There is a lib trying to implement decryption (https://github.com/youmark/pkcs8), but not all ciphers might be supported as it is based on dependencies for PKCS#5.

We need to test with certificates and actually figure out which ciphers are supported + documentation.
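
To make the difference between the two key formats above concrete, and to show where the cipher of an encrypted PKCS#8 key is recorded, here is an added Go example (not code from Beats or the pkcs8 library). `DescribeKey` and `samplePKCS8` are hypothetical names, the sample key is constructed with placeholder ciphertext, and nothing is decrypted; the example only reads the algorithm identifiers.

```go
package main
import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
)

type algID = pkix.AlgorithmIdentifier
type encryptedKeyInfo struct { // EncryptedPrivateKeyInfo, RFC 5958
	Algo algID
	Data []byte
}
type pbes2Params struct{ KDF, Cipher algID } // PBES2-params, RFC 8018
var oidPBES2 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 5, 13}

// DescribeKey (hypothetical helper) reports how a PEM private key is protected.
func DescribeKey(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	switch {
	case block == nil:
		return "", fmt.Errorf("no PEM block found")
	case block.Headers["Proc-Type"] == "4,ENCRYPTED": // legacy PEM-level encryption
		return "legacy PEM encryption, DEK-Info " + block.Headers["DEK-Info"], nil
	case block.Type != "ENCRYPTED PRIVATE KEY":
		return "not encrypted: " + block.Type, nil
	}
	info, p := encryptedKeyInfo{}, pbes2Params{}
	if rest, err := asn1.Unmarshal(block.Bytes, &info); err != nil || len(rest) > 0 {
		return "", fmt.Errorf("malformed EncryptedPrivateKeyInfo")
	}
	if !info.Algo.Algorithm.Equal(oidPBES2) { // some other scheme, e.g. PBES1
		return "PKCS#8, scheme OID " + info.Algo.Algorithm.String(), nil
	}
	if _, err := asn1.Unmarshal(info.Algo.Parameters.FullBytes, &p); err != nil {
		return "", fmt.Errorf("malformed PBES2 parameters: %w", err)
	}
	return fmt.Sprintf("PKCS#8 PBES2, KDF OID %s, cipher OID %s", p.KDF.Algorithm, p.Cipher.Algorithm), nil
}

// samplePKCS8 is constructed input: real OIDs, no KDF/cipher parameters, placeholder ciphertext.
func samplePKCS8() []byte {
	kdf := algID{Algorithm: asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 5, 12}}     // PBKDF2
	enc := algID{Algorithm: asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 1, 42}} // AES-256-CBC
	params, _ := asn1.Marshal(pbes2Params{kdf, enc})
	scheme := algID{Algorithm: oidPBES2, Parameters: asn1.RawValue{FullBytes: params}}
	der, _ := asn1.Marshal(encryptedKeyInfo{scheme, []byte("constructed")})
	return pem.EncodeToMemory(&pem.Block{Type: "ENCRYPTED PRIVATE KEY", Bytes: der})
}
func main() { fmt.Println(DescribeKey(samplePKCS8())) }
```

Running the same function over real key files gives the KDF and cipher OIDs that a decryption library would have to support.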

@ycombinator changed the title from "Implement tlscommon function to read encrypted pkcs#8 private keys encrypted using FIPS-compliant openssl" to "Read pkcs#8 private keys encrypted using FIPS-compliant openssl" Dec 30, 2020
@botelastic

botelastic bot commented Jan 27, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@jlind23

jlind23 commented Mar 31, 2022

Backlog grooming: Closing it until further needs.

@jlind23 closed this as not planned Mar 31, 2022
@elasticmachine

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@michel-laterman

@ycombinator, we may want to re-open this as part of elastic-agent fips work, however it should probably be moved to our fork: https://github.com/elastic/pkcs8/

cc @cmacknz

@michel-laterman transferred this issue from elastic/beats Dec 30, 2024
@michel-laterman

After a conversation with @cmacknz, this issue should be reopened but we do not expect it to be in scope for our current efforts.
