OpenSSL::PKey::EC.new(nil).generate_key fails with OpenSSL::PKey::PKeyError
ys opened this issue
I am upgrading a project using the r509 gem.
The gem uses generate_key to get EC private keys.
But it looks like here we redirect that method to generate_key! which throws the error.
Should we have a new generator for it? No idea what it would look like.
[5] pry(main)> OpenSSL::PKey::EC.new(nil).generate_key!
OpenSSL::PKey::PKeyError: pkeys are immutable on OpenSSL 3.0
from (pry):5:in `generate_key!'
[6] pry(main)> OpenSSL::PKey::EC.new(nil).generate_key
OpenSSL::PKey::PKeyError: pkeys are immutable on OpenSSL 3.0
from (pry):6:in `generate_key!'
openssl/ext/openssl/ossl_pkey_ec.c
Line 1642 in 27237de
Methods on OpenSSL::PKey::{RSA,DSA,DH,EC} that modify the receiver object will not work if ruby/openssl is compiled against OpenSSL (the C library) 3.0 or later. This is a backwards-incompatible change introduced by OpenSSL 3.0 and there is nothing ruby/openssl can do.
Instead of OpenSSL::PKey::EC.new(group_name).generate_key!, please use OpenSSL::PKey::EC.generate(group_name).
The library is actually using generate_key and not generate_key!. The issue is that for this one it looks like generate_key is aliased to generate_key! for EC.
Yes it is an alias. EC#generate_key was renamed to EC#generate_key! (in 2016, for parity with DH#generate_key!) and the old name was kept as an alias. EC#generate_key always modified the receiver.
Oh I see, I misread the error message. I guess OpenSSL::PKey.generate_key is the one to use, not the key-specific ones anymore. Is that correct?
Thanks a lot for your help and time on this :) This all makes sense. Will open a PR on that r509 gem to modify its usage.
Yes, the following methods will continue to work and do the same thing:
OpenSSL::PKey.generate_key("EC", "ec_paramgen_curve" => "prime256v1") (the manpage openssl-genpkey(1) documents ec_paramgen_curve and other optional parameters)
OpenSSL::PKey::EC.generate("prime256v1")
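The two non-mutating constructors named in this thread, next to the legacy in-place pattern, as an added example that is not code from the thread, r509 or ruby/openssl. The helper names are hypothetical, and the sign/verify round trip is an assumed acceptance check for a migrated caller.

```ruby
require "openssl"

# Added example; the helper names are hypothetical, not part of ruby/openssl.
CURVE = "prime256v1"

# Class-method constructor: returns a new key, never mutates a receiver.
def ec_key_via_class_method(curve = CURVE)
  OpenSSL::PKey::EC.generate(curve)
end

# Generic generator; returns nil if this ruby/openssl build does not define it.
def ec_key_via_generic(curve = CURVE)
  return nil unless OpenSSL::PKey.respond_to?(:generate_key)
  OpenSSL::PKey.generate_key("EC", "ec_paramgen_curve" => curve)
end

# Legacy pattern from the issue: build a parameters-only key, then fill it in place.
# Returns [:ok, key] where mutation is allowed, [:immutable, message] otherwise.
def ec_key_via_legacy(curve = CURVE)
  key = OpenSSL::PKey::EC.new(curve)
  key.generate_key!
  [:ok, key]
rescue OpenSSL::PKey::PKeyError => e
  [:immutable, e.message]
end

# A key is usable if it holds a private key on the expected curve and a
# signature it produces over constructed sample data verifies.
def usable_signing_key?(key, curve = CURVE)
  return false unless key.is_a?(OpenSSL::PKey::EC)
  return false unless key.private_key? && key.group.curve_name == curve
  data = "constructed sample message"
  signature = key.sign(OpenSSL::Digest.new("SHA256"), data)
  key.verify(OpenSSL::Digest.new("SHA256"), signature, data)
end

if __FILE__ == $PROGRAM_NAME
  puts "EC.generate usable: #{usable_signing_key?(ec_key_via_class_method)}"
  generic = ec_key_via_generic
  generic_result = generic ? usable_signing_key?(generic) : "not available"
  puts "PKey.generate_key usable: #{generic_result}"
  status, detail = ec_key_via_legacy
  puts "EC.new(curve).generate_key!: #{status} #{detail if status == :immutable}"
end
```

Running it against both an OpenSSL 1.1 and an OpenSSL 3.0 build shows which call sites need migrating: only the legacy helper changes its result between the two.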