Use generate to construct key instead of mutating the PKEY instance for OpenSSL 3.0 compatibility

2023-01-05 16:16:04 -05:00 · 2023-01-05 16:16:04 -05:00 · bed8c96486
--- a/lib/ssh_data/private_key/ecdsa.rb
+++ b/lib/ssh_data/private_key/ecdsa.rb
@ -13,7 +13,7 @@ module SSHData
        openssl_curve = PublicKey::ECDSA::OPENSSL_CURVE_NAME_FOR_CURVE[curve]
        raise AlgorithmError, "unknown curve: #{curve}" if openssl_curve.nil?

-        openssl_key = OpenSSL::PKey::EC.new(openssl_curve).tap(&:generate_key)
+        openssl_key = OpenSSL::PKey::EC.generate(openssl_curve)
        from_openssl(openssl_key)
      end

--- a/spec/private_key/ecdsa_spec.rb
+++ b/spec/private_key/ecdsa_spec.rb
@ -21,8 +21,8 @@ describe SSHData::PrivateKey::ECDSA do
    describe openssl_curve do
      let(:algo) { "ecdsa-sha2-#{ssh_curve}" }

-      let(:private_key) { OpenSSL::PKey::EC.new(openssl_curve).tap(&:generate_key) }
-      let(:public_key)  { OpenSSL::PKey::EC.new(private_key.to_der).tap { |k| k.private_key = nil } }
+      let(:private_key) { OpenSSL::PKey::EC.generate(openssl_curve) }
+      let(:public_key)  { ec_private_to_public(private_key) }
      let(:comment)     { "asdf" }
      let(:message)     { "hello, world!" }

--- a/spec/public_key/ecdsa_spec.rb
+++ b/spec/public_key/ecdsa_spec.rb
@ -37,8 +37,8 @@ describe SSHData::PublicKey::ECDSA do
    describe openssl_curve do
      let(:algo) { "ecdsa-sha2-#{ssh_curve}" }

-      let(:private_key) { OpenSSL::PKey::EC.new(openssl_curve).tap(&:generate_key) }
-      let(:public_key)  { OpenSSL::PKey::EC.new(private_key.to_der).tap { |k| k.private_key = nil } }
+      let(:private_key) { OpenSSL::PKey::EC.generate(openssl_curve) }
+      let(:public_key)  { ec_private_to_public(private_key) }

      let(:msg)         { "hello, world!" }
      let(:digest)      { described_class::DIGEST_FOR_CURVE[ssh_curve].new }
@ -63,7 +63,7 @@ describe SSHData::PublicKey::ECDSA do
      end

      it "isnt equal to keys with different params" do
-        other_key = OpenSSL::PKey::EC.new(openssl_curve).tap(&:generate_key)
+        other_key = OpenSSL::PKey::EC.generate(openssl_curve)

        expect(subject).not_to eq(described_class.new(
          algo: algo,
--- a/spec/public_key/skecdsa_spec.rb
+++ b/spec/public_key/skecdsa_spec.rb
@ -2,11 +2,7 @@ require_relative "../spec_helper"

 describe SSHData::PublicKey::SKECDSA do
  let(:openssh_key) { SSHData::PublicKey.parse_openssh(fixture("skecdsa_leaf_for_rsa_ca.pub")) }
-  let(:ec_p384_publickey) { OpenSSL::PKey::EC.new('secp384r1').tap { |k|
-    k.generate_key
-    k.private_key = nil
-    }
-  }
+  let(:ec_p384_publickey) { ec_private_to_public(OpenSSL::PKey::EC.generate('secp384r1')) }

  it "can parse openssh-generate keys" do
    expect { openssh_key }.not_to raise_error
@ -48,8 +44,8 @@ describe SSHData::PublicKey::SKECDSA do
    describe openssl_curve do
      let(:algo) { "sk-ecdsa-sha2-#{ssh_curve}@openssh.com" }

-      let(:private_key) { OpenSSL::PKey::EC.new(openssl_curve).tap(&:generate_key) }
-      let(:public_key)  { OpenSSL::PKey::EC.new(private_key.to_der).tap { |k| k.private_key = nil } }
+      let(:private_key) { OpenSSL::PKey::EC.generate(openssl_curve) }
+      let(:public_key)  { ec_private_to_public(private_key) }

      let(:msg)         { "hello, world!" }
      let(:digest)      { described_class::DIGEST_FOR_CURVE[ssh_curve].new }
@ -77,7 +73,7 @@ describe SSHData::PublicKey::SKECDSA do
      end

      it "isnt equal to keys with different params" do
-        other_key = OpenSSL::PKey::EC.new(openssl_curve).tap(&:generate_key)
+        other_key = OpenSSL::PKey::EC.generate(openssl_curve)

        expect(subject).not_to eq(described_class.new(
          algo: algo,
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@ -24,3 +24,14 @@ def ssh_keygen_fingerprint(name, algo, priv: false)
  out = `ssh-keygen #{"-e" if priv} -E #{algo} -l -f #{File.join(FIXTURE_PATH, name)}`
  out.split(":", 2).last.split(" ").first
 end
+
+def ec_private_to_public(private_key)
+  algorithm_identifier = OpenSSL::ASN1::Sequence.new([
+    OpenSSL::ASN1::ObjectId.new("id-ecPublicKey"),
+    OpenSSL::ASN1::ObjectId.new(private_key.group.curve_name)
+  ])
+
+  subject_public_key = OpenSSL::ASN1::BitString.new(private_key.public_key.to_bn.to_s(2))
+  spki = OpenSSL::ASN1::Sequence.new([algorithm_identifier, subject_public_key])
+  OpenSSL::PKey::EC.new(spki.to_der)
+end