pkcs5 encryption + pkcs8 decryption #293

Merged
merged 4 commits into from
Feb 23, 2021

tarcieri
Member

@tarcieri tarcieri commented Feb 21, 2021

Implements PKCS#5 encryption support, presently targeting only support for PBES2 with PBKDF2-SHA-256 and AES-CBC (with 128 or 256-bit key size).

Note that these algorithm choices are presently the best options supported by PKCS#5 v2.1.

Closes #263

@tarcieri tarcieri requested a review from newpavlov February 21, 2021 16:18
@tarcieri
Member Author

Note: this initial draft is encryption only, but it manages to pass OpenSSL-generated test vectors! 🎉

The aes and block-modes crates are the latest as sourced from git (and in that regard, it looks like this feature will require an MSRV bump, which is presently causing the tests to fail).

I'd like to wait until we release cipher v0.3 along with accompanying releases of aes (and whatever will happen to block-modes, i.e. rolled into cipher?)

All that said, I can probably finish out adding things like encryption support as well as integrating this functionality with the pkcs8 crate in this PR as well in the intervening time.

Implements PKCS#5 encryption support, presently targeting only support
for PBES2 with PBKDF2-SHA-256 and AES-CBC (with 128 or 256-bit key size)

Note that these are presently the best options supported by PKCS#5 v2.1.

Support for legacy algorithms like DES, 3DES, MD2, and SHA-1 is
deliberately omitted. We can revisit potentially adding these upon
request if there is demand, however since these algorithms are insecure
we don't support them in this initial implementation.

An MSRV change is breaking anyway, so we can use the latest released
crates for now, and then bump them after the next release along with
MSRV.
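
The algorithm policy stated in the commit message above (PBES2 with PBKDF2-SHA-256 and AES-CBC, no DES, 3DES, MD2 or SHA-1) can be checked against a key file's `encryptionAlgorithm` field before any decryption is attempted. The following is an added example, not code from this PR or from the `pkcs5`/`pkcs8` crates: `tlv`, `oids`, `audit` and `SAMPLE` are hypothetical names, the sample bytes are constructed, and the check looks only at the order of the OIDs rather than validating the full structure.

```rust
const PBES2: &[u8] = &[0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x05, 0x0D]; // 1.2.840.113549.1.5.13
const PBKDF2: &[u8] = &[0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x05, 0x0C]; // 1.2.840.113549.1.5.12
const HMAC_SHA256: &[u8] = &[0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x09]; // 1.2.840.113549.2.9
const AES128_CBC: &[u8] = &[0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x02]; // 2.16.840.1.101.3.4.1.2
const AES256_CBC: &[u8] = &[0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2A]; // 2.16.840.1.101.3.4.1.42
/// Reads one DER TLV and returns (tag, contents, remaining input).
fn tlv(b: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let (len, hdr) = match *b.get(1)? {
        l if l < 0x80 => (l as usize, 2),
        0x81 => (*b.get(2)? as usize, 3),
        _ => return None, // an AlgorithmIdentifier is small: reject longer or indefinite lengths
    };
    Some((b[0], b.get(hdr..hdr + len)?, &b[hdr + len..]))
}

/// Collects every OID, depth first, descending into SEQUENCEs only.
fn oids<'a>(mut b: &'a [u8], out: &mut Vec<&'a [u8]>) -> Option<()> {
    while !b.is_empty() {
        let (tag, body, rest) = tlv(b)?;
        if tag == 0x30 { oids(body, out)?; } else if tag == 0x06 { out.push(body); }
        b = rest;
    }
    Some(())
}

/// Ok(AES key bits) only for PBES2 + PBKDF2 + HMAC-SHA-256 + AES-128/256-CBC.
fn audit(enc_alg: &[u8]) -> Result<u16, &'static str> {
    let mut found = Vec::new();
    oids(enc_alg, &mut found).ok_or("malformed DER")?;
    match found.as_slice() {
        [s, ..] if *s != PBES2 => Err("scheme is not PBES2"),
        [_, k, ..] if *k != PBKDF2 => Err("KDF is not PBKDF2"),
        [_, _, _cipher] => Err("prf absent: PBKDF2 defaults to HMAC-SHA-1"),
        [_, _, p, _] if *p != HMAC_SHA256 => Err("PRF is not HMAC-SHA-256"),
        [_, _, _, c] if *c == AES128_CBC => Ok(128),
        [_, _, _, c] if *c == AES256_CBC => Ok(256),
        _ => Err("unsupported or unexpected algorithm identifiers"),
    }
}
// Constructed sample: PBES2 / PBKDF2-HMAC-SHA-256 / AES-256-CBC; salt and IV are placeholders.
const SAMPLE: [u8; 89] = [
    0x30, 0x57, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x05, 0x0D, 0x30, 0x4A, 0x30, 0x29,
    0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x05, 0x0C, 0x30, 0x1C,
    0x04, 0x08, 1, 2, 3, 4, 5, 6, 7, 8, 0x02, 0x02, 0x08, 0x00,
    0x30, 0x0C, 0x06, 0x08, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x09, 0x05, 0x00,
    0x30, 0x1D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2A,
    0x04, 0x10, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
];
fn main() { println!("{:?}", audit(&SAMPLE)); }
```
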
@tarcieri
Member Author

Due to the MSRV bump, I backpedaled on using the latest prerelease aes and block-modes crates in ff44ba6.

The upgrade is simple and I'd like to cut another breaking der release anyway which will also necessitate a minor version bump.

I'm pretty close to finishing this out and can cut an initial release with support, then we can circle back on the MSRV bump and crate upgrades.

@tarcieri tarcieri changed the title [WIP] pkcs5: encryption pkcs5: encryption Feb 23, 2021
@tarcieri tarcieri marked this pull request as ready for review February 23, 2021 16:03
@tarcieri tarcieri merged commit c10dbef into master Feb 23, 2021
@tarcieri tarcieri deleted the pkcs5/encryption branch February 23, 2021 16:08
@tarcieri tarcieri changed the title pkcs5: encryption pkcs5 encryption + pkcs8 decryption Feb 23, 2021
tarcieri added a commit that referenced this pull request Feb 23, 2021
Following up on #293 which added PKCS#8 decryption support, this
adds the corresponding support for encrypting `PrivateKeyInfo` as
`EncryptedPrivateKeyInfo`.

It provides a simple API which generates a random salt and IV using a
provided `CryptoRng`, then uses PBES2 with PBKDF2-SHA256 and
AES-256-CBC.

It also provides a parameterized `encrypt_with_params` which allows for
supplying a `pbes2::Parameters` structure.

Successfully merging this pull request may close these issues.

pkcs8: decryption/encryption support for EncryptedPrivateKeyInfo