Uploaded image for project: 'Erlang/OTP'
  1. Erlang/OTP
  2. ERL-952

Erlang doesn't seem to support private key files encrypted with AES-128

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 21.0
    • Fix Version/s: 22.0.3, 21.3.8.2
    • Component/s: public_key, ssl
    • Labels:
      None

      Description

      Hi,

      We are using RabbitMQ with OTP 21 and trying to set up SSL with a certificate and a passphrase protected private key file.

      Although there looks like there's supposed to be AES-128 support for the private key in this version, we verified that while a DES3 protected private key works, AES-128 does not.

      We think we also found the issue in the Erlang code, but my knowledge of the language is very limited so I'm not sure I got the right idea. Please allow me to explain what I think I found:

      We can see that for example for the des-EDE3-CBC algorithm there exists the following lines in the pubkey_pbe.erl source:
      derived_key_length(Cipher,_) when (Cipher == ?'des-EDE3-CBC') or
      (Cipher == "DES-EDE3-CBC") ->
      24;
      cipher(#'PBES2-params_encryptionScheme'

      {algorithm = ?'des-EDE3-CBC'}

      ) ->
      "DES-EDE3-CBC";

      However for AES-128 we only see a corresponding line for the first of these two:
      derived_key_length(Cipher,_) when (Cipher == "AES-128-CBC") ->
      16;

      So it seems like the "cipher" entry is missing for this algorithm (incidentally, looking at the latest sources, it seems like the same problem exists for AES-256-CBC).

      Another thing that confirm this is the error we are getting when trying to manually load the private key via the werl.exe console:

        • exception error: no function clause matching pubkey_pbe:cipher({'PBES2-params_encryptionScheme', {2,16,840,1,101,3,4,1,2}

          ,
          {asn1_OPENTYPE,<<4,16,127,72,17,13,72,253,221,229,243,
          1,60,170,94,122,241,107>>}}) (pubkey_pbe.erl, line 272)
          in function pubkey_pbe:decrypt_parameters/2 (pubkey_pbe.erl, line 185)
          in call from pubkey_pem:decode_encrypted_private_keyinfo/1 (pubkey_pem.erl, line 146)
          in call from pubkey_pem:decode_pem_entries/2 (pubkey_pem.erl, line 121)

      As you can see, it seems like it doesn't find the right "cipher" function entry, which is what the omission from the source code that I pointed out also seems to show.

      Can you please confirm this is a bug and if so, I think the fix is quite straightforward

      Regards,
      Amit

        Attachments

          Activity

            People

            Assignee:
            otp_team_ps Team PS
            Reporter:
            klgamit Amit Kliger
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: