Support importing RSA parameters manually for encryption with Pkcs1PublicEncryptingKey #581

Closed
Vadmeme opened this issue Nov 10, 2024 · 4 comments · Fixed by #582
Labels
enhancement New feature or request v1.11.1

Comments


Vadmeme commented Nov 10, 2024

Security issue notifications

If you discover a potential security issue in AWS-LC for Rust we ask that you notify AWS Security via our vulnerability reporting page. Please do not create a public GitHub issue; if in doubt, contact AWS security first.

Problem:

At the moment it seems there is no way to get a Pkcs1PublicEncryptingKey with a custom n and e.
There already exists PublicKeyComponents::verify but this only handles signature verification, so having something for encryption does not seem out of scope.

Solution:

I think the simplest and ideal solution is to allow getting a PublicEncryptingKey from a PublicKeyComponents. This would best be done by adding a build_encrypting_key() helper. This should be trivial as all that would be required is to call build_rsa() and pass the resulting EVP_PKEY to PublicEncryptingKey::new.

  • Does this change any public APIs? Yes, would ideally allow converting a PublicKeyComponents to a PublicEncryptingKey
  • Which algorithm(s) will this impact? RSA

Requirements / Acceptance Criteria:

What must a solution address in order to solve the problem? How do we know the solution is complete?

  • RFC links: N/A
  • Related Issues: N/A
  • Will the Usage Guide or other documentation need to be updated? Yes
  • Testing: I am not sure about the testing requirements, from my eyes it seems trivial to implement.

Out of scope:

Enforcing the secure usage of these APIs would likely be out of scope; if the user wants to manually supply RSA parameters, it's likely for some more low-level operation.


Vadmeme commented Nov 10, 2024

Did a preliminary implementation in #582
Please let me know if any changes need to be made.

@justsmth

Thanks for the PR!

Your request and proposed change make sense to me. Before a PR for this can be merged, more testing for it will need to be added. We will also need to consider how the API change might fit in with some longer-term plans that we have.

@justsmth justsmth added the enhancement New feature or request label Nov 11, 2024

Vadmeme commented Nov 16, 2024

Thanks for your consideration, I went ahead and implemented a test near the test for RsaPublicKeyComponents (just checks if building the key succeeds + encrypting a test message). Also fixed import order.


justsmth commented Nov 22, 2024

We have now released aws-lc-rs v1.11.1 that addresses this issue. This issue has been closed. Feel free to reopen this issue or open a new issue if you have any problems after upgrading. Thanks again for your report about this and the PR. We appreciate your contribution to our project!
