[Bug] Key not read from pem file #448

Closed
Tejpbit opened this issue Mar 23, 2023 · 0 comments
Labels
bug Something isn't working

Comments

@Tejpbit
Contributor

Tejpbit commented Mar 23, 2023

Describe the bug

When configuring a client to use client_private_key with mTLS, it fails to read a key from the provided pem file.
I think I know how to solve it. But I'll start by describing the bug.
It's probably due to what formatting the pem file uses.
I noticed that using pkcs8_private_keys does manage to get the key while rsa_private_keys does not.

If I copy this piece of code from io/zenoh-links/zenoh-link-tls/src/unicast.rs (the TlsServerConfig new function)

if keys.is_empty() {
    keys = rustls_pemfile::pkcs8_private_keys(&mut Cursor::new(&tls_server_private_key))
        .map_err(|e| zerror!(e))
        .map(|mut keys| keys.drain(..).map(PrivateKey).collect())?;
}

if keys.is_empty() {
    bail!("No private key found");
}

and add it to the TlsClientConfig new function right after the keys are loaded

let mut keys: Vec<PrivateKey> =
    rustls_pemfile::rsa_private_keys(&mut Cursor::new(&tls_client_private_key))
        .map_err(|e| zerror!(e))
        .map(|mut keys| keys.drain(..).map(PrivateKey).collect())?;

// Paste here
// Fall back to PKCS#8 when the PEM holds no PKCS#1 ("RSA PRIVATE KEY") block.
// In the client function the buffer is tls_client_private_key, not the server one.
if keys.is_empty() {
    keys = rustls_pemfile::pkcs8_private_keys(&mut Cursor::new(&tls_client_private_key))
        .map_err(|e| zerror!(e))
        .map(|mut keys| keys.drain(..).map(PrivateKey).collect())?;
}

if keys.is_empty() {
    bail!("No private key found");
}

the steps used to reproduce work as I'm expecting them to. The bug goes away.

To reproduce

Unzip the mTLS_zenoh_test.zip
cd into the folder
Generate CA, peer and client certificates and sign peer and client with the CA certificate

  • ./generate_ca_root_certificate.sh
  • ./generate_client_cert.sh localhost
  • ./generate_client_cert.sh client1
  • ./sign_client_with_ca.sh localhost
  • ./sign_client_with_ca.sh client1

Start the peer
zenohd -c peer1.json5

Start the client
RUST_LOG=debug z_sub -e tls/localhost:7447 -m client -c client1.json5

Log output of z_sub ends with

[2023-03-23T16:52:53Z DEBUG zenoh_link_tls::unicast] Loading client authentication key and certificate...
thread 'main' panicked at 'removal index (is 0) should be < len (is 0)', io/zenoh-links/zenoh-link-tls/src/unicast.rs:627:47
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
[2023-03-23T16:52:53Z DEBUG zenoh::net::routing::router] Close Face{0, 20}

System info
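To illustrate why the two loaders disagree, here is an added example that is not zenoh or rustls_pemfile code: a std-only Rust scanner that classifies PEM blocks by their BEGIN label (the same labels rustls_pemfile's rsa_private_keys and pkcs8_private_keys select on) and returns a descriptive error when no key is present instead of letting keys.remove(0) panic on an empty Vec. The sample PEM contents are constructed placeholders, not real keys.

```rust
/// PEM private-key encodings. rustls_pemfile::rsa_private_keys returns only
/// "RSA PRIVATE KEY" (PKCS#1) blocks and pkcs8_private_keys only "PRIVATE KEY"
/// (PKCS#8) blocks, which is why one loader returned an empty Vec for this file.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum KeyFormat { Pkcs1Rsa, Pkcs8, Sec1Ec }

/// The block body with line breaks removed; still base64, not decoded here.
#[derive(Debug, PartialEq)]
pub struct PemKey { pub format: KeyFormat, pub der_base64: String }

/// Walk every "-----BEGIN <label>-----" block and return the first private key
/// of any supported format. On failure the error names the labels that were
/// present, so the caller can bail!() with a useful message instead of hitting
/// the "removal index (is 0) should be < len (is 0)" panic on an empty Vec.
pub fn first_private_key(pem: &str) -> Result<PemKey, String> {
    let mut seen: Vec<String> = Vec::new();
    let mut lines = pem.lines();
    while let Some(line) = lines.next() {
        let label = match line.trim().strip_prefix("-----BEGIN ").and_then(|r| r.strip_suffix("-----")) {
            Some(label) => label,
            None => continue,
        };
        let end = format!("-----END {}-----", label);
        // take_while also consumes the END line, so the outer loop resumes after the block.
        let body: String = lines.by_ref().take_while(|l| l.trim() != end.as_str()).map(str::trim).collect();
        let format = match label {
            "RSA PRIVATE KEY" => KeyFormat::Pkcs1Rsa,
            "PRIVATE KEY" => KeyFormat::Pkcs8,
            "EC PRIVATE KEY" => KeyFormat::Sec1Ec,
            other => { seen.push(other.to_string()); continue; }
        };
        return Ok(PemKey { format, der_base64: body });
    }
    Err(format!("No private key found (PEM labels present: {:?})", seen))
}

// Constructed sample files; the bodies are placeholder base64, not real keys or certs.
pub const PKCS8_PEM: &str = "-----BEGIN CERTIFICATE-----\nQ0VSVA==\n-----END CERTIFICATE-----\n-----BEGIN PRIVATE KEY-----\nQUJD\nREVG\n-----END PRIVATE KEY-----\n";
pub const PKCS1_PEM: &str = "-----BEGIN RSA PRIVATE KEY-----\nUlNB\n-----END RSA PRIVATE KEY-----\n";
pub const CERT_ONLY_PEM: &str = "-----BEGIN CERTIFICATE-----\nQ0VSVA==\n-----END CERTIFICATE-----\n";

fn main() {
    for pem in [PKCS8_PEM, PKCS1_PEM, CERT_ONLY_PEM].iter() {
        println!("{:?}", first_private_key(pem));
    }
}
```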
