
Comments (9)

yichengq avatar yichengq commented on August 26, 2024

empty passphrase is still a valid passphrase.
If you wanna export the unencrypted key file, you can use export --insecure

from etcd-ca.

abourget avatar abourget commented on August 26, 2024

The message shown says "Enter passphrase (empty for no passphrase):". I'd expect no passphrase to mean there is no passphrase, i.e. not encrypted; that's what openssl would do.

In this case, when you hit enter for an empty passphrase, the key still gets encrypted. With what passphrase? I don't know, but I know you can't decrypt it with openssl, because it will ask for a minimum of 4 characters. I don't know if it's a constraint of the encryption scheme or only of the openssl UI, but it makes the generated certificates useless in this case.

from etcd-ca.
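The behaviour described above, as an added example that is not etcd-ca's own code: writeKeyPEM branches on an empty passphrase the way the later patch does, writeKeyPEMEncrypted reproduces the original always-encrypt path, and isEncryptedPEM checks for the "Proc-Type: 4,ENCRYPTED" header that makes openssl prompt for a passphrase. The function names and the AES-256 cipher choice are this example's assumptions, not etcd-ca's.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// writeKeyPEM encodes key so that an empty passphrase means "not encrypted"
// and a non-empty one yields an encrypted PEM block (the proposed behaviour).
func writeKeyPEM(key *rsa.PrivateKey, passphrase []byte) ([]byte, error) {
	der := x509.MarshalPKCS1PrivateKey(key)
	if len(passphrase) == 0 {
		return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: der}), nil
	}
	return writeKeyPEMEncrypted(key, passphrase)
}

// writeKeyPEMEncrypted always encrypts, as the original code path does.
// x509.EncryptPEMBlock accepts an empty password, so the output is an
// encrypted block even when the user just pressed enter at the prompt.
func writeKeyPEMEncrypted(key *rsa.PrivateKey, passphrase []byte) ([]byte, error) {
	der := x509.MarshalPKCS1PrivateKey(key)
	block, err := x509.EncryptPEMBlock(rand.Reader, "RSA PRIVATE KEY", der, passphrase, x509.PEMCipherAES256)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(block), nil
}

// isEncryptedPEM reports whether the first PEM block carries the
// "Proc-Type: 4,ENCRYPTED" header, which is what makes openssl ask for a
// passphrase (and refuse one shorter than 4 characters) when reading it.
func isEncryptedPEM(data []byte) bool {
	block, _ := pem.Decode(data)
	return block != nil && x509.IsEncryptedPEMBlock(block)
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway key
	if err != nil {
		panic(err)
	}
	plain, _ := writeKeyPEM(key, nil)
	old, _ := writeKeyPEMEncrypted(key, nil)
	fmt.Println("proposed path, empty passphrase, encrypted:", isEncryptedPEM(plain))
	fmt.Println("original path, empty passphrase, encrypted:", isEncryptedPEM(old))
}
```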

abourget avatar abourget commented on August 26, 2024

Here's a small patch that implements what I mean:

diff --git a/cmd/new_cert.go b/cmd/new_cert.go
index 125458b..eacaeca 100644
--- a/cmd/new_cert.go
+++ b/cmd/new_cert.go
@@ -70,7 +70,13 @@ func newCertAction(c *cli.Context) {
        if err = depot.PutCertificateSigningRequest(d, name, csr); err != nil {
                fmt.Fprintln(os.Stderr, "Save certificate request error:", err)
        }
-       if err = depot.PutEncryptedPrivateKeyHost(d, name, key, passphrase); err != nil {
-               fmt.Fprintln(os.Stderr, "Save key error:", err)
+       if len(passphrase) == 0 {
+               if err = depot.PutPrivateKeyHost(d, name, key); err != nil {
+                       fmt.Fprintln(os.Stderr, "Save key error:", err)
+               }
+       } else {
+               if err = depot.PutEncryptedPrivateKeyHost(d, name, key, passphrase); err != nil {
+                       fmt.Fprintln(os.Stderr, "Save key error:", err)
+               }
        }
 }
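Review bot: in both branches a failure from depot.PutPrivateKeyHost / depot.PutEncryptedPrivateKeyHost is only printed with fmt.Fprintln and then ignored, so newCertAction carries on as if the key had been saved; returning or exiting on that error would avoid leaving a certificate request in the depot with no usable key. The two branches also duplicate the "Save key error:" handling; selecting the put function first and printing once would be shorter. Since this hunk changes what an empty passphrase writes to disk (plain key instead of an encrypted one), the commit message and the "(empty for no passphrase)" prompt text should state that explicitly.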

Would that be useful?

from etcd-ca.

yichengq avatar yichengq commented on August 26, 2024

@abourget It can be encrypted with empty passphrase. I would prefer to fix the print message.
You can still export unencrypted key easily using export --insecure

from etcd-ca.

abourget avatar abourget commented on August 26, 2024

OK. I see I can export with export --insecure, which outputs a .tar file. That's a first inconvenience for me, as I wouldn't want to deal with the .tar, only picking up a .key file.

For consistency with openssl, I would have liked to have the same behavior here too. I was surprised (in a bad way) when I saw the key was encrypted with a blank passphrase. Why create bad surprises?

Anyway, I've made my points. I'll close this issue until someone wants to pick it up. Thanks

from etcd-ca.

yichengq avatar yichengq commented on August 26, 2024

After rethinking it, I think it should keep the same convention as the openssh one. I will improve it later.

from etcd-ca.

abourget avatar abourget commented on August 26, 2024

What about my patch up here? I stumbled upon this one once again :)

from etcd-ca.

abourget avatar abourget commented on August 26, 2024

I can make it a PR if you want.

from etcd-ca.

bkleef avatar bkleef commented on August 26, 2024

Can we please merge this. This would be very useful because Alpine Linux 3.2 x64 doesn't get the tar -e option and IMHO it's just useless to tar something to extract it directly afterwards.

from etcd-ca.
