Implement pkcs8 cli #2342
Add the pkcs8 command to the AWS-LC OpenSSL-compatible CLI tools. This implementation includes support for the following options:
- [-in filename] [-out filename]
- [-inform format] [-outform format]
- [-topk8] [-nocrypt]
- [-v2 alg] [-v2prf alg]
- [-passin arg] [-passout arg]
The implementation ensures identical output to OpenSSL 1.1.1 and includes appropriate test files. This functionality allows users to convert between traditional key formats and PKCS#8 with options for encryption, format control, and password handling.
This fix addresses three main issues in the PKCS8 CLI tool:
1) Properly handle PRF parameters with AWS-LC's implementation
2) Support all key types by using d2i_AutoPrivateKey instead of RSA-specific function
3) Add more descriptive error messages for better troubleshooting
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #2342 +/- ##
==========================================
- Coverage 78.88% 78.74% -0.14%
==========================================
Files 640 642 +2
Lines 109766 110241 +475
Branches 15526 15580 +54
==========================================
+ Hits 86590 86811 +221
- Misses 22479 22732 +253
- Partials 697 698 +1
- Updated the implementation to only accept hmacWithSHA1 as a valid PRF algorithm
- Added explicit error messages when users specify unsupported PRF algorithms
- Updated comments to clearly indicate that only hmacWithSHA1 is supported
- Updated tests to use hmacWithSHA1 and added test for unsupported PRF rejection
Added OpenSSLPointer template in internal.h to handle memory allocated with OPENSSL functions. Updated pkcs8.cc to use smart pointers for better resource management and to eliminate manual cleanup. This improves code safety, simplifies error paths, and aligns with patterns used in the rest of the codebase.
When -v2 option is specified without a value in OpenSSL 1.1.1, it defaults to using aes-256-cbc. This commit ensures AWS-LC maintains the same behavior for compatibility. Added tests to verify this behavior.
- Added cross-compatibility tests to verify AWS-LC and OpenSSL can decrypt each other's outputs
- Added tests for custom PRF algorithm and default cipher interoperability
- Moved helper functions to test_util.h for better code organization
- Enhanced test validation to verify decrypted keys match original keys
- Maintained backward compatibility with existing tests
…ded prompts for pass similar to OpenSSL
samuel40791765
left a comment
Awesome tests and the code is much more concise with only what's needed! There are still some examples of "over-documentation" and a few nits here and there. Preferably would like the comments and additional test debugging error messages cut down a bit before merging, but I don't see any major blockers.
…s8.cc
This commit replaces the goto error handling pattern with modern C++ RAII techniques by introducing a SensitiveString class that automatically clears sensitive data on destruction. The implementation:
1. Adds a SensitiveString wrapper class that securely handles sensitive data
2. Refactors pkcs8Tool to use early returns instead of goto statements
3. Removes the now-obsolete secure_clear function
4. Maintains all existing functionality while improving code clarity
- Removed std::cout statements that duplicated information already provided by the test framework
- Eliminated content dumps that add visual noise without providing additional test value
- Removed redundant section comments and normalized whitespace
- Preserved all test logic and functionality while making the code cleaner
- Maintained descriptive assertion messages that explain failure scenarios
… implement-pkcs8-cli Pulling down changes from main
- Replace custom SensitiveString class with bssl::UniquePtr<std::string>
- Use BORINGSSL_MAKE_DELETER with custom SensitiveStringDeleter function
- Maintain same security by calling OPENSSL_cleanse before deletion
- Update all function calls to use pointer semantics (.get(), *, ->)
- Improve code consistency with existing bssl::UniquePtr usage in file
- All PKCS#8 tests continue to pass
This addresses team feedback to leverage existing BoringSSL deleter infrastructure instead of custom RAII implementation.
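The cleanse-on-destruction pattern described in the two commit messages above, as an added example that is not code from this PR or from AWS-LC. It uses std::unique_ptr with a hand-written deleter in place of bssl::UniquePtr and BORINGSSL_MAKE_DELETER, a local cleanse() as a stand-in for OPENSSL_cleanse, and a hypothetical read_pass_arg() parser, so that it builds without the library.

```cpp
#include <cstddef>
#include <memory>
#include <string>

// Stand-in for OPENSSL_cleanse so the example builds without AWS-LC.
// Volatile writes stop the compiler from optimizing the wipe away.
static void cleanse(void *p, size_t n) {
  volatile unsigned char *b = static_cast<volatile unsigned char *>(p);
  while (n--) *b++ = 0;
}

static int g_wipes = 0;  // demo instrumentation: counts deleter runs

// Wipe the whole allocation, not just size(): bytes left in the slack by an
// earlier, longer value are cleared too. resize() to capacity never reallocates.
static void wipe_string(std::string &s) {
  s.resize(s.capacity());
  if (!s.empty()) cleanse(&s[0], s.size());
}

struct SensitiveStringDeleter {
  void operator()(std::string *s) const { wipe_string(*s); ++g_wipes; delete s; }
};
using SensitiveString = std::unique_ptr<std::string, SensitiveStringDeleter>;

// Hypothetical "pass:<value>" parser with early returns, standing in for the
// goto-free control flow the commits describe. Every exit path runs the wipe.
static bool read_pass_arg(const std::string &arg, size_t min_len) {
  SensitiveString pw(new std::string());
  pw->reserve(arg.size());  // one allocation: growth would leave unwiped copies
  if (arg.compare(0, 5, "pass:") != 0) return false;
  pw->assign(arg, 5, std::string::npos);
  if (pw->size() < min_len) return false;
  return true;  // a real tool would pass pw->data() to the encrypt call here
}

// Returns how many bytes of the buffer are still non-zero after a wipe.
static size_t nonzero_after_wipe(std::string s) {
  wipe_string(s);
  size_t n = 0;
  for (char c : s) n += (c != 0);
  return n;
}

int main() {
  bool ok = read_pass_arg("pass:constructed-demo-secret", 8);  // constructed input
  return (ok && g_wipes == 1 && nonzero_after_wipe("constructed") == 0) ? 0 : 1;
}
```

The wipe covers only the string's final buffer; any copy made elsewhere, including the argument the password was parsed from, is outside its reach.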
Resolved unresolved merge conflict markers that were causing compilation failures. The conflict was between different include statements that needed to be merged properly.
smittals2
left a comment
Issues:
Addresses CryptoAlg-3073
Addresses CryptoAlg-3074
Addresses CryptoAlg-3075
Description of changes:
This PR implements the PKCS8 CLI command wrapper for AWS-LC, providing OpenSSL-compatible command-line interface to the existing PKCS8 functionality. The CLI tool adds support for:
Call-outs:
PRF Parameter Compatibility: The implementation accepts the -v2prf parameter for OpenSSL command-line compatibility and validates supported values (hmacWithSHA1, hmacWithSHA256, hmacWithSHA512). However, AWS-LC's underlying PKCS#8 implementation always uses its default PRF implementation (-1) in the PKCS8_encrypt function, regardless of the specified -v2prf value.
Comprehensive Key Type Support: The CLI implementation uses d2i_AutoPrivateKey to provide support for all private key types that AWS-LC can handle. This allows users to process various key formats through the pkcs8 command without type restrictions.
User-Friendly Error Handling: The implementation provides context-rich error messages that guide users through troubleshooting common issues including:
Testing:
The CLI wrapper is validated through two testing approaches:
Unit tests (PKCS8Test class) verify:
- (PKCS8ToolBasicTest)
- -inform and -outform options (PKCS8ToolFormatTest)
- -v2 aes-256-cbc options (PKCS8ToolEncryptionTest)
- -v2prf (PKCS8ToolPRFTest)
- (PKCS8OptionUsageErrorsTest)
Comparison tests (PKCS8ComparisonTest class) directly compare AWS-LC's output with OpenSSL's:
- (PKCS8ToolCompareUnencryptedOpenSSL)
- (PKCS8ToolCompareEncryptedOpenSSL)
- (PKCS8ToolCompareDERFormatOpenSSL)
- (PKCS8ToolCompareV2prfOpenSSL)
These tests ensure that the AWS-LC CLI tool produces output files with the correct PKCS#8 boundaries and format compatibility with OpenSSL's pkcs8 command.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.