From b633a357c70cd085e67ef633c41a33c01d74a53a Mon Sep 17 00:00:00 2001 From: "Greg T. Wallace" Date: Sun, 4 Feb 2024 10:59:58 -0500 Subject: [PATCH] add rsa 1024 support (not recommended though) --- README.md | 8 ++++---- pkg/app/config.go | 8 ++++---- pkg/app/file_header.go | 4 ++-- pkg/pkcs15/pem_decode.go | 8 ++++---- 4 files changed, 14 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index b0ef38d..10ea261 100644 --- a/README.md +++ b/README.md @@ -7,10 +7,10 @@ proprietary tools (such as cryptlib). This tool's create functionality is modeled from the APC NMCSecurityWizardCLI aka `NMC Security Wizard CLI Utility`. The files it generates should be -comaptible with any UPS that accepts p15 files from that tool, though -currently my tool only supports RSA 2,048 bit keys. This was done since -1,024 is generally not considered secure any more and most (all?) public -ACME services won't accept keys of this size. +comaptible with any UPS that accepts p15 files from that tool. Only RSA 1,024 +and 2,048 bit keys are accepted. 1,024 bit RSA is no longer considered +completely secure; avoid keys of this size if possible. Most (all?) public +ACME services won't accept keys of this size anyway. The install functionality is a custom creation of mine so it may or may not work depending on your exact setup. My setup (and therefore the testing diff --git a/pkg/app/config.go b/pkg/app/config.go index 05564cf..5be5bd7 100644 --- a/pkg/app/config.go +++ b/pkg/app/config.go @@ -65,9 +65,9 @@ func (app *app) getConfig(args []string) error { // create -- subcommand createFlags := ff.NewFlagSet("create").SetParent(rootFlags) - cfg.create.keyPemFilePath = createFlags.StringLong("keyfile", "", "path and filename of the rsa-2048 key in pem format") + cfg.create.keyPemFilePath = createFlags.StringLong("keyfile", "", "path and filename of the rsa-1024 or rsa-2048 key in pem format") cfg.create.certPemFilePath = createFlags.StringLong("certfile", "", "path and filename of the certificate in pem format") - cfg.create.keyPem = createFlags.StringLong("keypem", "", "string of the rsa-2048 key in pem format") + cfg.create.keyPem = createFlags.StringLong("keypem", "", "string of the rsa-1024 or rsa-2048 key in pem format") cfg.create.certPem = createFlags.StringLong("certpem", "", "string of the certificate in pem format") cfg.create.outFilePath = createFlags.StringLong("outfile", createDefaultOutFilePath, "path and filename to write the p15 file to") @@ -84,9 +84,9 @@ func (app *app) getConfig(args []string) error { // install -- subcommand installFlags := ff.NewFlagSet("install").SetParent(rootFlags) - cfg.install.keyPemFilePath = installFlags.StringLong("keyfile", "", "path and filename of the rsa-2048 key in pem format") + cfg.install.keyPemFilePath = installFlags.StringLong("keyfile", "", "path and filename of the rsa-1024 or rsa-2048 key in pem format") cfg.install.certPemFilePath = installFlags.StringLong("certfile", "", "path and filename of the certificate in pem format") - cfg.install.keyPem = installFlags.StringLong("keypem", "", "string of the rsa-2048 key in pem format") + cfg.install.keyPem = installFlags.StringLong("keypem", "", "string of the rsa-1024 or rsa-2048 key in pem format") cfg.install.certPem = installFlags.StringLong("certpem", "", "string of the certificate in pem format") cfg.install.hostAndPort = installFlags.StringLong("apchost", "", "hostname:port of the apc ups to install the certificate on") cfg.install.fingerprint = installFlags.StringLong("fingerprint", "", "the SHA256 fingerprint value of the ups' ssh server") diff --git a/pkg/app/file_header.go b/pkg/app/file_header.go index 0a40e15..b803d68 100644 --- a/pkg/app/file_header.go +++ b/pkg/app/file_header.go @@ -8,8 +8,8 @@ import ( ) // makeFileHeader generates the 228 byte header to prepend to the .p15 -// as required by APC UPS NMC. Only 2,048 bit RSA keys are supported -// so the header will always be written with that key size assumption +// as required by APC UPS NMC. Contrary to the apc_tools repo, it does +// mot appear the header changes based on key size. func makeFileHeader(p15File []byte) ([]byte, error) { // original reference code from: https://github.com/bbczeuz/apc_tools // // add APC header diff --git a/pkg/pkcs15/pem_decode.go b/pkg/pkcs15/pem_decode.go index 7fa4a6b..d4b8764 100644 --- a/pkg/pkcs15/pem_decode.go +++ b/pkg/pkcs15/pem_decode.go @@ -13,7 +13,7 @@ var ( errPemKeyBadBlock = errors.New("pkcs15: pem key: failed to decode pem block") errPemKeyFailedToParse = errors.New("pkcs15: pem key: failed to parse key") errPemKeyWrongBlockType = errors.New("pkcs15: pem key: unsupported pem block type (only pkcs1 and pkcs8 supported)") - errPemKeyWrongType = errors.New("pkcs15: pem key: unsupported key type (only rsa 2,048 supported)") + errPemKeyWrongType = errors.New("pkcs15: pem key: unsupported key type (only rsa 1,024 or 2,048 supported)") errPemCertBadBlock = errors.New("pkcs15: pem cert: failed to decode pem block") errPemCertFailedToParse = errors.New("pkcs15: pem cert: failed to parse cert") @@ -21,7 +21,7 @@ var ( // pemKeyDecode attempts to decode a pem encoded byte slice and then attempts // to parse an RSA private key from the decoded pem block. an error is returned -// if any of these steps fail OR if the rsa key is not of bitlen 2,048 +// if any of these steps fail OR if the key is not RSA and of bitlen 1,024 or 2,048 func pemKeyDecode(keyPem []byte) (*rsa.PrivateKey, error) { // decode pemBlock, _ := pem.Decode([]byte(keyPem)) @@ -48,7 +48,7 @@ func pemKeyDecode(keyPem []byte) (*rsa.PrivateKey, error) { } // verify proper bitlen - if rsaKey.N.BitLen() != 2048 { + if rsaKey.N.BitLen() != 1024 && rsaKey.N.BitLen() != 2048 { return nil, errPemKeyWrongType } @@ -71,7 +71,7 @@ func pemKeyDecode(keyPem []byte) (*rsa.PrivateKey, error) { } // verify proper bitlen - if rsaKey.N.BitLen() != 2048 { + if rsaKey.N.BitLen() != 1024 && rsaKey.N.BitLen() != 2048 { return nil, errPemKeyWrongType }