[fix] handle PKey::EC.new with encrypted PEM

kares · kares · commit 29abc4205f2d · 2026-03-06T14:16:43.000+01:00
diff --git a/src/main/java/org/jruby/ext/openssl/PKeyEC.java b/src/main/java/org/jruby/ext/openssl/PKeyEC.java
@@ -840,16 +840,23 @@ public RubyString to_pem(ThreadContext context, final IRubyObject[] args) {
             if ( args.length > 1 ) passwd = password(context, args[1], null);
         }
 
-        if (privateKey == null) {
-            return public_to_pem(context);
-        }
+        if (privateKey == null) return public_to_pem(context);
 
         try {
             final StringWriter writer = new StringWriter();
-            PEMInputOutput.writeECPrivateKey(writer, (ECPrivateKey) privateKey, spec, passwd);
+            // Include curve OID and public-key point so the PEM can be decoded
+            // stand-alone (SEC1 optional fields parameters[0] and publicKey[1]).
+            final ASN1ObjectIdentifier curveOID = getCurveOID(getCurveName()).orElse(null);
+            byte[] pubKeyBytes = null;
+            if (publicKey != null) {
+                pubKeyBytes = EC5Util.convertPoint(
+                        publicKey.getParams(), publicKey.getW()).getEncoded(false);
+            }
+            PEMInputOutput.writeECPrivateKey(writer, (ECPrivateKey) privateKey,
+                    curveOID, pubKeyBytes, spec, passwd);
             return RubyString.newString(context.runtime, writer.getBuffer());
         } catch (IOException ex) {
-            throw newECError(context.runtime, ex.getMessage());
+            throw newECError(context.runtime, ex.getMessage(), ex);
         }
     }
 
@@ -860,7 +867,7 @@ public RubyString public_to_pem(ThreadContext context) {
             PEMInputOutput.writeECPublicKey(writer, publicKey);
             return RubyString.newString(context.runtime, writer.getBuffer());
         } catch (IOException ex) {
-            throw newECError(context.runtime, ex.getMessage());
+            throw newECError(context.runtime, ex.getMessage(), ex);
         }
     }
 
diff --git a/src/main/java/org/jruby/ext/openssl/impl/PKey.java b/src/main/java/org/jruby/ext/openssl/impl/PKey.java
@@ -299,13 +299,17 @@ public static KeyPair readECPrivateKey(final KeyFactory keyFactory, final Privat
             if (algId == null) { // mockPrivateKeyInfo
                 algId = new AlgorithmIdentifier(X9ObjectIdentifiers.id_ecPublicKey, key.getParameters());
             }
-            final SubjectPublicKeyInfo pubInfo = new SubjectPublicKeyInfo(algId, key.getPublicKey().getBytes());
             final PrivateKeyInfo privInfo = new PrivateKeyInfo(algId, key);
-
             ECPrivateKey privateKey = (ECPrivateKey) keyFactory.generatePrivate(new PKCS8EncodedKeySpec(privInfo.getEncoded()));
             if (algId.getParameters() instanceof ASN1ObjectIdentifier) {
                 privateKey = ECPrivateKeyWithName.wrap(privateKey, (ASN1ObjectIdentifier) algId.getParameters());
             }
+
+            // The publicKey field in ECPrivateKey DER is optional (RFC 5915).
+            // Keys written by older JRuby-OpenSSL may omit it; handle gracefully.
+            final org.bouncycastle.asn1.ASN1BitString pubKeyBits = key.getPublicKey();
+            if (pubKeyBits == null) return new KeyPair(null, privateKey);
+            final SubjectPublicKeyInfo pubInfo = new SubjectPublicKeyInfo(algId, pubKeyBits.getBytes());
             return new KeyPair(keyFactory.generatePublic(new X509EncodedKeySpec(pubInfo.getEncoded())), privateKey);
         }
         catch (ClassCastException ex) {
diff --git a/src/main/java/org/jruby/ext/openssl/x509store/PEMInputOutput.java b/src/main/java/org/jruby/ext/openssl/x509store/PEMInputOutput.java
@@ -93,6 +93,7 @@
 import org.bouncycastle.asn1.ASN1Integer;
 import org.bouncycastle.asn1.DEROctetString;
 import org.bouncycastle.asn1.DERUTF8String;
+import org.bouncycastle.asn1.DERBitString;
 import org.bouncycastle.asn1.DLSequence;
 import org.bouncycastle.asn1.DERTaggedObject;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
@@ -1089,11 +1090,32 @@ public static void writeRSAPrivateKey(Writer _out, RSAPrivateCrtKey obj, CipherS
     }
 
     public static void writeECPrivateKey(Writer _out, ECPrivateKey obj, CipherSpec cipher, char[] passwd) throws IOException {
+        writeECPrivateKey(_out, obj, null, null, cipher, passwd);
+    }
+
+    /**
+     * Writes an EC private key in SEC1 / "EC PRIVATE KEY" PEM format.
+     * When {@code curveOID} and {@code pubKeyBytes} are provided they are
+     * embedded as the optional {@code parameters[0]} and {@code publicKey[1]}
+     * fields so that the PEM can be decoded stand-alone (without external
+     * knowledge of the curve).
+     */
+    public static void writeECPrivateKey(Writer _out, ECPrivateKey obj,
+            ASN1ObjectIdentifier curveOID, byte[] pubKeyBytes,
+            CipherSpec cipher, char[] passwd) throws IOException {
         assert (obj != null);
         final String PEM_STRING_EC = "EC PRIVATE KEY";
         BufferedWriter out = makeBuffered(_out);
         final int bitLength = obj.getParams().getOrder().bitLength();
-        org.bouncycastle.asn1.sec.ECPrivateKey keyStruct = new org.bouncycastle.asn1.sec.ECPrivateKey(bitLength, obj.getS());
+        final org.bouncycastle.asn1.sec.ECPrivateKey keyStruct;
+        if (curveOID != null && pubKeyBytes != null) {
+            keyStruct = new org.bouncycastle.asn1.sec.ECPrivateKey(
+                    bitLength, obj.getS(),
+                    new DERBitString(pubKeyBytes),
+                    curveOID);
+        } else {
+            keyStruct = new org.bouncycastle.asn1.sec.ECPrivateKey(bitLength, obj.getS());
+        }
         if (cipher != null && passwd != null) {
             writePemEncrypted(out, PEM_STRING_EC, keyStruct.getEncoded(), cipher, passwd);
         } else {
diff --git a/src/test/ruby/ec/test_ec.rb b/src/test/ruby/ec/test_ec.rb
@@ -573,6 +573,35 @@ def test_sign_verify_raw
     assert_sign_verify_false_or_error { key.verify_raw(nil, malformed_sig, data1) }
   end
 
+  def test_ECPrivateKey_encrypted
+    p256 = Fixtures.pkey("p256")
+    # key = abcdef (hardcoded encrypted PEM from MRI test suite)
+    pem = <<~EOF
+    -----BEGIN EC PRIVATE KEY-----
+    Proc-Type: 4,ENCRYPTED
+    DEK-Info: AES-128-CBC,85743EB6FAC9EA76BF99D9328AFD1A66
+
+    nhsP1NHxb53aeZdzUe9umKKyr+OIwQq67eP0ONM6E1vFTIcjkDcFLR6PhPFufF4m
+    y7E2HF+9uT1KPQhlE+D63i1m1Mvez6PWfNM34iOQp2vEhaoHHKlR3c43lLyzaZDI
+    0/dGSU5SzFG+iT9iFXCwCvv+bxyegkBOyALFje1NAsM=
+    -----END EC PRIVATE KEY-----
+    EOF
+    key = OpenSSL::PKey::EC.new(pem, "abcdef")
+    assert_same_ec p256, key
+    key = OpenSSL::PKey::EC.new(pem) { "abcdef" }
+    assert_same_ec p256, key
+
+    # Round-trip: to_pem with encryption and read back
+    cipher = OpenSSL::Cipher.new("aes-128-cbc")
+    exported = p256.to_pem(cipher, "abcdef\0\1")
+    assert_same_ec p256, OpenSSL::PKey::EC.new(exported, "abcdef\0\1")
+    # MRI raises OpenSSL::PKey::PKeyError;
+    # TODO JRuby raises more specific ECError
+    assert_raise(OpenSSL::PKey::ECError) {
+      OpenSSL::PKey::EC.new(exported, "abcdef")
+    }
+  end
+
   def test_new_from_der
     priv_key_hex = '05768F097A19FFE5022D4A862CDBAE22019695D1C2F88FD41607417AD45E2F55'
     pub_key_hex = '04B827833DC1BC38CE0BBE36E0357B1D08AB0BFA05DBD211F0FC677FF9913FAF0EB3A3CC562EEAE8D841B112DBFDAD494E10CFBD4964DC2D175D06F17ACC5771CF'
