From: Martin Bosslet Date: 2011-06-23T20:36:05+09:00 Subject: [ruby-dev:43882] [Ruby 1.9 - Bug #4418] OpenSSL::PKey::DH#public_key Issue #4418 has been updated by Martin Bosslet. Hiroshi NAKAMURA wrote: > I agree with DH interface is confusing. Adding to the confusion is that DH implements the PKey interface in OpenSSL (OpenSSL itself, not Ruby's ext/openssl), but it conceptually is not really like the other PKey implementations. 1. PKey offers PKey#sign and PKey#verify as a common characteristic. DH responds to both in OpenSSL, but they ultimately lead to an error saying that signature/verification is not supported. 2. PKeys offer a public and a private "key", which at first glance is conceptually fine for DH, as there is also a public and a private part. But the analogy ends when it comes to en-/decoding their PEM/DER representation. The rest allows a "private" encoding as well as a X.509 "PUB_KEY" encoding, both of which DH does not support. As a consequence it also does not work with the new OpenSSL::PKey.read functionality. This and the matters already discussed lead me to the conclusion that it might be a good idea to separate DH from the PKey implementations in ext/openssl and set up a separate KeyExchange module featuring two implementations, DH and ECDH (and possibly more in the future). By this separation, we could also clean up the confusion with PKey::EC, as in its current form it's some sort of hybrid, featuring both PKey and DH functionality. The separation could also concentrate on Key Exchange/Agreement features better: We could add support for Key Derivation algorithms to simplify arbitrary-length symmetric key generation for Ciphers (a non-trivial task that needs to be taken care of manually right now), and it would be easier to design a nice API for supporting key agreement using static and ephemeral keys as outlined in NIST SP 800-56A. What do you think about this (post 1.9.3, of course :)? > We should have PKey::DH::Params class as same as PKey::EC::Point in the future though I don't know it's good to define it as a subclass of DH. Great idea, and we could even call it params instead of public_key if we went the "separate module approach", making it possible to rename priv_key and pub_key to private_key and public_key! Regards, Martin ---------------------------------------- Bug #4418: OpenSSL::PKey::DH#public_key http://redmine.ruby-lang.org/issues/4418 Author: Ippei Obayashi Status: Assigned Priority: Low Assignee: Hiroshi NAKAMURA Category: ext Target version: ruby -v: ruby 1.9.2p180 (2011-02-18 revision 30909) [x86_64-linux] =begin OpenSSL::PKey::DH#public_key がその名前に反して DH パラメータのみを複製して返しています。 require 'openssl' dh = OpenSSL::PKey::DH.generate(1024) # => パラメータと鍵の生成、時間がかかる p dh.pub_key # => 公開鍵の整数を表示 p dh.public_key.pub_key # => nil DH の場合、RSAなどのように「公開鍵とパラメータ」を取り出す需要はあまりない ように思われるので、名前を変える、もしくはメソッドを廃止するのが良いのではと思われます。 =end -- http://redmine.ruby-lang.org