pfSense

https://github.com/pfsense/pfsense/pull/4103

Renato Botelho wrote:

PR has been merged. Thanks!

Tested on 2.5.0.a.20191114.1802
CSR with key can be signed - OK

but on Certificates page "Elliptic curve name" field is empty:

Serial: 7
Signature Digest: RSA-SHA256
KU: Digital Signature, Non Repudiation, Key Encipherment
EKU: TLS Web Client Authentication
Key Type: ECDSA
Elliptic curve name:
DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
Hash: 9da13359
Subject Key ID: B6:E2:85:D3:95:23:FA:14:80:BB:6E:97:36:47:4B:C7:7C:95:20:98
Authority Key ID: DirName:/CN=tkCA
serial:E8:C3:C7:2A:38:0E:66:86

Total Lifetime: 3650 days
Lifetime Remaining: 3649 days until expiration
Trust Store: Excluded

if key created without -param_enc explicit option, everything is ok:

$ openssl ecparam -name brainpoolP160r1 -genkey -out ecsig_expl.pem -param_enc explicit
$ openssl ecparam -in ecsig.pem -text -noout
ASN1 OID: brainpoolP160r1

if key created with -param_enc explicit option, openssl_pkey_get_details() shows empty curve_name and curve_oid

Jim Pingle wrote:

I made a couple changes that might help here, but I don't have a cert/key made that way to test. See 9dfd57c041

That said, if it still fails with the new changes, there probably isn't anything we can do. I'd say it's a limitation of the PHP OpenSSL library at that point. Attempting to renew the cert might fail, but otherwise it probably won't matter much.

That's true, if you attempt to renew such cert:

PHP Warning: openssl_pkey_new(): Error loading extensions_section section usr_cert_san of /etc/ssl/openssl.cnf in /etc/inc/certs.inc on line 1659
PHP Warning: openssl_csr_new(): Error loading extensions_section section usr_cert_san of /etc/ssl/openssl.cnf in /etc/inc/certs.inc on line 1666

It doesn't happen to keys created using the pfSense GUI, which further lessens the impact, so I'd say it's solved so long as my last commit didn't break anything.

In fact, I don’t know yet which popular CAs or software create ECDSA certificates with this "explicit" option.