Project

General

Profile

Actions

Bug #9745

closed

can't add ECDSA certificate key when signing CSR

Added by Viktor Gurov over 5 years ago. Updated almost 5 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Certificates
Target version:
Start date:
09/11/2019
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.4-p3
Affected Architecture:

Description

If you try to sign CSR it not allow to add Key data with following errors:

The following input errors were detected:

This private does not appear to be valid.
Key data field should be blank, or a valid x509 private key

it is ok it you add only CSR, without ec key data.
it is ok if you import existing certificate and ec-key with "Import an existing Certificate"

key created with:
openssl ecparam -name brainpoolP160r1 -genkey -param_enc explicit -out ec-ovpns.pem
openssl req -key ec-ovpns.pem -new -out ec-ovpns.csr


Files

ec-ovpns.pem (647 Bytes) ec-ovpns.pem test ECDSA key Viktor Gurov, 09/11/2019 09:42 AM
ec-ovpns.csr (562 Bytes) ec-ovpns.csr test CSR Viktor Gurov, 09/11/2019 09:42 AM
Screenshot from 2019-09-11 17-37-23.png (103 KB) Screenshot from 2019-09-11 17-37-23.png Viktor Gurov, 09/11/2019 09:43 AM
Actions #1

Updated by Jim Pingle over 5 years ago

  • Assignee set to Jim Pingle
  • Target version set to 2.5.0

This is probably the check needing to recognize the EC key header text since it's different.

Actions #3

Updated by Jim Pingle about 5 years ago

  • Status changed from New to Pull Request Review
  • Assignee deleted (Jim Pingle)
Actions #4

Updated by Renato Botelho about 5 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

Actions #5

Updated by Viktor Gurov about 5 years ago

Renato Botelho wrote:

PR has been merged. Thanks!

Tested on 2.5.0.a.20191114.1802
CSR with key can be signed - OK

but on Certificates page "Elliptic curve name" field is empty:

Serial: 7
Signature Digest: RSA-SHA256
KU: Digital Signature, Non Repudiation, Key Encipherment
EKU: TLS Web Client Authentication
Key Type: ECDSA
Elliptic curve name:
DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
Hash: 9da13359
Subject Key ID: B6:E2:85:D3:95:23:FA:14:80:BB:6E:97:36:47:4B:C7:7C:95:20:98
Authority Key ID: DirName:/CN=tkCA
serial:E8:C3:C7:2A:38:0E:66:86

Total Lifetime: 3650 days
Lifetime Remaining: 3649 days until expiration
Trust Store: Excluded

Actions #6

Updated by Viktor Gurov about 5 years ago

if key created without -param_enc explicit option, everything is ok:

$ openssl ecparam -name brainpoolP160r1 -genkey -out ecsig_expl.pem -param_enc explicit
$ openssl ecparam -in ecsig.pem -text -noout
ASN1 OID: brainpoolP160r1

if key created with -param_enc explicit option, openssl_pkey_get_details() shows empty curve_name and curve_oid

Actions #7

Updated by Jim Pingle about 5 years ago

  • Assignee changed from Renato Botelho to Jim Pingle

I made a couple changes that might help here, but I don't have a cert/key made that way to test. See 9dfd57c041

That said, if it still fails with the new changes, there probably isn't anything we can do. I'd say it's a limitation of the PHP OpenSSL library at that point. Attempting to renew the cert might fail, but otherwise it probably won't matter much.

It doesn't happen to keys created using the pfSense GUI, which further lessens the impact, so I'd say it's solved so long as my last commit didn't break anything.

Actions #8

Updated by Viktor Gurov about 5 years ago

Jim Pingle wrote:

I made a couple changes that might help here, but I don't have a cert/key made that way to test. See 9dfd57c041

You can create such keys with "openssl ecparam -in secp256k1.pem -text -param_enc explicit -noout" command for example.
See https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations

That said, if it still fails with the new changes, there probably isn't anything we can do. I'd say it's a limitation of the PHP OpenSSL library at that point. Attempting to renew the cert might fail, but otherwise it probably won't matter much.

That's true, if you attempt to renew such cert:

PHP Warning: openssl_pkey_new(): Error loading extensions_section section usr_cert_san of /etc/ssl/openssl.cnf in /etc/inc/certs.inc on line 1659
PHP Warning: openssl_csr_new(): Error loading extensions_section section usr_cert_san of /etc/ssl/openssl.cnf in /etc/inc/certs.inc on line 1666

It doesn't happen to keys created using the pfSense GUI, which further lessens the impact, so I'd say it's solved so long as my last commit didn't break anything.

In fact, I don’t know yet which popular CAs or software create ECDSA certificates with this "explicit" option.

Actions #9

Updated by Jim Pingle almost 5 years ago

  • Status changed from Feedback to Resolved
Actions

Also available in: Atom PDF