Bug #9745
closedcan't add ECDSA certificate key when signing CSR
100%
Description
If you try to sign CSR it not allow to add Key data with following errors:
The following input errors were detected: This private does not appear to be valid. Key data field should be blank, or a valid x509 private key
it is ok it you add only CSR, without ec key data.
it is ok if you import existing certificate and ec-key with "Import an existing Certificate"
key created with:
openssl ecparam -name brainpoolP160r1 -genkey -param_enc explicit -out ec-ovpns.pem
openssl req -key ec-ovpns.pem -new -out ec-ovpns.csr
Files
Updated by Jim Pingle over 5 years ago
- Assignee set to Jim Pingle
- Target version set to 2.5.0
This is probably the check needing to recognize the EC key header text since it's different.
Updated by Viktor Gurov about 5 years ago
Updated by Jim Pingle about 5 years ago
- Status changed from New to Pull Request Review
- Assignee deleted (
Jim Pingle)
Updated by Renato Botelho about 5 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged. Thanks!
Updated by Viktor Gurov about 5 years ago
Renato Botelho wrote:
PR has been merged. Thanks!
Tested on 2.5.0.a.20191114.1802
CSR with key can be signed - OK
but on Certificates page "Elliptic curve name" field is empty:
Serial: 7 Signature Digest: RSA-SHA256 KU: Digital Signature, Non Repudiation, Key Encipherment EKU: TLS Web Client Authentication Key Type: ECDSA Elliptic curve name: DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd Hash: 9da13359 Subject Key ID: B6:E2:85:D3:95:23:FA:14:80:BB:6E:97:36:47:4B:C7:7C:95:20:98 Authority Key ID: DirName:/CN=tkCA serial:E8:C3:C7:2A:38:0E:66:86 Total Lifetime: 3650 days Lifetime Remaining: 3649 days until expiration Trust Store: Excluded
Updated by Viktor Gurov about 5 years ago
if key created without -param_enc explicit option, everything is ok:
$ openssl ecparam -name brainpoolP160r1 -genkey -out ecsig_expl.pem -param_enc explicit $ openssl ecparam -in ecsig.pem -text -noout ASN1 OID: brainpoolP160r1
if key created with -param_enc explicit option, openssl_pkey_get_details() shows empty curve_name and curve_oid
Updated by Jim Pingle about 5 years ago
- Assignee changed from Renato Botelho to Jim Pingle
I made a couple changes that might help here, but I don't have a cert/key made that way to test. See 9dfd57c041
That said, if it still fails with the new changes, there probably isn't anything we can do. I'd say it's a limitation of the PHP OpenSSL library at that point. Attempting to renew the cert might fail, but otherwise it probably won't matter much.
It doesn't happen to keys created using the pfSense GUI, which further lessens the impact, so I'd say it's solved so long as my last commit didn't break anything.
Updated by Viktor Gurov about 5 years ago
Jim Pingle wrote:
You can create such keys with "openssl ecparam -in secp256k1.pem -text -param_enc explicit -noout" command for example.I made a couple changes that might help here, but I don't have a cert/key made that way to test. See 9dfd57c041
See https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations
That said, if it still fails with the new changes, there probably isn't anything we can do. I'd say it's a limitation of the PHP OpenSSL library at that point. Attempting to renew the cert might fail, but otherwise it probably won't matter much.
That's true, if you attempt to renew such cert:
PHP Warning: openssl_pkey_new(): Error loading extensions_section section usr_cert_san of /etc/ssl/openssl.cnf in /etc/inc/certs.inc on line 1659 PHP Warning: openssl_csr_new(): Error loading extensions_section section usr_cert_san of /etc/ssl/openssl.cnf in /etc/inc/certs.inc on line 1666
It doesn't happen to keys created using the pfSense GUI, which further lessens the impact, so I'd say it's solved so long as my last commit didn't break anything.
In fact, I don’t know yet which popular CAs or software create ECDSA certificates with this "explicit" option.
Updated by Jim Pingle almost 5 years ago
- Status changed from Feedback to Resolved