<p><strong>pfSense bugtracker</strong> (<a href="https://redmine.pfsense.org/">https://redmine.pfsense.org/</a>)</p>
<p><strong>pfSense - Bug #9745: can't add ECDSA certificate key when signing CSR</strong></p>
<p><strong>Jim Pingle</strong> wrote on 2019-09-11T09:58:50Z (<a href="https://redmine.pfsense.org/issues/9745?journal_id=42294">journal 42294</a>):</p>
<ul><li><strong>Assignee</strong> set to <i>Jim Pingle</i></li><li><strong>Target version</strong> set to <i>2.5.0</i></li></ul>
<p>This is probably the check needing to recognize the EC key header text since it's different.</p>
<p><strong>Viktor Gurov</strong> wrote on 2019-10-19T08:00:41Z (<a href="https://redmine.pfsense.org/issues/9745?journal_id=42641">journal 42641</a>):</p>
<p><a class="external" href="https://github.com/pfsense/pfsense/pull/4103">https://github.com/pfsense/pfsense/pull/4103</a></p>
<p><strong>Jim Pingle</strong> wrote on 2019-10-21T08:00:37Z (<a href="https://redmine.pfsense.org/issues/9745?journal_id=42655">journal 42655</a>):</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Pull Request Review</i></li><li><strong>Assignee</strong> deleted (<del><i>Jim Pingle</i></del>)</li></ul>
<p><strong>Renato Botelho</strong> (renato@netgate.com) wrote on 2019-10-23T09:47:44Z (<a href="https://redmine.pfsense.org/issues/9745?journal_id=42685">journal 42685</a>):</p>
<ul><li><strong>Status</strong> changed from <i>Pull Request Review</i> to <i>Feedback</i></li><li><strong>Assignee</strong> set to <i>Renato Botelho</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul>
<p>PR has been merged. Thanks!</p>
<p><strong>Viktor Gurov</strong> wrote on 2019-11-15T08:24:31Z (<a href="https://redmine.pfsense.org/issues/9745?journal_id=42909">journal 42909</a>):</p>
<p>Renato Botelho wrote:</p>
<blockquote>
<p>PR has been merged. Thanks!</p>
</blockquote>
<p>Tested on 2.5.0.a.20191114.1802<br />CSR with key can be signed - OK</p>
<p>but on the Certificates page the "Elliptic curve name" field is empty:</p>
<pre>
Serial: 7
Signature Digest: RSA-SHA256
KU: Digital Signature, Non Repudiation, Key Encipherment
EKU: TLS Web Client Authentication
Key Type: ECDSA
Elliptic curve name:
DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
Hash: 9da13359
Subject Key ID: B6:E2:85:D3:95:23:FA:14:80:BB:6E:97:36:47:4B:C7:7C:95:20:98
Authority Key ID: DirName:/CN=tkCA
serial:E8:C3:C7:2A:38:0E:66:86
Total Lifetime: 3650 days
Lifetime Remaining: 3649 days until expiration
Trust Store: Excluded
</pre>
<p><strong>Viktor Gurov</strong> wrote on 2019-11-15T09:29:09Z (<a href="https://redmine.pfsense.org/issues/9745?journal_id=42910">journal 42910</a>):</p>
<p>If the key is created without the <em>-param_enc explicit</em> option, everything is OK:</p>
<pre>
$ openssl ecparam -name brainpoolP160r1 -genkey -out ecsig_expl.pem -param_enc explicit
$ openssl ecparam -in ecsig.pem -text -noout
ASN1 OID: brainpoolP160r1
</pre>
<p>If the key is created with the <em>-param_enc explicit</em> option, openssl_pkey_get_details() shows an empty curve_name and curve_oid.</p>
<p><strong>Jim Pingle</strong> wrote on 2019-11-15T10:04:42Z (<a href="https://redmine.pfsense.org/issues/9745?journal_id=42912">journal 42912</a>):</p>
<ul><li><strong>Assignee</strong> changed from <i>Renato Botelho</i> to <i>Jim Pingle</i></li></ul><p>I made a couple changes that might help here, but I don't have a cert/key made that way to test. See <a class="changeset" title="Attempt to fetch EC curve OID if name is blank. Issue #9745" href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/9dfd57c0411b7c94749fa7c596f4ff2f264dd38c">9dfd57c041</a></p>
<p>That said, if it still fails with the new changes, there probably isn't anything we can do. I'd say it's a limitation of the PHP OpenSSL library at that point. Attempting to renew the cert might fail, but otherwise it probably won't matter much.</p>
<p>It doesn't happen to keys created using the pfSense GUI, which further lessens the impact, so I'd say it's solved so long as my last commit didn't break anything.</p>
<p><strong>Viktor Gurov</strong> wrote on 2019-11-16T07:38:28Z (<a href="https://redmine.pfsense.org/issues/9745?journal_id=42921">journal 42921</a>):</p>
<p>Jim Pingle wrote:</p>
<blockquote>
<p>I made a couple changes that might help here, but I don't have a cert/key made that way to test. See <a class="changeset" title="Attempt to fetch EC curve OID if name is blank. Issue #9745" href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/9dfd57c0411b7c94749fa7c596f4ff2f264dd38c">9dfd57c041</a></p>
</blockquote>
<p>You can create such keys with the "openssl ecparam -in secp256k1.pem -text -param_enc explicit -noout" command, for example.<br /> See <a class="external" href="https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations">https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations</a></p>
<blockquote>
<p>That said, if it still fails with the new changes, there probably isn't anything we can do. I'd say it's a limitation of the PHP OpenSSL library at that point. Attempting to renew the cert might fail, but otherwise it probably won't matter much.</p>
</blockquote>
<p>That's true; if you attempt to renew such a cert:</p>
<pre>
PHP Warning: openssl_pkey_new(): Error loading extensions_section section usr_cert_san of /etc/ssl/openssl.cnf in /etc/inc/certs.inc on line 1659
PHP Warning: openssl_csr_new(): Error loading extensions_section section usr_cert_san of /etc/ssl/openssl.cnf in /etc/inc/certs.inc on line 1666
</pre>
<blockquote>
<p>It doesn't happen to keys created using the pfSense GUI, which further lessens the impact, so I'd say it's solved so long as my last commit didn't break anything.</p>
</blockquote>
<p>In fact, I don’t know yet which popular CAs or software create ECDSA certificates with this "explicit" option.</p>
<p><strong>Jim Pingle</strong> wrote on 2020-01-08T09:48:31Z (<a href="https://redmine.pfsense.org/issues/9745?journal_id=44092">journal 44092</a>):</p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul>
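<p>The root of the empty "Elliptic curve name" field discussed in this thread is the way the key encodes its curve: a key written with <em>-param_enc explicit</em> carries the full domain parameters (prime, coefficients, base point, order) instead of a named-curve OID, so a lookup that expects a curve name finds nothing. The following is an added example, not pfSense code and not from any participant in the thread: a standard-library Python parser that reads a SEC1 "EC PRIVATE KEY" PEM block (the format <code>openssl ecparam -genkey</code> writes), reports whether the ECParameters field is a named curve or explicit parameters, and applies a simple import policy that only accepts identifiable named curves. The curve OID table is a constructed subset, and the two sample keys are constructed DER structures with dummy all-zero scalars, sufficient to exercise the parameter check but not usable as real keys; PKCS#8 "PRIVATE KEY" wrapping is not handled.</p>

```python
"""Classify how a SEC1 EC private key encodes its curve parameters:
named-curve OID versus explicit domain parameters (-param_enc explicit).
Standard library only. The sample keys at the bottom are constructed dummies."""
import base64
import re

# Constructed subset of named-curve OIDs (RFC 5480 / SEC 2 / RFC 5639).
NAMED_CURVES = {
    "1.2.840.10045.3.1.7": "prime256v1",
    "1.3.132.0.34": "secp384r1",
    "1.3.132.0.35": "secp521r1",
    "1.3.132.0.10": "secp256k1",
    "1.3.36.3.3.2.8.1.1.1": "brainpoolP160r1",
}
PRIME_FIELD_OID = "1.2.840.10045.1.1"  # X9.62 prime-field


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def inspect_ec_key(pem):
    """Describe the ECParameters encoding of a SEC1 'EC PRIVATE KEY' PEM block."""
    m = re.search(r"-----BEGIN EC PRIVATE KEY-----(.*?)-----END EC PRIVATE KEY-----", pem, re.S)
    if not m:
        raise ValueError("not a SEC1 'EC PRIVATE KEY' PEM block")
    der = base64.b64decode("".join(m.group(1).split()))
    _, body, _ = _read_tlv(der, 0)                     # ECPrivateKey SEQUENCE
    _, _, pos = _read_tlv(body, 0)                     # version INTEGER
    _, _, pos = _read_tlv(body, pos)                   # privateKey OCTET STRING
    tag, ctx0, _ = _read_tlv(body, pos)                # [0] parameters (OPTIONAL)
    if tag != 0xA0:
        raise ValueError("key carries no ECParameters")
    ptag, pval, _ = _read_tlv(ctx0, 0)
    if ptag == 0x06:                                   # namedCurve OBJECT IDENTIFIER
        oid = _decode_oid(pval)
        return {"encoding": "named", "oid": oid,
                "curve_name": NAMED_CURVES.get(oid), "field_bits": None}
    if ptag == 0x30:                                   # specifiedCurve SEQUENCE
        _, _, pos = _read_tlv(pval, 0)                 # version
        _, field_id, _ = _read_tlv(pval, pos)          # fieldID SEQUENCE
        _, ftype, fpos = _read_tlv(field_id, 0)        # fieldType OID
        bits = None
        if _decode_oid(ftype) == PRIME_FIELD_OID:
            _, prime, _ = _read_tlv(field_id, fpos)    # prime INTEGER p
            bits = int.from_bytes(prime, "big").bit_length()
        return {"encoding": "explicit", "oid": None, "curve_name": None, "field_bits": bits}
    return {"encoding": "implicit", "oid": None, "curve_name": None, "field_bits": None}


def is_importable(info):
    """Import policy: accept only named curves the application can identify."""
    return info["encoding"] == "named" and info["curve_name"] is not None


# --- constructed sample inputs (dummy scalars, not real keys) -----------------
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def _sec1_pem(params):
    der = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, b"\x00" * 32) + _tlv(0xA0, params))
    return "-----BEGIN EC PRIVATE KEY-----\n" + base64.encodebytes(der).decode() \
        + "-----END EC PRIVATE KEY-----\n"


P256_PRIME = (1 << 256) - (1 << 224) + (1 << 192) + (1 << 96) - 1
SAMPLE_NAMED = _sec1_pem(_tlv(0x06, _encode_oid("1.2.840.10045.3.1.7")))
SAMPLE_EXPLICIT = _sec1_pem(_tlv(0x30,
    _tlv(0x02, b"\x01")                                                   # version
    + _tlv(0x30, _tlv(0x06, _encode_oid(PRIME_FIELD_OID))                 # fieldID
                 + _tlv(0x02, b"\x00" + P256_PRIME.to_bytes(32, "big")))
    + _tlv(0x30, _tlv(0x04, b"\x00" * 32) + _tlv(0x04, b"\x00" * 32))    # curve a, b (dummy)
    + _tlv(0x04, b"\x04" + b"\x00" * 64)                                  # base point (dummy)
    + _tlv(0x02, b"\x01")))                                               # order (dummy)

if __name__ == "__main__":
    for label, pem in (("named", SAMPLE_NAMED), ("explicit", SAMPLE_EXPLICIT)):
        info = inspect_ec_key(pem)
        print(label, info, "importable" if is_importable(info) else "REJECT")
```

<p>Running the block classifies the named sample as <code>prime256v1</code> and the explicit sample as <code>explicit</code> with a 256-bit prime field and no curve name, which is the shape of key this thread found <code>openssl_pkey_get_details()</code> cannot name. Rejecting (or at least flagging) explicit-parameter keys at import, before they are stored or used to sign a CSR, is a cheaper check than discovering the problem later at renewal time.</p>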