Bug #9745
closed
can't add ECDSA certificate key when signing CSR
Added by Viktor Gurov about 5 years ago.
Updated almost 5 years ago.
Affected Version: 2.4.4-p3
Description
If you try to sign a CSR, it does not allow adding Key data, with the following errors:
The following input errors were detected:
This private does not appear to be valid.
Key data field should be blank, or a valid x509 private key
It is OK if you add only the CSR, without EC key data.
It is OK if you import an existing certificate and EC key with "Import an existing Certificate".
Key created with:
openssl ecparam -name brainpoolP160r1 -genkey -param_enc explicit -out ec-ovpns.pem
openssl req -key ec-ovpns.pem -new -out ec-ovpns.csr
- Assignee set to Jim Pingle
- Target version set to 2.5.0
This is probably the check needing to recognize the EC key header text since it's different.
- Status changed from New to Pull Request Review
- Assignee deleted (Jim Pingle)
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged. Thanks!
Renato Botelho wrote:
PR has been merged. Thanks!
Tested on 2.5.0.a.20191114.1802
CSR with key can be signed - OK
but on the Certificates page the "Elliptic curve name" field is empty:
Serial: 7
Signature Digest: RSA-SHA256
KU: Digital Signature, Non Repudiation, Key Encipherment
EKU: TLS Web Client Authentication
Key Type: ECDSA
Elliptic curve name:
DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
Hash: 9da13359
Subject Key ID: B6:E2:85:D3:95:23:FA:14:80:BB:6E:97:36:47:4B:C7:7C:95:20:98
Authority Key ID: DirName:/CN=tkCA
serial:E8:C3:C7:2A:38:0E:66:86
Total Lifetime: 3650 days
Lifetime Remaining: 3649 days until expiration
Trust Store: Excluded
If the key is created without the -param_enc explicit option, everything is OK:
$ openssl ecparam -name brainpoolP160r1 -genkey -out ecsig_expl.pem -param_enc explicit
$ openssl ecparam -in ecsig.pem -text -noout
ASN1 OID: brainpoolP160r1
If the key is created with the -param_enc explicit option, openssl_pkey_get_details() shows an empty curve_name and curve_oid.
- Assignee changed from Renato Botelho to Jim Pingle
I made a couple changes that might help here, but I don't have a cert/key made that way to test. See 9dfd57c041
That said, if it still fails with the new changes, there probably isn't anything we can do. I'd say it's a limitation of the PHP OpenSSL library at that point. Attempting to renew the cert might fail, but otherwise it probably won't matter much.
It doesn't happen to keys created using the pfSense GUI, which further lessens the impact, so I'd say it's solved so long as my last commit didn't break anything.
Jim Pingle wrote:
I made a couple changes that might help here, but I don't have a cert/key made that way to test. See 9dfd57c041
You can create such keys with the "openssl ecparam -in secp256k1.pem -text -param_enc explicit -noout" command, for example.
See https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations
That said, if it still fails with the new changes, there probably isn't anything we can do. I'd say it's a limitation of the PHP OpenSSL library at that point. Attempting to renew the cert might fail, but otherwise it probably won't matter much.
That's true; if you attempt to renew such a cert:
PHP Warning: openssl_pkey_new(): Error loading extensions_section section usr_cert_san of /etc/ssl/openssl.cnf in /etc/inc/certs.inc on line 1659
PHP Warning: openssl_csr_new(): Error loading extensions_section section usr_cert_san of /etc/ssl/openssl.cnf in /etc/inc/certs.inc on line 1666
It doesn't happen to keys created using the pfSense GUI, which further lessens the impact, so I'd say it's solved so long as my last commit didn't break anything.
In fact, I don’t know yet which popular CAs or software create ECDSA certificates with this "explicit" option.
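The two failure modes discussed in this thread (a header-text check that does not know the "EC PRIVATE KEY" header, and openssl_pkey_get_details() returning no curve_name for keys with explicit parameters) can be handled by letting the PHP OpenSSL extension parse the key instead of matching header strings. The following is an added example written for this page; it is not pfSense code, and header_only_check() is a hypothetical reconstruction of the kind of check the report describes, not the project's actual function. It assumes PHP 7.1 or later, where openssl_pkey_get_details() returns the 'ec' sub-array. Keys generated in-process by openssl_pkey_export() come out in PKCS#8 form ("BEGIN PRIVATE KEY"), so the SEC1 "BEGIN EC PRIVATE KEY" PEM that openssl ecparam produces is not constructed here; describe_private_key() accepts it the same way because it parses rather than string-matches, and it reports explicit_params = true when OpenSSL cannot name the curve.

```php
<?php
// Added example, not pfSense code. Validate a PEM private key by parsing it
// with the PHP OpenSSL extension and report EC curve details, flagging keys
// whose curve name is unavailable (e.g. "openssl ecparam -param_enc explicit").

/**
 * Hypothetical reconstruction of a header-only check (not pfSense's code):
 * it accepts only PKCS#8 and traditional RSA headers, so a SEC1
 * "-----BEGIN EC PRIVATE KEY-----" PEM is rejected, while any garbage wrapped
 * in an accepted header passes.
 */
function header_only_check(string $pem): bool
{
    return strpos($pem, 'BEGIN PRIVATE KEY') !== false
        || strpos($pem, 'BEGIN RSA PRIVATE KEY') !== false;
}

/**
 * Parse the key with OpenSSL and describe it. Works for RSA, EC and
 * PKCS#8-wrapped keys regardless of the PEM header text.
 */
function describe_private_key(string $pem): array
{
    $key = openssl_pkey_get_private($pem);
    if ($key === false) {
        $err = openssl_error_string();
        return ['valid' => false, 'error' => $err !== false ? $err : 'not a private key'];
    }
    $d = openssl_pkey_get_details($key);
    $info = ['valid' => true, 'bits' => $d['bits']];
    switch ($d['type']) {
        case OPENSSL_KEYTYPE_RSA:
            $info['type'] = 'RSA';
            break;
        case OPENSSL_KEYTYPE_EC:
            $info['type'] = 'ECDSA';
            // curve_name / curve_oid are only present when OpenSSL knows the
            // curve by name. With explicit parameters (as in this report) they
            // are absent, which is what leaves the GUI's "Elliptic curve name"
            // field empty; report that explicitly instead of showing a blank.
            $info['curve'] = $d['ec']['curve_name'] ?? '';
            $info['explicit_params'] = ($info['curve'] === '');
            break;
        default:
            $info['type'] = 'other';
    }
    return $info;
}

/** Demo over constructed inputs: an EC key, an RSA key, and a bogus PEM. */
function demo(): array
{
    $results = [];
    $generated = [
        ['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1'],
        ['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048],
    ];
    foreach ($generated as $opts) {
        $k = openssl_pkey_new($opts);
        openssl_pkey_export($k, $pem); // PKCS#8 "BEGIN PRIVATE KEY" PEM
        $results[] = ['header_check' => header_only_check($pem),
                      'parsed'       => describe_private_key($pem)];
    }
    // Constructed: an accepted header around a body that is not a key at all.
    // The header check says yes; real parsing says no.
    $bogus = "-----BEGIN RSA PRIVATE KEY-----\nbm90IGEga2V5\n-----END RSA PRIVATE KEY-----\n";
    $results[] = ['header_check' => header_only_check($bogus),
                  'parsed'       => describe_private_key($bogus)];
    return $results;
}

print_r(demo());
```

Running the script prints one entry per input: the generated EC key parses as ECDSA with curve prime256v1 and explicit_params false, the RSA key as RSA, and the bogus PEM passes header_only_check() but comes back with valid = false from describe_private_key(). For a key imported from a file generated with -param_enc explicit, the same function returns valid = true with an empty curve and explicit_params = true, which a form can display as a message rather than an empty field.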
- Status changed from Feedback to Resolved