Bug #9920

system_crlmanager.php: CRL export file is empty if CA key type is ECDSA

Added by Viktor Gurov 3 months ago. Updated 3 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Certificates
Target version:
Start date: 11/23/2019
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.5.0
Affected Architecture:

Description

CRL export file is empty if the CA key type is ECDSA.
Certs inside this CRL can be RSA or ECDSA.

If the CRL's CA key type is RSA, everything is OK:
certs inside this CRL can be RSA or ECDSA,
and it creates a correct X.509 CRL file.

pfSense 2.5.0.a.20191122.1802

History

#1 Updated by Viktor Gurov 3 months ago

In the case of an ECDSA CA, the <text></text> field of <crl></crl> is always empty in config.xml.

#2 Updated by Jim Pingle 3 months ago

  • Assignee set to Jim Pingle
  • Target version set to 2.5.0

#3 Updated by Viktor Gurov 3 months ago

It looks like ukrbublik/openssl_x509_crl does not support ECDSA:

https://github.com/ukrbublik/openssl_x509_crl/blob/master/src/X509_CRL.php:

if ($ca_pkey_type == OPENSSL_KEYTYPE_EC || $ca_pkey_type == -1)
    return false;

#4 Updated by Jim Pingle 3 months ago

I submitted a PR to their project to add support for ECDSA CAs, it didn't take much:

https://github.com/ukrbublik/openssl_x509_crl/pull/4
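
As an added example (not code from pfSense or from ukrbublik/openssl_x509_crl), the following POSIX shell script reproduces the scenario in this report with the openssl CLI and performs the checks a reviewer would want on an exported CRL: it builds a prime256v1 ECDSA CA, signs one ECDSA and one RSA leaf certificate, revokes both, generates a CRL from that EC CA, and then verifies that the CRL file is non-empty and that its signature validates against the CA certificate. All subject names, serial numbers and file names are constructed; the only assumption is that openssl 1.1.1 or later is on PATH.

```shell
#!/bin/sh
# Added example, not pfSense or library code: ECDSA CA + CRL export check.
set -e

# Build an EC (prime256v1) CA in directory $1, sign one ECDSA and one RSA
# leaf, revoke both, and write crl.pem. All names/serials are constructed.
make_ec_ca_crl() {
    d=$1
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -sha256 -days 30 -subj "/CN=Example ECDSA CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null

    # Leaf 1 has an ECDSA key, leaf 2 an RSA key; both are issued by the EC CA,
    # matching the "certs inside this CRL can be RSA or ECDSA" case above.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=leaf-ecdsa" -keyout "$d/leaf1.key" -out "$d/leaf1.csr" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=leaf-rsa" -keyout "$d/leaf2.key" -out "$d/leaf2.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf1.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -set_serial 1001 -days 30 -sha256 -out "$d/leaf1.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf2.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -set_serial 1002 -days 30 -sha256 -out "$d/leaf2.pem" 2>/dev/null

    # Minimal 'openssl ca' database: empty index plus a starting CRL number.
    : > "$d/index.txt"
    echo 01 > "$d/crlnumber"
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = testca
[ testca ]
database = $d/index.txt
crlnumber = $d/crlnumber
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
default_crl_days = 30
EOF
    openssl ca -config "$d/ca.cnf" -revoke "$d/leaf1.pem" 2>/dev/null
    openssl ca -config "$d/ca.cnf" -revoke "$d/leaf2.pem" 2>/dev/null
    openssl ca -config "$d/ca.cnf" -gencrl -crldays 30 -out "$d/crl.pem" 2>/dev/null
}

# Return 0 only if the CRL file is non-empty (the symptom in this report was
# an empty export) and its signature verifies against the CA certificate.
check_crl() {
    [ -s "$1" ] || { echo "CRL file $1 is empty" >&2; return 1; }
    openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'
}

# Print how many revoked serials the CRL lists (parsed from -text output).
count_revoked() {
    openssl crl -in "$1" -noout -text | grep -c 'Serial Number:' || true
}

# Print the CA certificate's public key algorithm (id-ecPublicKey for ECDSA),
# i.e. the condition that triggered the empty export in this report.
ca_key_algorithm() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: //p' | head -n 1
}

# Usage: sh crlcheck.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_ec_ca_crl "$d"
    echo "CA key algorithm: $(ca_key_algorithm "$d/ca.pem")"
    if check_crl "$d/crl.pem" "$d/ca.pem"; then
        echo "CRL OK: $(count_revoked "$d/crl.pem") revoked serial(s)"
    fi
    rm -rf "$d"
fi
```

The same two checks apply to a CRL exported from the pfSense GUI: `[ -s crl.pem ]` catches the empty-file symptom described above, and `openssl crl -CAfile ca.pem` confirms the export was actually signed by the CA rather than merely being non-empty.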

#5 Updated by Jim Pingle 3 months ago

  • Status changed from New to Feedback

I added that patch to our port:

https://github.com/pfsense/FreeBSD-ports/commit/1bdb4e58dd3802abbd25acc5ff8da23336ad1a61

Once the new version is in a build, it can be tested.

#6 Updated by Viktor Gurov 3 months ago

Jim Pingle wrote:

I added that patch to our port:

https://github.com/pfsense/FreeBSD-ports/commit/1bdb4e58dd3802abbd25acc5ff8da23336ad1a61

Once the new version is in a build, it can be tested.

Tested on pfSense 2.5.0.a.20191126.1832.

CRL export file is OK now. Resolved.

#7 Updated by Jim Pingle 3 months ago

  • Status changed from Feedback to Resolved

My PR was merged upstream and we're on the latest version as well now, without needing a patch. That was finished the same day, so it's all good and tested now.
