Project

General

Profile

Actions

Bug #9920

closed

system_crlmanager.php: CRL export file is empty if CA key type is ECDSA

Added by Viktor Gurov over 4 years ago. Updated over 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Certificates
Target version:
Start date:
11/23/2019
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.5.0
Affected Architecture:

Description

CRL export file is empty if CA key type is ECDSA
certs inside this CRL can be RSA or ECDSA

if CRL CA key type is RSA everything is ok -
certs inside this CRL can be RSA or ECDSA,
it creates correct X.509 CRL file

pfSense 2.5.0.a.20191122.1802

Actions #1

Updated by Viktor Gurov over 4 years ago

in case of ECDSA CA <text></text> field of <crl></crl> is always empty in config.xml

Actions #2

Updated by Jim Pingle over 4 years ago

  • Assignee set to Jim Pingle
  • Target version set to 2.5.0
Actions #3

Updated by Viktor Gurov over 4 years ago

it looks like ukrbublik/openssl_x509_crl do not support ECDSA -

https://github.com/ukrbublik/openssl_x509_crl/blob/master/src/X509_CRL.php:

if($ca_pkey_type == OPENSSL_KEYTYPE_EC || $ca_pkey_type == -1)
            return false;

Actions #4

Updated by Jim Pingle over 4 years ago

I submitted a PR to their project to add support for ECDSA CAs, it didn't take much:

https://github.com/ukrbublik/openssl_x509_crl/pull/4

Actions #5

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Feedback

I added that patch to our port:

https://github.com/pfsense/FreeBSD-ports/commit/1bdb4e58dd3802abbd25acc5ff8da23336ad1a61

Once the new version is in a build, it can be tested.

Actions #6

Updated by Viktor Gurov over 4 years ago

Jim Pingle wrote:

I added that patch to our port:

https://github.com/pfsense/FreeBSD-ports/commit/1bdb4e58dd3802abbd25acc5ff8da23336ad1a61

Once the new version is in a build, it can be tested.

tested on pfSense 2.5.0.a.20191126.1832

CRL export file is ok now, Resolved

Actions #7

Updated by Jim Pingle over 4 years ago

  • Status changed from Feedback to Resolved

My PR was merged upstream and we're on the latest version as well now, without needing a patch. That was finished the same day, so it's all good and tested now.

Actions

Also available in: Atom PDF