Bug #9920
closed
system_crlmanager.php: CRL export file is empty if CA key type is ECDSA
Description
The CRL export file is empty if the CA key type is ECDSA.
Certs inside this CRL can be RSA or ECDSA.
If the CRL CA key type is RSA, everything is OK -
certs inside this CRL can be RSA or ECDSA,
and it creates a correct X.509 CRL file.
pfSense 2.5.0.a.20191122.1802
Updated by Viktor Gurov about 5 years ago
In the case of an ECDSA CA, the <text></text> field of <crl></crl> is always empty in config.xml.
Updated by Jim Pingle about 5 years ago
- Assignee set to Jim Pingle
- Target version set to 2.5.0
Updated by Viktor Gurov about 5 years ago
It looks like ukrbublik/openssl_x509_crl does not support ECDSA -
https://github.com/ukrbublik/openssl_x509_crl/blob/master/src/X509_CRL.php:
if($ca_pkey_type == OPENSSL_KEYTYPE_EC || $ca_pkey_type == -1) return false;
Updated by Jim Pingle about 5 years ago
I submitted a PR to their project to add support for ECDSA CAs, it didn't take much:
Updated by Jim Pingle about 5 years ago
- Status changed from New to Feedback
I added that patch to our port:
https://github.com/pfsense/FreeBSD-ports/commit/1bdb4e58dd3802abbd25acc5ff8da23336ad1a61
Once the new version is in a build, it can be tested.
Updated by Viktor Gurov about 5 years ago
Jim Pingle wrote:
> I added that patch to our port:
> https://github.com/pfsense/FreeBSD-ports/commit/1bdb4e58dd3802abbd25acc5ff8da23336ad1a61
> Once the new version is in a build, it can be tested.
Tested on pfSense 2.5.0.a.20191126.1832.
CRL export file is OK now. Resolved.
Updated by Jim Pingle about 5 years ago
- Status changed from Feedback to Resolved
My PR was merged upstream and we're on the latest version as well now, without needing a patch. That was finished the same day, so it's all good and tested now.
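The failure in this ticket was silent: the key-type check quoted earlier returned false for an EC key and the export ended up empty. The following added example (not pfSense or openssl_x509_crl code) shows a guard that rejects an empty or non-DER CRL and names the CA key type in the error; `build_crl_checked`, `ca_key_type_label` and the `$preFixBuilder` stand-in are hypothetical names introduced here.

```php
<?php
// Added example; the builder is passed in as a callable so that no
// library API is assumed. Requires the PHP openssl extension.

/** Map the 'type' reported by openssl_pkey_get_details() to a label. */
function ca_key_type_label($caKey): string {
    $details = openssl_pkey_get_details($caKey);
    if ($details === false) { return 'unknown'; }
    switch ($details['type']) {
        case OPENSSL_KEYTYPE_RSA: return 'RSA';
        case OPENSSL_KEYTYPE_EC:  return 'ECDSA';
        case OPENSSL_KEYTYPE_DSA: return 'DSA';
        default:                  return 'unknown'; // PHP reports -1 here
    }
}

/**
 * Run a CRL builder and refuse to return an empty or malformed result.
 * $buildCrl (hypothetical): fn($caKey) => DER-encoded CRL string, or false.
 */
function build_crl_checked(callable $buildCrl, $caKey): string {
    $type = ca_key_type_label($caKey);
    $der  = $buildCrl($caKey);
    if (!is_string($der) || $der === '') {
        throw new RuntimeException("CRL builder returned no data for $type CA key");
    }
    // A DER X.509 CRL is an ASN.1 SEQUENCE, so its first byte is 0x30.
    if (ord($der[0]) !== 0x30) {
        throw new RuntimeException("CRL output for $type CA key is not DER");
    }
    return "-----BEGIN X509 CRL-----\n"
        . chunk_split(base64_encode($der), 64, "\n")
        . "-----END X509 CRL-----\n";
}

// Constructed stand-in that mirrors the quoted check: false for EC/unknown keys.
$preFixBuilder = function ($caKey) {
    $type = openssl_pkey_get_details($caKey)['type'];
    if ($type == OPENSSL_KEYTYPE_EC || $type == -1) { return false; }
    return "\x30\x00"; // constructed placeholder bytes, not a real CRL
};

$ecKey = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_EC,
                           'curve_name' => 'prime256v1']);
if ($ecKey === false) { exit("could not generate test key\n"); }
try {
    echo build_crl_checked($preFixBuilder, $ecKey);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n"; // surfaced instead of writing an empty file
}
```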