General Discussion / [Problem solved, feature request] EC private key should include curve params
« on: April 09, 2023, 04:25:03 am »
PKI works flawlessly everywhere.
Environment
- Deciso 740 OPNsense OpenSSL Business 22.10.2 1abb59250
Repro
- System > Trust > Certificates
- Method: Create an internal certificate
- Certificate authority: (previously created intermediate cert)
- Key type: Elliptic Curve
- Private key location: Download and do not save
- Common name: (anything or appropriate FQDN hostname)
- Save
Expected outcome
- Cert and private key (pk) should be turnkey usable
Actual outcome
- Target system refuses pk
Root cause
- Pk is missing EC parameters
Remediation
Prepend one of the following implicit "named" curves to the beginning of the pk.
prime256v1 (NIST P-256)
Code:
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
secp384r1
Code:
-----BEGIN EC PARAMETERS-----
BgUrgQQAIg==
-----END EC PARAMETERS-----
secp521r1
Code:
-----BEGIN EC PARAMETERS-----
BgUrgQQAIw==
-----END EC PARAMETERS-----
Also worth mentioning https://safecurves.cr.yp.to
Requested long-term solution
Prepend the BEGIN EC PARAMETERS section to the downloaded pk.
If a user doesn't want it, they can remove it.
It's far more difficult to find them (it took me extra time to find these and verify them) than it is to remove them.
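An added example (my own code, not from the post or from OPNsense) that performs the remediation above without guessing: it reads the named-curve OID out of the SEC1 "EC PRIVATE KEY" block and prepends the matching EC PARAMETERS block, refusing keys whose curve is not one of the three listed. The sample key it builds is a constructed dummy, not a real key.

```python
import base64
import re

# DER OBJECT IDENTIFIERs of the post's three named curves (base64 of these bytes = the blocks above)
NAMED_CURVES = {bytes.fromhex("06082a8648ce3d030107"): "prime256v1",
                bytes.fromhex("06052b81040022"): "secp384r1",
                bytes.fromhex("06052b81040023"): "secp521r1"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _der_len(buf, pos):
    """Return (length, offset after the length field) for the DER length at buf[pos]."""
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    n = buf[pos] & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def curve_oid_from_sec1(der):
    """Walk a SEC1 ECPrivateKey (RFC 5915: SEQUENCE { version, privateKey OCTET STRING,
    [0] parameters OPTIONAL, [1] publicKey OPTIONAL }) and return the namedCurve OID TLV."""
    if der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, pos = _der_len(der, 1)
    while pos < len(der):
        length, body = _der_len(der, pos + 1)
        if der[pos] == 0xA0:                 # [0] EXPLICIT ECParameters
            oid = der[body:body + length]
            if oid[:1] != b"\x06":           # only the namedCurve CHOICE is handled here
                raise ValueError("ECParameters is not a namedCurve OID")
            return oid
        pos = body + length
    raise ValueError("key carries no curve parameters")

def add_ec_parameters(pem):
    """Return pem with the matching EC PARAMETERS block prepended (no-op if already present)."""
    blocks = {m.group(1): m.group(2) for m in PEM_RE.finditer(pem)}
    if "EC PARAMETERS" in blocks:
        return pem
    if "EC PRIVATE KEY" not in blocks:
        raise ValueError("no SEC1 'EC PRIVATE KEY' block (PKCS#8 keys do not use EC PARAMETERS)")
    oid = curve_oid_from_sec1(base64.b64decode("".join(blocks["EC PRIVATE KEY"].split())))
    if oid not in NAMED_CURVES:
        raise ValueError("unsupported curve OID " + oid.hex())
    return f"-----BEGIN EC PARAMETERS-----\n{base64.b64encode(oid).decode()}\n-----END EC PARAMETERS-----\n" + pem

def sample_sec1_pem(curve_oid, priv_len):
    """Constructed sample, NOT a real key: version 1, dummy scalar, named-curve OID, no public key."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths suffice here
    der = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, b"\x11" * priv_len) + tlv(0xA0, curve_oid))
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN EC PRIVATE KEY-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END EC PRIVATE KEY-----\n"
```

With the OpenSSL CLI, `openssl ec -in key.pem -param_out -out fixed.pem` writes the same EC PARAMETERS block ahead of the key.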