Re: Server ECDSA certificate requirements for 1.0.1f?,
https://groups.google.com/forum/#!topic/mailing.openssl.users/iTID_Hpj6XQ.

An ECDSA key and certificate were generated for use on an
OpenSSL-powered server. The key was saved with the following, and a
certificate was subsequently generated from it:

  int nid = NID_secp256k1;
  EC_KEY* key = EC_KEY_new_by_curve_name(nid);
  int rc = EC_KEY_generate_key(key);

  EVP_PKEY * pkey = EVP_PKEY_new();
  rc = EVP_PKEY_assign_EC_KEY(pkey, key);

Later, when the certificate was used, it resulted in the error
0x1408a0c1 (no shared cipher):

Server (s_server):
140339533272744:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no
shared cipher:s3_srvr.c:1353:

Client (s_client):
139925962778272:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
alert handshake failure:s3_pkt.c:1256:SSL alert number 40
139925962778272:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
handshake failure:s3_pkt.c:596:

The issue was a missing call to EC_KEY_set_asn1_flag (thanks David,
Viktor and Dr. Henson):

  int nid = NID_secp256k1;
  EC_KEY* key = EC_KEY_new_by_curve_name(nid);
  EC_KEY_set_asn1_flag(key, OPENSSL_EC_NAMED_CURVE);
  ...

The following code loaded the key and cert at the server:

    static shared_ptr<SSL_CTX> ctx;
    ...

    string file1 = GetServerCertFile();
    rc = SSL_CTX_use_certificate_chain_file(ctx.get(), file1.c_str());
    err = ERR_get_error();
    ...

    string file2 = GetServerKeyFile();
    rc = SSL_CTX_use_PrivateKey_file(ctx.get(), file2.c_str(), SSL_FILETYPE_PEM);
    err = ERR_get_error();
    ...

    rc = SSL_CTX_check_private_key(ctx.get());
    err = ERR_get_error();
    ...

Full error checking was performed, and yet the key and certificate did
not fail any checks even though it resulted in 0x1408a0c1 (no shared
cipher) for any/all cipher suites (including the non-ECDSA).

On one hand, it could be a bug since I attempted to validate
everything. And it broke negotiation for all cipher suites (and not
just ECDHE-ECDSA-*), so I think that makes it a bug.

On the other hand, it might not be a bug if aNULL or an anonymous DH
is used (etc). In the case that it's not a bug, it's definitely an
opportunity for improvement in the validation.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
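
Added example, not part of the original post and not OpenSSL code: the ECParameters field of an EC SubjectPublicKeyInfo is a CHOICE between a named-curve OID and explicit curve parameters, and OPENSSL_EC_NAMED_CURVE selects the OID form. This stdlib-only Python check reports which form a DER public key carries; the function names and the sample bytes are constructed for illustration.

```python
# Added example (not from the original post): classify the ECParameters
# CHOICE inside a DER-encoded SubjectPublicKeyInfo.
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # OID 1.2.840.10045.2.1
SECP256K1 = bytes.fromhex("2b8104000a")             # OID 1.3.132.0.10

def tlv(tag, value):
    """DER-encode one element (used only to build the constructed samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        count = length & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def ec_param_encoding(spki):
    """Return 'named_curve', 'explicit' or 'implicit' for an EC public key."""
    tag, body, _ = read_tlv(spki)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, _ = read_tlv(body)             # AlgorithmIdentifier
    alg_tag, oid, pos = read_tlv(alg)
    if tag != 0x30 or alg_tag != 0x06 or oid != ID_EC_PUBLIC_KEY:
        raise ValueError("not an id-ecPublicKey AlgorithmIdentifier")
    param_tag, _, _ = read_tlv(alg, pos)     # ECParameters CHOICE
    kinds = {0x06: "named_curve", 0x30: "explicit", 0x05: "implicit"}
    if param_tag not in kinds:
        raise ValueError("unexpected ECParameters tag")
    return kinds[param_tag]

# Constructed samples: the point and the explicit-parameter body are
# placeholders, not real key material or real curve constants.
POINT = tlv(0x03, b"\x00\x04" + bytes(64))
NAMED = tlv(0x30, tlv(0x30, tlv(0x06, ID_EC_PUBLIC_KEY) + tlv(0x06, SECP256K1)) + POINT)
EXPLICIT = tlv(0x30, tlv(0x30, tlv(0x06, ID_EC_PUBLIC_KEY)
                         + tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, bytes(130)))) + POINT)

if __name__ == "__main__":
    for name, der in (("named", NAMED), ("explicit", EXPLICIT)):
        print(name, "->", ec_param_encoding(der))
```

Run against the DER public key extracted from a server certificate, a result other than named_curve flags the condition described in this post before the certificate is deployed.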