
Cannot use self-signed certificate generated with P-256 on Windows #233

ZanderFick opened this issue Sep 15, 2022 · 2 comments

@ZanderFick

Originally from rustls/rcgen#91.

The issue is trying to use a P-256 self-signed certificate and key to create and use a native_tls::Identity on Windows 11.

Example:

Create a P-256 key and certificate:

openssl ecparam -name prime256v1 -genkey -noout | openssl pkcs8 -topk8 -nocrypt -outform pem > private-key.pk8

openssl req -x509 -nodes -days 365 -key private-key.pk8 -inform pem -out selfsigned-x509.crt -outform pem

private-key.pk8

-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgfaWB8eice9MLtw1y
WVy6hlCUvhDIiNd8iiRxxEsr8wuhRANCAARgoS2tqg7inL0V1G/QxUSWGutx4x7r
5vUyNFPNnJ5dn5TbOLk/XAyngKw/1UfLzW+hliHa/Iay8ap5LqGXNXex
-----END PRIVATE KEY-----

selfsigned-x509.crt

-----BEGIN CERTIFICATE-----
MIICBjCCAa2gAwIBAgIUEN5ugy4udCDU63hh/kPaEPCG910wCgYIKoZIzj0EAwIw
WTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIy
MDkxNTE3NDIxN1oXDTIzMDkxNTE3NDIxN1owWTELMAkGA1UEBhMCQVUxEzARBgNV
BAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0
ZDESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
YKEtraoO4py9FdRv0MVElhrrceMe6+b1MjRTzZyeXZ+U2zi5P1wMp4CsP9VHy81v
oZYh2vyGsvGqeS6hlzV3saNTMFEwHQYDVR0OBBYEFOI0vFSNC2RtKeTNjCvk3odg
OWWVMB8GA1UdIwQYMBaAFOI0vFSNC2RtKeTNjCvk3odgOWWVMA8GA1UdEwEB/wQF
MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgOkQnY7WbDN2V1EofQ4FK8Apr6/pmwrod
rp2b82PEeqsCIHEHf7RyLZpJbKUkVQV3W/ABB2qV1dWhEaCANeXHdivw
-----END CERTIFICATE-----

Try to use the certificate and key to create a native_tls::Identity

use std::fs;
use std::io::Read;

fn main() {
    let mut pkey = vec![];
    let mut crt = vec![];

    // Read the PEM-encoded PKCS#8 private key and the self-signed certificate.
    fs::File::open("private-key.pk8").unwrap()
        .read_to_end(&mut pkey).unwrap();
    fs::File::open("selfsigned-x509.crt").unwrap()
        .read_to_end(&mut crt).unwrap();

    // With the openssl P-256 key this raises, on Windows 11:
    // Os { code: -2146881269, kind: Uncategorized, message: "ASN1 bad tag value met." }
    let _identity = native_tls::Identity::from_pkcs8(&crt, &pkey).unwrap();
}

Cargo.toml:

[dependencies]
native-tls = "0.2.10"

Are there configuration settings to set in native_tls to support this key and certificate configuration?
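Before attributing an "ASN1 bad tag value met" error to the backend, it helps to confirm what the PKCS#8 file actually declares. The following is an added diagnostic, not code from the issue or from native-tls: it decodes a PEM "PRIVATE KEY" block with the standard library only, walks the PrivateKeyInfo structure far enough to read the AlgorithmIdentifier, and reports whether the key is RSA, EC on P-256, EC on another named curve, or something else. The function names, the `KeyKind` enum and the `ISSUE_KEY_PEM` constant (which holds the key posted above) are this example's own.

```rust
/// rsaEncryption 1.2.840.113549.1.1.1
const OID_RSA: &[u8] = &[0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01];
/// id-ecPublicKey 1.2.840.10045.2.1
const OID_EC_PUBLIC_KEY: &[u8] = &[0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01];
/// prime256v1 / secp256r1 1.2.840.10045.3.1.7
const OID_PRIME256V1: &[u8] = &[0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07];

#[derive(Debug, PartialEq, Eq)]
pub enum KeyKind {
    Rsa,
    EcP256,
    /// EC key on another named curve (raw curve OID bytes).
    EcOther(Vec<u8>),
    /// Any other algorithm (raw OID bytes).
    Other(Vec<u8>),
}

/// Minimal base64 decoder (std only); skips whitespace and '=' padding.
fn base64_decode(s: &str) -> Result<Vec<u8>, String> {
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in s.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' => 62,
            b'/' => 63,
            b'=' | b' ' | b'\r' | b'\n' | b'\t' => continue,
            _ => return Err(format!("invalid base64 byte {c:#04x}")),
        };
        acc = (acc << 6) | u32::from(v);
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1u32 << bits) - 1;
        }
    }
    Ok(out)
}

/// Extract the base64 body between the BEGIN/END lines of one PEM block.
fn pem_body(pem: &str, label: &str) -> Result<String, String> {
    let begin = format!("-----BEGIN {label}-----");
    let end = format!("-----END {label}-----");
    let start = pem.find(&begin).ok_or("missing BEGIN line")? + begin.len();
    let stop = pem[start..].find(&end).ok_or("missing END line")? + start;
    Ok(pem[start..stop].chars().filter(|c| !c.is_whitespace()).collect())
}

/// Read one DER TLV at `pos`, returning (tag, contents) and advancing `pos`.
/// Supports short-form and 1- or 2-byte long-form lengths (enough for keys).
fn der_tlv<'a>(buf: &'a [u8], pos: &mut usize) -> Result<(u8, &'a [u8]), String> {
    let tag = *buf.get(*pos).ok_or("truncated DER")?;
    let first = usize::from(*buf.get(*pos + 1).ok_or("truncated DER")?);
    let (mut len, mut hdr) = (first, 2);
    if first & 0x80 != 0 {
        let n = first & 0x7f;
        if n == 0 || n > 2 {
            return Err("unsupported DER length encoding".into());
        }
        len = 0;
        for i in 0..n {
            len = (len << 8) | usize::from(*buf.get(*pos + 2 + i).ok_or("truncated DER")?);
        }
        hdr += n;
    }
    let start = *pos + hdr;
    let body = buf.get(start..start + len).ok_or("truncated DER")?;
    *pos = start + len;
    Ok((tag, body))
}

/// Classify a DER-encoded PKCS#8 PrivateKeyInfo by its algorithm identifier.
pub fn pkcs8_key_kind_der(der: &[u8]) -> Result<KeyKind, String> {
    // PrivateKeyInfo ::= SEQUENCE { version INTEGER,
    //   privateKeyAlgorithm AlgorithmIdentifier, privateKey OCTET STRING, ... }
    let (tag, info) = der_tlv(der, &mut 0)?;
    if tag != 0x30 {
        return Err(format!("expected SEQUENCE, got tag {tag:#04x}"));
    }
    let mut pos = 0;
    let (tag, _version) = der_tlv(info, &mut pos)?;
    if tag != 0x02 {
        return Err(format!("expected INTEGER version, got tag {tag:#04x}"));
    }
    let (tag, alg) = der_tlv(info, &mut pos)?;
    if tag != 0x30 {
        return Err(format!("expected AlgorithmIdentifier, got tag {tag:#04x}"));
    }
    // AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
    let mut pos = 0;
    let (tag, oid) = der_tlv(alg, &mut pos)?;
    if tag != 0x06 {
        return Err(format!("expected OID, got tag {tag:#04x}"));
    }
    if oid == OID_RSA {
        Ok(KeyKind::Rsa)
    } else if oid == OID_EC_PUBLIC_KEY {
        // For EC keys the parameters field carries the named-curve OID.
        let (tag, curve) = der_tlv(alg, &mut pos)?;
        if tag != 0x06 {
            return Err("EC key without a named-curve OID in parameters".into());
        }
        Ok(if curve == OID_PRIME256V1 { KeyKind::EcP256 } else { KeyKind::EcOther(curve.to_vec()) })
    } else {
        Ok(KeyKind::Other(oid.to_vec()))
    }
}

/// Same, for a PEM file as produced by `openssl pkcs8 -topk8 -nocrypt`.
pub fn pkcs8_key_kind_pem(pem: &str) -> Result<KeyKind, String> {
    pkcs8_key_kind_der(&base64_decode(&pem_body(pem, "PRIVATE KEY")?)?)
}

/// The P-256 key posted in this issue (copied from the report above).
pub const ISSUE_KEY_PEM: &str = "-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgfaWB8eice9MLtw1y
WVy6hlCUvhDIiNd8iiRxxEsr8wuhRANCAARgoS2tqg7inL0V1G/QxUSWGutx4x7r
5vUyNFPNnJ5dn5TbOLk/XAyngKw/1UfLzW+hliHa/Iay8ap5LqGXNXex
-----END PRIVATE KEY-----";

fn main() {
    // Optional path argument; defaults to the key from the issue.
    let pem = match std::env::args().nth(1) {
        Some(path) => std::fs::read_to_string(path).expect("read key file"),
        None => ISSUE_KEY_PEM.to_string(),
    };
    println!("{:?}", pkcs8_key_kind_pem(&pem));
}
```

Run with no arguments to classify the key from the report, or pass the path of a `.pk8` file. An `Ok(EcP256)` result shows the file is a well-formed PKCS#8 EC key, which narrows the error down to the backend's handling of EC keys rather than a malformed file.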

@andyleiserson

I was interested that Windows and Mac (#225) both have problems with these keys, but my guess at this point is the causes are unrelated.

I did notice that the schannel backend's implementation of from_pkcs8 references an RSA crypto provider. I don't know if that really means only RSA, or if it's just an old name that stuck around, but that might be a place to look.

@jfaust

jfaust commented Jul 26, 2023

I think @andyleiserson is correct - it doesn't look like the Windows native crypto APIs (or at least, the ones in use here, not sure if there are others) support P-256: https://learn.microsoft.com/en-us/windows/win32/seccrypto/cryptographic-provider-types
