extend certificate results in errormessage in 2.5.0

[matthiasradde]

I've updated XCA from 2.4.0 to 2.5.0 and opened the xca-database-file. Tried to extend an existing certificate (by one year) which will expire within a few days. Resulted in following errormessage

Der folgende Fehler ist aufgetreten:
(8pki_x509[]:corei5-10_4)
error:0300009C:digital envelope routines::unsupported algorithm
error:068C0100:asn1 encoding routines::malloc failure
error:068C0100:asn1 encoding routines::malloc failure

(C:\Users\chris\build\xca-2.5.0\lib\pki_x509.cpp:582)

Uninstalled 2.5.0 and installed 2.4.0. Now extending the same certificate was successful.

Certificate to be extended was signed with sha512WithRSAEncryption (OID 1.2.840.113549.1.1.13) and used with its 4096-bit-key.

What did I do wrong? Or what additional information is needed to reproduce this issue?

[chris2511]

I could not reproduce here on Windows 10 with xca-2.5.0 and sha512WithRSAEncryption with 4096bit RSA key Do you use the installed version or the portable? What library versions does the "About" dialog show?

[lwt-pressy]

similar problem here with generating a crl. Also with sha512WithRSAEncryption and 4096-bit-key

(7pki_crl[]:TERTA-Zertifizierungs CA 2015) error:0300009C:digital envelope routines::unsupported algorithm error:068C0100:asn1 encoding routines::malloc failure error:068C0100:asn1 encoding routines::malloc failure

(C:\Users\chris\build\xca-2.5.0\lib\pki_crl.cpp:250)

working Version:

---

Version: 2.4.0 ECC With RFC 5639 Brainpool curves OpenSSL 1.1.1k 25 Mar 2021 QT version: 5.12.0

not working:

Copyright 2001 - 2023 by Christian Hohnstädt Version: 2.5.0 OpenSSL 3.1.2 1 Aug 2023 QT version: 6.5.2

I'm not sure if it is relevant, but I select always typical install.

[matthiasradde]

re-checked the issue - always used full installation on Windows 10 - not the portable version

XCA - working

Copyright 2001 - 2021 by Christian Hohnstädt Version: 2.4.0 ECC With RFC 5639 Brainpool curves OpenSSL 1.1.1k 25 Mar 2021 QT version: 5.12.0 https://hohnstaedt.de/xca Entropy strength: 110

Installation path: C:\Program Files\xca User settings path: C:\Users\Matthias\AppData\Roaming\xca Working directory: C:\Users\Matthias\Desktop\

XCA - non working

Copyright 2001 - 2023 by Christian Hohnstädt Version: 2.5.0 OpenSSL 3.1.2 1 Aug 2023 QT version: 6.5.2 https://hohnstaedt.de/xca Entropy strength: 40

Installation path: C:\Users\Matthias\AppData\Roaming\xca User settings path: C:\Users\Matthias\AppData\Roaming\xca Working directory: C:\Users\Matthias\Desktop\

checked (re-)creating a CRL

Der folgende Fehler ist aufgetreten: (7pki_crl[]:radde-ca-server) error:0300009C:digital envelope routines::unsupported algorithm error:068C0100:asn1 encoding routines::malloc failure error:068C0100:asn1 encoding routines::malloc failure

(C:\Users\chris\build\xca-2.5.0\lib\pki_crl.cpp:250)

extend a certificate

Der folgende Fehler ist aufgetreten: (8pki_x509[]:corei5-10_4) error:0300009C:digital envelope routines::unsupported algorithm error:068C0100:asn1 encoding routines::malloc failure error:068C0100:asn1 encoding routines::malloc failure

(C:\Users\chris\build\xca-2.5.0\lib\pki_x509.cpp:582)

[chris2511]

According to #461 and #410 this issue does not depend on the operating system ....

[SemoTech]

Hi @chris2511 thats very strange as 2.4.0 works fine to create. I wonder if there is something specific about my setup or that of @matthiasradde Interestingly it is failing on Windows for him and on Mac OS 12.7 for me... The failure occurs both when extending as well as creating new certs with v2.5.0

[SemoTech]

@chris2511 can you maybe add a detailed debugging option into a beta build, link it here, and then we can both submit the logs to you?

[amette]

I have the same error on 2.4.0 when trying to create a new certificate. Key generation seems to have been successful.

[chris2511]

I have the same error on 2.4.0 when trying to create a new certificate. Key generation seems to have been successful.

You mean 2.5.0 ? (Just to be sure, because all other observations say: works in 2.4.0, fails in 2.5.0)

[chris2511]

There is a solution (I think): The common cause is the age. Your database was created before 2.0.0 and I dropped support for the old database password encryption with XCA 2.5.0. However, the keys were not re-encrypted with the new PKCS#8 format during upgrade to the SQL database scheme, which did not matter, because XCA until 2.4.0 was still able to read them.

The malfunctioning key should say "Legacy database" in the "Context-menu"-> Properties->Source. The encryption scheme needs an update. XCA-2.4.0 can do this:

• Select "Change database Password" with XCA 2.4.0
• If you have keys with a private password, select "Reset password" and then "Change password" again for those keys.

In both cases, the old and new password may be the same. Afterwards XCA 2.5.0 should work.

[SemoTech]

@chris2511 You're a genius! It worked! Resetting the password of the DB (using same pass) in 2.4.0 and opening in 2.5.0 was the fix!

If I may be so bold, can we have just a small aesthetic fix in the next version, and take advantage of wasted space on the bottom of the app to show longer DB paths/name?
Maybe even move the "Search" box further to the right and make it a bit smaller to make even more room for longer paths?

Thanks in advance!