search

sfackler / rust-native-tls

Apache License 2.0
474 stars 199 forks source link

Cannot use self-signed certificate generated with P-256 on Windows #233

Open ZanderFick opened 2 years ago

ZanderFick commented 2 years ago

Originally from https://github.com/est31/rcgen/issues/91;

The issue is trying to use a P-256 self-signed certificate and key to create-and-use native_tls::Identity on Windows 11.

Example:

Create a P-256 key and certificate:

openssl ecparam -name prime256v1 -genkey -noout | openssl pkcs8 -topk8 -nocrypt -outform pem > private-key.pk8

openssl req -x509 -nodes -days 365 -key private-key.pk8 -inform pem -out selfsigned-x509.crt -outform pem

private-key.pk8

-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgfaWB8eice9MLtw1y
WVy6hlCUvhDIiNd8iiRxxEsr8wuhRANCAARgoS2tqg7inL0V1G/QxUSWGutx4x7r
5vUyNFPNnJ5dn5TbOLk/XAyngKw/1UfLzW+hliHa/Iay8ap5LqGXNXex
-----END PRIVATE KEY-----

selfsigned-x509.crt

-----BEGIN CERTIFICATE-----
MIICBjCCAa2gAwIBAgIUEN5ugy4udCDU63hh/kPaEPCG910wCgYIKoZIzj0EAwIw
WTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIy
MDkxNTE3NDIxN1oXDTIzMDkxNTE3NDIxN1owWTELMAkGA1UEBhMCQVUxEzARBgNV
BAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0
ZDESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
YKEtraoO4py9FdRv0MVElhrrceMe6+b1MjRTzZyeXZ+U2zi5P1wMp4CsP9VHy81v
oZYh2vyGsvGqeS6hlzV3saNTMFEwHQYDVR0OBBYEFOI0vFSNC2RtKeTNjCvk3odg
OWWVMB8GA1UdIwQYMBaAFOI0vFSNC2RtKeTNjCvk3odgOWWVMA8GA1UdEwEB/wQF
MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgOkQnY7WbDN2V1EofQ4FK8Apr6/pmwrod
rp2b82PEeqsCIHEHf7RyLZpJbKUkVQV3W/ABB2qV1dWhEaCANeXHdivw
-----END CERTIFICATE-----

Try to use the certificate and key to create a native_tls::Identity

use std::fs;
use std::io::Read;

fn main() {
    let mut pkey = vec![];
    let mut crt = vec![];

    fs::File::open("private-key.pk8").unwrap()
        .read_to_end(&mut pkey).unwrap();
    fs::File::open("selfsigned-x509.crt").unwrap()
        .read_to_end(&mut crt).unwrap();

    let identity = native_tls::Identity::from_pkcs8(&crt, &pkey).unwrap();
    /*
        Raises  Os { code: -2146881269, kind: Uncategorized, message: "ASN1 bad tag value met." }

        With the openssl p-256 key        
    */
}
# cargo.toml
# ...
[dependencies]
native-tls = "0.2.10"

Are there configuration settings to set in native_tls to support this key and certificate configuration?

andyleiserson commented 1 year ago

I was interested that Windows and Mac (#225) both have problems with these keys, but my guess at this point is the causes are unrelated.

I did notice that the schannel backend's implementation of from_pkcs8 references an RSA crypto provider. I don't know if that really means only RSA, or if it's just an old name that stuck around, but that might be a place to look.

jfaust commented 1 year ago

I think @andyleiserson is correct - it doesn't look like the Windows native crypto APIs (or at least, the ones in use here, not sure if there are others) support P-256: https://learn.microsoft.com/en-us/windows/win32/seccrypto/cryptographic-provider-types