View Issue Details

IDProjectCategoryView StatusLast Update
0001202Main CAcert Websitecertificate issuingpublic2017-04-07 22:10
ReporterequinoxAssigned To 
PrioritynormalSeveritymajorReproducibilityN/A
Status confirmedResolutionopen 
PlatformallOSallOS Versionall
Product Version 
Target VersionFixed in Version 
Summary0001202: Support for Elliptic Curve Certificates
DescriptionAs some experts are talking about the possibility that RSA and classic DH may be unsure to use in 4 to 5 years [1][2], it might be nice to have support for ECDSA certificates. I tried to sign a CSR using ECDSA some days ago but the system never returned a certificate... i assume it got ignored because ECC is not support by now.

[1] .. http://fr.arxiv.org/abs/1306.4244
[2] .. http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/
Additional Informationsame as 0001238;
have same experience using elliptic keys that are fine for Mozilla and others.
My signing request, on basis of key alg. secp384r1, still worked 6 months ago. But now asking for renewal the check_weak_key.php says that the key algorithm is not recognized and so signing done because of security. This is the default after only some RSA tests.
Now have to redo all security of the webserver because cacert doesn't know DH and elliptic keys anymore.
Requests were generated with latest openssl. Please restore this functionality!
TagsNo tags attached.
Reviewed by
Test Instructions

Relationships

has duplicate 0001238 confirmed Problems with signing server certs with elliptic curve crypto 

Activities

ott

2013-08-24 12:01

reporter   ~0004246

I can confirm this. I remember from a short conversation with BenBE about this that OpenSSL just has to be upgraded. A quick look at cacert-devel a82f507306a9eba8a9f5dff82d2091dbd29edf71 confirms this.

ckujau

2014-09-25 22:35

reporter   ~0005031

Hm, I don't understand - https://github.com/CAcertOrg/cacert-devel/commit/a82f507306a9eba8a9f5dff82d2091dbd29edf71 updates some text files...?

Also, when I try to get a EC CSR signed, it's not "not returning a certificate", but it's printing out an error here, without much detail though:

1) openssl ecparam -name prime256v1 -out foo_ecparam.pem
2) openssl req -newkey ec:foo_ecparam.pem -sha512 -out foo_ec.csr \
          -keyout foo_ec.key -nodes \
          -subj "/C=AB/ST=Foo/L=Bar/O=Baz/OU=foo.net/CN=foo.net/emailAddress=admin@foo.net"
3) Go to https://www.cacert.org/account.php?id=10 and paste foo_ec.csr gives:

   The keys you supplied use an unrecognized algorithm.
   For security reasons these keys can not be signed by CAcert.

klondike

2015-10-08 21:10

reporter   ~0005464

This still seems to be an issue. Are there any plans for this?

My1

2016-01-19 00:04

reporter   ~0005493

I cant do it as well. trying with p521 key for tinfoil hat reasons (replacing a 16k rsa key)

BenBE

2016-02-02 20:20

updater   ~0005494

There are plans for support for this.

The comment in https://github.com/CAcertOrg/cacert-devel/blob/release/includes/lib/check_weak_key.php#L205 is related to DSA.

For ECDSA (ECC) to work, the appropriate checks need to be implemented to verify the provided ECDSA key is sane. These checks are currently still completely missing. Providing a patch for these will help greatly.

travm1

2017-04-07 22:10

reporter   ~0005544

Interesting read about ECC
https://www.everipedia.com/Elliptic_curve_cryptography/

Issue History

Date Modified Username Field Change
2013-08-16 16:03 equinox New Issue
2013-08-20 20:30 BenBE Status new => confirmed
2013-08-24 12:01 ott Note Added: 0004246
2014-08-10 10:22 senora Severity feature => major
2014-08-10 10:22 senora Additional Information Updated View Revisions
2014-09-25 22:26 ckujau Relationship added has duplicate 0001238
2014-09-25 22:35 ckujau Note Added: 0005031
2015-10-08 21:10 klondike Note Added: 0005464
2016-01-19 00:04 My1 Note Added: 0005493
2016-02-02 20:20 BenBE Note Added: 0005494
2017-04-07 22:10 travm1 Note Added: 0005544