xca
xca copied to clipboard
ED25519 Cert generation fails -
I can generate a ed25519 private key in xca but creating a cert using it fails with:
The following error occurred:
error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large
Console:
OpenSSL error (func.cpp:552) : error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large
OpenSSL error (func.cpp:552) : error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large
It is supported by the version of openssl installed and I can confirm it's the linked version..
$ /opt/openssl/1.1.1e/bin/openssl list -public-key-algorithms |grep -i ed25519
Name: OpenSSL ED25519 algorithm
OID: ED25519
PEM string: ED25519
$
$/opt/openssl/1.1.1e/bin/openssl genpkey -algorithm ED25519
-----BEGIN PRIVATE KEY-----
aaaasdf233adlllj23longkeywerewaitwhyareyoureadingthis23nlr]p]3
-----END PRIVATE KEY-----
From what I gather it's coming from https://github.com/chris2511/xca/blob/eea60e7904c6d2f518c78df9f699f13604a81837/lib/func.cpp#L546-L554
Not sure if this is qt related or OpenSSL though?
I am having the exact same issue on Ubuntu 20.04.
Here's the relevant version info from the Help -> About window:
Version: 2.4.133-dev
commit: c53aabbbdfc980ccc90cf70d698aac887e499e24
OpenSSL 1.1.1f 31 Mar 2020
QT version: 5.15.3
Maybe remove "Add support for Ed25519 keys" from the release notes until it actually works?
I've created a workaround for it - it seems that the error was not caused by decryptKey itself - it's just how openssl errors work.
This commit might be the cause 61fa66b12976582d1f6f38df2308fd800be4cbef
@chris2511 - I guess, this class cannot handle no MD for ED25519? For Ed25519, name is empty string, this explains why OpenSSL throws an error
So, I guess, it's either digest::digest checks for empty string, and returns nid = 0, or just ignores openssl error. I think, first approach is better, I'll change my MR to use it.
There is another report of the same issue, in #376 (closed as duplicate)
@h1z1, @nv4, @marek22k - could you please test this commit https://github.com/ya-isakov/xca/commit/a8433a8fc4487209de2b34d6952c3f422cac0af2, if it fixes issue for you?
still there for me
OpenSSL error (oid.cpp:163) : error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large
error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large
OpenSSL error (func.cpp:552) : error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large
see log.txt
@marek22k hmm, I cannot reproduce neither error in oid.cpp, nor in func.cpp anymore. It seems that oid.cpp error is related to those eku.txt errors you can see in your log - could it be that in /usr/local/share/xca you have files for old version of XCA? Also, you're running xca not from build dir, it seems?
P.S. Yes, it looks like oid.cpp warning is caused by either missing oids.txt, or outdated - as eku.txt entries are matched against oids.txt. I think, for test, you can delete /usr/local/share/xca completely - for me, the only binary xca is enough.
P.P.S. I've tested my commit only against simple certificate, with common fields, so, if you're using some non-standard ones, for test, please check if it works with bare minimum.
It works!
I "disabled" the directory with sudo mv /usr/local/share/xca /usr/local/share/xca_abcde
and could now create a certificate.
How can I update my /usr/local/share/xca folder?
@marek22k It depends, how you created it in the first place - as it's not something from your distribution, I guess. Official README said that to install xce, sudo cmake --install build
should be used
I installed xca from the standard Debian package source.
Debian should not install anything in /usr/local, for sure https://packages.debian.org/bullseye/amd64/xca/filelist, https://packages.debian.org/sid/amd64/xca/filelist. I've tried to install xca using sudo cmake --install build
- it installs files in /usr/local/share/xca, but everything is in place, and xca is working perfectly with these files.
P.S. If you have xca installed from Debian - this version should work without any patches, as change which broke Ed25519 was not in any release.
I just remembered that in the Debian version ed25519 was not included at all. Then I apparently compiled and installed xca myself. If the eku.txt is not necessary, can I delete it without hesitation?
Well, it's needed, in case if you need extensions from it. OTOH, xca will try to find it in /usr/share, too, so, if Debian package is still installed, xca will fall back to /usr/share/xca for all of it's files.
It defines the Extended Key Usage table content.
But please send me the files from that directory, because If understood correctly, they were the culprit of the observed error (even with the fix of @ya-isakov (many thanks btw)). I would like to investigate the files. They don't contain any secrets.
@chris2511, it seems that there were two independent issues, both of them causes issue in same function, because openssl error is raised in some place, but not handled - and this is why this function (which has the first openssl_error call) is wrongly seen as source of error One issue is caused with these shared files broken, and another (which my fix is fixing) is not related to these files, but only to digest::digest not being able to handle empty string (in case of Ed25519). I had only second issue, as I was not having these files at all (as I did not install xca, and run if from build folder)
P.S. Reproducer for 2nd issue (which, I think, is more common) is easy - just create ed25519 key, and try to create self-signed cert using it.
$cat eku.txt
# The path of the user settings directory depends on the
# operating system and version.
# The path where XCA looks for this file is shown in the
# "About" dialog of XCA as "User settings path"
#
# Do not edit this file, rather use:
# /usr/local/share/xca/eku.txt or HOME/.local/share/xca/eku.txt
serverAuth
clientAuth
codeSigning
emailProtection
timeStamping
msCodeInd
msCodeCom
msCTLSign
msSGC
msEFS
nsSGC
msEFSFR
ipsecEndSystem
ipsecTunnel
ipsecUser
iKEIntermediate
msSmartcardLogin
OCSPSigning
id-kp-eapOverPPP
id-kp-eapOverLAN
pkInitKDC
pkInitClientAuth
secureShellClient
adobePDFSigning
msofficeSigning
driveEncryption
dataRecoveryAgent