Problem creating self-signed cert with ECDSA algorithm and using it as client identity in native-tls
Hi everyone,
I am having trouble creating a self-signed certificate with ECDSA that will be usable (on macOS) with native-tls as a client identity.
This is the code I have so far:
```rust
use rcgen::{Certificate, CertificateParams, DistinguishedName};

fn get_identity() -> Result<native_tls::Identity, String> {
    let mut dn = DistinguishedName::new();
    dn.push(rcgen::DnType::OrganizationName, "Demo");
    dn.push(rcgen::DnType::CountryName, "DE");
    dn.push(rcgen::DnType::CommonName, "Demo");

    let mut cert_params = CertificateParams::default();
    cert_params.distinguished_name = dn;
    cert_params.serial_number = Some(1);
    cert_params.alg = &rcgen::PKCS_ECDSA_P256_SHA256;
    cert_params.is_ca = rcgen::IsCa::Ca(rcgen::BasicConstraints::Unconstrained);

    // Generates a fresh P-256 key pair together with the self-signed certificate.
    let certificate = match Certificate::from_params(cert_params) {
        Ok(certificate) => certificate,
        Err(e) => return Err(e.to_string()),
    };
    let cert = match certificate.serialize_pem() {
        Ok(cert) => cert,
        Err(err) => return Err(format!("Error in serializing the cert pem: {}", err)),
    };
    // The private key as PEM, in whatever encoding rcgen serializes it.
    let key = certificate.serialize_private_key_pem();

    match native_tls::Identity::from_pkcs8(cert.as_bytes(), key.as_bytes()) {
        Ok(identity) => Ok(identity),
        Err(err) => {
            println!("Error in creating identity: {}", err);
            Err(format!("Error in creating identity: {}", err))
        }
    }
}
```
The error I am getting from the macOS Security framework is:

```
Error in creating identity: Unknown format in import.
```
I got as far as identifying the issue being with the private key.
Is there anything I am doing completely wrong?
Thanks, Andreas
How have you isolated the issue to the private key?
rcgen uses ring to generate and serialize private keys. How ring serializes them is described here.
There might be an incompatibility between how ring serializes a key and how Mac OS expects it. Can you paste two keys here in base64 / PEM format, one that works, and one that doesn't?
Thanks for getting back to me @est31!
This key/cert combo does not work (generated with the code above):
```
-----BEGIN PRIVATE KEY-----
MHcCAQEEIEiV2KaB52ENY5TJOda017QhPZxtnzuN+bmBQVnhH+3loAoGCCqGSM49
AwEHoUQDQgAEV91BGsgUSZzXmIo4jhN3faczFkmYLjX7AaK0xwSd0ylbG+y65U3G
KT4P2ubAkAEUMXBLjilJY2EPWGx60ddwjQ==
-----END PRIVATE KEY-----
```
While this one works (generated via code in golang):
```
-----BEGIN PRIVATE KEY-----
MHcCAQEEIFtMo1SGAWOqjbhFlO4Qxnv2M1WHQ3rdMS7tEPgyYrPUoAoGCCqGSM49
AwEHoUQDQgAEhRP2iHFojcbta2uV2leoC6Q5WLVTIMLyjKDk2/9+qhjDciGeudtb
u1bcP5VUoN5tZZxBXY6QsD9JPxAGZdz3pw==
-----END PRIVATE KEY-----
```
I had to replace the header string `-----BEGIN EC PRIVATE KEY-----` with `-----BEGIN PRIVATE KEY-----` in the second one for native-tls (and the footer as well, of course).
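Renaming the PEM header changes only the label, not the DER inside it, so the useful check is what the first few DER bytes say: both keys quoted in this thread start with `MHcCAQEE`, which decodes to `30 77 02 01 01 04`, i.e. SEQUENCE { INTEGER 1, OCTET STRING ... }, the SEC1 ECPrivateKey layout (RFC 5915) rather than PKCS#8 PrivateKeyInfo (RFC 5208). The following is an added example, not rcgen's or native-tls's code, with its own small helpers (`pem_body`, `classify`, a minimal base64 decoder) that classify a key body by encoding regardless of its label; it also accepts the PKCS#8 v2 (RFC 5958) version byte.

```rust
// Added example, not rcgen's or native-tls's own code: tell a PKCS#8 PrivateKeyInfo
// (RFC 5208/5958) from a SEC1 ECPrivateKey (RFC 5915) by its DER bytes, whatever the
// "-----BEGIN ... -----" label says. Dependency-free: tiny base64 decoder + DER peek.

#[derive(Debug, PartialEq)]
pub enum KeyEncoding { Pkcs8, Sec1, Unknown }

/// Decode standard base64, ignoring whitespace and '=' padding.
fn base64_decode(s: &str) -> Vec<u8> {
    const T: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let (mut acc, mut bits, mut out) = (0u32, 0u32, Vec::new());
    for c in s.bytes().filter(|c| !c.is_ascii_whitespace() && *c != b'=') {
        acc = (acc << 6) | T.iter().position(|&t| t == c).expect("bad base64") as u32;
        bits += 6;
        if bits >= 8 { bits -= 8; out.push((acc >> bits) as u8); }
    }
    out
}

/// Strip the PEM armour lines and decode the DER body.
pub fn pem_body(pem: &str) -> Vec<u8> {
    let b64: String = pem.lines().filter(|l| !l.starts_with("-----")).collect();
    base64_decode(&b64)
}

pub fn classify(der: &[u8]) -> KeyEncoding {
    // Both layouts open with SEQUENCE { INTEGER version, ... }; `p` indexes the INTEGER tag.
    let p = match der.get(1).copied() {
        Some(l) if der[0] == 0x30 => if l < 0x80 { 2 } else { 2 + (l & 0x7f) as usize },
        _ => return KeyEncoding::Unknown,
    };
    if der.get(p..p + 2) != Some(&[0x02, 0x01][..]) { return KeyEncoding::Unknown; }
    match (der.get(p + 2).copied(), der.get(p + 3).copied()) {
        // PKCS#8: version 0 (v1) or 1 (v2), then the AlgorithmIdentifier SEQUENCE (0x30).
        (Some(0 | 1), Some(0x30)) => KeyEncoding::Pkcs8,
        // SEC1 ECPrivateKey: version 1, then the private scalar as an OCTET STRING (0x04).
        (Some(1), Some(0x04)) => KeyEncoding::Sec1,
        _ => KeyEncoding::Unknown,
    }
}

/// The "working" key quoted above: the label says PRIVATE KEY, the bytes say SEC1.
pub const WORKING_KEY_PEM: &str = "-----BEGIN PRIVATE KEY-----
MHcCAQEEIFtMo1SGAWOqjbhFlO4Qxnv2M1WHQ3rdMS7tEPgyYrPUoAoGCCqGSM49
AwEHoUQDQgAEhRP2iHFojcbta2uV2leoC6Q5WLVTIMLyjKDk2/9+qhjDciGeudtb
u1bcP5VUoN5tZZxBXY6QsD9JPxAGZdz3pw==
-----END PRIVATE KEY-----";
```

A body that classifies as SEC1 under a `PRIVATE KEY` label is mislabelled; re-encoding it as PKCS#8 (for example with `openssl pkcs8 -topk8 -nocrypt`) keeps label and contents consistent instead of relying on a particular parser tolerating the mismatch.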