Fix GH-21083: Skip private_key_bits validation for EC/curve-based keys#21387
Open
iliaal wants to merge 1 commit intophp:PHP-8.4from
Open
Fix GH-21083: Skip private_key_bits validation for EC/curve-based keys#21387iliaal wants to merge 1 commit intophp:PHP-8.4from
iliaal wants to merge 1 commit intophp:PHP-8.4from
Conversation
Member
|
This shouldn't target master, but 8.4 |
…keys openssl_pkey_new() checks private_key_bits >= 384 before generating any key. For EC, X25519, ED25519, X448, and ED448 the size is inherent to the curve or algorithm, so this check doesn't apply and causes failures when default_bits is missing from openssl.cnf (which is the case in OpenSSL 3.6's default config). Skip the minimum-bits check for key types that don't use private_key_bits. Closes phpGH-21083
iliaal
force-pushed
the
fix/gh-21083-ec-key-private-key-bits
branch
from
a5d817c to
cb819e1
Compare
Contributor
Author
|
Updated branch, btw how does multi-branch fix workflow go no a days, should there be separate PR for each affected branch or something else? |
bukka
reviewed
Mar 9, 2026
Comment on lines
+3831
to
+3835
| if (req->priv_key_type != OPENSSL_KEYTYPE_EC && | ||
| req->priv_key_type != OPENSSL_KEYTYPE_X25519 && | ||
| req->priv_key_type != OPENSSL_KEYTYPE_ED25519 && | ||
| req->priv_key_type != OPENSSL_KEYTYPE_X448 && | ||
| req->priv_key_type != OPENSSL_KEYTYPE_ED448 && |
Member
There was a problem hiding this comment.
It would be probably better to make it opt in (it means for RSA, DH, DSA) as it won't likely apply for new key types as well...
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
openssl_pkey_new()checksprivate_key_bits >= 384before generating any key. EC and curve-based key types (X25519, ED25519, X448, ED448) don't useprivate_key_bitsat all, their size comes from the curve or is fixed.This worked by accident because most
openssl.cnffiles setdefault_bits = 2048, which passes the check even though EC keys ignore it. OpenSSL 3.6 ships withdefault_bitscommented out, sopriv_key_bitsdefaults to 0 and the check rejects the key.Fix
Skip the
priv_key_bits < MIN_KEY_LENGTHguard for key types where bit length is inherent:OPENSSL_KEYTYPE_EC- size from curve nameOPENSSL_KEYTYPE_X25519/OPENSSL_KEYTYPE_X448- fixed 256/448 bitsOPENSSL_KEYTYPE_ED25519/OPENSSL_KEYTYPE_ED448- fixed 256/456 bitsTest
ext/openssl/tests/gh21083.phptcreates a minimalopenssl.cnfwithoutdefault_bitsand generates EC, X25519, and ED25519 keys without specifyingprivate_key_bits. Fails before the fix, passes after.Fixes #21083