
Problem creating self signed cert with ECDSA algorithm and using as client identity in native-tls #82

Open
DerAndereAndi opened this issue Apr 11, 2022 · 4 comments

Comments

@DerAndereAndi

Hi everyone,

I am having trouble creating a self signed certificate with ECDSA that will be usable (on macOS) with native-tls as a client identity.

This is the code I have so far:

use rcgen::{Certificate, CertificateParams, DistinguishedName};

fn get_identity() -> Result<native_tls::Identity, String> {
    let mut dn = DistinguishedName::new();
    dn.push(rcgen::DnType::OrganizationName, "Demo");
    dn.push(rcgen::DnType::CountryName, "DE");
    dn.push(rcgen::DnType::CommonName, "Demo");

    let mut cert_params = CertificateParams::default();
    cert_params.distinguished_name = dn;
    cert_params.serial_number = Option::Some(1);
    cert_params.alg = &rcgen::PKCS_ECDSA_P256_SHA256;
    cert_params.is_ca = rcgen::IsCa::Ca(rcgen::BasicConstraints::Unconstrained);

    // Generates a fresh ECDSA P-256 key pair and self-signs the certificate
    let certificate = match Certificate::from_params(cert_params) {
        Ok(certificate) => certificate,
        Err(e) => return Err(e.to_string()),
    };

    let cert = match certificate.serialize_pem() {
        Ok(cert) => cert,
        Err(err) => return Err(format!("Error in serializing the cert pem: {}", err)),
    };
    // PEM-encoded private key as rcgen emits it
    let key = certificate.serialize_private_key_pem();

    // native-tls expects the key in PKCS#8 PEM form
    match native_tls::Identity::from_pkcs8(cert.as_bytes(), key.as_bytes()) {
        Ok(identity) => Ok(identity),
        Err(err) => {
            println!("Error in creating identity: {}", err);
            Err(err.to_string())
        },
    }
}

The error I am getting from the macOS Security framework is:

Error in creating identity: Unknown format in import.

I got as far as identifying the issue being with the private key.

Is there anything I am doing completely wrong?

Thanks
Andreas

@est31
Member

est31 commented Apr 11, 2022

How have you isolated the issue to the private key?

rcgen uses ring to generate and serialize private keys. How ring serializes them is described here.

@est31
Member

est31 commented Apr 11, 2022

There might be an incompatibility between how ring serializes a key and how Mac OS expects it. Can you paste two keys here in base64 / PEM format, one that works, and one that doesn't?

@DerAndereAndi
Author

Thanks for getting back to me @est31!

This key/cert combo does not work (generated with the code above):

-----BEGIN CERTIFICATE-----
MIIBhzCCAS2gAwIBAgIBATAKBggqhkjOPQQDAjAzMQswCQYDVQQGEwJERTENMAsG
A1UEChMERGVtbzEVMBMGA1UEAwwMRGVtb19IRU1TXzAxMB4XDTIyMDQxMTA3Mjkw
MVoXDTMyMDQwODA3MjkwMVowMzELMAkGA1UEBhMCREUxDTALBgNVBAoTBERlbW8x
FTATBgNVBAMMDERlbW9fSEVNU18wMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
BFfdQRrIFEmc15iKOI4Td32nMxZJmC41+wGitMcEndMpWxvsuuVNxik+D9rmwJAB
FDFwS44pSWNhD1hsetHXcI2jMjAwMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE
FDMxP7cy+9BPEklleh4Olm0/fiXKMAoGCCqGSM49BAMCA0gAMEUCIQCQNt8yCsmC
A7mgPPTGxSmyjs7fEIij9grwYPAShQ87sAIgY6UVkjYoVIhjeLb6JidlbfgSaGCy
iGNqqCHNvQsoDck=
-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----
MHcCAQEEIEiV2KaB52ENY5TJOda017QhPZxtnzuN+bmBQVnhH+3loAoGCCqGSM49
AwEHoUQDQgAEV91BGsgUSZzXmIo4jhN3faczFkmYLjX7AaK0xwSd0ylbG+y65U3G
KT4P2ubAkAEUMXBLjilJY2EPWGx60ddwjQ==
-----END PRIVATE KEY-----

While this one works (generated via code in golang):

-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----
MHcCAQEEIFtMo1SGAWOqjbhFlO4Qxnv2M1WHQ3rdMS7tEPgyYrPUoAoGCCqGSM49
AwEHoUQDQgAEhRP2iHFojcbta2uV2leoC6Q5WLVTIMLyjKDk2/9+qhjDciGeudtb
u1bcP5VUoN5tZZxBXY6QsD9JPxAGZdz3pw==
-----END PRIVATE KEY-----

Had to replace the header string -----BEGIN EC PRIVATE KEY----- with -----BEGIN PRIVATE KEY----- in the second one for native-tls (and the footer as well, of course).

@est31
Member

est31 commented Apr 11, 2022

Huh, that's interesting. I've put the cert as well as the key generated by rcgen/ring into lapo.it, and couldn't find a difference in the ASN.1 between them and the cert and key generated by golang (outside of the ASN.1 payloads, of course).
