Bug 1440873

Summary: curl can't load EC certificates from files
Product: [Fedora] Fedora Reporter: Hristo Venev <hristo>
Component: curlAssignee: Kamil Dudka <kdudka>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 26CC: akostadi, dwmw2, john.j5live, kdudka, paul
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: curl-7.54.0-3.fc27 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-05-03 17:51:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Hristo Venev 2017-04-10 16:15:23 UTC
Description of problem:
curl does not support EC certificates

Version-Release number of selected component (if applicable):
7.53.1-4

How reproducible:
Always

Steps to Reproduce:
1. openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp521r1 -out pkcs8-pem.key
2. openssl pkey -in pkcs8-pem.key -outform DER -out pkcs8-der.key
3. openssl pkey -in pkcs8-pem.key -outform PEM -traditional -out traditional-pem.key
4. openssl pkey -in pkcs8-pem.key -outform DER -traditional -out traditional-der.key
5. openssl pkey -pubout -in pkcs8-pem.key | please-give-me-a-certificate -out cert.pem
6. curl --cert cert.pem --key pkcs8-pem.key https://test.invalid/
7. curl --cert cert.pem --key pkcs8-der.key https://test.invalid/
8. curl --cert cert.pem --key traditional-pem.key https://test.invalid/
9. curl --cert cert.pem --key traditional-der.key https://test.invalid/

Actual results:
None of the invocations of curl work:

$ curl --cert cert.pem --key pkcs8-pem.key https://test.invalid/
*   Trying 192.0.2.1...
* TCP_NODELAY set
* Connected to test.invalid (192.0.2.1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS: client certificate from file
* 	subject: CN=certificate
* 	start date: Mar 28 00:00:00 2017 GMT
* 	expire date: Apr 27 00:00:00 2017 GMT
* 	common name: certificate
* 	issuer: CN=ca
* NSS error -8152 (SEC_ERROR_INVALID_KEY)
* The key does not support the requested operation.
* stopped the pause stream!
* Closing connection 0
curl: (35) The key does not support the requested operation.

$ curl --cert cert.pem --key pkcs8-der.key https://test.invalid/
*   Trying 192.0.2.1...
* TCP_NODELAY set
* Connected to test.invalid (192.0.2.1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS: client certificate from file
* 	subject: CN=certificate
* 	start date: Mar 28 00:00:00 2017 GMT
* 	expire date: Apr 27 00:00:00 2017 GMT
* 	common name: certificate
* 	issuer: CN=ca
* NSS error -8152 (SEC_ERROR_INVALID_KEY)
* The key does not support the requested operation.
* stopped the pause stream!
* Closing connection 0
curl: (35) The key does not support the requested operation.

$ curl --cert cert.pem --key traditional-pem.key https://test.invalid/
*   Trying 192.0.2.1...
* TCP_NODELAY set
* Connected to test.invalid (192.0.2.1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* unable to load client key: -8178 (SEC_ERROR_BAD_KEY)
* NSS error -8178 (SEC_ERROR_BAD_KEY)
* Peer's public key is invalid.
* Closing connection 0
curl: (58) unable to load client key: -8178 (SEC_ERROR_BAD_KEY)

$ curl --cert cert.pem --key traditional-der.key https://test.invalid/
*   Trying 192.0.2.1...
* TCP_NODELAY set
* Connected to test.invalid (192.0.2.1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS: client certificate from file
* 	subject: CN=certificate
* 	start date: Mar 28 00:00:00 2017 GMT
* 	expire date: Apr 27 00:00:00 2017 GMT
* 	common name: certificate
* 	issuer: CN=ca
* NSS error -8152 (SEC_ERROR_INVALID_KEY)
* The key does not support the requested operation.
* stopped the pause stream!
* Closing connection 0
curl: (35) The key does not support the requested operation.

Expected results:
At least one (preferably all) of the invocations of curl works.

Additional info:
1. The command please-give-me-a-certificate, the domain test.invalid and the IP address 192.0.2.1 are used as an example. It should be relatively straightforward to guess what they mean.
2. These tests don't cover loading keys from nssdb.
3. Some of the invocations work if RSA keys are used instead.
4. pkcs8-pem.key works with both openssl s_client and gnutls-cli.

Comment 1 Kamil Dudka 2017-04-11 10:00:02 UTC
This is a limitation of nss-pem.  Please consider opening a pull request at:

https://github.com/kdudka/nss-pem

Note that curl is currently undergoing the system wide change process to be recompiled against OpenSSL in Fedora 27:

https://fedoraproject.org/wiki/Changes/libcurlBackToOpenSSL

If the change is approved and successfully implemented, this bug will probably go away.  You can try testing packages from the following Copr:

https://copr.fedorainfracloud.org/coprs/kdudka/curl-minimal/

Comment 2 Fedora End Of Life 2018-05-03 07:57:16 UTC
This message is a reminder that Fedora 26 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 26. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '26'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 26 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 3 Aleksandar Kostadinov 2018-05-03 17:51:00 UTC
This is working for me on Fedora 27.

For anybody hitting this issue and coming here from search engines, just FYI this is the Red Hat Enterprise Linux 7 kbase:

https://access.redhat.com/solutions/3390021

tl;dr; one needs to export certificate in user local nss keystore and specify to curl via alias

Comment 4 Kamil Dudka 2018-05-03 21:25:30 UTC
(In reply to Aleksandar Kostadinov from comment #3)
> This is working for me on Fedora 27.

(lib)curl in Fedora 27 does not use nss/nss-pem any more.  It uses OpenSSL again:

https://fedoraproject.org/wiki/Changes/libcurlBackToOpenSSL

Comment 5 Aleksandar Kostadinov 2018-05-03 21:28:37 UTC
I know, that's why I marked issue as fixed. Or should I have marked it as NOTABUG or WONTFIX or EOL because it was filed against Fedora 26?

Comment 6 Kamil Dudka 2018-05-04 07:30:48 UTC
Sorry, I misunderstood your comment.  Let's close it NEXTRELEASE as it is already reassigned to curl and curl works as expected in Fedora 27.