Fix GH-21083: openssl_pkey_new() fails for EC keys when private_key_bits is not set #21211
Open
ThanhNguyxn wants to merge 1 commit into php:PHP-8.3 from
…y_bits is not set

The MIN_KEY_LENGTH check in php_openssl_generate_private_key() was applied unconditionally to all key types, including EC where key size is determined by the curve rather than private_key_bits. This caused failures when private_key_bits defaulted to 0 (below the 384-bit minimum), particularly visible with OpenSSL 3.6's stricter error handling.

Skip the minimum bits validation for EC key types since the parameter is not applicable to them.

Closes phpGH-21083
Summary
The MIN_KEY_LENGTH check in php_openssl_generate_private_key() was applied unconditionally to all key types, including EC where key size is determined by the curve (e.g., prime256v1 = 256 bits, secp384r1 = 384 bits) rather than private_key_bits. When private_key_bits is not explicitly set, it defaults to 0 (or the value from openssl.cnf's default_bits), which is below the 384-bit minimum — causing the function to fail with:

This is particularly visible with OpenSSL 3.6 due to stricter error handling, and affects multiple downstream projects (Laravel Passport, web-push-php, LibreNMS).
Changes
- type determination (php_openssl_get_evp_pkey_type()) before the MIN_KEY_LENGTH check
- EVP_PKEY_EC), since private_key_bits is not applicable to them
- ext/openssl/tests/gh21083.phpt that generates EC keys with prime256v1 and secp384r1 without setting private_key_bits

Related
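A check for whether a given PHP/OpenSSL build is affected by the behaviour described in the summary, written here as an added example (it is not the PR's gh21083.phpt file or any php-src code). The helper name ec_keygen_without_bits() is hypothetical; the two curves and their expected sizes are the ones named in the summary.

```php
<?php
// Added example: generate EC keys without private_key_bits and confirm
// the key size comes from the curve, not from the bits setting.

function ec_keygen_without_bits(string $curve): array
{
    // Clear stale state so any error reported belongs to this call.
    error_clear_last();
    while (openssl_error_string() !== false) {
    }

    $key = @openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_EC,
        'curve_name'       => $curve,
        // private_key_bits deliberately omitted.
    ]);

    if ($key === false) {
        // Prefer the PHP warning text, fall back to the OpenSSL error queue.
        $reason = (error_get_last()['message'] ?? openssl_error_string())
            ?: 'no error text available';
        return ['ok' => false, 'bits' => null, 'reason' => $reason];
    }

    $details = openssl_pkey_get_details($key);
    return [
        'ok'     => $details['type'] === OPENSSL_KEYTYPE_EC,
        'bits'   => $details['bits'],
        'reason' => null,
    ];
}

// Curve => key size in bits, as stated in the PR summary.
$expected = ['prime256v1' => 256, 'secp384r1' => 384];
$failed = false;

foreach ($expected as $curve => $bits) {
    $r = ec_keygen_without_bits($curve);
    if ($r['ok'] && $r['bits'] === $bits) {
        printf("%s: OK, %d-bit EC key generated\n", $curve, $r['bits']);
    } else {
        $failed = true;
        printf("%s: FAILED (%s)\n", $curve, $r['reason'] ?? 'unexpected key size');
    }
}

exit($failed ? 1 : 0);
```

A non-zero exit status means EC key generation without private_key_bits is rejected on that build.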