Support ECDSA private keys for TLS

[389-ds-bot]

Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/50010

• Created at 2018-11-06 10:29:36 by firstyear (@Firstyear)
• Assigned to mhonek (@kenoh)
• Associated bugzillas
  • https://bugzilla.redhat.com/show_bug.cgi?id=1859298

---

Issue Description

Support ECDSA private keys. This is both:

• Pure ECDSA
• Mixed RSA + ECDSA support

How this looks today is unknown. However, it doesn't work given:

/opt/dirsrv/sbin/ns-slapd -d 0 -D /opt/dirsrv/etc/dirsrv/slapd-localhost 
Assertion failure: ((*privkey)->keyType) == rsaKey, at /home/william/development/389ds/ds/ldap/servers/slapd/ssl.c:2893
[1]    12717 abort      /opt/dirsrv/sbin/ns-slapd -d 0 -D /opt/dirsrv/etc/dirsrv/slapd-localhost

This is important as it blocks us from using strong future proof cryptographic mechanisms in TLS.

This may be of interest to @kenoh.

Important would be establishment of a ECDSA type in the nss_ssl.py module so we can test this properly and programmatically.

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2019-01-03 17:53:57

Metadata Update from @mreynolds389:

• Custom field component adjusted to None
• Custom field origin adjusted to None
• Custom field reviewstatus adjusted to None
• Custom field type adjusted to None
• Custom field version adjusted to None
• Issue set to the milestone: 1.4.1

[389-ds-bot]

Comment from firstyear (@Firstyear) at 2019-01-15 06:20:04

@kenoh We've just had a request for this in 50160, so it would be great if you could look into this soon! Thanks,

[389-ds-bot]

Comment from mhonek (@kenoh) at 2019-01-15 09:46:36

Metadata Update from @kenoh:

• Issue assigned to kenoh

[389-ds-bot]

Comment from mhonek (@kenoh) at 2019-03-06 16:29:08

Metadata Update from @kenoh:

• Issue tagged with: RFE, Security

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2020-02-26 16:48:33

Metadata Update from @mreynolds389:

• Issue priority set to: normal
• Issue set to the milestone: 1.4.4 (was: 1.4.1)

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2020-07-21 18:16:29

Metadata Update from @mreynolds389:

• Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1859298

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2020-07-21 18:16:29

Issue linked to Bugzilla: Bug 1859298

[Firstyear]

It sounds like when a user attempts a pure ecdsa key that this can lead to some misleading/vague errors, so we should consider implementing this sooner-than-later.

[progier389]

master branch commit is: d522c92

fe18673..d522c92 master
4b73514..d420d06 389-ds-base-2.1 -> 389-ds-base-2.1
19b989d..1a41447 389-ds-base-2.0 -> 389-ds-base-2.0

[mreynolds389]

9dd47cc..893710d 389-ds-base-1.4.3 -> 389-ds-base-1.4.3