From 155feb345cb9680938a26e31ac01cee7fe8a5ce8 Mon Sep 17 00:00:00 2001 From: Jakub Pastuszek Date: Tue, 19 Nov 2019 10:15:41 +0000 Subject: [PATCH] always use NAMED_CURVE format for EC key storage; fixes #9
---
 acme_common/src/crypto/openssl_keys.rs | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/acme_common/src/crypto/openssl_keys.rs b/acme_common/src/crypto/openssl_keys.rs
index 3e5a93f..535baee 100644
--- a/acme_common/src/crypto/openssl_keys.rs
+++ b/acme_common/src/crypto/openssl_keys.rs
@@ -2,7 +2,7 @@ use crate::b64_encode;
 use crate::crypto::KeyType;
 use crate::error::Error;
 use openssl::bn::{BigNum, BigNumContext};
-use openssl::ec::{EcGroup, EcKey};
+use openssl::ec::{EcGroup, EcKey, Asn1Flag};
 use openssl::ecdsa::EcdsaSig;
 use openssl::nid::Nid;
 use openssl::pkey::{Id, PKey, Private};
@@ -147,7 +147,11 @@ fn gen_rsa_pair(nb_bits: u32) -> Result, Error> {
 fn gen_ec_pair(nid: Nid) -> Result, Error> {
 // TODO: check if map_err is required
- let group = EcGroup::from_curve_name(nid).map_err(|_| Error::from(""))?;
+ let mut group = EcGroup::from_curve_name(nid).map_err(|_| Error::from(""))?;
+
+ // Use NAMED_CURVE format; OpenSSL 1.0.1 and 1.0.2 default to EXPLICIT_CURVE which won't work (see #9)
+ group.set_asn1_flag(Asn1Flag::NAMED_CURVE);
+
 let ec_priv_key = EcKey::generate(&group).map_err(|_| Error::from(""))?;
 let pk = PKey::from_ec_key(ec_priv_key).map_err(|_| Error::from(""))?;
 Ok(pk)
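Review bot: The new import list `{EcGroup, EcKey, Asn1Flag}` is not in the order rustfmt emits for brace lists (CamelCase items sorted alphabetically), so the next `cargo fmt` run will rewrite this line; it would be cleaner to land it as `use openssl::ec::{Asn1Flag, EcGroup, EcKey};` now. This is purely a formatting point and does not affect what the hunk does.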
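Review bot: The added comment says EXPLICIT_CURVE "won't work (see #9)" but not what the flag changes or why it matters, and since this decides the on-disk format of every EC account/certificate key the code generates, the rationale belongs in the source rather than in an issue tracker. I would replace it with something like: `// Encode the curve by its OID (NAMED_CURVE) instead of spelling out explicit domain parameters. OpenSSL 1.0.x groups default to EXPLICIT_CURVE, and that encoding is what broke in #9; only the serialized form changes, the generated key itself is the same.` Note that `set_asn1_flag` is applied only to keys created by this function, so any key that is loaded from an existing file elsewhere in the crate (I cannot see that path from this hunk) would presumably keep whatever encoding it was written with — worth confirming whether a one-time re-encode is needed for keys generated before this fix. The closing brace of `gen_ec_pair` lies outside the hunk.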