Signing, Renewal and CRL error in 2.5.0

[matthiasradde]

I've updated XCA from 2.4.0 to 2.5.0 and opened the xca-database-file.
Tried to extend an existing certificate (by one year) which will expire within a few days.
Resulted in following errormessage

Der folgende Fehler ist aufgetreten:
(8pki_x509[]:corei5-10_4)
error:0300009C:digital envelope routines::unsupported algorithm
error:068C0100:asn1 encoding routines::malloc failure
error:068C0100:asn1 encoding routines::malloc failure

(C:\Users\chris\build\xca-2.5.0\lib\pki_x509.cpp:582)

Uninstalled 2.5.0 and installed 2.4.0. Now extending the same certificate was successful.

Certificate to be extended was signed with sha512WithRSAEncryption (OID 1.2.840.113549.1.1.13) and used with its 4096-bit-key.

What did I do wrong? Or what additional information is needed to reproduce this issue?

[chris2511]

I could not reproduce here on Windows 10 with xca-2.5.0 and sha512WithRSAEncryption with 4096bit RSA key
Do you use the installed version or the portable?
What library versions does the "About" dialog show?

[lwt-pressy]

similar problem here with generating a crl. Also with sha512WithRSAEncryption and 4096-bit-key

(7pki_crl[]:TERTA-Zertifizierungs CA 2015)
error:0300009C:digital envelope routines::unsupported algorithm
error:068C0100:asn1 encoding routines::malloc failure
error:068C0100:asn1 encoding routines::malloc failure

(C:\Users\chris\build\xca-2.5.0\lib\pki_crl.cpp:250)

working Version:

---

Version: 2.4.0
ECC With RFC 5639 Brainpool curves
OpenSSL 1.1.1k 25 Mar 2021
QT version: 5.12.0

not working:

Copyright 2001 - 2023 by Christian Hohnstädt
Version: 2.5.0
OpenSSL 3.1.2 1 Aug 2023
QT version: 6.5.2

I'm not sure if it is relevant, but I select always typical install.

[matthiasradde]

re-checked the issue - always used full installation on Windows 10 - not the portable version

XCA - working

Copyright 2001 - 2021 by Christian Hohnstädt
Version: 2.4.0
ECC With RFC 5639 Brainpool curves
OpenSSL 1.1.1k 25 Mar 2021
QT version: 5.12.0
https://hohnstaedt.de/xca
Entropy strength: 110

Installation path:
C:\Program Files\xca
User settings path:
C:\Users\Matthias\AppData\Roaming\xca
Working directory:
C:\Users\Matthias\Desktop\

XCA - non working

Copyright 2001 - 2023 by Christian Hohnstädt
Version: 2.5.0
OpenSSL 3.1.2 1 Aug 2023
QT version: 6.5.2
https://hohnstaedt.de/xca
Entropy strength: 40

Installation path:
C:\Users\Matthias\AppData\Roaming\xca
User settings path:
C:\Users\Matthias\AppData\Roaming\xca
Working directory:
C:\Users\Matthias\Desktop\

checked (re-)creating a CRL

Der folgende Fehler ist aufgetreten:
(7pki_crl[]:radde-ca-server)
error:0300009C:digital envelope routines::unsupported algorithm
error:068C0100:asn1 encoding routines::malloc failure
error:068C0100:asn1 encoding routines::malloc failure

(C:\Users\chris\build\xca-2.5.0\lib\pki_crl.cpp:250)

extend a certificate

Der folgende Fehler ist aufgetreten:
(8pki_x509[]:corei5-10_4)
error:0300009C:digital envelope routines::unsupported algorithm
error:068C0100:asn1 encoding routines::malloc failure
error:068C0100:asn1 encoding routines::malloc failure

(C:\Users\chris\build\xca-2.5.0\lib\pki_x509.cpp:582)

[chris2511]

According to #461 and #410 this issue does not depend on the operating system ....

[SemoTech]

Hi @chris2511 thats very strange as 2.4.0 works fine to create.
I wonder if there is something specific about my setup or that of @matthiasradde
Interestingly it is failing on Windows for him and on Mac OS 12.7 for me...
The failure occurs both when extending as well as creating new certs with v2.5.0

[SemoTech]

@chris2511 can you maybe add a detailed debugging option into a beta build, link it here, and then we can both submit the logs to you?

[amette]

I have the same error on 2.4.0 when trying to create a new certificate. Key generation seems to have been successful.

[chris2511]

I have the same error on 2.4.0 when trying to create a new certificate. Key generation seems to have been successful.

You mean 2.5.0 ? (Just to be sure, because all other observations say: works in 2.4.0, fails in 2.5.0)

[amette]

No, I meant 2.4.0. I just tried changing the password, which didn't work and yielded the following error:

The following error occurred:
(7pki_evp[1]:CCI CA)
error:1D8C0102:ENCODER routines::passed a null parameter

(pki_evp.cpp:573)

[amette]

I was able to change the password with XCA 2.4.0 on a Debian 12 machine. Then I copied the database back to my Gentoo machine and was able to create certificates with XCA 2.4.0 on Gentoo.

Edit: XCA's About page says "Compile time: OpenSSL 3.0.3 3 May 2022 / Run time: OpenSSL 3.0.9 30 May 2023" on Debian and "OpenSSL 3.0.10 1 Aug 2023" on Gentoo. Just in case that might be related.

[6XGate]

There seems to be a similar issue on Ubuntu 22.04. Using XCA 2.4.0 to fix the legacy DB keys results in the null parameter error on some databases but not all. Compile time version: OpenSSL 3.0.3 3 May 2022, runtime version: OpenSSL 3.0.11 19 Sep 2023.

[chris2511]

There is a solution (I think):
The common cause is the age. Your database was created before 2.0.0 and I dropped support for the old database password encryption with XCA 2.5.0. However, the keys were not re-encrypted with the new PKCS#8 format during upgrade to the SQL database scheme, which did not matter, because XCA until 2.4.0 was still able to read them.

The malfunctioning key should say "Legacy database" in the "Context-menu"-> Properties->Source.
The encryption scheme needs an update. XCA-2.4.0 can do this:

• Select "Change database Password" with XCA 2.4.0
• If you have keys with a private password, select "Reset password" and then "Change password" again for those keys.

In both cases, the old and new password may be the same.
Afterwards XCA 2.5.0 should work.

[lwt-pressy]

updating the password, did also work for me. I could create the new crls without problems, thx.

[6XGate]

Looks like this solution may be unusable for some using Linux when the older XCA version is no longer available for their system.

[Bgs4269]

You can downgrade using another package. e.g. fc39 comes with 2.5.0, but you can get a 2.4.0 repackage/rebuild here (I used this personally): https://rpmfind.net/linux/RPM/fedora/39/x86_64/x/xca-2.4.0-5.fc39.x86_64.html
Look for one specific to your distro.

[6XGate]

Discovered a few days later Distrobox can be used to run older XCA builds from other distros as well.

[gwtad]

After going through this process, the keys still show source "Legacy Database". Is this expected? Is there a way to upgrade those keys?

[SemoTech]

@chris2511 You're a genius! It worked! Resetting the password of the DB (using same pass) in 2.4.0 and opening in 2.5.0 was the fix!

If I may be so bold, can we have just a small aesthetic fix in the next version, and take advantage of wasted space on the bottom of the app to show longer DB paths/name?
Maybe even move the "Search" box further to the right and make it a bit smaller to make even more room for longer paths?

Thanks in advance!