Replies: 4 comments 1 reply
can you paste the config primitives (
both 2.4.15.1 and 2.4.17.1 should work, but it is preferred to use the latest; it looks like the public and/or private key could not be loaded. Isn't there any error about that in the logs earlier?
oh well, it turns out that signing with Elliptic Curve keys is supported in a number of scenarios (e.g. dPOP) but not for token endpoint authentication. That is added now in 95bf267 and will be in 2.4.17.2 soonish.
2.4.17.2 is out now: https://github.com/OpenIDC/mod_auth_openidc/releases/tag/v2.4.17.2
Hello!
I'm sure this is a me thing, but I was able to get an RSA self-signed certificate to work with private_key_jwt as my backend secret to Microsoft Entra, but I can't get an EC certificate to work for anything, although I see they should be supported per the .conf.
I'm guessing I'm not doing something right in my process to make the EC self-signed certificate. The first time, I realized there weren't any X509v3 extensions such as CA:TRUE, so I re-generated using a slightly different flow; now all of that information is there, but it's still failing.
I confirmed the privkey and pubkey halves match, the public cert is in Entra just like the RSA cert, but it's still failing. I used prime256v1 with a Sig Algorithm of ecdsa-with-SHA256.
The error I'm getting appears to be the same as if mod_auth_openidc couldn't read in the key file:
oidc_proto_token_endpoint_auth: token_endpoint_auth=private_key_jwt
oidc_proto_endpoint_auth_private_key_jwt: enter
oidc_util_generate_random_bytes: oidc_util_random_bytes [apr] call for 16 bytes
oidc_util_generate_random_bytes: oidc_util_random_bytes returned: 1
oidc_proto_endpoint_auth_private_key_jwt: no private signing keys have been configured to use for private_key_jwt client authentication (OIDCPrivateKeyFiles)
oidc_proto_resolve_code_and_validate_response: failed to resolve the code
oidc_util_html_send_error: setting OIDC_ERROR environment variable to: OpenID Connect Provider error: Error in handling response type.
oidc_util_html_send_error: setting OIDC_ERROR_DESC environment variable to: (null)
The browser just returns a 400 error with:
Bad Request
Your browser sent a request that this server could not understand.
Has anyone run into this and found a workaround, or have any suggestions on what I may be doing wrong? As soon as I switch back to the RSA keypair it works fine, and the files live in the same area with the same permissions.
Thank you!
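To make concrete what the thread is about, here is an added example (not code from the thread, from mod_auth_openidc, or from Microsoft) of the client assertion that private_key_jwt sends to the token endpoint when the client key is an EC key: a JWT with alg ES256 (ECDSA over P-256 with SHA-256), iss and sub set to the client id, aud set to the token endpoint, and the token request form that carries it. The client id, token endpoint and redirect URI are constructed placeholders. The ECDSA arithmetic is a small pure-Python P-256 implementation so the block runs with the standard library alone; it is there to show the JWS signature format, not as a replacement for a real crypto library. One detail worth seeing in code: JWS ES256 signatures are the raw 32-byte r followed by the raw 32-byte s, not the DER SEQUENCE that openssl dgst -sign emits, so a module that loads an EC key still has to do that conversion itself.

```python
"""private_key_jwt client assertion with ES256 (ECDSA P-256 / SHA-256), stdlib only."""
import base64
import hashlib
import json
import secrets
import time

# NIST P-256 (prime256v1) domain parameters: field prime, curve coefficients, order, base point.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def point_add(p1, p2):
    """Affine point addition on P-256; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P  # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def curve_sanity_check():
    """The base point lies on the curve and has order N (catches mistyped constants)."""
    x, y = G
    return (y * y - x * x * x - A * x - B) % P == 0 and point_mul(N, G) is None


def generate_keypair():
    """Private scalar d in [1, N-1] and public point d*G (stand-in for the EC key file)."""
    d = secrets.randbelow(N - 1) + 1
    return d, point_mul(d, G)


def ecdsa_sign(d, message):
    """ECDSA with SHA-256; returns the JWS encoding: raw 32-byte r || raw 32-byte s."""
    z = int.from_bytes(hashlib.sha256(message).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = point_mul(k, G)[0] % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (z + r * d) % N
        if s != 0:
            return r.to_bytes(32, "big") + s.to_bytes(32, "big")


def ecdsa_verify(pub, message, sig):
    if len(sig) != 64:  # ES256 is exactly 64 bytes; DER from openssl would fail here
        return False
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(hashlib.sha256(message).digest(), "big")
    w = pow(s, -1, N)
    pt = point_add(point_mul(z * w % N, G), point_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_client_assertion(client_id, token_endpoint, d, now=None, lifetime=60):
    """RFC 7523 client assertion: iss == sub == client_id, aud == token endpoint, fresh jti."""
    now = int(time.time()) if now is None else now
    header = {"alg": "ES256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "jti": secrets.token_urlsafe(16), "iat": now, "exp": now + lifetime}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(claims))
    return signing_input + "." + b64url_encode(ecdsa_sign(d, signing_input.encode()))


def decode_header(jwt):
    return json.loads(b64url_decode(jwt.split(".")[0]))


def verify_client_assertion(jwt, pub, expected_aud):
    """What the token endpoint checks: alg, signature over header.payload, aud, iss == sub."""
    h, c, s = jwt.split(".")
    if decode_header(jwt).get("alg") != "ES256":
        return False
    if not ecdsa_verify(pub, f"{h}.{c}".encode(), b64url_decode(s)):
        return False
    claims = json.loads(b64url_decode(c))
    return claims.get("aud") == expected_aud and claims.get("iss") == claims.get("sub")


def token_request_form(client_assertion, code, redirect_uri):
    """Form body of the authorization_code token request when using private_key_jwt."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            "client_assertion": client_assertion}
```

The signature size check in ecdsa_verify is the practical takeaway: an RSA-signed RS256 assertion is 256 bytes of PKCS#1 v1.5 signature, an ES256 assertion is exactly 64 bytes, and a provider such as Entra rejects anything else, which is why adding EC support on the token-endpoint side is a code change and not just a matter of which key file the module reads.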