Fix import of certificates with ECC private keys #5400

Open
0xb8000 wants to merge 1 commit into Netflix:main from 0xb8000:fix/5058-ecc-private-key-import

@0xb8000 0xb8000 commented Apr 6, 2026

Summary

  • Update the frontend upload form's ng-pattern regex to accept BEGIN EC PRIVATE KEY format and keys with EC PARAMETERS prefix (produced by openssl ecparam -genkey)
  • Add defensive stripping of the EC PARAMETERS PEM block in parse_private_key() for backend compatibility
  • Add test verifying EC keys with EC PARAMETERS prefix can be parsed

The frontend regex previously only accepted BEGIN PRIVATE KEY (PKCS8) and BEGIN RSA PRIVATE KEY (traditional RSA), causing the private key field to show as invalid (red) for EC keys.

Closes #5058

Test plan

  • test_private_key — existing test still passes
  • test_parse_ec_private_key_with_parameters — new test verifies EC key with EC PARAMETERS prefix is parsed
  • Manual: import a certificate with an ECC key generated via openssl ecparam -genkey -name secp384r1

🤖 Generated with Claude Code

The upload form's frontend validation regex only accepted PKCS8
("BEGIN PRIVATE KEY") and traditional RSA ("BEGIN RSA PRIVATE KEY")
formats, rejecting EC private keys ("BEGIN EC PRIVATE KEY") and
keys prefixed with EC PARAMETERS (as produced by openssl ecparam
-genkey).

Changes:
- Update ng-pattern in upload.tpl.html to accept EC PRIVATE KEY
  format, with optional EC PARAMETERS prefix
- Add defensive stripping of EC PARAMETERS block in
  parse_private_key() for compatibility with older cryptography
  versions
- Add test for parsing EC keys with EC PARAMETERS prefix

Closes Netflix#5058

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
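
The handling that the description and commit message above describe (accept `BEGIN EC PRIVATE KEY`, drop a leading `EC PARAMETERS` block), as an added example that is not Lemur's code and not part of this PR. `strip_ec_parameters`, `normalize_private_key` and the sample PEM are hypothetical names and constructed data, and passing `re.DOTALL` is this example's assumption.

```python
import re

# Pattern quoted in the PR's review thread; the flags are this example's choice.
EC_PARAMS = r"-----BEGIN EC PARAMETERS-----.*?-----END EC PARAMETERS-----\s*"

# Key labels the PR description lists as acceptable for upload.
ACCEPTED = ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY")

# Exactly one block with an accepted label; \1 forces BEGIN and END to agree.
KEY_BLOCK = re.compile(
    r"\A\s*-----BEGIN (%s)-----[A-Za-z0-9+/=\s]+-----END \1-----\s*\Z"
    % "|".join(ACCEPTED)
)


def strip_ec_parameters(pem_text, flags=re.DOTALL):
    """Drop EC PARAMETERS blocks; DOTALL lets '.*?' span the body's newlines."""
    return re.sub(EC_PARAMS, "", pem_text, flags=flags)


def normalize_private_key(pem_text):
    """Return (label, pem) for exactly one accepted key block, else raise."""
    stripped = strip_ec_parameters(pem_text)
    match = KEY_BLOCK.match(stripped)
    if match is None:
        raise ValueError("not a single private key in an accepted PEM format")
    return match.group(1), stripped.strip() + "\n"


# Constructed sample shaped like `openssl ecparam -genkey` output.
# The base64 bodies are placeholders, not real key material.
SAMPLE = (
    "-----BEGIN EC PARAMETERS-----\n"
    "Q09OU1RSVUNURUQ=\n"
    "-----END EC PARAMETERS-----\n"
    "-----BEGIN EC PRIVATE KEY-----\n"
    "Q09OU1RSVUNURUQ=\n"
    "-----END EC PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    label, pem = normalize_private_key(SAMPLE)
    print(label)
    print(pem, end="")
    # Without DOTALL the multi-line block is not matched and nothing is removed.
    print(strip_ec_parameters(SAMPLE, flags=0) == SAMPLE)
```

The validation runs after stripping, so input that still carries anything other than one accepted key block is rejected rather than passed on to the key parser.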
@jmcrawford45 enabled auto-merge April 8, 2026 01:43

Comment thread lemur/common/utils.py
private_key = re.sub(
r"-----BEGIN EC PARAMETERS-----.*?-----END EC PARAMETERS-----\s*",
"",
private_key,
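
Review bot: In the pattern line of this `re.sub` call, `.*?` has to cross the newlines between the BEGIN and END markers, which it only does under `re.DOTALL`; the excerpt stops at `private_key,`, so the flags argument is not visible. Confirm `flags=re.DOTALL` is passed, since without it a multi-line EC PARAMETERS block is left in place and the substitution silently does nothing. The pattern is also unanchored, so it removes an EC PARAMETERS block anywhere in the input; anchoring it to the start (`\A\s*`) would limit it to the prefix case the description names.
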
@coveralls

Coverage Status

Coverage is 60.861% 0xb8000:fix/5058-ecc-private-key-import into Netflix:main. No base build found for Netflix:main.

Development

Successfully merging this pull request may close these issues.

Import of certificates with ECC private keys does not work

4 participants