Fix import of certificates with ECC private keys

lemur/common/utils.py

@@ -90,12 +90,26 @@
     """
     Parses a PEM-format private key (RSA, DSA, ECDSA or any other supported algorithm).
 
+    Strips any EC PARAMETERS block that may precede EC private keys (e.g. from
+    ``openssl ecparam -genkey``), since some cryptography versions cannot parse
+    a PEM bundle containing both sections.
+
     Raises ValueError for an invalid string. Raises AssertionError when passed value is not str-type.
 
     :param private_key: String containing PEM private key
     """
     assert isinstance(private_key, str)
 
+    # Strip EC PARAMETERS block if present (produced by openssl ecparam -genkey)
+    if "-----BEGIN EC PARAMETERS-----" in private_key:
+        import re
+        private_key = re.sub(
+            r"-----BEGIN EC PARAMETERS-----.*?-----END EC PARAMETERS-----\s*",
+            "",
+            private_key,
+            flags=re.DOTALL,
+        )
+
     return load_pem_private_key(
         private_key.encode("utf8"), password=None, backend=default_backend()
     )

lemur/static/app/angular/certificates/certificate/upload.tpl.html

@@ -56,7 +56,7 @@ <h3 class="modal-title">Import a certificate <span class="text-muted"><small>enc
       <div class="col-sm-10">
                 <textarea name="privateKey" ng-model="certificate.privateKey" placeholder="PEM encoded string..."
                           class="form-control"
-                          ng-pattern="/(^-----BEGIN PRIVATE KEY-----[\S\s]*-----END PRIVATE KEY-----)|(^-----BEGIN RSA PRIVATE KEY-----[\S\s]*-----END RSA PRIVATE KEY-----)/"></textarea>
+                          ng-pattern="/(^(-----BEGIN EC PARAMETERS-----[\S\s]*-----END EC PARAMETERS-----\s*)?-----BEGIN (RSA |EC )?PRIVATE KEY-----[\S\s]*-----END (RSA |EC )?PRIVATE KEY-----)/"></textarea>
 
         <p ng-show="uploadForm.privateKey.$invalid && !uploadForm.privateKey.$pristine" class="help-block">Enter
           a valid certificate.</p>

lemur/tests/test_validators.py

@@ -15,6 +15,19 @@ def test_private_key(session):
         parse_private_key("invalid_private_key")
 
 
+def test_parse_ec_private_key_with_parameters(session):
+    """Verify that EC keys with an EC PARAMETERS prefix can be parsed (issue #5058)."""
+    import subprocess
+    result = subprocess.run(
+        ["openssl", "ecparam", "-genkey", "-name", "secp384r1"],
+        capture_output=True, text=True,
+    )
+    ec_key_with_params = result.stdout
+    assert "BEGIN EC PARAMETERS" in ec_key_with_params
+    key = parse_private_key(ec_key_with_params)
+    assert key is not None
+
+
 def test_validate_private_key(session):
     key = parse_private_key(SAN_CERT_KEY)