openssl_pkey_new() fails for EC keys on OpenSSL 3.6 - incorrectly requires private_key_bits

[ben182]

Description

When using openssl_pkey_new() to generate EC keys with OpenSSL 3.6.0, the function incorrectly requires
private_key_bits even though this parameter is not relevant for elliptic curve keys (the key size is determined
by the curve itself).

The workaround requires setting private_key_bits to 384, which is semantically incorrect for a 256-bit curve
like prime256v1. Setting it to 256 (the actual curve size) still fails.

The OpenSSL CLI generates EC keys without issues (openssl ecparam -name prime256v1 -genkey -noout), suggesting
this is a PHP bindings issue.

Environment: PHP 8.5.2, OpenSSL 3.6.0

Possible cause

OpenSSL 3.6 requires C-99 compilers (no longer ANSI-C), which changes integer behavior and sizes. Additionally,
OpenSSL 3.6 modified EC keygen error handling.

The private_key_bits parameter should not apply to EC keys at all - the curve name (e.g., prime256v1)
implicitly defines the key size. It appears PHP's OpenSSL bindings incorrectly validate private_key_bits for EC
keys when linked against OpenSSL 3.6.

This same error has been reported in other projects:

• https://community.librenms.org/t/new-install-openssl-pkey-new-private-key-length-must-be-at-least-384-bits-conf
  igured-to-0/22396
• passport:install error (openssl_pkey_new(): private key length is too short; it needs to be at least 384 bits, not 0) laravel/passport#757

References

• openssl_pkey_new() fails on OpenSSL 3.6 - missing private_key_bits parameter web-push-libs/web-push-php#445
• https://github.com/openssl/openssl/blob/openssl-3.6.0/CHANGES.md
• Switch to C99 without the features that became optional in C11 openssl/technical-policies#50 (C-99 requirement)

---

The following code:

<?php                                                                                                            
$key = openssl_pkey_new([                                                                                        
    'curve_name'       => 'prime256v1',                                                                          
    'private_key_type' => OPENSSL_KEYTYPE_EC,                                                                    
]);                                                                                                              
                                                                                                                 
var_dump($key);                                                                                                  
var_dump(openssl_error_string());                                                                                
                                                                                                                 
Resulted in this output:                                                                                         
bool(false)                                                                                                      
string(63) "Private key length must be at least 384 bits, configured to 0"                                       
                                                                                                                 
But I expected this output instead:                                                                              
object(OpenSSLAsymmetricKey)#1 (0) {}                                                                            
bool(false)

PHP Version

PHP 8.5.2 (cli) (built: Jan 17 2026 23:04:39) (NTS clang 15.0.0)                                                 
  Copyright (c) The PHP Group                                                                                      
  Built by Laravel Herd                                                                                            
  Zend Engine v4.5.2, Copyright (c) Zend Technologies                                                              
      with Zend OPcache v8.5.2, Copyright (c), by Zend Technologies

Operating System

macOS (Darwin 25.2.0)

[ndossche]

Interestingly I can't reproduce this on OpenSSL 3.6.1.

[ben182]

This is a PHP bug, not an OpenSSL one.

The error message comes from PHP itself — ext/openssl/openssl_backend_common.c, around line 1447:

if (req->priv_key_bits < MIN_KEY_LENGTH) {  // MIN_KEY_LENGTH = 384
    php_error_docref(NULL, E_WARNING, "Private key length must be at least %d bits, configured to %d",
        MIN_KEY_LENGTH, req->priv_key_bits);
    return NULL;
}

This check runs before any key-type differentiation — it applies to RSA, DSA, DH, and EC alike. For EC keys that's nonsensical since the curve itself determines the key size, but PHP still validates private_key_bits and bails out before keygen even starts.

priv_key_bits comes from either the user-supplied private_key_bits parameter or the default_bits value in openssl.cnf. If neither is set, it's 0, and 0 < 384 → boom.

The reason this surfaces now is that the openssl.cnf shipped with OpenSSL 3.6 (at least on macOS / Laravel Herd) has default_bits commented out:

#default_bits = 2048

Before, this was active, so priv_key_bits silently defaulted to 2048 and the check passed by accident — even though EC keys never actually use that value.

@ndossche — I suspect the reason you can't reproduce on 3.6.1 is that your openssl.cnf still has default_bits = 2048 uncommented. There were no changes to ec_kmgmt.c between 3.6.0 and 3.6.1 that would affect EC keygen. A quick grep default_bits $(openssl version -d | cut -d'"' -f2)/openssl.cnf should confirm.

Fix-wise, the priv_key_bits check should just be skipped for key types where it doesn't apply:

if (req->priv_key_type != OPENSSL_KEYTYPE_EC &&
    req->priv_key_type != OPENSSL_KEYTYPE_X25519 &&
    req->priv_key_type != OPENSSL_KEYTYPE_X448 &&
    req->priv_key_type != OPENSSL_KEYTYPE_ED25519 &&
    req->priv_key_type != OPENSSL_KEYTYPE_ED448 &&
    req->priv_key_bits < MIN_KEY_LENGTH) {