From 7950482562f3f53fb06d9933474b981358689faf Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky <ilia@ilia.ws>
Date: Sun, 8 Mar 2026 17:56:29 -0400
Subject: [PATCH] Fix GH-21083: Skip private_key_bits validation for
 EC/curve-based keys

openssl_pkey_new() checks private_key_bits >= 384 before generating any
key. For EC, X25519, ED25519, X448, and ED448 the size is inherent to
the curve or algorithm, so this check doesn't apply and causes failures
when default_bits is missing from openssl.cnf (which is the case in
OpenSSL 3.6's default config).

Skip the minimum-bits check for key types that don't use private_key_bits.

Closes GH-21387.
---
 NEWS                           |  4 +++
 ext/openssl/openssl.c          |  5 ++-
 ext/openssl/tests/gh21083.phpt | 61 ++++++++++++++++++++++++++++++++++
 3 files changed, 69 insertions(+), 1 deletion(-)
 create mode 100644 ext/openssl/tests/gh21083.phpt

diff --git a/NEWS b/NEWS
index 088a2768da3..76cca47611f 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,10 @@ PHP                                                                        NEWS
 - Bz2:
   . Fix truncation of total output size causing erroneous errors. (ndossche)
 
+- OpenSSL:
+  . Fixed bug GH-21083 (Skip private_key_bits validation for EC/curve-based
+    keys). (iliaal)
+
 - PCRE:
   . Fixed re-entrancy issue on php_pcre_match_impl, php_pcre_replace_impl,
     php_pcre_split_impl, and php_pcre_grep_impl. (David Carlier)
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 2f2aae1e733..7e2b9568325 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -3828,7 +3828,10 @@ static int php_openssl_get_evp_pkey_type(int key_type) {
 /* {{{ php_openssl_generate_private_key */
 static EVP_PKEY * php_openssl_generate_private_key(struct php_x509_request * req)
 {
-	if (req->priv_key_bits < MIN_KEY_LENGTH) {
+	if ((req->priv_key_type == OPENSSL_KEYTYPE_RSA ||
+			req->priv_key_type == OPENSSL_KEYTYPE_DH ||
+			req->priv_key_type == OPENSSL_KEYTYPE_DSA) &&
+			req->priv_key_bits < MIN_KEY_LENGTH) {
 		php_error_docref(NULL, E_WARNING, "Private key length must be at least %d bits, configured to %d",
 			MIN_KEY_LENGTH, req->priv_key_bits);
 		return NULL;
diff --git a/ext/openssl/tests/gh21083.phpt b/ext/openssl/tests/gh21083.phpt
new file mode 100644
index 00000000000..31afb7ca084
--- /dev/null
+++ b/ext/openssl/tests/gh21083.phpt
@@ -0,0 +1,61 @@
+--TEST--
+GH-21083 (openssl_pkey_new() fails for EC keys when private_key_bits is not set)
+--EXTENSIONS--
+openssl
+--SKIPIF--
+<?php if (!defined("OPENSSL_KEYTYPE_EC")) die("skip EC disabled"); ?>
+--ENV--
+OPENSSL_CONF=
+--FILE--
+<?php
+// Create a minimal openssl.cnf without default_bits (simulates OpenSSL 3.6 default config)
+$conf = tempnam(sys_get_temp_dir(), 'ossl');
+file_put_contents($conf, "[req]\ndistinguished_name = req_dn\n[req_dn]\n");
+
+// EC key - size is determined by the curve, private_key_bits should not be required
+$key = openssl_pkey_new([
+    'config' => $conf,
+    'private_key_type' => OPENSSL_KEYTYPE_EC,
+    'curve_name' => 'prime256v1',
+]);
+var_dump($key !== false);
+$details = openssl_pkey_get_details($key);
+var_dump($details['bits']);
+var_dump($details['type'] === OPENSSL_KEYTYPE_EC);
+echo "EC OK\n";
+
+// X25519 - fixed size key, private_key_bits should not be required
+if (defined('OPENSSL_KEYTYPE_X25519')) {
+    $key = openssl_pkey_new([
+        'config' => $conf,
+        'private_key_type' => OPENSSL_KEYTYPE_X25519,
+    ]);
+    var_dump($key !== false);
+    echo "X25519 OK\n";
+} else {
+    echo "bool(true)\nX25519 OK\n";
+}
+
+// Ed25519 - fixed size key, private_key_bits should not be required
+if (defined('OPENSSL_KEYTYPE_ED25519')) {
+    $key = openssl_pkey_new([
+        'config' => $conf,
+        'private_key_type' => OPENSSL_KEYTYPE_ED25519,
+    ]);
+    var_dump($key !== false);
+    echo "Ed25519 OK\n";
+} else {
+    echo "bool(true)\nEd25519 OK\n";
+}
+
+unlink($conf);
+?>
+--EXPECT--
+bool(true)
+int(256)
+bool(true)
+EC OK
+bool(true)
+X25519 OK
+bool(true)
+Ed25519 OK