openssl_pkey_new() fails on OpenSSL 3.6 - missing private_key_bits parameter

[ben182]

Description

On systems with OpenSSL 3.6.0, the Encryption::createLocalKeyObject() method fails with:

openssl_pkey_new(): Private key length must be at least 384 bits, configured to 0

Environment

• PHP: 8.4 / 8.5
• OpenSSL: 3.6.0 (released October 2025)
• web-push: 10.0.1

Cause

OpenSSL 3.6 now requires an explicit private_key_bits parameter for EC key generation. The current code in
src/Encryption.php:254 does not provide this:

$keyResource = openssl_pkey_new([                                                                                        
    'curve_name'       => 'prime256v1',                                                                                  
    'private_key_type' => OPENSSL_KEYTYPE_EC,                                                                            
]);                                                                                                                      
                                                                                                                         
Fix                                                                                                                      
                                                                                                                         
Add private_key_bits to the options array:                                                                               
                                                                                                                         
$keyResource = openssl_pkey_new([                                                                                        
    'curve_name'       => 'prime256v1',                                                                                  
    'private_key_type' => OPENSSL_KEYTYPE_EC,                                                                            
    'private_key_bits' => 384,                                                                                           
]);

[Minishlink]

Hello, this is a weird error since private_key_bits makes sense for RSA keys not elliptic curves? Especially this minimal value 384 is suspicious in this case. Is there a bug listed on OpenSSL?

[Rotzbua]

I agree the error and fix points to a missing EC-curve support. Does checkRequirementKeyCipherHash() pass without any thrown error?

[ben182]

Hey, tested this again on my system.

Setup: PHP 8.5.2, OpenSSL 3.6.0

Results

Without private_key_bits → error as described
With private_key_bits = 384 → works
With private_key_bits = 256 → error (even though prime256v1 is a 256-bit curve)

@Minishlink

Yeah it's weird. The CLI works fine though:

openssl ecparam -name prime256v1 -genkey -noout # no problem

So it seems like a PHP/OpenSSL bindings issue, not OpenSSL itself. Searched the https://bugs.php.net and
https://github.com/php/php-src/issues - nothing specific. The
https://github.com/openssl/openssl/blob/openssl-3.6.0/CHANGES.md doesn't mention any changes to private_key_bits
validation either.

@Rotzbua

checkRequirementKeyCipherHash() passes without errors. Curve, cipher and hash are all available - the issue only
happens during actual key generation.

The 384 bits fix works as a workaround but feels semantically wrong since prime256v1 is a 256-bit curve. Looks
like a PHP OpenSSL bindings bug to me. Might be worth reporting at https://github.com/php/php-src/issues?

[Rotzbua]

A breaking change is the compiler requirement for 3.6:

An ANSI-C toolchain is no longer sufficient for building OpenSSL.
The code should be built using compilers supporting C-99 features.

They have different integer behavour and sizes.

I think PHP needs to address this change.

[ben182]

I've opened an issue on php-src for this: php/php-src#21083

[Minishlink]

Thanks @ben182 @Rotzbua. We can merge a workaround PR if this is a blocker. Adding private_key_bits is safe for other versions of OpenSSL?

[Rotzbua]

Openssl 3.6 is not yet widely used. In the readme, key generation via php is only a fallback. I would just keep the issue open.

[Rotzbua]

@ben182 There is bit different option to create key. Can you test this:

$keyResource = openssl_pkey_new(['ec' => [
    'curve_name'       => 'prime256v1',
    'private_key_type' => OPENSSL_KEYTYPE_EC,
]]);

[Minishlink]

#448 did the trick. Let me know if you need any backport fix

[ben182]

Hey @Minishlink @eyupcanakman, thanks for the quick fix! 🙏

Just wanted to add some context for anyone following along: PR #448 works perfectly as a fix for this library, but it's essentially a workaround for an underlying PHP bug.

The 'ec' => [...] nested syntax takes a completely different code path in PHP (php_openssl_pkey_init_ec() in openssl.c) that returns early and never reaches the priv_key_bits < 384 check. The old flat syntax goes through php_openssl_generate_private_key() which still validates priv_key_bits for all key types - including EC, where it doesn't apply.

So the PHP issue I reported at php/php-src#21083 is still valid and affects anyone using the flat openssl_pkey_new() syntax with OPENSSL_KEYTYPE_EC on systems where default_bits is not set in the openssl.cnf that PHP reads.

Just flagging this so it's documented - the fix here is totally fine for web-push-php! 👍