Unable to generate certificate with Ed25519-Dilithium2 digital signature #183
Comments
The reason is that there are two copies of the Circl Dilithium key type: the one of the vendored Circl inside the Go standard library, and the regular Circl. The Go standard library only recognises the internal Dilithium2 key type. I haven't quite figured out what would be the most elegant method to solve this.
So, is it impossible to generate a certificate using the x509.CreateCertificate function with any post-quantum digital signature algorithm (such as Dilithium)? Or can you suggest a simple way to do it (not necessarily the most elegant), without executing generate_cert.go inside the Cloudflare/Go fork?
when I use it like this
Hello!
I tried to use post-quantum digital signature generation in my application and ran into an issue. There is a go/src/crypto/tls/generate_cert.go file, and if I run it inside the cloudflare/go fork, it works. I run it on Ubuntu 24 inside the directory ~/cloudlflare_go/go/src/crypto/tls with a command like this:
~/cloudlflare_go/go/bin/go run ./generate_cert.go --host localhost --circl "Ed25519-Dilithium2"
But if I copy the generate_cert.go file to a custom project, install the necessary cloudflare/circl version and run the same command from the custom project directory:
~/cloudlflare_go/go/bin/go run ./generate_cert.go --host localhost --circl "Ed25519-Dilithium2"
I get this error from the signingParamsForPublicKey function:
"Failed to create certificate: x509: only RSA, ECDSA, Ed25519 and circl keys supported
exit status 1"
I tried to do it in a new Go module and synchronized its dependencies, such as github.com/cloudflare/circl v1.4.1-0.20240905130006-2d6cd9871f69, etc.
Moreover, after several tries, I copied /go/src/vendor, /go/src/go.mod and /go/src/go.sum to the project, but I got this issue again and again.
For debugging purposes, I added code to convert the public key to circlSign.PublicKey inside the signingParamsForPublicKey function and received the panic: interface conversion: *eddilithium2.PublicKey is not sign.PublicKey: missing method Scheme
I would greatly appreciate your assistance!
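The type-identity mismatch behind both the x509 error and the panic above can be reproduced in one file. This is an added example, not code from the issue or from cloudflare/go: the `vendored*` and `external*` types and the `signingParams` and `forceAssert` helpers are constructed stand-ins for the two Circl copies and for the standard library's key check.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for the two copies of circl's sign package. In a real
// build they have different import paths, so same-named types are distinct.
type (
	vendoredScheme interface{ Name() string } // copy inside the Go tree
	externalScheme interface{ Name() string } // copy from the project's go.mod
	// The only circl key interface the standard library checks for.
	vendoredPublicKey interface{ Scheme() vendoredScheme }
	scheme            string
)

func (s scheme) Name() string { return string(s) }

type vendoredKey struct{} // key created through the vendored copy
func (vendoredKey) Scheme() vendoredScheme { return scheme("Ed25519-Dilithium2") }

type externalKey struct{} // key created through the external copy
func (externalKey) Scheme() externalScheme { return scheme("Ed25519-Dilithium2") }

// signingParams mirrors the shape of the key-type check (hypothetical helper).
func signingParams(pub any) (string, error) {
	if k, ok := pub.(vendoredPublicKey); ok {
		return k.Scheme().Name(), nil
	}
	return "", errors.New("x509: only RSA, ECDSA, Ed25519 and circl keys supported")
}

// forceAssert performs the unchecked conversion and returns the panic text.
func forceAssert(pub any) (msg string) {
	defer func() {
		if r := recover(); r != nil {
			msg = fmt.Sprint(r)
		}
	}()
	_ = pub.(vendoredPublicKey)
	return "ok"
}

func main() {
	fmt.Println(signingParams(vendoredKey{}))
	fmt.Println(signingParams(externalKey{}))
	fmt.Println(forceAssert(externalKey{}))
}
```

The external key has a `Scheme` method, but its result type belongs to the other copy, so the runtime reports the method as missing.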