
Support signing CRLs using Ed25519
Allow CRLs to be signed using Ed25519 private keys by passing a nil digest.
joshcooper committed Nov 6, 2024
1 parent ade53f2 commit 79100f5
Showing 2 changed files with 20 additions and 1 deletion.
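--- a/ext/openssl/ossl_x509crl.c
+++ b/ext/openssl/ossl_x509crl.c
@@ -350,7 +350,11 @@ ossl_x509crl_sign(VALUE self, VALUE key, VALUE digest)
 
 GetX509CRL(self, crl);
 pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */
-md = ossl_evp_get_digestbyname(digest);
+if (NIL_P(digest)) {
+md = NULL; /* needed for some key types, e.g. Ed25519 */
+} else {
+md = ossl_evp_get_digestbyname(digest);
+}
 if (!X509_CRL_sign(crl, pkey, md)) {
 ossl_raise(eX509CRLError, NULL);
 }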
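Review bot: The nil branch at `if (NIL_P(digest))` hands digest selection to OpenSSL for every key type, not only the one-shot keys the comment has in mind: with a NULL EVP_MD, X509_CRL_sign on an RSA, EC or DSA key is, depending on the library version, either rejected or silently signed with a library-chosen default digest, so a caller passing nil with such a key gets an implicitly selected algorithm rather than a clear error. That should be spelled out where the decision is made, e.g. `/* NULL lets the library choose: required for keys that take no digest (Ed25519); for other key types the outcome is version-dependent, so callers should pass a digest explicitly */`, and the method's rdoc (not in this hunk) should document that nil is intended for keys that do not accept a digest. If rejecting nil for digest-taking key types is the intended contract, that check belongs here before the sign call rather than being left to OpenSSL. The body of ossl_x509crl_sign starts before and continues after this hunk.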
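--- a/test/openssl/test_x509crl.rb
+++ b/test/openssl/test_x509crl.rb
@@ -204,6 +204,21 @@ def test_sign_and_verify
 assert_equal(false, crl.verify(@dsa512))
 end
 
+def test_sign_and_verify_ed25519
+omit_on_fips
+omit "Ed25519 not supported" unless openssl?(1, 1, 1) || libressl?(3, 8, 1)
+ed25519 = OpenSSL::PKey::generate_key("ED25519")
+cert = issue_cert(@ca, ed25519, 1, [], nil, nil, digest: nil)
+crl = issue_crl([], 1, Time.now, Time.now+1600, [],
+cert, ed25519, nil)
+assert_equal(false, crl_error_returns_false { crl.verify(@rsa1024) })
+assert_equal(false, crl_error_returns_false { crl.verify(@rsa2048) })
+assert_equal(false, crl.verify(OpenSSL::PKey::generate_key("ED25519")))
+assert_equal(true, crl.verify(ed25519))
+crl.version = 0
+assert_equal(false, crl.verify(ed25519))
+end
+
 def test_revoked_to_der
 # revokedCertificates SEQUENCE OF SEQUENCE {
 # userCertificate CertificateSerialNumber,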
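Review bot: The new test pins nil-digest signing only for an Ed25519 key; nothing asserts what `CRL#sign(key, nil)` does with an RSA or EC key, which this commit makes a reachable path for every caller. Depending on the OpenSSL version a NULL digest for such keys is either rejected or replaced by a library-chosen default, so the intended contract should be pinned here, e.g. `assert_raise(OpenSSL::X509::CRLError) { issue_crl([], 1, Time.now, Time.now+1600, [], cert, @rsa2048, nil) }` if nil is meant to be refused for digest-taking keys, or a `verify` assertion against the expected default if an implicit digest is acceptable. A one-line comment above `def test_sign_and_verify_ed25519` stating that nil is the digest argument for keys that take none would also help readers of `issue_crl(..., cert, ed25519, nil)`, where the trailing nil is otherwise opaque. The enclosing test class starts and ends outside this hunk.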
