Skip to content

Commit

Permalink
Support signing requests using ED25519
Browse files Browse the repository at this point in the history 
Allow requests to be signed using ED25519 private keys by passing a nil digest.
This is similar to commit b0fc100 when signing certs.

Note ED25519 keys do not implement the same `public_key` method, so the test
must special case based on oid.
  • Loading branch information
@joshcooper
joshcooper committed Oct 30, 2024
1 parent 0e2698a commit a72a43e
Show file tree
Hide file tree
Showing 2 changed files with 33 additions and 2 deletions.
6 changes: 5 additions & 1 deletion ext/openssl/ossl_x509req.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -312,7 +312,11 @@ ossl_x509req_sign(VALUE self, VALUE key, VALUE digest)

GetX509Req(self, req);
pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */
md = ossl_evp_get_digestbyname(digest);
if (NIL_P(digest)) {
md = NULL; /* needed for some key types, e.g. Ed25519 */
} else {
md = ossl_evp_get_digestbyname(digest);
}
if (!X509_REQ_sign(req, pkey, md)) {
ossl_raise(eX509ReqError, NULL);
}
Expand Down
29 changes: 28 additions & 1 deletion test/openssl/test_x509req.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,11 @@ def issue_csr(ver, dn, key, digest)
req = OpenSSL::X509::Request.new
req.version = ver
req.subject = dn
req.public_key = key.public_key
if key.oid.casecmp?('ed25519')
req.public_key = key
else
req.public_key = key.public_key
end
req.sign(key, digest)
req
end
Expand Down Expand Up @@ -132,6 +136,29 @@ def test_sign_and_verify_dsa_md5
issue_csr(0, @dn, @dsa512, OpenSSL::Digest.new('MD5')) }
end

def test_sign_and_verify_ed25519
# See test_ed25519 in test_pkey.rb

# Ed25519 is not FIPS-approved.
omit_on_fips

begin
ed25519 = OpenSSL::PKey::generate_key("ED25519")
rescue OpenSSL::PKey::PKeyError => e
# OpenSSL < 1.1.1
#
pend "Ed25519 is not implemented" unless openssl?(1, 1, 1)

raise e
end

# See ASN1_item_sign_ctx in ChangeLog for 3.8.1: https://github.com/libressl/portable/blob/master/ChangeLog
pend 'ASN1 signing with Ed25519 not yet working' unless openssl? or libressl?(3, 8, 1)

req = issue_csr(0, @dn, ed25519, nil)
assert_equal(true, req.verify(ed25519))
end

def test_dup
req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
assert_equal(req.to_der, req.dup.to_der)
Expand Down

0 comments on commit a72a43e

Please sign in to comment.