Implement & test ed25519 support

Keys/certs here are from rustls-0.22 (because OpenSSL cannot parse PKCS#8.2 format keys.)
rustls · May 3, 2024 · cab679f · cab679f
1 parent 54609be
commit cab679f
Show file tree

Hide file tree

Showing 6 changed files with 77 additions and 1 deletion.
diff --git a/rustls-libssl/src/evp_pkey.rs b/rustls-libssl/src/evp_pkey.rs
@@ -170,6 +170,27 @@ impl EvpScheme for RsaPss {
 unsafe impl Sync for RsaPss {}
 unsafe impl Send for RsaPss {}
 
+pub fn ed25519() -> Box<dyn EvpScheme + Send + Sync> {
+    Box::new(Ed25519)
+}
+
+#[derive(Debug)]
+struct Ed25519;
+
+impl EvpScheme for Ed25519 {
+    fn digest(&self) -> *mut EVP_MD {
+        // "When calling EVP_DigestSignInit() or EVP_DigestVerifyInit(), the
+        // digest type parameter MUST be set to NULL."
+        // <https://www.openssl.org/docs/man3.0/man7/EVP_SIGNATURE-ED25519.html>
+        ptr::null_mut()
+    }
+
+    fn configure_ctx(&self, _: &mut SignCtx) -> Option<()> {
+        // "No additional parameters can be set during one-shot signing or verification."
+        Some(())
+    }
+}
+
 /// Owning wrapper for a signing `EVP_MD_CTX`
 pub(crate) struct SignCtx {
     md_ctx: *mut EVP_MD_CTX,

diff --git a/rustls-libssl/src/sign.rs b/rustls-libssl/src/sign.rs
@@ -10,7 +10,7 @@ use rustls::{SignatureAlgorithm, SignatureScheme};
 
 use crate::error;
 use crate::evp_pkey::{
-    rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, rsa_pss_sha256, rsa_pss_sha384,
+    ed25519, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, rsa_pss_sha256, rsa_pss_sha384,
     rsa_pss_sha512, EvpPkey, EvpScheme,
 };
 use crate::x509::OwnedX509Stack;
@@ -205,6 +205,17 @@ impl sign::SigningKey for OpenSslKey {
 
                 None
             }
+            SignatureAlgorithm::ED25519 => {
+                if offered.contains(&SignatureScheme::ED25519) {
+                    return Some(Box::new(OpenSslSigner {
+                        pkey: self.0.clone(),
+                        pscheme: ed25519(),
+                        scheme: SignatureScheme::ED25519,
+                    }));
+                }
+
+                None
+            }
             _ => None,
         }
     }

diff --git a/rustls-libssl/test-ca/ed25519/ca.cert b/rustls-libssl/test-ca/ed25519/ca.cert
@@ -0,0 +1,9 @@
+-----BEGIN CERTIFICATE-----
+MIIBTDCB/6ADAgECAhR5rwmHkOFPLTkaLT9cqTrVZXkY9DAFBgMrZXAwHDEaMBgG
+A1UEAwwRcG9ueXRvd24gRWREU0EgQ0EwHhcNMjMxMjIxMTcyMzE1WhcNMzMxMjE4
+MTcyMzE1WjAcMRowGAYDVQQDDBFwb255dG93biBFZERTQSBDQTAqMAUGAytlcAMh
+AJgNZ3ibDQ9rV85DZPPAnnwyuWh8rm3jX9ZCsU/WgG7Io1MwUTAdBgNVHQ4EFgQU
+OFqGAvTdFHBY3OVdI0UB5kzHKpwwHwYDVR0jBBgwFoAUOFqGAvTdFHBY3OVdI0UB
+5kzHKpwwDwYDVR0TAQH/BAUwAwEB/zAFBgMrZXADQQAsRwN+gYyaM5yN45Uo+R1y
+tbiv8+TrEH0W8/oE/RCeRiPGV5qXpr2DqicljjNmNGixJ6ELuymaQ/1oMGuUDkEF
+-----END CERTIFICATE-----
diff --git a/rustls-libssl/test-ca/ed25519/server.cert b/rustls-libssl/test-ca/ed25519/server.cert
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIB0DCCAYKgAwIBAgICAcgwBQYDK2VwMC4xLDAqBgNVBAMMI3Bvbnl0b3duIEVk
+RFNBIGxldmVsIDIgaW50ZXJtZWRpYXRlMB4XDTIzMTIyMTE3MjMxNVoXDTI5MDYx
+MjE3MjMxNVowGTEXMBUGA1UEAwwOdGVzdHNlcnZlci5jb20wKjAFBgMrZXADIQBG
+aQQnDqqVjKAWWubCZJrG6S2ZZcI9/ZO65doj0GcDBqOB2DCB1TAMBgNVHRMBAf8E
+AjAAMAsGA1UdDwQEAwIGwDAdBgNVHQ4EFgQUmyF3DidQEKhYUCk+ITezcqPhqAsw
+RAYDVR0jBD0wO4AUxwg1gMsAfyEa6sLP1y4o71kifi6hIKQeMBwxGjAYBgNVBAMM
+EXBvbnl0b3duIEVkRFNBIENBggF7MFMGA1UdEQRMMEqCDnRlc3RzZXJ2ZXIuY29t
+hwTGM2QBghVzZWNvbmQudGVzdHNlcnZlci5jb22HECABDbgAAAAAAAAAAAAAAAGC
+CWxvY2FsaG9zdDAFBgMrZXADQQA5X4Gdwo2e2TmhjgMcFB5SVbo/IPh3i8FaqKYc
+k+O941Y4S0aBC/7zGZDZx2m0VAThR0eHsyGGnsKUB/uH1MoG
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBeDCCASqgAwIBAgIBezAFBgMrZXAwHDEaMBgGA1UEAwwRcG9ueXRvd24gRWRE
+U0EgQ0EwHhcNMjMxMjIxMTcyMzE1WhcNMzMxMjE4MTcyMzE1WjAuMSwwKgYDVQQD
+DCNwb255dG93biBFZERTQSBsZXZlbCAyIGludGVybWVkaWF0ZTAqMAUGAytlcAMh
+AEZ0Q6H7K8Blul4086JDZCRWtzRM1Qh/Ppu4d5j+9duJo38wfTAdBgNVHQ4EFgQU
+xwg1gMsAfyEa6sLP1y4o71kifi4wIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsG
+AQUFBwMCMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgH+MB8GA1UdIwQYMBaAFDha
+hgL03RRwWNzlXSNFAeZMxyqcMAUGAytlcANBAFPdVYhESKRDGyoWLR3aqDaLN0nn
+jxWzGRPtiLBxZLBmxKS4j5J6dCtKKX85E90oSmV/ElorbpGznBk2l+ky6wY=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBTDCB/6ADAgECAhR5rwmHkOFPLTkaLT9cqTrVZXkY9DAFBgMrZXAwHDEaMBgG
+A1UEAwwRcG9ueXRvd24gRWREU0EgQ0EwHhcNMjMxMjIxMTcyMzE1WhcNMzMxMjE4
+MTcyMzE1WjAcMRowGAYDVQQDDBFwb255dG93biBFZERTQSBDQTAqMAUGAytlcAMh
+AJgNZ3ibDQ9rV85DZPPAnnwyuWh8rm3jX9ZCsU/WgG7Io1MwUTAdBgNVHQ4EFgQU
+OFqGAvTdFHBY3OVdI0UB5kzHKpwwHwYDVR0jBBgwFoAUOFqGAvTdFHBY3OVdI0UB
+5kzHKpwwDwYDVR0TAQH/BAUwAwEB/zAFBgMrZXADQQAsRwN+gYyaM5yN45Uo+R1y
+tbiv8+TrEH0W8/oE/RCeRiPGV5qXpr2DqicljjNmNGixJ6ELuymaQ/1oMGuUDkEF
+-----END CERTIFICATE-----
diff --git a/rustls-libssl/test-ca/ed25519/server.key b/rustls-libssl/test-ca/ed25519/server.key
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIFAeJeUKTXguiUHfGJmqh5nG8AdqjNDKQy9nctnekBE3
+-----END PRIVATE KEY-----
diff --git a/rustls-libssl/tests/runner.rs b/rustls-libssl/tests/runner.rs
@@ -401,6 +401,7 @@ fn server_key_algorithms() {
     server_with_key_algorithm("rsa", "rsa_pkcs1_sha256", "-tls1_2");
     server_with_key_algorithm("rsa", "rsa_pkcs1_sha384", "-tls1_2");
     server_with_key_algorithm("rsa", "rsa_pkcs1_sha512", "-tls1_2");
+    server_with_key_algorithm("ed25519", "ed25519", "-tls1_3");
 }
 
 const NGINX_LOG_LEVEL: &str = "info";