Skip to content

Commit

Permalink
Support signing requests using ED25519
Browse files Browse the repository at this point in the history
Allow requests to be signed using ED25519 private keys by passing a nil digest.
This is similar to commit f463f56 when signing certs.

Note ED25519 keys do not implement the same `public_key` method, so the test
must special case based on oid.
  • Loading branch information
joshcooper committed Oct 8, 2024
1 parent 8367b16 commit 95531e0
Show file tree
Hide file tree
Showing 2 changed files with 33 additions and 2 deletions.
6 changes: 5 additions & 1 deletion ext/openssl/ossl_x509req.c
Original file line number Diff line number Diff line change
Expand Up @@ -312,7 +312,11 @@ ossl_x509req_sign(VALUE self, VALUE key, VALUE digest)

GetX509Req(self, req);
pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */
md = ossl_evp_get_digestbyname(digest);
if (NIL_P(digest)) {
md = NULL; /* needed for some key types, e.g. Ed25519 */
} else {
md = ossl_evp_get_digestbyname(digest);
}
if (!X509_REQ_sign(req, pkey, md)) {
ossl_raise(eX509ReqError, NULL);
}
Expand Down
29 changes: 28 additions & 1 deletion test/openssl/test_x509req.rb
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,11 @@ def issue_csr(ver, dn, key, digest)
req = OpenSSL::X509::Request.new
req.version = ver
req.subject = dn
req.public_key = key.public_key
if key.oid == "ED25519"
req.public_key = key
else
req.public_key = key.public_key
end
req.sign(key, digest)
req
end
Expand Down Expand Up @@ -132,6 +136,29 @@ def test_sign_and_verify_dsa_md5
issue_csr(0, @dn, @dsa512, OpenSSL::Digest.new('MD5')) }
end

def test_sign_and_verify_ed25519
# See test_ed25519 in test_pkey.rb

# Ed25519 is not FIPS-approved.
omit_on_fips

begin
ed25519 = OpenSSL::PKey::generate_key("ED25519")
rescue OpenSSL::PKey::PKeyError => e
# OpenSSL < 1.1.1
#
pend "Ed25519 is not implemented" unless openssl?(1, 1, 1)

raise e
end

# See ASN1_item_sign_ctx in ChangeLog for 3.8.1: https://github.com/libressl/portable/blob/master/ChangeLog
pend 'ASN1 signing with Ed25519 not yet working' unless openssl? or libressl?(3, 8, 1)

req = issue_csr(0, @dn, ed25519, nil)
assert_equal(true, req.verify(ed25519))
end

def test_dup
req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
assert_equal(req.to_der, req.dup.to_der)
Expand Down

0 comments on commit 95531e0

Please sign in to comment.