Skip to content

Commit

Permalink
Support signing CRLs using Ed25519
Browse files Browse the repository at this point in the history 
Allow CRLs to be signed using Ed25519 private keys by passing a nil digest.
  • Loading branch information
@joshcooper
joshcooper committed Nov 19, 2024
1 parent d960903 commit b62375b
Show file tree
Hide file tree
Showing 2 changed files with 22 additions and 1 deletion.
6 changes: 5 additions & 1 deletion ext/openssl/ossl_x509crl.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -350,7 +350,11 @@ ossl_x509crl_sign(VALUE self, VALUE key, VALUE digest)

GetX509CRL(self, crl);
pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */
md = ossl_evp_get_digestbyname(digest);
if (NIL_P(digest)) {
md = NULL; /* needed for some key types, e.g. Ed25519 */
} else {
md = ossl_evp_get_digestbyname(digest);
}
if (!X509_CRL_sign(crl, pkey, md)) {
ossl_raise(eX509CRLError, NULL);
}
Expand Down
17 changes: 17 additions & 0 deletions test/openssl/test_x509crl.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -204,6 +204,23 @@ def test_sign_and_verify
assert_equal(false, crl.verify(@dsa512))
end

def test_sign_and_verify_ed25519
# Ed25519 is not FIPS-approved.
omit_on_fips
# See ASN1_item_sign_ctx in ChangeLog for 3.8.1: https://github.com/libressl/portable/blob/master/ChangeLog
omit "Ed25519 not supported" unless openssl?(1, 1, 1) || libressl?(3, 8, 1)
ed25519 = OpenSSL::PKey::generate_key("ED25519")
cert = issue_cert(@ca, ed25519, 1, [], nil, nil, digest: nil)
crl = issue_crl([], 1, Time.now, Time.now+1600, [],
cert, ed25519, nil)
assert_equal(false, crl_error_returns_false { crl.verify(@rsa1024) })
assert_equal(false, crl_error_returns_false { crl.verify(@rsa2048) })
assert_equal(false, crl.verify(OpenSSL::PKey::generate_key("ED25519")))
assert_equal(true, crl.verify(ed25519))
crl.version = 0
assert_equal(false, crl.verify(ed25519))
end

def test_revoked_to_der
# revokedCertificates SEQUENCE OF SEQUENCE {
# userCertificate CertificateSerialNumber,
Expand Down

0 comments on commit b62375b

Please sign in to comment.