From b62375bcdedea7140eed7babae73353ccb9d6d02 Mon Sep 17 00:00:00 2001
From: Josh Cooper
Date: Tue, 29 Oct 2024 14:18:32 -0700
Subject: [PATCH] Support signing CRLs using Ed25519

Allow CRLs to be signed using Ed25519 private keys by passing a nil digest.
---
 ext/openssl/ossl_x509crl.c | 6 +++++-
 test/openssl/test_x509crl.rb | 17 +++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/ext/openssl/ossl_x509crl.c b/ext/openssl/ossl_x509crl.c
index 368270ce1..4f3177bfb 100644
--- a/ext/openssl/ossl_x509crl.c
+++ b/ext/openssl/ossl_x509crl.c
@@ -350,7 +350,11 @@ ossl_x509crl_sign(VALUE self, VALUE key, VALUE digest)

 GetX509CRL(self, crl);
 pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */
- md = ossl_evp_get_digestbyname(digest);
+ if (NIL_P(digest)) {
+ md = NULL; /* needed for some key types, e.g. Ed25519 */
+ } else {
+ md = ossl_evp_get_digestbyname(digest);
+ }
 if (!X509_CRL_sign(crl, pkey, md)) {
 ossl_raise(eX509CRLError, NULL);
 }
diff --git a/test/openssl/test_x509crl.rb b/test/openssl/test_x509crl.rb
index 146ee0730..e5fa6f998 100644
--- a/test/openssl/test_x509crl.rb
+++ b/test/openssl/test_x509crl.rb
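Review bot: The `NIL_P(digest)` branch is taken for every key type, not only Ed25519, so a nil digest passed with an RSA or EC key now reaches `X509_CRL_sign` with `md == NULL`. In that case the hash is presumably whatever default the linked library picks for the key, where the old code handed nil straight to `ossl_evp_get_digestbyname`. The inline comment should say so, for example `/* NULL: library chooses the digest; required for Ed25519, which takes none */`. The method's rdoc, which is outside this hunk, should also state that nil is meant for such keys and that callers who need a specific hash must name it. The body of ossl_x509crl_sign starts and ends outside the hunk.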
@@ -204,6 +204,23 @@ def test_sign_and_verify
 assert_equal(false, crl.verify(@dsa512))
 end

+ def test_sign_and_verify_ed25519
+ # Ed25519 is not FIPS-approved.
+ omit_on_fips
+ # See ASN1_item_sign_ctx in ChangeLog for 3.8.1: https://github.com/libressl/portable/blob/master/ChangeLog
+ omit "Ed25519 not supported" unless openssl?(1, 1, 1) || libressl?(3, 8, 1)
+ ed25519 = OpenSSL::PKey::generate_key("ED25519")
+ cert = issue_cert(@ca, ed25519, 1, [], nil, nil, digest: nil)
+ crl = issue_crl([], 1, Time.now, Time.now+1600, [],
+ cert, ed25519, nil)
+ assert_equal(false, crl_error_returns_false { crl.verify(@rsa1024) })
+ assert_equal(false, crl_error_returns_false { crl.verify(@rsa2048) })
+ assert_equal(false, crl.verify(OpenSSL::PKey::generate_key("ED25519")))
+ assert_equal(true, crl.verify(ed25519))
+ crl.version = 0
+ assert_equal(false, crl.verify(ed25519))
+ end
+
 def test_revoked_to_der
 # revokedCertificates SEQUENCE OF SEQUENCE {
 # userCertificate CertificateSerialNumber,
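Review bot: `test_sign_and_verify_ed25519` covers only the nil-digest path with an Ed25519 key, so nothing pins what happens when a digest is named for that key, or when nil is passed with one of the existing RSA keys. The C side raises `eX509CRLError` when `X509_CRL_sign` fails, so a companion assertion such as `assert_raise(OpenSSL::X509::CRLError) { issue_crl([], 1, Time.now, Time.now+1600, [], cert, ed25519, "sha256") }` would show that a named digest is rejected rather than silently ignored. That assumes the linked library refuses the combination, which should be confirmed on the supported OpenSSL and LibreSSL versions. A one-line comment above `crl.version = 0`, for example `# any change to the signed fields must invalidate the signature`, would also make the intent of the last assertion clear.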