Skip to content

Commit

Permalink
Support signing CRLs using ED25519
Browse files Browse the repository at this point in the history
Allow CRLs to be signed using ED25519 private keys by passing a nil digest.
  • Loading branch information
joshcooper committed Oct 29, 2024
1 parent 9090410 commit 83de708
Show file tree
Hide file tree
Showing 2 changed files with 35 additions and 1 deletion.
6 changes: 5 additions & 1 deletion ext/openssl/ossl_x509crl.c
Original file line number Diff line number Diff line change
Expand Up @@ -350,7 +350,11 @@ ossl_x509crl_sign(VALUE self, VALUE key, VALUE digest)

GetX509CRL(self, crl);
pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */
md = ossl_evp_get_digestbyname(digest);
if (NIL_P(digest)) {
md = NULL; /* needed for some key types, e.g. Ed25519 */
} else {
md = ossl_evp_get_digestbyname(digest);
}
if (!X509_CRL_sign(crl, pkey, md)) {
ossl_raise(eX509CRLError, NULL);
}
Expand Down
30 changes: 30 additions & 0 deletions test/openssl/test_x509crl.rb
Original file line number Diff line number Diff line change
Expand Up @@ -204,6 +204,36 @@ def test_sign_and_verify
assert_equal(false, crl.verify(@dsa512))
end

def test_sign_and_verify_ed25519
# See test_ed25519 in test_pkey.rb

# Ed25519 is not FIPS-approved.
omit_on_fips

begin
ed25519 = OpenSSL::PKey::generate_key("ED25519")
rescue OpenSSL::PKey::PKeyError => e
# OpenSSL < 1.1.1
#
pend "Ed25519 is not implemented" unless openssl?(1, 1, 1)

raise e
end

# See ASN1_item_sign_ctx in ChangeLog for 3.8.1: https://github.com/libressl/portable/blob/master/ChangeLog
pend 'ASN1 signing with Ed25519 not yet working' unless openssl? or libressl?(3, 8, 1)

cert = issue_cert(@ca, ed25519, 1, [], nil, nil, digest: nil)
crl = issue_crl([], 1, Time.now, Time.now+1600, [],
cert, ed25519, nil)
assert_equal(false, crl_error_returns_false { crl.verify(@rsa1024) })
assert_equal(false, crl_error_returns_false { crl.verify(@rsa2048) })
assert_equal(false, crl.verify(OpenSSL::PKey::generate_key("ED25519")))
assert_equal(true, crl.verify(ed25519))
crl.version = 0
assert_equal(false, crl.verify(ed25519))
end

def test_revoked_to_der
# revokedCertificates SEQUENCE OF SEQUENCE {
# userCertificate CertificateSerialNumber,
Expand Down

0 comments on commit 83de708

Please sign in to comment.