Support signing requests and CRLs using ED25519 #804
Thanks for working on this.
I think the same change can be applied to OpenSSL::X509::CRL. Could you update it as well?
This commit doesn't belong to ruby/openssl. I think you meant
The pkey oid for Ed25519 has different cases depending on the ssl library, so I switched to openssl:
libressl:
It seems https://github.com/ruby/openssl/actions/runs/11711737721/job/32645324677?pr=804#step:10:694 And https://github.com/ruby/openssl/actions/runs/11711737721/job/32645317144?pr=804#step:10:828
This commit that went to OpenSSL 1.1.0 seems relevant: openssl/openssl@fa0a9d7. I guess my new assertion in assert_equal(@rsa1024.public_to_der, req.public_key.public_to_der)
test_pkey wasn't checking for libressl as is done elsewhere. Note the libressl version check is different when testing pkey, because PKey#sign relies on EVP_PKey_sign, whereas signing an X509 cert/request/crl relies on ASN1_item_sign.
Allow requests to be signed using Ed25519 private keys by passing a nil digest. This is similar to commit b0fc100 when signing certs. Calling PKey#public_key is deprecated and does not work for Ed25519. The same can be accomplished by passing the private key.
Allow CRLs to be signed using Ed25519 private keys by passing a nil digest.
Thanks for your help @rhenium, all tests are passing now.
Looks good to me. Thank you for the PR!
Allow requests and CRLs to be signed using Ed25519 private keys by passing a nil digest. This is similar to commit b0fc100 when signing certs.
Note Ed25519 keys do not implement the same public_key method, so the test must special case RSA and DSA.
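
An added example, not code from this PR or from ruby/openssl: signing a certificate request and a CRL with an Ed25519 key by passing a nil digest, then verifying both after a DER round trip and confirming that a different key is rejected. The method name, subject and serial are constructed, and the nil return assumes that a binding without this change raises TypeError on a nil digest.

```ruby
require "openssl"

# Added example; names and values are constructed for illustration.
# Returns a hash of check results, or nil when the installed openssl gem
# rejects a nil digest (assumed here to surface as TypeError).
def ed25519_csr_and_crl_demo
  key   = OpenSSL::PKey.generate_key("ED25519")
  other = OpenSSL::PKey.generate_key("ED25519") # unrelated key for the negative check
  name  = OpenSSL::X509::Name.parse("/CN=example.test")
  now   = Time.now

  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = name
  req.public_key = key   # the private key is passed; PKey#public_key is not used
  req.sign(key, nil)     # nil digest: Ed25519 takes no separate digest argument

  revoked = OpenSSL::X509::Revoked.new
  revoked.serial = 42
  revoked.time = now

  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = name
  crl.last_update = now
  crl.next_update = now + 3600
  crl.add_revoked(revoked)
  crl.sign(key, nil)

  # Round-trip through DER so verification runs on what a relying party parses.
  parsed_req = OpenSSL::X509::Request.new(req.to_der)
  parsed_crl = OpenSSL::X509::CRL.new(crl.to_der)
  {
    csr_valid: parsed_req.verify(parsed_req.public_key),
    csr_rejects_other_key: !parsed_req.verify(other),
    # Compared case-insensitively because the name's case can differ by SSL library.
    csr_alg_is_ed25519: parsed_req.signature_algorithm.casecmp?("ED25519"),
    crl_valid: parsed_crl.verify(key),
    crl_rejects_other_key: !parsed_crl.verify(other),
    crl_revoked_serials: parsed_crl.revoked.map { |r| r.serial.to_i }
  }
rescue TypeError
  nil
end

p ed25519_csr_and_crl_demo if $PROGRAM_NAME == __FILE__
```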