Re: ed25519 self-signed root cert

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 07/27/2018 10:43 AM, Viktor Dukhovni wrote:



On Jul 27, 2018, at 10:36 AM, Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:

nyway error on the next step:

# openssl req -config $dir/openssl-root.cnf\

      -set_serial 0x$(openssl rand -hex $sn)\
      -keyform pem -outform pem\
      -key $dir/private/ca.key.pem -subj "$DN"\
      -new -x509 -days 7300 -extensions v3_ca\
      -out $dir/certs/ca.cert.pem

Enter pass phrase for /root/ca/private/ca.key.pem:
3064983568:error:1010F08A:elliptic curve routines:pkey_ecd_ctrl:invalid digest type:crypto/ec/ecx_meth.c:801:

Do you have a "default_md" in your configuration file?
Ed25519 and Ed448 sign the raw data, not a digest thereof.

It might be more use-friendly to figure out a way to ignore
the requested digest rather than throw an error...
Ouch.  That is bad.  Since ed25519 does not use md, it should not error out on this at all.  Makes it especially challenging for a cnf file to have multiple uses.  I commented out default_md and it worked.  Dumping it shows: 

# openssl x509 -inform pem -in $dir/certs/ca.cert.pem\
>         -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            49:b3:1f:0f:cf:8a:9a:d9
        Signature Algorithm: ED25519
        Issuer: C = US, ST = MI, L = Oak Park, O = HTT Consulting, CN = Root CA 
        Validity
            Not Before: Jul 27 14:49:02 2018 GMT
            Not After : Jul 22 14:49:02 2038 GMT
        Subject: C = US, ST = MI, L = Oak Park, O = HTT Consulting, CN = Root CA 
        Subject Public Key Info:
            Public Key Algorithm: ED25519
                ED25519 Public-Key:
                pub:
                    ea:c7:3a:3c:80:49:ce:c9:a6:eb:a4:01:0a:11:df:
                    62:58:27:e0:af:77:5c:3e:fd:73:08:24:f8:e4:b1:
                    45:0c
        X509v3 extensions:
            X509v3 Subject Key Identifier:
D6:1B:BA:96:44:EF:F1:07:59:35:A7:F2:77:5F:82:24:21:53:9A:9F
            X509v3 Authority Key Identifier:
keyid:D6:1B:BA:96:44:EF:F1:07:59:35:A7:F2:77:5F:82:24:21:53:9A:9F

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Alternative Name:
                email:postmaster@xxxxxxxxxxxxxxx
    Signature Algorithm: ED25519
         93:f9:f9:c2:a6:e7:ca:8f:5c:82:4b:fa:7f:a8:0f:4c:e2:46:
         52:f3:99:d0:ad:f0:2c:2b:b4:f3:90:26:27:8f:36:2b:ed:cf:
         58:c5:f4:28:78:ec:59:53:13:ac:96:32:fa:07:ac:b6:d8:eb:
         78:2c:da:19:95:6e:ed:36:bb:09


So on to the next step.


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux