Pass through nil as digest when signing certificates #761

Merged
merged 4 commits into from
Jun 11, 2024

Conversation

gartens (Contributor) commented May 28, 2024

In order to sign certificates with Ed25519 keys, NULL must be passed as md to X509_sign. This NULL is then passed (via ASN1_item_sign_ex) as type to EVP_DigestSignInit. The documentation of EVP_DigestSignInit states that type must be NULL for various key types, including Ed25519.

In order to sign certificates with Ed25519 keys, NULL must be passed
as md to X509_sign.  This NULL is then passed
(via ASN1_item_sign_ex) as type to EVP_DigestSignInit.  The
documentation[1] of EVP_DigestSignInit states that type must be NULL
for various key types, including Ed25519.

[1]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestSignInit.html
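As an added example (not code from this PR or from the ruby/openssl test suite), this shows the Ruby-level effect of the change: a self-signed certificate is signed with an Ed25519 key by passing nil as the digest, which ruby/openssl forwards to X509_sign as a NULL EVP_MD, while a concrete digest such as SHA256 is rejected for that key type. The subject name and validity window are constructed values; it assumes an openssl gem that includes this change and an OpenSSL build with Ed25519 support.

```ruby
require "openssl"

# Build a self-signed X.509 v3 certificate with an Ed25519 key.
# Ed25519 is a "pure" signature scheme with no separate message digest,
# so the digest argument to Certificate#sign must be nil; ruby/openssl
# passes that nil through to X509_sign as a NULL EVP_MD (this PR).
def ed25519_self_signed_cert(digest: nil)
  key  = OpenSSL::PKey.generate_key("ED25519")
  name = OpenSSL::X509::Name.parse("/CN=ed25519-example") # constructed subject

  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = 1
  cert.subject    = name
  cert.issuer     = name # self-signed: issuer == subject
  cert.public_key = key
  cert.not_before = Time.now
  cert.not_after  = cert.not_before + 3600 # constructed one-hour validity

  cert.sign(key, digest) # nil is the only valid digest for Ed25519
  [cert, key]
end

# Verify the certificate against its own public key, record the signature
# algorithm OpenSSL wrote into it, and confirm that a non-nil digest is
# rejected for an Ed25519 key (X509_sign fails -> CertificateError).
def check_ed25519_cert
  cert, key = ed25519_self_signed_cert(digest: nil)
  {
    verifies: cert.verify(key),
    sig_alg: cert.signature_algorithm,
    sha256_rejected: begin
      ed25519_self_signed_cert(digest: OpenSSL::Digest.new("SHA256"))
      false
    rescue OpenSSL::X509::CertificateError
      true
    end,
  }
end

if $PROGRAM_NAME == __FILE__
  p check_ed25519_cert
end
```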

rhenium (Member) left a comment


Thanks for working on this!

Review threads: ext/openssl/ossl_x509cert.c (resolved); test/openssl/test_x509cert.rb (outdated, resolved)
issue_cert ends up calling ASN1_item_sign_ctx in libcrypto, which was
changed to work with Ed25519 in LibreSSL version 3.8.1.
@rhenium rhenium merged commit b0fc100 into ruby:master Jun 11, 2024
54 checks passed
matzbot pushed a commit to ruby/ruby that referenced this pull request Jun 11, 2024
(ruby/openssl#761)
ruby/openssl@b0fc100091
rhenium (Member) commented Jun 11, 2024

Looks good to me. Thank you!
