On 07/27/2018 10:43 AM, Viktor Dukhovni wrote:
> On Jul 27, 2018, at 10:36 AM, Robert Moskowitz <r...@htt-consult.com> wrote:
>> Anyway error on the next step:
>>
>> # openssl req -config $dir/openssl-root.cnf\
>>      -set_serial 0x$(openssl rand -hex $sn)\
>>      -keyform pem -outform pem\
>>      -key $dir/private/ca.key.pem -subj "$DN"\
>>      -new -x509 -days 7300 -extensions v3_ca\
>>      -out $dir/certs/ca.cert.pem
>> Enter pass phrase for /root/ca/private/ca.key.pem:
>> 3064983568:error:1010F08A:elliptic curve routines:pkey_ecd_ctrl:invalid digest type:crypto/ec/ecx_meth.c:801:
>
> Do you have a "default_md" in your configuration file?
> Ed25519 and Ed448 sign the raw data, not a digest thereof.
> It might be more user-friendly to figure out a way to ignore
> the requested digest rather than throw an error...

Ouch. That is bad. Since ed25519 does not use md, it should not error
out on this at all. Makes it especially challenging for a cnf file to
have multiple uses. I commented out default_md and it worked. Dumping
it shows:

# openssl x509 -inform pem -in $dir/certs/ca.cert.pem\
> -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            49:b3:1f:0f:cf:8a:9a:d9
        Signature Algorithm: ED25519
        Issuer: C = US, ST = MI, L = Oak Park, O = HTT Consulting, CN = Root CA
        Validity
            Not Before: Jul 27 14:49:02 2018 GMT
            Not After : Jul 22 14:49:02 2038 GMT
        Subject: C = US, ST = MI, L = Oak Park, O = HTT Consulting, CN = Root CA
        Subject Public Key Info:
            Public Key Algorithm: ED25519
                ED25519 Public-Key:
                pub:
                    ea:c7:3a:3c:80:49:ce:c9:a6:eb:a4:01:0a:11:df:
                    62:58:27:e0:af:77:5c:3e:fd:73:08:24:f8:e4:b1:
                    45:0c
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                D6:1B:BA:96:44:EF:F1:07:59:35:A7:F2:77:5F:82:24:21:53:9A:9F
            X509v3 Authority Key Identifier:
                keyid:D6:1B:BA:96:44:EF:F1:07:59:35:A7:F2:77:5F:82:24:21:53:9A:9F
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Alternative Name:
                email:postmas...@htt-consult.com
    Signature Algorithm: ED25519
         93:f9:f9:c2:a6:e7:ca:8f:5c:82:4b:fa:7f:a8:0f:4c:e2:46:
         52:f3:99:d0:ad:f0:2c:2b:b4:f3:90:26:27:8f:36:2b:ed:cf:
         58:c5:f4:28:78:ec:59:53:13:ac:96:32:fa:07:ac:b6:d8:eb:
         78:2c:da:19:95:6e:ed:36:bb:09

So on to the next step.
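
The workaround in the message above (commenting out default_md when the key is Ed25519) can be applied to a derived copy of a shared config, so the same file still serves RSA or ECDSA keys. This is an added example, not part of the original post or of OpenSSL: the function names and the sample config are constructed, and it assumes that commenting out every active default_md line is acceptable for the command being run.

```shell
#!/bin/sh
# Added example (not from the thread); all names here are hypothetical.

# needs_no_digest ALG: succeed for key types that sign the raw data.
needs_no_digest() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        ED25519|ED448) return 0 ;;
        *) return 1 ;;
    esac
}

# cnf_for_key ALG CONFIG: print CONFIG on stdout. For Ed25519/Ed448 every
# active "default_md = ..." line is commented out; otherwise it is unchanged.
cnf_for_key() {
    if needs_no_digest "$1"; then
        sed -E 's/^([[:space:]]*)(default_md[[:space:]]*=)/\1# \2/' "$2"
    else
        cat "$2"
    fi
}

# Constructed sample config (not the poster's openssl-root.cnf).
sample_cnf() {
    cat <<'EOF'
[ CA_default ]
default_days = 375
default_md   = sha256

[ req ]
default_bits = 2048
  default_md = sha256
#default_md = sha512
prompt       = no
EOF
}

# demo ALG: print how many default_md settings stay active for that key type.
demo() {
    tmp=$(mktemp -d) || return 1
    sample_cnf > "$tmp/shared.cnf"
    cnf_for_key "$1" "$tmp/shared.cnf" > "$tmp/derived.cnf"
    # The derived file is what would be passed to: openssl req -config ...
    grep -Ec '^[[:space:]]*default_md[[:space:]]*=' "$tmp/derived.cnf" || true
    rm -rf "$tmp"
}

echo "RSA:     $(demo RSA) active default_md line(s)"
echo "ED25519: $(demo ED25519) active default_md line(s)"
```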