[openssl-users] EDDSA crl creation woes

[Robert Moskowitz]

On 08/09/2018 09:34 AM, Matt Caswell wrote:
>
> On 08/08/18 20:49, Robert Moskowitz wrote:
>> Finally back on working on my EDDSA pki.
>>
>> Working on beta Fedora29 which now ships with:
>>
>> OpenSSL 1.1.1-pre8 (beta) FIPS 20 Jun 2018
>>
>>
>> To recap, there are challenges on hash specification.  In creating
>> certs, I cannot have default_md line in my .cnf file, or at least for it
>> to = sha256.  And in those commands where I had to have -md sha256 with
>> ecdsa, I have to have -md null.  This is compared to those commands that
>> took -sha256 and now require nothing in the command line about the hash.
>>
>> So one to crl:
>>
>>     openssl ca -config $dir/openssl-$intermediate.cnf \
>>           -gencrl -out $dir/crl/$crl
>>
>> Using configuration from /root/ca/intermediate/openssl-intermediate.cnf
>> Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem:
>> variable lookup failed for CA_default::default_md
>> 3069739024:error:0E06D06C:configuration file
>> routines:NCONF_get_string:no
>> value:crypto/conf/conf_lib.c:275:group=CA_default name=default_md
>>
>> In this .cnf file, there is no default_md line.
>>
>> So I added -md to the command line:
>>
>>     openssl ca -config $dir/openssl-$intermediate.cnf -md null\
>>           -gencrl -out $dir/crl/$crl
>>
>> And that worked.
>>
>> Very confusing.  It would be preferable if EDDSA related generation just
>> ignores md values?
>>
>>
> I've just created PR 6901 that will hopefully improve things. This
> basically ignores any -md or default_md setting if EdDSA is in use.
>
> https://github.com/openssl/openssl/pull/6901

Matt,

Thanks for addressing this.  It will keep a lot of questions off the 
user list once use of EDDSA becomes 'mainline'.

Please let me know when a beta is out with this change so I can ask the 
Fedora team to grab it so I can test it.

It pulls a big caveat section from the eddsa-pki draft I am writing.