[openssl-users] ed25519 self-signed root cert

Robert Moskowitz rgm at htt-consult.com
Fri Jul 27 14:56:59 UTC 2018 


On 07/27/2018 10:43 AM, Viktor Dukhovni wrote:
>
>> On Jul 27, 2018, at 10:36 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>>
>> nyway error on the next step:
>>
>> # openssl req -config $dir/openssl-root.cnf\
>>>       -set_serial 0x$(openssl rand -hex $sn)\
>>>       -keyform pem -outform pem\
>>>       -key $dir/private/ca.key.pem -subj "$DN"\
>>>       -new -x509 -days 7300 -extensions v3_ca\
>>>       -out $dir/certs/ca.cert.pem
>> Enter pass phrase for /root/ca/private/ca.key.pem:
>> 3064983568:error:1010F08A:elliptic curve routines:pkey_ecd_ctrl:invalid digest type:crypto/ec/ecx_meth.c:801:
> Do you have a "default_md" in your configuration file?
> Ed25519 and Ed448 sign the raw data, not a digest thereof.
>
> It might be more use-friendly to figure out a way to ignore
> the requested digest rather than throw an error...
>

Ouch.  That is bad.  Since ed25519 does not use md, it should not error 
out on this at all.  Makes it especially challenging for a cnf file to 
have multiple uses.  I commented out default_md and it worked.  Dumping 
it shows:

# openssl x509 -inform pem -in $dir/certs/ca.cert.pem\
 >         -text -noout
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
             49:b3:1f:0f:cf:8a:9a:d9
         Signature Algorithm: ED25519
         Issuer: C = US, ST = MI, L = Oak Park, O = HTT Consulting, CN = 
Root CA
         Validity
             Not Before: Jul 27 14:49:02 2018 GMT
             Not After : Jul 22 14:49:02 2038 GMT
         Subject: C = US, ST = MI, L = Oak Park, O = HTT Consulting, CN 
= Root CA
         Subject Public Key Info:
             Public Key Algorithm: ED25519
                 ED25519 Public-Key:
                 pub:
                     ea:c7:3a:3c:80:49:ce:c9:a6:eb:a4:01:0a:11:df:
                     62:58:27:e0:af:77:5c:3e:fd:73:08:24:f8:e4:b1:
                     45:0c
         X509v3 extensions:
             X509v3 Subject Key Identifier:
D6:1B:BA:96:44:EF:F1:07:59:35:A7:F2:77:5F:82:24:21:53:9A:9F
             X509v3 Authority Key Identifier:
keyid:D6:1B:BA:96:44:EF:F1:07:59:35:A7:F2:77:5F:82:24:21:53:9A:9F

             X509v3 Basic Constraints: critical
                 CA:TRUE
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
             X509v3 Subject Alternative Name:
                 email:postmaster at htt-consult.com
     Signature Algorithm: ED25519
          93:f9:f9:c2:a6:e7:ca:8f:5c:82:4b:fa:7f:a8:0f:4c:e2:46:
          52:f3:99:d0:ad:f0:2c:2b:b4:f3:90:26:27:8f:36:2b:ed:cf:
          58:c5:f4:28:78:ec:59:53:13:ac:96:32:fa:07:ac:b6:d8:eb:
          78:2c:da:19:95:6e:ed:36:bb:09


So on to the next step.

More information about the openssl-users mailing list