Is ED25519 supported?

[Yenya]

I want to try to use a key pair based on elliptic curve cryptography. Can it be done with Crypt::LE?

When I try to use ED25519 as an account key, it fails:

$ openssl genpkey -out account.key --algorithm ED25519
$ le.pl --curve ED25519 --key account.key  --csr test.csr --csr-key test.key --crt test.crt --domains my.fq.dn --generate-missing  --path /var/www/html/.well-known/acme-challenge --unlink
2021/08/31 09:48:31 [ Crypt::LE client v0.38 started. ]
2021/08/31 09:48:31 Loading an account key from account.key
2021/08/31 09:48:31 Could not load an account key: Key loading error.

Using RSA account key works, but le.pl fails when generating a CSR:

$ openssl genpkey -out account.key --algorithm rsa
...................+++++
.................................................+++++
$ le.pl --curve ED25519 --key account.key  --csr test.csr --csr-key test.key --crt test.crt --domains my.fq.dn --generate-missing  --path /var/www/html/.well-known/acme-challenge --unlink
2021/08/31 09:57:16 [ Crypt::LE client v0.38 started. ]
2021/08/31 09:57:16 Loading an account key from account.key
2021/08/31 09:57:16 Generating a new CSR for domains my.fq.dn
2021/08/31 09:57:16 New CSR will be based on a generated key
2021/08/31 09:57:16 Could not generate a CSR: Could not generate the private key 'ED25519' - unknown curve nid=1087

When I use an incorrect curve name, I get unknown curve <curve_name> instead of unknown curve nid=XXX,
so I guess --curve ED25519 is correct.

When I create also a private key for the certificate manually, le.pl fails withUnexpected CSR error:

$ openssl genpkey -out test.key --algorithm ED25519
$  le.pl --curve ED25519 --key account.key  --csr test.csr --csr-key test.key --crt test.crt --domains my.fq.dn --generate-missing  --path /var/www/html/.well-known/acme-challenge --unlink
2021/08/31 09:58:43 [ Crypt::LE client v0.38 started. ]
2021/08/31 09:58:43 Loading an account key from account.key
2021/08/31 09:58:43 Generating a new CSR for domains my.fq.dn
2021/08/31 09:58:43 New CSR will be based on 'test.key' key
2021/08/31 09:58:43 Could not generate a CSR: Unexpected CSR error.

Thanks in advance,

-Yenya

[do-know]

The account key is RSA-only, but the CSR one can use any curve that is supported on the system by Net::SSLeay library which basically provides an interface to OpenSSL functions. The error you are seeing is not coming from the application itself but from Net::SSLeay (around these lines) - this might indicate for example that the library was installed from a package and later OpenSSL was upgraded. Rebuilding the library could help I believe - it can be installed either via CPAN or cpanminus (though you might need to run sudo apt-get install libssl-dev or yum install openssl-devel for Ubuntu/CentOS respectively). I hope that helps.

[Yenya]

Alexander, thanks for the fast reply. I have already tried to remove the system Net::SSLeay (I use Fedora Linux) and build a local one using cpanm, but it did not help.

The error indeed comes from Net::SSLeay itself:

$ perl -MNet::SSLeay -e 'Net::SSLeay::EC_KEY_generate_key("ED25519")'
unknown curve nid=1087 at -e line 1.

So I am going to close the issue and look into the Net::SSLeay build. Sorry for the noise and thanks again for the fast reply.

-Yenya