-
-
Notifications
You must be signed in to change notification settings - Fork 10.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for EdDSA (Ed25519 & Ed448) #487
Comments
I don't think anyone is actually working on this. There's also https://rt.openssl.org/Ticket/Display.html?id=4077 tracking this (that you created as well), with just one reply from @richsalz https://mta.openssl.org/pipermail/openssl-dev/2015-October/003010.html (that went only to the mailing list and not RT, so I'm guessing you haven't seen it). It kinda seemed like you were interested in working on this, or at least finding a suitable implementation that could be used by OpenSSL, but maybe I got the wrong idea. |
Has CFRG concluded yet? It's pretty clear only "deterministic DSA" right? |
You might profit from the work of boringssl: |
It sure would be nice if someone was working on it. :) |
@richsalz just so this is canonicalized here, CFRG isn't done yet, but the Ed25519 portion is pretty solid at this point: https://tools.ietf.org/html/draft-irtf-cfrg-eddsa-02 |
Yes, we're aware. We'll have to see. It might be hard to get it into 1.1; a PR with source doc and test would help :) |
I figured you were aware, just wanted to make sure anyone viewing this PR had an answer :-) |
The answer is: send code, else I think it's doubtful. My opinion. |
Please support Ed511187. |
@stas730 please open a separate issue. |
@stas730 Your Ed511187 does not exist. |
Why I see it in a some library? Library name CoCryl. |
UPD: Normal link |
M-511 is this Curve. |
Linked below is a gist/patch file that will add support for Ed25519 to OpenSSL 1.0.2j. The effort isn't perfect, by any means, but hopefully it will tide me (and others) over till a) EdDSA is fully supported officially, b) v1.1.1 is released (assuming Ed25519 makes the cut for 1.1.1, and c) several years pass, bugs are fixed, and confidence is gained in v1.1.1 and migrations are made. This patch bolts the boringssl Ed25519 and X25519 functions onto OpenSSL v1.0.2. Note that master already has X25519 functions but the interfaces are slightly different, so I felt it was easier to take the whole boringssl package rather than mix and match interfaces. Unfortunately none of the implementations (boringssl or master) add support for Ed25519 to the EVP interfaces, so you'll have to use the raw interfaces:
I plan to cleanup a few minor things when time allows, so if anyone notices an issue let me know and I'll see what I can do. https://gist.github.com/ladar/04bf594b793e957e6b576633e00467c0 |
Since curve25519 and ed25519 use different derivation logic when going from a private seed value to a public exponent, I added the function ED25519_public_from_private() to the patch. There is already an X25519 function for this purpose.
https://gist.github.com/ladar/e45e893901f30f480dd49265ba3c42c0 |
Suggest you post this to openssl-users so more people will see what you’ve got. |
The patch links above have been updated to use the ED25519_keypair_from_seed() nomenclature/prototype as discussed on the boringssl change review linked below. I updated the patch to reflect the API change so the two remain consistent with each other. https://boringssl-review.googlesource.com/#/c/12040/ P.S. @richsalz I haven't had time to post the patch to the dev/users mailing lists yet. Feel free to share them for me if you think others would be interested. |
New: RFC8080: Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSEC (Ed25519 and Ed448) (I have powerdns in mind.) Edit: I would switch from P-384 only to Ed448. (Special use) |
Could anyone clarify if OpenSSL will fully support Ed25519 and Ed448 anytime soon? PS: Would the Ed448-Goldilocks implementation by Mike Hamburg that is currently licensed under the MIT license be suiteable for OpenSSL? |
In my personal opinion, I doubt it would happen before Q3, and might not show up in release until 2018. The team is working mainly on other things, especially TLS 1.3 A PR that worked and fit into the EVP API would speed things up tremendously. |
PowerDNS already supports Ed25519 via libsodium. |
Update: I'm working on Ed25519 support. I should have an initial WIP PR soon. |
@snhenson @richsalz regarding the new API, after #3503
|
In other key types, See #487 (comment). It's unfortunate that the API gives names are the opposite of what one would expect here ("sign" is sign digest and "DigestSign" is sign message), but so it goes. :-/ |
Is that really so? In my understanding Other key types call these two functions after pre-hashing, but nowhere the documentation states that But this is not really the point of my questions: currently Ed25519, and one day Ed448 or other EdDSA implementations, have their own API for sign/verify and need to be treated differently from any other Not having |
@romen If I understood your comment correctly, there is no |
@R030t1 I was not pointing at that but what you say is also true: X25519 and Ed25519 are implemented at the What I wanted to point out is that external libraries or programs (end even the builtin apps in openssl accessible from the openssl command line utility), since the introduction of changes for ED25519, apparently lack a unified API way to sign/verify, as some methods require to use digestsign/digestverify instead of the sign/verify function and there is no programmatic way of querying a method to discover which function should be used. |
You should always use the digestsign/digestverify functions for signing messages. That's your unified API. To answer your earlier question, |
@davidben If the end result is that I can't perform certain operations with a signature system then I am not sure the API is unified. |
It seems it's not possible to create eddsa certificates via command line. Do you plan to add support for that ? |
It is perfectly possible to create EdDSA certs from the command line. E.g.:
|
Thank you, @mattcaswell . Indeed it works with openssl compiled from master branch |
I'm trying to generate a key in different way and getting following error
It's a bit weird, because same command works for RSA and ECDSA |
What's in openssl.cnf? |
I do have
but commenting this line doesn't change anything. That's my full file:
|
As well as the line you pointed out, you also have a second similar one in the
What happens if you comment that out? |
Ahh, I've missed that one. |
Great! I wonder what should happen in that scenario? Do we do the right thing by complaining? Or should we ignore a default md in that case? |
I'm not sure what would be better codewise, but I think I would vote for ignore, my arguments:
|
EdDSA is a public-key digital signature system, instantiated with common parameters as Ed25519 and Ed448. It would be nice to have this implemented in OpenSSL, both at the crypto API level and at the TLS level.
Crypto: https://tools.ietf.org/html/draft-irtf-cfrg-eddsa
TLS: https://tools.ietf.org/html/draft-ietf-tls-rfc4492bis
I'm sure people are thinking and working this, but I did not find a good place to follow progress about this, so I'm hoping a wishlist like this will help to make the status of this work public.
/Simon
The text was updated successfully, but these errors were encountered: