pyca / pyopenssl

A Python wrapper around the OpenSSL library
https://pyopenssl.org/
Apache License 2.0

x509.sign does not work for Ed25519 keys (digest must be NULL) #1306

Closed bit closed 2 months ago

bit commented 3 months ago

Trying to create a certificate signed with an Ed25519 key does not work. Signing currently requires a digest; Ed25519 only works with the digest set to NULL.

import OpenSSL.crypto

# This PEM holds an Ed448 key (OID 1.3.101.113, "K2Vx" in the base64); Ed25519 keys hit
# the same requirement, since both EdDSA variants need the digest to be NULL.
ed448_private_key_pem = b"""-----BEGIN PRIVATE KEY-----
MEcCAQAwBQYDK2VxBDsEOcqZ7a3k6JwrJbYO8CNTPT/d7dlWCo5vCf0EYDj79ZvA\nhD8u9EPHlYJw5Y8ZQdH4WmVEfpKA23xkdQ==
-----END PRIVATE KEY-----
"""
key = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, ed448_private_key_pem)
x509 = OpenSSL.crypto.X509()
x509.set_pubkey(key)
# Fails: X509.sign() expects a digest name, but an EdDSA key needs the digest to be NULL.
x509.sign(key, None)

It's possible to call the internal sign function with NULL to get the certificate:

# Workaround: call OpenSSL's X509_sign() directly with a NULL EVP_MD. It returns the
# signature length in bytes, or 0 on failure, so the result is worth checking.
OpenSSL.crypto._lib.X509_sign(x509._x509, key._pkey, OpenSSL.crypto._ffi.NULL)

alex commented 3 months ago

At this point we recommend using https://cryptography.io/en/latest/ for all X.509 use cases.
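As an added example (not code from this issue, from pyOpenSSL, or from its maintainers), the same self-signed certificate built with the `cryptography` package that the reply above recommends. It assumes `cryptography` is installed and generates an Ed25519 key at runtime instead of loading the Ed448 PEM from the issue; an Ed448 key loaded with `serialization.load_pem_private_key` would go through `build_self_signed_cert` unchanged. The point mirrors the NULL-digest requirement from the issue: EdDSA signs the TBS bytes directly, so `CertificateBuilder.sign()` must be given `algorithm=None`, and a hash is refused with `ValueError`. The example also verifies the result with the certificate's own public key and shows that a different key does not verify.

```python
# Added example for this thread (not code from pyOpenSSL or its maintainers).
# Builds an Ed25519 self-signed certificate with `cryptography`, where the
# digest argument must be None: the equivalent of the NULL EVP_MD that
# OpenSSL's X509_sign() needs for EdDSA keys.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ed25519
from cryptography.x509.oid import NameOID


def _self_signed_builder(private_key, common_name, days):
    """Unsigned CertificateBuilder for a self-signed CA cert (subject == issuer)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(private_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    )


def build_self_signed_cert(private_key, common_name="eddsa-example", days=365):
    """Sign with algorithm=None, which is required for Ed25519 and Ed448 keys:
    EdDSA has its own internal hashing and takes no separate digest."""
    builder = _self_signed_builder(private_key, common_name, days)
    return builder.sign(private_key, algorithm=None)


def signing_with_digest_is_rejected(private_key):
    """The mistake from the issue, in cryptography terms: passing a hash for an
    EdDSA key raises ValueError instead of producing a certificate."""
    builder = _self_signed_builder(private_key, "should-fail", 1)
    try:
        builder.sign(private_key, hashes.SHA256())
    except ValueError:
        return True
    return False


def verify_signature(cert, public_key=None):
    """Verify cert's signature over its TBS bytes with public_key
    (default: the key embedded in the certificate, i.e. a self-signature check).
    Ed25519PublicKey.verify(signature, data) raises InvalidSignature on failure."""
    public_key = public_key or cert.public_key()
    try:
        public_key.verify(cert.signature, cert.tbs_certificate_bytes)
    except InvalidSignature:
        return False
    return True


def run_demo():
    """Build, serialise, reload and verify an Ed25519 certificate.
    Returns the facts a caller or test can check."""
    key = ed25519.Ed25519PrivateKey.generate()  # generated here, not the issue's key
    cert = build_self_signed_cert(key)
    pem = cert.public_bytes(serialization.Encoding.PEM)
    reloaded = x509.load_pem_x509_certificate(pem)
    other_public_key = ed25519.Ed25519PrivateKey.generate().public_key()
    return {
        "sig_oid": reloaded.signature_algorithm_oid.dotted_string,  # id-Ed25519 = 1.3.101.112
        "verified": verify_signature(reloaded),
        "wrong_key_rejected": not verify_signature(reloaded, other_public_key),
        "digest_rejected": signing_with_digest_is_rejected(key),
        "pem": pem,
    }


if __name__ == "__main__":
    result = run_demo()
    print(result["pem"].decode())
    print({k: v for k, v in result.items() if k != "pem"})
```

`signature_hash_algorithm` is deliberately not read here: for an EdDSA-signed certificate `cryptography` raises `UnsupportedAlgorithm` from that property, for the same reason the digest has to be `None` when signing, so code that inspects certificates generically should branch on `signature_algorithm_oid` instead.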