sfackler / rust-openssl

OpenSSL bindings for Rust

Encryption/decryption using Ed25519. #2272

Open rahulksnv opened 1 month ago

rahulksnv commented 1 month ago

I am trying to encrypt using Ed25519, and I ran into this error:

ErrorStack([Error { code: 50331798, library: "digital envelope routines", function: "evp_pkey_asym_cipher_init", reason: "operation not supported for this keytype", file: "crypto/evp/asymcipher.c", line: 189 }])

From looking around previous reports on this error, I am not sure if encryption/decryption is even supported for Ed25519, as it is primarily intended for signatures. Please let me know.

Some context on why Ed25519 is being used: we have existing infra that uses biscuit_auth for authentication, and biscuit is primarily based on Ed25519. Ideally, would like to use the same key pair for the encrypt/decrypt as well.

Thanks.

alex commented 1 month ago

ed25519 is a signature algorithm, it cannot be used for encryption.

On Mon, Jul 29, 2024 at 5:51 PM Rahul Subramaniyam wrote: [...]

-- All that is necessary for evil to succeed is for good people to do nothing.

rahulksnv commented 1 month ago

Thanks for confirming. In this case, what are the choices apart from RSA for the asymmetric encryption? Any EC based ones that should be preferred?

alex commented 1 month ago

It is possible to use ECDH to build a hybrid asymmetric encryption scheme (see ECIES, for example).

On Mon, Jul 29, 2024 at 6:08 PM Rahul Subramaniyam wrote: [...]


rahulksnv commented 1 month ago

From what I understand, ECIES is not something openssl supports as is. We would need to add some layers on top for the hybrid scheme. Is this correct?

alex commented 1 month ago

Yes, you'd have to build it yourself.

On Mon, Jul 29, 2024 at 6:22 PM Rahul Subramaniyam wrote: [...]
