Creating an X25519-based Certificate

classic Classic list List threaded Threaded
20 messages Options
Reply | Threaded
Open this post in threaded view
|

Creating an X25519-based Certificate

Michael Scott
Hello,


How do I do this? Using the OpenSSL command line tool, a certificate request must be self-signed, but the X25519 elliptic curve (newly supported in version 1.1.0), doesn't do signature, it can only be used for key exchange.

(Of course the X25519 Montgomery curve is birationally equivalent to an Edwards curve which can do signature. And indeed it is our intention to use the Edwards curve. But first I need a CA-signed X25519 cert. But because of the above catch-22 problem, I cannot create one.) 


Mike



--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Creating an X25519-based Certificate

Salz, Rich
> How do I do this? Using the OpenSSL command line tool, a certificate request must be self-signed, but the X25519 elliptic curve (newly supported in version 1.1.0), doesn't do signature, it can only be used for key exchange.

You cannot do it.

You should look at the CFRG documents on Ed25519.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Creating an X25519-based Certificate

Jakob Bohm-7
On 29/06/2016 16:53, Salz, Rich wrote:
>> How do I do this? Using the OpenSSL command line tool, a certificate request must be self-signed, but the X25519 elliptic curve (newly supported in version 1.1.0), doesn't do signature, it can only be used for key exchange.
> You cannot do it.
>
> You should look at the CFRG documents on Ed25519.
>
This raises two general questions:

1. What is CFRG, I don't remember that acronym.

2. What is the general procedure for generating a CSR for
   an encryption-only algorithm, such as DH, ECDH etc.?

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Creating an X25519-based Certificate

Michael Scott
WellI can help with CFRG - its Crypto Forum Research Group.

Mike


On Wed, Jun 29, 2016 at 4:10 PM, Jakob Bohm <[hidden email]> wrote:
On 29/06/2016 16:53, Salz, Rich wrote:
How do I do this? Using the OpenSSL command line tool, a certificate request must be self-signed, but the X25519 elliptic curve (newly supported in version 1.1.0), doesn't do signature, it can only be used for key exchange.
You cannot do it.

You should look at the CFRG documents on Ed25519.

This raises two general questions:

1. What is CFRG, I don't remember that acronym.

2. What is the general procedure for generating a CSR for
  an encryption-only algorithm, such as DH, ECDH etc.?

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct <a href="tel:%2B45%2031%2013%2016%2010" value="+4531131610" target="_blank">+45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Creating an X25519-based Certificate

Salz, Rich
In reply to this post by Jakob Bohm-7
> 1. What is CFRG, I don't remember that acronym.

Crypto Forum Research Group,  part of the IETF's affiliated research group.  Co-chair is Kenny Paterson of lucky-13 (etc).  Useful documents here as well as pointers to the mailing list https://datatracker.ietf.org/rg/cfrg/documents/ 

> 2. What is the general procedure for generating a CSR for
>    an encryption-only algorithm, such as DH, ECDH etc.?

I don't know of one.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Creating an X25519-based Certificate

Erwann Abalea-4
In reply to this post by Michael Scott
Bonjour,

You may have a classic certificate containing your {X,Ed}{25519,448,whatever} public key once:
  • an OID is allocated to identify this type of public key (it will go into tbs.subjectPublicKeyInfo.algorithm.algorithm)
  • a set of associated optional parameters are defined for this OID (to go into tbs.subjectPublicKeyInfo.algorithm.parameters)
  • a canonical encoding for this type of public key is defined, so the key material can be enclosed into tbs.subjectPublicKeyInfo.subjectPublicKey

This certificate may be RSA-signed or ECDSA-signed (or whatever-signed, in fact).

For a CA to be able to Ed{25519,448,whatever}-sign something, the previous steps must have been done, plus:
  • an OID is allocated to identify the signature algorithm to apply (it will not be ECDSA) -> cert.signatureAlgorithm.algorithm
  • a set of associated optional parameters are defined for this OID -> cert.signatureAlgorithm.parameters
  • a canonical encoding for the signature value is defined, so it can be enclosed into cert.signatureValue

All this is being discussed at CFRG.

Cordialement,
Erwann Abalea

Le 29 juin 2016 à 16:46, Michael Scott <[hidden email]> a écrit :

Hello,


How do I do this? Using the OpenSSL command line tool, a certificate request must be self-signed, but the X25519 elliptic curve (newly supported in version 1.1.0), doesn't do signature, it can only be used for key exchange.

(Of course the X25519 Montgomery curve is birationally equivalent to an Edwards curve which can do signature. And indeed it is our intention to use the Edwards curve. But first I need a CA-signed X25519 cert. But because of the above catch-22 problem, I cannot create one.) 


Mike


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Creating an X25519-based Certificate

Michael Scott
Thanks Erwann, but that's not an answer to my question. 

To get the CA to sign (using RSA or anything) a certificate that contains an X25519 public key, that certificate must first submit to the CA something called a "Certificate request". This takes the form of the supplicant certificate, which is self-signed. However you cannot self-sign with an X25519 key (using the openssl command line tool), as it objects that X25519 does not support signature.  

So the issue arises around the "certificate request" process. There is I agree no problem in creating the certificate itself.


Mike



On Wed, Jun 29, 2016 at 4:27 PM, Erwann Abalea <[hidden email]> wrote:
Bonjour,

You may have a classic certificate containing your {X,Ed}{25519,448,whatever} public key once:
  • an OID is allocated to identify this type of public key (it will go into tbs.subjectPublicKeyInfo.algorithm.algorithm)
  • a set of associated optional parameters are defined for this OID (to go into tbs.subjectPublicKeyInfo.algorithm.parameters)
  • a canonical encoding for this type of public key is defined, so the key material can be enclosed into tbs.subjectPublicKeyInfo.subjectPublicKey

This certificate may be RSA-signed or ECDSA-signed (or whatever-signed, in fact).

For a CA to be able to Ed{25519,448,whatever}-sign something, the previous steps must have been done, plus:
  • an OID is allocated to identify the signature algorithm to apply (it will not be ECDSA) -> cert.signatureAlgorithm.algorithm
  • a set of associated optional parameters are defined for this OID -> cert.signatureAlgorithm.parameters
  • a canonical encoding for the signature value is defined, so it can be enclosed into cert.signatureValue

All this is being discussed at CFRG.

Cordialement,
Erwann Abalea

Le 29 juin 2016 à 16:46, Michael Scott <[hidden email]> a écrit :

Hello,


How do I do this? Using the OpenSSL command line tool, a certificate request must be self-signed, but the X25519 elliptic curve (newly supported in version 1.1.0), doesn't do signature, it can only be used for key exchange.

(Of course the X25519 Montgomery curve is birationally equivalent to an Edwards curve which can do signature. And indeed it is our intention to use the Edwards curve. But first I need a CA-signed X25519 cert. But because of the above catch-22 problem, I cannot create one.) 


Mike


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Creating an X25519-based Certificate

Salz, Rich
>as it objects that X25519 does not support signature.  

To repeat: X25519 only supports key exchange.  The 25519 signing mechanism is not yet defined.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Creating an X25519-based Certificate

Salz, Rich

> To repeat: X25519 only supports key exchange.  The 25519 signing
> mechanism is not yet defined.

And see also: https://datatracker.ietf.org/doc/draft-ietf-curdle-pkix/

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Creating an X25519-based Certificate

Michael Scott


On Wed, Jun 29, 2016 at 6:21 PM, Salz, Rich <[hidden email]> wrote:

> To repeat: X25519 only supports key exchange.  The 25519 signing
> mechanism is not yet defined.

Which I don't have a problem with. 

But surely the openssl command line tool should provide a mechanism for allowing an X25519-based certificate to be signed by a CA. 

Its seems that the "certificate request" protocol, which requires self-signing, prevents this in this case.


Mike
 

And see also: https://datatracker.ietf.org/doc/draft-ietf-curdle-pkix/

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Creating an X25519-based Certificate

Salz, Rich

> But surely the openssl command line tool should provide a mechanism for allowing an X25519-based certificate to be signed by a CA. 

> Its seems that the "certificate request" protocol, which requires self-signing, prevents this in this case.

Yes, that is exactly the point.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Creating an X25519-based Certificate

Abe Racioppo
290620161352

On 6/29/16, Salz, Rich <[hidden email]> wrote:

>
>> But surely the openssl command line tool should provide a mechanism for
>> allowing an X25519-based certificate to be signed by a CA.
>
>> Its seems that the "certificate request" protocol, which requires
>> self-signing, prevents this in this case.
>
> Yes, that is exactly the point.
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>


--
signature
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Creating an X25519-based Certificate

Abe Racioppo
tsets

On 6/29/16, Abe Racioppo <[hidden email]> wrote:

> 290620161352
>
> On 6/29/16, Salz, Rich <[hidden email]> wrote:
>>
>>> But surely the openssl command line tool should provide a mechanism for
>>> allowing an X25519-based certificate to be signed by a CA.
>>
>>> Its seems that the "certificate request" protocol, which requires
>>> self-signing, prevents this in this case.
>>
>> Yes, that is exactly the point.
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>>
>
>
> --
> signature
>


--
signature
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Creating an X25519-based Certificate

Erwann Abalea-4
In reply to this post by Michael Scott
Ok, you’re talking about OpenSSL command line tool only, I missed that part.

The solution should then be to modify apps/ca.c:certify() function to add an arg, and avoid the call to X509_REQ_verify when desired.

Cordialement,
Erwann Abalea

Le 29 juin 2016 à 19:17, Michael Scott <[hidden email]> a écrit :

Thanks Erwann, but that's not an answer to my question. 

To get the CA to sign (using RSA or anything) a certificate that contains an X25519 public key, that certificate must first submit to the CA something called a "Certificate request". This takes the form of the supplicant certificate, which is self-signed. However you cannot self-sign with an X25519 key (using the openssl command line tool), as it objects that X25519 does not support signature.  

So the issue arises around the "certificate request" process. There is I agree no problem in creating the certificate itself.


Mike



On Wed, Jun 29, 2016 at 4:27 PM, Erwann Abalea <[hidden email]> wrote:
Bonjour,

You may have a classic certificate containing your {X,Ed}{25519,448,whatever} public key once:
  • an OID is allocated to identify this type of public key (it will go into tbs.subjectPublicKeyInfo.algorithm.algorithm)
  • a set of associated optional parameters are defined for this OID (to go into tbs.subjectPublicKeyInfo.algorithm.parameters)
  • a canonical encoding for this type of public key is defined, so the key material can be enclosed into tbs.subjectPublicKeyInfo.subjectPublicKey

This certificate may be RSA-signed or ECDSA-signed (or whatever-signed, in fact).

For a CA to be able to Ed{25519,448,whatever}-sign something, the previous steps must have been done, plus:
  • an OID is allocated to identify the signature algorithm to apply (it will not be ECDSA) -> cert.signatureAlgorithm.algorithm
  • a set of associated optional parameters are defined for this OID -> cert.signatureAlgorithm.parameters
  • a canonical encoding for the signature value is defined, so it can be enclosed into cert.signatureValue

All this is being discussed at CFRG.

Cordialement,
Erwann Abalea

Le 29 juin 2016 à 16:46, Michael Scott <[hidden email]> a écrit :

Hello,


How do I do this? Using the OpenSSL command line tool, a certificate request must be self-signed, but the X25519 elliptic curve (newly supported in version 1.1.0), doesn't do signature, it can only be used for key exchange.

(Of course the X25519 Montgomery curve is birationally equivalent to an Edwards curve which can do signature. And indeed it is our intention to use the Edwards curve. But first I need a CA-signed X25519 cert. But because of the above catch-22 problem, I cannot create one.) 


Mike


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Creating an X25519-based Certificate

Michael Scott
Yes, I can certainly program my way out of the problem, but it would be nice if the command line tool allowed me a way to do it.

Thanks!

Mike

On Thu, Jun 30, 2016 at 9:37 AM, Erwann Abalea <[hidden email]> wrote:
Ok, you’re talking about OpenSSL command line tool only, I missed that part.

The solution should then be to modify apps/ca.c:certify() function to add an arg, and avoid the call to X509_REQ_verify when desired.

Cordialement,
Erwann Abalea

Le 29 juin 2016 à 19:17, Michael Scott <[hidden email]> a écrit :

Thanks Erwann, but that's not an answer to my question. 

To get the CA to sign (using RSA or anything) a certificate that contains an X25519 public key, that certificate must first submit to the CA something called a "Certificate request". This takes the form of the supplicant certificate, which is self-signed. However you cannot self-sign with an X25519 key (using the openssl command line tool), as it objects that X25519 does not support signature.  

So the issue arises around the "certificate request" process. There is I agree no problem in creating the certificate itself.


Mike



On Wed, Jun 29, 2016 at 4:27 PM, Erwann Abalea <[hidden email]> wrote:
Bonjour,

You may have a classic certificate containing your {X,Ed}{25519,448,whatever} public key once:
  • an OID is allocated to identify this type of public key (it will go into tbs.subjectPublicKeyInfo.algorithm.algorithm)
  • a set of associated optional parameters are defined for this OID (to go into tbs.subjectPublicKeyInfo.algorithm.parameters)
  • a canonical encoding for this type of public key is defined, so the key material can be enclosed into tbs.subjectPublicKeyInfo.subjectPublicKey

This certificate may be RSA-signed or ECDSA-signed (or whatever-signed, in fact).

For a CA to be able to Ed{25519,448,whatever}-sign something, the previous steps must have been done, plus:
  • an OID is allocated to identify the signature algorithm to apply (it will not be ECDSA) -> cert.signatureAlgorithm.algorithm
  • a set of associated optional parameters are defined for this OID -> cert.signatureAlgorithm.parameters
  • a canonical encoding for the signature value is defined, so it can be enclosed into cert.signatureValue

All this is being discussed at CFRG.

Cordialement,
Erwann Abalea

Le 29 juin 2016 à 16:46, Michael Scott <[hidden email]> a écrit :

Hello,


How do I do this? Using the OpenSSL command line tool, a certificate request must be self-signed, but the X25519 elliptic curve (newly supported in version 1.1.0), doesn't do signature, it can only be used for key exchange.

(Of course the X25519 Montgomery curve is birationally equivalent to an Edwards curve which can do signature. And indeed it is our intention to use the Edwards curve. But first I need a CA-signed X25519 cert. But because of the above catch-22 problem, I cannot create one.) 


Mike


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Creating an X25519-based Certificate

Jakob Bohm-7
In reply to this post by Erwann Abalea-4
Which brings back my generalized question from yesterday:

Since X25519 is not the first "encrypt-only" algorithm in the
OpenSSL universe, how was requesting certificates handled for
such algorithms in the past?

For example how would one request a DH certificate?

Whatever was defined back then might be trivially extended
to also handle X25519.



On 30/06/2016 10:37, Erwann Abalea wrote:
Ok, you’re talking about OpenSSL command line tool only, I missed that part.

The solution should then be to modify apps/ca.c:certify() function to add an arg, and avoid the call to X509_REQ_verify when desired.

Le 29 juin 2016 à 19:17, Michael Scott <[hidden email]> a écrit :

Thanks Erwann, but that's not an answer to my question. 

To get the CA to sign (using RSA or anything) a certificate that contains an X25519 public key, that certificate must first submit to the CA something called a "Certificate request". This takes the form of the supplicant certificate, which is self-signed. However you cannot self-sign with an X25519 key (using the openssl command line tool), as it objects that X25519 does not support signature.  

So the issue arises around the "certificate request" process. There is I agree no problem in creating the certificate itself.

On Wed, Jun 29, 2016 at 4:27 PM, Erwann Abalea <[hidden email]> wrote:
Bonjour,

You may have a classic certificate containing your {X,Ed}{25519,448,whatever} public key once:
  • an OID is allocated to identify this type of public key (it will go into tbs.subjectPublicKeyInfo.algorithm.algorithm)
  • a set of associated optional parameters are defined for this OID (to go into tbs.subjectPublicKeyInfo.algorithm.parameters)
  • a canonical encoding for this type of public key is defined, so the key material can be enclosed into tbs.subjectPublicKeyInfo.subjectPublicKey

This certificate may be RSA-signed or ECDSA-signed (or whatever-signed, in fact).

For a CA to be able to Ed{25519,448,whatever}-sign something, the previous steps must have been done, plus:
  • an OID is allocated to identify the signature algorithm to apply (it will not be ECDSA) -> cert.signatureAlgorithm.algorithm
  • a set of associated optional parameters are defined for this OID -> cert.signatureAlgorithm.parameters
  • a canonical encoding for the signature value is defined, so it can be enclosed into cert.signatureValue

All this is being discussed at CFRG.

Le 29 juin 2016 à 16:46, Michael Scott <[hidden email]> a écrit :

How do I do this? Using the OpenSSL command line tool, a certificate request must be self-signed, but the X25519 elliptic curve (newly supported in version 1.1.0), doesn't do signature, it can only be used for key exchange.

(Of course the X25519 Montgomery curve is birationally equivalent to an Edwards curve which can do signature. And indeed it is our intention to use the Edwards curve. But first I need a CA-signed X25519 cert. But because of the above catch-22 problem, I cannot create one.) 

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded 

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Creating an X25519-based Certificate

Salz, Rich
> Since X25519 is not the first "encrypt-only" algorithm in the
> OpenSSL universe, how was requesting certificates handled for
> such algorithms in the past?

It wasn't.

> For example how would one request a DH certificate?

You couldn't.

I don't recall anyone ever asking for such a thing on the public lists.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Creating an X25519-based Certificate

Matt Caswell-2


On 30/06/16 16:54, Salz, Rich wrote:

>> Since X25519 is not the first "encrypt-only" algorithm in the
>> OpenSSL universe, how was requesting certificates handled for
>> such algorithms in the past?
>
> It wasn't.
>
>> For example how would one request a DH certificate?
>
> You couldn't.
>
> I don't recall anyone ever asking for such a thing on the public lists.
>

There is no standardised way of requesting a DH certificate that I know of.

Nonetheless OpenSSL does support the generation of DH certificates, but
it's a bit nasty:

https://security.stackexchange.com/questions/44251/openssl-generate-different-types-of-self-signed-certificate/82868#82868

Matt
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Creating an X25519-based Certificate

Michael Scott


On Thu, Jun 30, 2016 at 5:11 PM, Matt Caswell <[hidden email]> wrote:


On 30/06/16 16:54, Salz, Rich wrote:
>> Since X25519 is not the first "encrypt-only" algorithm in the
>> OpenSSL universe, how was requesting certificates handled for
>> such algorithms in the past?
>
> It wasn't.
>
>> For example how would one request a DH certificate?
>
> You couldn't.
>
> I don't recall anyone ever asking for such a thing on the public lists.
>

There is no standardised way of requesting a DH certificate that I know of.

Nonetheless OpenSSL does support the generation of DH certificates, but
it's a bit nasty:

https://security.stackexchange.com/questions/44251/openssl-generate-different-types-of-self-signed-certificate/82868#82868



That seems to be exactly what I was looking for! So create a bogus RSA cert and create its self-signed certificate request. But then use the -force_pubkey flag to substitute my own X25519 public key for the RSA public key, just prior to getting it signed by the CA.

Reminds me of the cuckoo..

I would worry about the damage that could be done if -force_pubkey fell into the wrong hands :)

Thanks!


Mike 
 
Matt
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Creating an X25519-based Certificate

Erwann Abalea-4
In reply to this post by Jakob Bohm-7
Maybe we just didn’t. At least not with the command line tools.
The CHANGES file lists a merge between « dh », « gendh », and « dhparam » in 2000, but no evolution since then.
The oldest version I could find is 0.9.6, and there’s no command-line DH key generation.

Cordialement,
Erwann Abalea

Le 30 juin 2016 à 16:58, Jakob Bohm <[hidden email]> a écrit :

Which brings back my generalized question from yesterday:

Since X25519 is not the first "encrypt-only" algorithm in the
OpenSSL universe, how was requesting certificates handled for
such algorithms in the past?

For example how would one request a DH certificate?

Whatever was defined back then might be trivially extended
to also handle X25519.



On 30/06/2016 10:37, Erwann Abalea wrote:
Ok, you’re talking about OpenSSL command line tool only, I missed that part.

The solution should then be to modify apps/ca.c:certify() function to add an arg, and avoid the call to X509_REQ_verify when desired.

Le 29 juin 2016 à 19:17, Michael Scott <[hidden email][hidden email]> a écrit :

Thanks Erwann, but that's not an answer to my question. 

To get the CA to sign (using RSA or anything) a certificate that contains an X25519 public key, that certificate must first submit to the CA something called a "Certificate request". This takes the form of the supplicant certificate, which is self-signed. However you cannot self-sign with an X25519 key (using the openssl command line tool), as it objects that X25519 does not support signature.  

So the issue arises around the "certificate request" process. There is I agree no problem in creating the certificate itself.

On Wed, Jun 29, 2016 at 4:27 PM, Erwann Abalea <[hidden email]> wrote:
Bonjour,

You may have a classic certificate containing your {X,Ed}{25519,448,whatever} public key once:
  • an OID is allocated to identify this type of public key (it will go into tbs.subjectPublicKeyInfo.algorithm.algorithm)
  • a set of associated optional parameters are defined for this OID (to go into tbs.subjectPublicKeyInfo.algorithm.parameters)
  • a canonical encoding for this type of public key is defined, so the key material can be enclosed into tbs.subjectPublicKeyInfo.subjectPublicKey

This certificate may be RSA-signed or ECDSA-signed (or whatever-signed, in fact).

For a CA to be able to Ed{25519,448,whatever}-sign something, the previous steps must have been done, plus:
  • an OID is allocated to identify the signature algorithm to apply (it will not be ECDSA) -> cert.signatureAlgorithm.algorithm
  • a set of associated optional parameters are defined for this OID -> cert.signatureAlgorithm.parameters
  • a canonical encoding for the signature value is defined, so it can be enclosed into cert.signatureValue

All this is being discussed at CFRG.

Le 29 juin 2016 à 16:46, Michael Scott <[hidden email][hidden email]> a écrit :

How do I do this? Using the OpenSSL command line tool, a certificate request must be self-signed, but the X25519 elliptic curve (newly supported in version 1.1.0), doesn't do signature, it can only be used for key exchange.

(Of course the X25519 Montgomery curve is birationally equivalent to an Edwards curve which can do signature. And indeed it is our intention to use the Edwards curve. But first I need a CA-signed X25519 cert. But because of the above catch-22 problem, I cannot create one.) 

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded 
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users