Creating an X25519 client certificate

Robert Moskowitz
I have created my X25519 pub/priv keypair with:

openssl genpkey -algorithm X25519\
     -out $dir/private/$clientemail-X.key.$format

And displays properly with:

openssl pkey -in $dir/private/$clientemail-X.key.$format -text -noout


So now to make the csr with:

openssl req -config $dir/openssl-intermediate.cnf\
     -key $dir/private/$clientemail-X.key.$format \
     -subj "$DN" -new -out $dir/csr/$clientemail-X.csr.$format

which is what I used for ED25519 client certs.  But I get an error:

140487683954496:error:0608D096:digital envelope
routines:EVP_PKEY_sign_init:operation not supported for this
keytype:crypto/evp/pmeth_fn.c:39:

I can't figure out from my config file why this error.  And googling the
error has not helped.  Yet.

Can someone point me to what I am missing?

Oh, and I am ASSuMEing that a CA cert of ED25519 signs an X25519 client
cert.  Haven't found instructions on this, but it seems reasonable...

thanks



Re: Creating an X25519 client certificate

Viktor Dukhovni
On Wed, Mar 17, 2021 at 05:50:41PM -0400, Robert Moskowitz wrote:

> I have created my X25519 pub/priv keypair with:
>
> openssl genpkey -algorithm X25519\
>      -out $dir/private/$clientemail-X.key.$format

Are you sure you didn't want ed25519 instead?  X25519 is a key agreement
method, not a signature method.

> openssl req -config $dir/openssl-intermediate.cnf\
>      -key $dir/private/$clientemail-X.key.$format \
>      -subj "$DN" -new -out $dir/csr/$clientemail-X.csr.$format
>
> which is what I used for ED25519 client certs.  But I get an error:
>
> 140487683954496:error:0608D096:digital envelope
> routines:EVP_PKEY_sign_init:operation not supported for this
> keytype:crypto/evp/pmeth_fn.c:39:

Not surprising, why do you expect this to work?

> Can someone point me to what I am missing?
>
> Oh, and I am ASSuMEing that a CA cert of ED25519 signs an X25519 client
> cert.  Haven't found instructions on this, but it seems reasonable...

https://crypto.stackexchange.com/questions/27866/why-curve25519-for-encryption-but-ed25519-for-signatures

--
    Viktor.

Re: Creating an X25519 client certificate

Robert Moskowitz


On 3/17/21 7:22 PM, Viktor Dukhovni wrote:
> On Wed, Mar 17, 2021 at 05:50:41PM -0400, Robert Moskowitz wrote:
>
>> I have created my X25519 pub/priv keypair with:
>>
>> openssl genpkey -algorithm X25519\
>>       -out $dir/private/$clientemail-X.key.$format
> Are you sure you didn't want ed25519 instead?  X25519 is a key agreement
> method, not a signature method.

My limited understanding is that for encrypted S/MIME, an ECDH cert is
needed.  Thus if ED25519 is used for signing said S/MIME, X25519 is used
for encrypting.

I have seen CA Cert policies for "Device Encryption Certificates" that
use:  id-ecPublicKey {1 2 840 10045 2 1}; I need to talk to the CP
author more about this and what he sees the equiv Edward cert would look
like.

>
>> openssl req -config $dir/openssl-intermediate.cnf\
>>       -key $dir/private/$clientemail-X.key.$format \
>>       -subj "$DN" -new -out $dir/csr/$clientemail-X.csr.$format
>>
>> which is what I used for ED25519 client certs.  But I get an error:
>>
>> 140487683954496:error:0608D096:digital envelope
>> routines:EVP_PKEY_sign_init:operation not supported for this
>> keytype:crypto/evp/pmeth_fn.c:39:
> Not surprising, why do you expect this to work?

Shooting from the hip, a bit.  If I am going to have an X25519 cert,
then I need a csr and this is the command to make one.  So try it and
see what it does.  Not too well, it turns out.

>
>> Can someone point me to what I am missing?
>>
>> Oh, and I am ASSuMEing that a CA cert of ED25519 signs an X25519 client
>> cert.  Haven't found instructions on this, but it seems reasonable...
> https://crypto.stackexchange.com/questions/27866/why-curve25519-for-encryption-but-ed25519-for-signatures
>
Very familiar with this point and did look at this response during my
searches today.

I quite understand in TLS the use of EdDSA certs that allow
keyEncipherment and ?dataEncipherment? to permit an ECDHE exchange.

But my limited research claims that for S/MIME you can have an X25519
cert for static ECDH, rather than ephemeral, saving supposedly the
exchange of keys before sending encrypted S/MIME.



Re: Creating an X25519 client certificate

Viktor Dukhovni
On Wed, Mar 17, 2021 at 07:44:05PM -0400, Robert Moskowitz wrote:

> >> I have created my X25519 pub/priv keypair with:
> >>
> >> openssl genpkey -algorithm X25519\
> >>       -out $dir/private/$clientemail-X.key.$format
>
> > Are you sure you didn't want ed25519 instead?  X25519 is a key agreement
> > method, not a signature method.
>
> My limited understanding is that for encrypted S/MIME, an ECDH cert
> is needed.  Thus if ED25519 is used for signing said S/MIME, X25519 is
> used for encrypting.

I see, this is for CMS, so you're trying to support:

    https://tools.ietf.org/html/draft-ietf-curdle-cms-ecdh-new-curves-10

> >> openssl req -config $dir/openssl-intermediate.cnf\
> >>       -key $dir/private/$clientemail-X.key.$format \
> >>       -subj "$DN" -new -out $dir/csr/$clientemail-X.csr.$format
> >>
> >> which is what I used for ED25519 client certs.  But I get an error:
> >>
> >> 140487683954496:error:0608D096:digital envelope
> >> routines:EVP_PKEY_sign_init:operation not supported for this
> >> keytype:crypto/evp/pmeth_fn.c:39:
> > Not surprising, why do you expect this to work?
>
> Shooting from the hip, a bit.  If I am going to have an X25519 cert,
> then I need a csr and this is the command to make one.  So try it and
> see what it does.  Not too well, it turns out.

Well, CSRs are self-signed, and X25519 does not support signing, so
you CANNOT have an X25519 CSR.  You can however create an X25519
certificate directly for a given key:

https://crypto.stackexchange.com/questions/19452/static-dh-static-ecdh-certificate-using-openssl

with other details (names, extensions, ...) pulled from a CSR.
What you can't get is proof of possession.

> >> Oh, and I am ASSuMEing that a CA cert of ED25519 signs an X25519 client
> >> cert.  Haven't found instructions on this, but it seems reasonable...
> > https://crypto.stackexchange.com/questions/27866/why-curve25519-for-encryption-but-ed25519-for-signatures

Well the CA can use any algorithm that supports signing, and is widely
supported.  It does not have to be Ed25519.

--
    Viktor.
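
Added example (not part of the thread and not code from any poster): one way to carry out what the message above describes, issuing the X25519 certificate directly from the public key while a CSR signed by a different key supplies the subject name. It assumes OpenSSL 1.1.1 or later with its default openssl.cnf installed; all file names, subject names and the separate "carrier" key are constructed for illustration.

```shell
#!/bin/sh
# Added example. All file names and subject names are constructed.

# Issue an X25519 certificate in directory $1 without an X25519-signed CSR.
issue_x25519_cert() {
    d=$1
    # CA: any signature-capable key type works; Ed25519 is used here.
    openssl genpkey -algorithm ED25519 -out "$d/ca.key" || return 1
    openssl req -new -x509 -key "$d/ca.key" -subj "/CN=Example Test CA" \
        -days 30 -out "$d/ca.crt" || return 1
    # Subject's key-agreement key pair; only the public half reaches the CA.
    openssl genpkey -algorithm X25519 -out "$d/client-X.key" || return 1
    openssl pkey -in "$d/client-X.key" -pubout -out "$d/client-X.pub" || return 1
    # Carrier CSR: signed by a separate Ed25519 key, it supplies the subject
    # name only and proves nothing about possession of the X25519 key.
    openssl genpkey -algorithm ED25519 -out "$d/carrier.key" || return 1
    openssl req -new -key "$d/carrier.key" -subj "/CN=client@example.test" \
        -out "$d/carrier.csr" || return 1
    # Key usage for a static-ECDH certificate: key agreement, no signing.
    printf 'keyUsage = critical, keyAgreement\n' > "$d/ext.cnf"
    # The CA signs; -force_pubkey replaces the CSR's key with the X25519 one.
    openssl x509 -req -in "$d/carrier.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -force_pubkey "$d/client-X.pub" -extfile "$d/ext.cnf" \
        -days 30 -out "$d/client-X.crt"
}

# Print the "Public Key Algorithm" field of certificate $1.
cert_key_algorithm() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: *//p'
}

# Succeed if certificate $1 carries exactly the public key in PEM file $2.
cert_carries_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(cat "$2")" ]
}

# The failing step from the thread: succeeds when openssl refuses to build
# a CSR that would have to be signed with the X25519 key in directory $1.
x25519_csr_is_refused() {
    ! openssl req -new -key "$1/client-X.key" -subj "/CN=client@example.test" \
        -out "$1/client-X.csr" 2>/dev/null
}

# Demo run in a scratch directory.
work=$(mktemp -d) && issue_x25519_cert "$work" &&
    echo "certificate key type: $(cert_key_algorithm "$work/client-X.crt")"
rm -rf "$work"
```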

Re: Creating an X25519 client certificate

Robert Moskowitz


On 3/17/21 8:17 PM, Viktor Dukhovni wrote:

> On Wed, Mar 17, 2021 at 07:44:05PM -0400, Robert Moskowitz wrote:
>
>>>> I have created my X25519 pub/priv keypair with:
>>>>
>>>> openssl genpkey -algorithm X25519\
>>>>        -out $dir/private/$clientemail-X.key.$format
>>> Are you sure you didn't want ed25519 instead?  X25519 is a key agreement
>>> method, not a signature method.
>> My limited understanding is that for encrypted S/MIME, an ECDH cert
>> is needed.  Thus if ED25519 is used for signing said S/MIME, X25519 is
>> used for encrypting.
> I see, this is for CMS, so you're trying to support:
>
>      https://tools.ietf.org/html/draft-ietf-curdle-cms-ecdh-new-curves-10
>
>>>> openssl req -config $dir/openssl-intermediate.cnf\
>>>>        -key $dir/private/$clientemail-X.key.$format \
>>>>        -subj "$DN" -new -out $dir/csr/$clientemail-X.csr.$format
>>>>
>>>> which is what I used for ED25519 client certs.  But I get an error:
>>>>
>>>> 140487683954496:error:0608D096:digital envelope
>>>> routines:EVP_PKEY_sign_init:operation not supported for this
>>>> keytype:crypto/evp/pmeth_fn.c:39:
>>> Not surprising, why do you expect this to work?
>> Shooting from the hip, a bit.  If I am going to have an X25519 cert,
>> then I need a csr and this is the command to make one.  So try it and
>> see what it does.  Not too well, it turns out.
> Well, CSRs are self-signed, and X25519 does not support signing, so
> you CANNOT have an X25519 CSR.

Slap myself on the forehead....

Of course I know that.  But did not stop to think this through.   :(

Will read through all this and get back here....

> You can however create an X25519
> certificate directly for a given key:
>
> https://crypto.stackexchange.com/questions/19452/static-dh-static-ecdh-certificate-using-openssl
>
> with other details (names, extensions, ...) pulled from a CSR.
> What you can't get is proof of possession.
>
>>>> Oh, and I am ASSuMEing that a CA cert of ED25519 signs an X25519 client
>>>> cert.  Haven't found instructions on this, but it seems reasonable...
>>> https://crypto.stackexchange.com/questions/27866/why-curve25519-for-encryption-but-ed25519-for-signatures
> Well the CA can use any algorithm that supports signing, and is widely
> supported.  It does not have to be Ed25519.
>


Re: Creating an X25519 client certificate

tincanteksup


On 18/03/2021 01:22, Robert Moskowitz wrote:

>
>
> On 3/17/21 8:17 PM, Viktor Dukhovni wrote:
>> Well, CSRs are self-signed, and X25519 does not support signing, so
>> you CANNOT have an X25519 CSR.
>
> Slap myself on the forehead....
>
> Of course I know that.  But did not stop to think this through.   :(
>
> Will read through all this and get back here....
>

Wait until you spend 3 days waiting for an answer about Firefox
which I accidentally asked in #VBox ..

My forehead still bears the palm print and smarts!
I think it was the 'ox' which blinded me for so long. ;-)

Re: Creating an X25519 client certificate

Robert Moskowitz


On 3/17/21 9:48 PM, tincanteksup wrote:

>
>
> On 18/03/2021 01:22, Robert Moskowitz wrote:
>>
>>
>> On 3/17/21 8:17 PM, Viktor Dukhovni wrote:
>>> Well, CSRs are self-signed, and X25519 does not support signing, so
>>> you CANNOT have an X25519 CSR.
>>
>> Slap myself on the forehead....
>>
>> Of course I know that.  But did not stop to think this through.   :(
>>
>> Will read through all this and get back here....
>>
>
> Wait until you spend 3 days waiting for an answer about Firefox
> which I accidentally asked in #VBox ..
>
> My forehead still bears the palm print and smarts!
> I think it was the 'ox' which blinded me for so long. ;-)

I will have to discuss this with Russ...

A quick 'solution' to proof of ownership COULD be achieved IF:

The CA has an ECDH cert signed with its signing cert.

The client uses this to create a shared secret to KMAC the CSR.

The devil is in the details and I have other fish to fry...