EDDSA certificates


EDDSA certificates

Robert Moskowitz
Does any version of OpenSSL provide support for EDDSA, particularly
creating and displaying the content of them?

Right now my interest is seeing what is involved in creating them with
EC25519 and evaluating their size and how they parse.

Or meet me at the IETF and talk to me about them.

thank you

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: EDDSA certificates

OpenSSL - User mailing list
 
> Does any version of OpenSSL provide support for EDDSA, particularly creating
> and displaying the content of them?

Not yet.  EDDSA for 25519 and 448 would be great to have in the next release, tho.

Re: EDDSA certificates

Robert Moskowitz


On 03/16/2017 04:04 PM, Salz, Rich via openssl-users wrote:
>  
>> Does any version of OpenSSL provide support for EDDSA, particularly creating
>> and displaying the content of them?
> Not yet.  EDDSA for 25519 and 448 would be great to have in the next release, tho.
Let's talk about it at IETF.



Re: EDDSA certificates

Robert Moskowitz
In reply to this post by OpenSSL - User mailing list
Rich,

Meant to ask you about this at IETF.

Given draft-ietf-curdle-pkix-05.txt sec 10, is there openssl code to
produce these???

And, relatedly, what do you think about CBOR encoding rather than
ASN.1?  Kill ASN.1 in constrained devices and save on transmission costs?

Thanks

Bob

On 03/16/2017 07:04 PM, Salz, Rich via openssl-users wrote:
>  
>> Does any version of OpenSSL provide support for EDDSA, particularly creating
>> and displaying the content of them?
> Not yet.  EDDSA for 25519 and 448 would be great to have in the next release, tho.


Re: EDDSA certificates

OpenSSL - User mailing list
On 07/27/2017 09:18 AM, Robert Moskowitz wrote:
> Rich,
>
> Meant to ask you about this at IETF.
>
> Given draft-ietf-curdle-pkix-05.txt sec 10, is there openssl code to produce these???

There is code to validate them, per commit 4328dd41582bcdca8e4f51f0a3abadfafa2163ee.  I didn't look hard enough to find how to generate them, but it ought to be there too.

> And, relatedly, what do you think about CBOR encoding rather than ASN.1?  Kill ASN.1 in constrained devices and save on transmission costs?

It seems hard to shift a big ecosystem and introduce risk of incompatibility, but I haven't really thought about it.

-Ben


Re: EDDSA certificates

Robert Moskowitz
I have read:  https://github.com/openssl/openssl/issues/487

And I am trying to grok its meaning.  I am running Fedora24 (I need to
buy a new SSD before upgrading to F26) which has openssl 1.0.2k.

There is a note of a patch to 1.0.2j, but talk about 1.1.1.  I have
attempted to read

https://gist.github.com/ladar/e45e893901f30f480dd49265ba3c42c0

Is there a command line option for creating an ed25519 cert and if so
what version?  I tried:

openssl req -new -outform PEM -out certs/$commonName.crt -newkey ed25519 \
    -nodes -keyout private/$commonName.key -keyform PEM -days 3650 -x509 \
    -extensions v3_req -subj \
    "/countryName=$countryName/stateOrProvinceName=$stateOrProvinceName/localityName=$localityName/organizationName=$organizationName/organizationalUnitName=$organizationalUnitName/commonName=$commonName/emailAddress=$emailAddress"

And got:

Unknown algorithm ed25519

thanks.

On 07/27/2017 10:45 AM, Benjamin Kaduk wrote:

> On 07/27/2017 09:18 AM, Robert Moskowitz wrote:
>> Rich,
>>
>> Meant to ask you about this at IETF.
>>
>> Given draft-ietf-curdle-pkix-05.txt sec 10, is there openssl code to
>> produce these???
>>
>
> There is code to validate them, per commit
> 4328dd41582bcdca8e4f51f0a3abadfafa2163ee.  I didn't look hard enough
> to find how to generate them, but it ought to be there too.
>
>> And, relatedly, what do you think about CBOR encoding rather than
>> ASN.1?  Kill ASN.1 in constrained devices and save on transmission
>> costs?
>
> It seems hard to shift a big ecosystem and introduce risk of
> incompatibility, but I haven't really thought about it.
>
> -Ben


Re: EDDSA certificates

OpenSSL - User mailing list
We don't add features to released versions, just bug-fixes.  Ladar has posted a patch for 1.0.2 for those do-it-yourselfers who are so inclined.

The 'master' branch, which will become 1.1.1 at some point, can do it:
; sh /tmp/x
Generating a 2048 bit ED25519 private key
writing new private key to '/tmp/key.key'
-----
; cat /tmp/x
./apps/openssl req -new -outform PEM -out /tmp/cert.crt -newkey \
 ed25519 -nodes -keyout /tmp/key.key -keyform PEM -days \
 3650 -x509 -extensions v3_req -subj \
 "/C=us/O=organizationName/CN=common-name"


Re: EDDSA certificates

Robert Moskowitz
Ah,  thanks for the explanation Rich.

On 08/08/2017 11:19 AM, Salz, Rich via openssl-users wrote:
> We don't add features to released versions, just bug-fixes.  Ladar has posted a patch for 1.0.2 for those do-it-yourselfers who are so inclined.
>
> The 'master' branch, which will become 1.1.1 at some point, can do it:
> ; sh /tmp/x
> Generating a 2048 bit ED25519 private key

Wait, 2048 bit ED25519 key?????

> writing new private key to '/tmp/key.key'
> -----
> ; cat /tmp/x
> ./apps/openssl req -new -outform PEM -out /tmp/cert.crt -newkey \
>   ed25519 -nodes -keyout /tmp/key.key -keyform PEM -days \
>   3650 -x509 -extensions v3_req -subj \
>   "/C=us/O=organizationName/CN=common-name"
>
So I guess the question for me is will it make it into Fedora 27....

Bob


Re: EDDSA certificates

OpenSSL - User mailing list
> > Generating a 2048 bit ED25519 private key
>
> Wait, 2048 bit ED25519 key?????

Looks like a printf bug :)
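
Added example, not part of the thread and not OpenSSL's own code: the create-and-display steps discussed above, plus the size checks asked about in the first post, assuming an `openssl` binary from 1.1.1 or later. The temporary paths, the minimal config and the function names are constructed for the example; the raw key size it derives bears on the "2048 bit" line queried above.

```sh
#!/bin/sh
# Added example: create an Ed25519 self-signed certificate, then report how it
# parses and how large it is. Assumes openssl 1.1.1+ (Ed25519 support).
set -eu

WORK=$(mktemp -d)                      # constructed scratch directory
trap 'rm -rf "$WORK"' EXIT

# Minimal config so "req" does not depend on a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
C = US
O = organizationName
CN = common-name
EOF

make_cert() {        # writes key.pem and cert.pem into $WORK
    openssl genpkey -algorithm ED25519 -out "$WORK/key.pem"
    openssl req -new -x509 -config "$WORK/req.cnf" -key "$WORK/key.pem" \
        -days 3650 -out "$WORK/cert.pem"
}

sig_alg() {          # signature algorithm name as shown by "x509 -text"
    openssl x509 -in "$WORK/cert.pem" -noout -text |
        awk '/Signature Algorithm/ {print $3; exit}'
}

pubkey_der_len() {   # size of the DER SubjectPublicKeyInfo, in bytes
    openssl pkey -in "$WORK/key.pem" -pubout -outform DER | wc -c | tr -d ' '
}

cert_der_len() {     # size of the whole certificate in DER, in bytes
    openssl x509 -in "$WORK/cert.pem" -outform DER | wc -c | tr -d ' '
}

raw_key_bits() {     # SPKI minus its 12-byte DER prefix (headers, OID, BIT STRING)
    echo $(( ($(pubkey_der_len) - 12) * 8 ))
}

make_cert
printf 'signature algorithm: %s\n' "$(sig_alg)"
printf 'public key (SPKI):   %s bytes, raw key %s bits\n' \
    "$(pubkey_der_len)" "$(raw_key_bits)"
printf 'certificate (DER):   %s bytes\n' "$(cert_der_len)"
```

Running `openssl x509 -in cert.pem -noout -text` on the result shows the full parse, including the public key and signature fields.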