EDDSA crl creation woes


EDDSA crl creation woes

Robert Moskowitz
Finally back on working on my EDDSA pki.

Working on the Fedora 29 beta, which now ships with:

OpenSSL 1.1.1-pre8 (beta) FIPS 20 Jun 2018


To recap, there are challenges with hash specification.  In creating
certs, I cannot have a default_md line in my .cnf file, or at least not with it
= sha256.  And in those commands where I had to have -md sha256 with
ecdsa, I have to have -md null.  This is compared to those commands that
took -sha256 and now require nothing on the command line about the hash.

So on to crl:

    openssl ca -config $dir/openssl-$intermediate.cnf \
          -gencrl -out $dir/crl/$crl

Using configuration from /root/ca/intermediate/openssl-intermediate.cnf
Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem:
variable lookup failed for CA_default::default_md
3069739024:error:0E06D06C:configuration file
routines:NCONF_get_string:no
value:crypto/conf/conf_lib.c:275:group=CA_default name=default_md

In this .cnf file, there is no default_md line.

So I added -md to the command line:

    openssl ca -config $dir/openssl-$intermediate.cnf -md null \
          -gencrl -out $dir/crl/$crl

And that worked.

Very confusing.  It would be preferable if EDDSA-related generation just
ignored md values?


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: EDDSA crl creation woes

Matt Caswell-2


On 08/08/18 20:49, Robert Moskowitz wrote:

> Finally back on working on my EDDSA pki.
>
> Working on beta Fedora29 which now ships with:
>
> OpenSSL 1.1.1-pre8 (beta) FIPS 20 Jun 2018
>
>
> To recap, there are challenges with hash specification.  In creating
> certs, I cannot have a default_md line in my .cnf file, or at least not with it
> = sha256.  And in those commands where I had to have -md sha256 with
> ecdsa, I have to have -md null.  This is compared to those commands that
> took -sha256 and now require nothing on the command line about the hash.
>
> So on to crl:
>
>    openssl ca -config $dir/openssl-$intermediate.cnf \
>          -gencrl -out $dir/crl/$crl
>
> Using configuration from /root/ca/intermediate/openssl-intermediate.cnf
> Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem:
> variable lookup failed for CA_default::default_md
> 3069739024:error:0E06D06C:configuration file
> routines:NCONF_get_string:no
> value:crypto/conf/conf_lib.c:275:group=CA_default name=default_md
>
> In this .cnf file, there is no default_md line.
>
> So I added -md to the command line:
>
>    openssl ca -config $dir/openssl-$intermediate.cnf -md null \
>          -gencrl -out $dir/crl/$crl
>
> And that worked.
>
> Very confusing.  It would be preferable if EDDSA-related generation just
> ignored md values?
>
>

I've just created PR 6901 that will hopefully improve things. This
basically ignores any -md or default_md setting if EdDSA is in use.

https://github.com/openssl/openssl/pull/6901

Matt
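The failing command from the first message and the behaviour Matt's PR gives it, as an added runnable example (not code from the thread or from the OpenSSL project): a throwaway Ed25519 CA whose openssl.cnf deliberately has no default_md line issues a CRL with plain "openssl ca -gencrl" and verifies it. It assumes an openssl binary on PATH that already contains PR 6901 (OpenSSL 1.1.1 final or later), so no -md null is needed; the directory layout, config sections and CA name are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes an openssl binary on PATH that
# already contains PR 6901 (OpenSSL 1.1.1 final or later).
set -eu
work=$(mktemp -d)                    # constructed throwaway CA directory
trap 'rm -rf "$work"' EXIT
# Minimal CA config: everything "openssl ca -gencrl" needs and, deliberately,
# no default_md line at all (the setting the 1.1.1-pre8 ca app insisted on).
cat >"$work/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $work
database         = \$dir/index.txt
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
crlnumber        = \$dir/crlnumber
default_crl_days = 30
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
commonName = EdDSA Test CA
EOF
: >"$work/index.txt"       # empty certificate database
echo 01 >"$work/crlnumber" # first CRL number
# Ed25519 CA key and self-signed cert: no -sha256 or -md anywhere on the line.
openssl genpkey -algorithm ed25519 -out "$work/ca.key"
openssl req -new -x509 -config "$work/ca.cnf" -key "$work/ca.key" \
    -days 365 -out "$work/ca.pem"
# Issue a CRL without -md, verify it against the CA cert, and print the CRL's
# signature algorithm ("ED25519" on success); prints FAIL and returns 1 otherwise.
gen_crl() {
    openssl ca -config "$work/ca.cnf" -gencrl -crldays 30 \
        -out "$work/crl.pem" >/dev/null 2>&1 || { echo FAIL; return 1; }
    # "verify OK" lands on stdout or stderr depending on the OpenSSL version
    case "$(openssl crl -in "$work/crl.pem" -CAfile "$work/ca.pem" \
                -verify -noout 2>&1)" in
        *"verify OK"*) ;;
        *) echo FAIL; return 1 ;;
    esac
    openssl crl -in "$work/crl.pem" -noout -text |
        sed -n 's/^ *Signature Algorithm: *\([^ ]*\).*/\1/p' | head -n 1
}
gen_crl
```

On a 1.1.1-pre8 build without the PR, the "openssl ca" step inside gen_crl is the one that fails with the "variable lookup failed for CA_default::default_md" error quoted above.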
Re: EDDSA crl creation woes

Robert Moskowitz


On 08/09/2018 09:34 AM, Matt Caswell wrote:

>
> On 08/08/18 20:49, Robert Moskowitz wrote:
>> Finally back on working on my EDDSA pki.
>>
>> Working on beta Fedora29 which now ships with:
>>
>> OpenSSL 1.1.1-pre8 (beta) FIPS 20 Jun 2018
>>
>>
>> To recap, there are challenges with hash specification.  In creating
>> certs, I cannot have a default_md line in my .cnf file, or at least not with it
>> = sha256.  And in those commands where I had to have -md sha256 with
>> ecdsa, I have to have -md null.  This is compared to those commands that
>> took -sha256 and now require nothing on the command line about the hash.
>>
>> So on to crl:
>>
>>     openssl ca -config $dir/openssl-$intermediate.cnf \
>>           -gencrl -out $dir/crl/$crl
>>
>> Using configuration from /root/ca/intermediate/openssl-intermediate.cnf
>> Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem:
>> variable lookup failed for CA_default::default_md
>> 3069739024:error:0E06D06C:configuration file
>> routines:NCONF_get_string:no
>> value:crypto/conf/conf_lib.c:275:group=CA_default name=default_md
>>
>> In this .cnf file, there is no default_md line.
>>
>> So I added -md to the command line:
>>
>>     openssl ca -config $dir/openssl-$intermediate.cnf -md null \
>>           -gencrl -out $dir/crl/$crl
>>
>> And that worked.
>>
>> Very confusing.  It would be preferable if EDDSA-related generation just
>> ignored md values?
>>
>>
> I've just created PR 6901 that will hopefully improve things. This
> basically ignores any -md or default_md setting if EdDSA is in use.
>
> https://github.com/openssl/openssl/pull/6901

Matt,

Thanks for addressing this.  It will keep a lot of questions off the
user list once use of EDDSA becomes 'mainline'.

Please let me know when a beta is out with this change so I can ask the
Fedora team to grab it so I can test it.

It pulls a big caveat section from the eddsa-pki draft I am writing.

