
x509.sign does not work for Ed25519 keys (digest must be NULL)

Open bit opened this issue 1 year ago • 1 comments

Trying to create a certificate signed with an ed25519 key does not work. Signing currently requires a digest; ed25519 only works with the digest set to NULL.

```python
import OpenSSL.crypto

# Ed448 key (PKCS#8, OID 1.3.101.113); Ed25519 keys hit the same restriction.
ed448_private_key_pem = b"""-----BEGIN PRIVATE KEY-----
MEcCAQAwBQYDK2VxBDsEOcqZ7a3k6JwrJbYO8CNTPT/d7dlWCo5vCf0EYDj79ZvA
hD8u9EPHlYJw5Y8ZQdH4WmVEfpKA23xkdQ==
-----END PRIVATE KEY-----
"""
key = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, ed448_private_key_pem)
x509 = OpenSSL.crypto.X509()
x509.set_pubkey(key)
# Fails: sign() requires a digest name, but EdDSA keys must be signed with a NULL digest.
x509.sign(key, None)
```

It's possible to call the internal sign function with NULL to get the certificate:

```python
# Private pyOpenSSL API: calls OpenSSL's X509_sign() directly with a NULL EVP_MD.
OpenSSL.crypto._lib.X509_sign(x509._x509, key._pkey, OpenSSL.crypto._ffi.NULL)
```

bit (Jun 08 '24 11:06)

At this point we recommend using https://cryptography.io/en/latest/ for all X.509 use cases.

alex (Jun 08 '24 12:06)
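The maintainer's recommendation, worked through as an added example that is not part of this issue or of pyOpenSSL: with `cryptography`, the NULL-digest requirement from the issue becomes `algorithm=None`. The helpers below build an Ed25519 self-signed certificate under a constructed placeholder name, show that naming a digest for such a key is refused, and verify the resulting self-signature.

```python
# Added example (not pyOpenSSL code): Ed25519 certificate signing with cryptography.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ed25519
from cryptography.x509.oid import NameOID


def _self_signed_builder(key: ed25519.Ed25519PrivateKey) -> x509.CertificateBuilder:
    """Minimal self-signed profile; "example.test" is a constructed placeholder CN."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
    )


def make_ed25519_self_signed():
    """Sign with algorithm=None: EdDSA hashes internally, so no separate digest is chosen.
    This is the cryptography-level equivalent of OpenSSL's X509_sign() with a NULL EVP_MD."""
    key = ed25519.Ed25519PrivateKey.generate()
    cert = _self_signed_builder(key).sign(private_key=key, algorithm=None)
    return key, cert


def digest_is_rejected(key: ed25519.Ed25519PrivateKey) -> bool:
    """The restriction from the issue, seen from cryptography's side: supplying a
    digest for an Ed25519 key is refused with ValueError instead of producing a cert."""
    try:
        _self_signed_builder(key).sign(private_key=key, algorithm=hashes.SHA256())
    except ValueError:
        return True
    return False


def self_signature_is_valid(cert: x509.Certificate) -> bool:
    """Verify the Ed25519 signature over the DER TBSCertificate with the cert's own key."""
    try:
        cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes)
    except InvalidSignature:
        return False
    return True
```

The certificate's signature algorithm OID is 1.3.101.112 (Ed25519), and `cert.signature_hash_algorithm` is deliberately unavailable for it, which is the same "no digest" property the issue describes.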