golang
Support Ed25519 signing OCSP
verified with this demo:
package main
import (
"crypto"
"crypto/ed25519"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"math/big"
"os"
"time"
"golang.org/x/crypto/ocsp"
)
func genCert() (cert *x509.Certificate, privKey crypto.Signer) {
_, privKey, err := ed25519.GenerateKey(rand.Reader)
// privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
panic(err)
}
template := &x509.Certificate{
Subject: pkix.Name{
CommonName: "OCSP Responder",
},
SerialNumber: big.NewInt(1),
NotBefore: time.Now(),
NotAfter: time.Now().Add(365 * 24 * time.Hour),
BasicConstraintsValid: true,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCRLSign,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning},
IsCA: true,
}
certBytes, err := x509.CreateCertificate(rand.Reader, template, template, privKey.Public(), privKey)
if err != nil {
panic(err)
}
cert, err = x509.ParseCertificate(certBytes)
if err != nil {
panic(err)
}
file, err := os.Create("ca_cert.pem")
if err != nil {
panic(err)
}
pem.Encode(file, &pem.Block{Type: "CERTIFICATE", Bytes: certBytes})
file.Close()
privKeyDER, err := x509.MarshalPKCS8PrivateKey(privKey)
if err != nil {
panic(err)
}
file, err = os.Create("ca_key.pem")
if err != nil {
panic(err)
}
pem.Encode(file, &pem.Block{Type: "PRIVATE KEY", Bytes: privKeyDER})
file.Close()
return cert, privKey
}
func genResp() {
caCert, privKey := genCert()
resp := ocsp.Response{
Status: ocsp.Good,
SerialNumber: big.NewInt(123456789),
ThisUpdate: time.Now(),
NextUpdate: time.Now().Add(24 * time.Hour),
}
respBytes, err := ocsp.CreateResponse(caCert, caCert, resp, privKey)
if err != nil {
panic(err)
}
os.WriteFile("ocsp_response.der", respBytes, 0644)
}
func main() {
genResp()
}
and openssl command
openssl ocsp -text -respin ocsp_response.der -issuer ca_cert.pem
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: CN = OCSP Responder
Produced At: Sep 9 03:49:00 2025 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 31CD3802B3300F488C2D7B829551A7CAC184C429
Issuer Key Hash: B4174F7BAEA50A5804B34C2BD9DA8D2E3A19129D
Serial Number: 075BCD15
Cert Status: good
This Update: Sep 9 03:49:31 2025 GMT
Next Update: Sep 10 03:49:31 2025 GMT
Signature Algorithm: ED25519
Signature Value:
53:10:ac:62:3f:08:41:b7:ef:ef:68:c4:b7:fa:01:f1:d8:40:
ed:83:6d:2e:6d:34:03:4c:46:ef:85:16:58:da:75:f2:bd:4d:
1f:ef:ce:b2:3a:ea:a3:7e:db:f4:56:7a:ef:76:74:fe:5b:6d:
be:eb:ad:f3:ad:47:99:4f:3a:0c
Response verify OK
also add go tests for ecdsa and ed25519
This PR (HEAD: 1acc324665238fa0c0bdf694219c10fc5a5973f9) has been imported to Gerrit for code review.
Please visit Gerrit at https://go-review.googlesource.com/c/crypto/+/701975.
Important tips:
- Don't comment on this PR. All discussion takes place in Gerrit.
- You need a Gmail or other Google account to log in to Gerrit.
- To change your code in response to feedback:
- Push a new commit to the branch used by your GitHub PR.
- A new "patch set" will then appear in Gerrit.
- Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
- Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
- Multiple commits in the PR will be squashed by GerritBot.
- The title and description of the GitHub PR are used to construct the final commit message.
- Edit these as needed via the GitHub web interface (not via Gerrit or git).
- You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
- See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.
Message from Gopher Robot:
Patch Set 1:
(1 comment)
Please don’t reply on this GitHub thread. Visit golang.org/cl/701975. After addressing review feedback, remember to publish your drafts!
Message from Gopher Robot:
Patch Set 1:
Congratulations on opening your first change. Thank you for your contribution!
Next steps: A maintainer will review your change and provide feedback. See https://go.dev/doc/contribute#review for more info and tips to get your patch through code review.
Most changes in the Go project go through a few rounds of revision. This can be surprising to people new to the project. The careful, iterative review process is our way of helping mentor contributors and ensuring that their contributions have a lasting impact.
During May-July and Nov-Jan the Go project is in a code freeze, during which little code gets reviewed or merged. If a reviewer responds with a comment like R=go1.11 or adds a tag like "wait-release", it means that this CL will be reviewed as part of the next development cycle. See https://go.dev/s/release for more details.
Please don’t reply on this GitHub thread. Visit golang.org/cl/701975. After addressing review feedback, remember to publish your drafts!
Message from Daniel McCarney:
Patch Set 1:
(1 comment)
Please don’t reply on this GitHub thread. Visit golang.org/cl/701975. After addressing review feedback, remember to publish your drafts!
Message from Yun Dou (dixyes):
Patch Set 1:
(1 comment)
Please don’t reply on this GitHub thread. Visit golang.org/cl/701975. After addressing review feedback, remember to publish your drafts!