Skip to content

crypto/ocsp: add support for Ed25519 signatures in OCSP responses #319

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

crypto/ocsp: add support for Ed25519 signatures in OCSP responses #319

wants to merge 1 commit into from
+24 −5

Conversation

Minipada
Copy link

@Minipada Minipada commented Apr 16, 2025
edited
Loading

This PR is necessary to work with the ocsp server in cfssl.
See additional PR there cloudflare/cfssl#1420

This PR adds support for the EdDSA Ed25519 signature algorithm
to the OCSP response signing logic. This allows cfssl to
generate OCSP responses using Ed25519 keys, in compliance
with RFC 8410.

Key Changes:

  • added OID for Ed25519 (1.3.101.112) in oidSignatureEd25519
  • updated signingParamsForPublicKey to recognize ed25519.PublicKey, set
    appropriate pkix.AlgorithmIdentifier, and avoid setting Parameters
    (as required by RFC 8410)
  • extended signatureAlgorithmDetails to include x509.PureEd25519
  • updated CreateResponse to avoid hashing the TBSResponseData when
    crypto.Hash(0) is used (i.e., for Ed25519), passing the raw DER
    directly to priv.Sign
  • error messages updated to reflect Ed25519 as a supported key type

Motivation:

Ed25519 is widely adopted due to its performance, small key size, and
resistance to common cryptographic attacks. Supporting it in OCSP
flows is critical for enabling modern PKI infrastructures that
prefer or require Ed25519-based certificates and responders.

Compatibility

This change is backward-compatible. The existing RSA and ECDSA flows
remain untouched. Ed25519 is only engaged if the responder key is of
type ed25519.PublicKey and the SignatureAlgorithm is x509.PureEd25519.

@gopherbot
Copy link
Contributor

This PR (HEAD: 41a68e2) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/crypto/+/665955.

Important tips:

  • Don't comment on this PR. All discussion takes place in Gerrit.
  • You need a Gmail or other Google account to log in to Gerrit.
  • To change your code in response to feedback:
    • Push a new commit to the branch used by your GitHub PR.
    • A new "patch set" will then appear in Gerrit.
    • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
    • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
    • Multiple commits in the PR will be squashed by GerritBot.
  • The title and description of the GitHub PR are used to construct the final commit message.
    • Edit these as needed via the GitHub web interface (not via Gerrit or git).
    • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
  • See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

@gopherbot
Copy link
Contributor

Message from Gopher Robot:

Patch Set 1:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/665955.
After addressing review feedback, remember to publish your drafts!

@gopherbot
Copy link
Contributor

Message from Gopher Robot:

Patch Set 1:

Congratulations on opening your first change. Thank you for your contribution!

Next steps:
A maintainer will review your change and provide feedback. See
https://go.dev/doc/contribute#review for more info and tips to get your
patch through code review.

Most changes in the Go project go through a few rounds of revision. This can be
surprising to people new to the project. The careful, iterative review process
is our way of helping mentor contributors and ensuring that their contributions
have a lasting impact.

During May-July and Nov-Jan the Go project is in a code freeze, during which
little code gets reviewed or merged. If a reviewer responds with a comment like
R=go1.11 or adds a tag like "wait-release", it means that this CL will be
reviewed as part of the next development cycle. See https://go.dev/s/release
for more details.

Please don’t reply on this GitHub thread. Visit golang.org/cl/665955.
After addressing review feedback, remember to publish your drafts!

@Minipada Minipada mentioned this pull request Apr 16, 2025
Open
@Minipada Minipada force-pushed the feature/add-support-eddsa25519 branch from 41a68e2 to fdf63c3 Compare April 17, 2025 09:38
@gopherbot
Copy link
Contributor

This PR (HEAD: fdf63c3) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/crypto/+/665955.

Important tips:

  • Don't comment on this PR. All discussion takes place in Gerrit.
  • You need a Gmail or other Google account to log in to Gerrit.
  • To change your code in response to feedback:
    • Push a new commit to the branch used by your GitHub PR.
    • A new "patch set" will then appear in Gerrit.
    • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
    • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
    • Multiple commits in the PR will be squashed by GerritBot.
  • The title and description of the GitHub PR are used to construct the final commit message.
    • Edit these as needed via the GitHub web interface (not via Gerrit or git).
    • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
  • See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

@Minipada Minipada changed the title add support for Ed25519 signatures in OCSP responses crypto/ocsp: add support for Ed25519 signatures in OCSP responses Apr 17, 2025
@Minipada Minipada force-pushed the feature/add-support-eddsa25519 branch from fdf63c3 to 98842f9 Compare April 17, 2025 10:05
@gopherbot
Copy link
Contributor

This PR (HEAD: 98842f9) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/crypto/+/665955.

Important tips:

  • Don't comment on this PR. All discussion takes place in Gerrit.
  • You need a Gmail or other Google account to log in to Gerrit.
  • To change your code in response to feedback:
    • Push a new commit to the branch used by your GitHub PR.
    • A new "patch set" will then appear in Gerrit.
    • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
    • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
    • Multiple commits in the PR will be squashed by GerritBot.
  • The title and description of the GitHub PR are used to construct the final commit message.
    • Edit these as needed via the GitHub web interface (not via Gerrit or git).
    • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
  • See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

@gopherbot
Copy link
Contributor

Message from david bensoussan:

Patch Set 5:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/665955.
After addressing review feedback, remember to publish your drafts!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Minipada @gopherbot