Thanks for opening a thread about this @ndilieto
Though having spotted this fix upstream I’m somewhat glad we hadn’t adopted it immediately.
For me this kind of issue is a great reminder that adding support for new cryptographic algorithms carries fairly significant risk and requires careful review above and beyond piping together the right libraries and code.
It will be a little bit more involved than that. The
validSelfAuthenticatedJWS function in
wfe2/verify.go that will be used when evaluating JWS with embedded JWK (like for
newAccount) also calls out to a key policy object and its
GoodKey function. The RA also vets all new v1 registration keys and v2 account keys the same way.
The relevant code for that is mostly in
goodkey/good_key.go. Like with
sigAlgorithmForKey in the WFE2 the Goodkey function outwards would need to support EdDSA, with a particular eye towards anywhere we might need to verify the public key’s parameters above and beyond what may be done by
goodkey is complicated by the fact that the same package/functions are used by the RA and the CA to verify CSR public keys (e.g. the RA verifying a CSR during order finalization). It’s unlikely we will be able to support EdDSA in subscriber certificates (see the other thread) anytime soon so the
goodkey package would need to be modified to know whether it was verifying an account key or a CSR key. (Again this is a change that makes my spider sense tingle: we would be adding a joint where there wasn’t one before and if it bends the wrong way in production because of a bug we could disastrously allow a Ed25519 public key in a subscriber certificate. This would be a misissuance and have to be reported in that year’s audit and to the root programs).
I’m not sure if there is any specific reason we haven’t evaluated Ed25519 account keys before now. I agree it seems possible, I disagree that it’s necessarily simple. Like most things I think it’s primarily a question of prioritization. My personal opinion is that I think this falls more into the nice-to-have category. A well-written PR on Boulder with good test coverage would be harder to say no to
@jsha Do you have any other thoughts?