Ed25519 CSR -- bug or an unimplemented feature?

I created a CSR request using GNUTLS with a ed25519 private key. I am getting:
An unexpected error occurred:
The request message was malformed :: Invalid key in certificate request :: unknown key type %!s()
Please see the logfiles in /var/log/letsencrypt for more details.
{
  "type": "urn:acme:error:malformed",
  "detail": "Invalid key in certificate request :: unknown key type %!s(\u003cnil\u003e)",
  "status": 400
}
Is this a bug or an unimplemented feature?

EdDSA certificates are not really standardized or ready yet:

The reason that the error looks a bit funny is that the line of code that produces it has a mistake:

return berrors.MalformedError("unknown key type %s", reflect.TypeOf(key))

That %s should probably be %v.

Edit: opened a PR, but I noticed that the same problem seems to exist in the vendored square/go-jose; not sure whether that problem is exposed in Boulder though.

3 Likes
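To make the formatting point above concrete, here is an added Go example (not code from the thread or from Boulder) that reproduces the garbled message and shows how a type-switch key check would report an Ed25519 key. The `%!s(<nil>)` in the original error is Go's fmt marking a nil operand given to `%s`; with `%v` the same nil prints as `<nil>`. The `classifyKey` function is a stand-in for a CA-side "good key" check, not Boulder's real one, and it accepts Ed25519 only to show what the rejected CSR actually carried; the CSR is generated in-process with Go's own crypto/x509, which has emitted the RFC 8410 Ed25519 algorithm identifier since Go 1.13.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"reflect"
)

// unknownKeyTypeMsg builds the message the thread quotes, with the verb
// chosen by the caller so that "%s" and "%v" can be compared directly.
// reflect.TypeOf(nil) is a nil reflect.Type, so "%s" yields "%!s(<nil>)"
// while "%v" yields "<nil>".
func unknownKeyTypeMsg(key crypto.PublicKey, verb string) string {
	return fmt.Sprintf("unknown key type "+verb, reflect.TypeOf(key))
}

// classifyKey is a hypothetical stand-in for a CA's key-type gate (example
// code, not Boulder's goodkey package). It names RSA, ECDSA and Ed25519 keys
// and rejects anything else with a readable type, including a nil key.
func classifyKey(key crypto.PublicKey) (string, error) {
	switch k := key.(type) {
	case *rsa.PublicKey:
		return fmt.Sprintf("RSA-%d", k.N.BitLen()), nil
	case *ecdsa.PublicKey:
		return "ECDSA " + k.Curve.Params().Name, nil
	case ed25519.PublicKey:
		return "Ed25519", nil
	default:
		// %v, not %s: a nil key must print as <nil>, not %!s(<nil>).
		return "", fmt.Errorf("unknown key type %v", reflect.TypeOf(key))
	}
}

// ed25519CSR generates a fresh Ed25519 key, signs a CSR for a constructed
// test name, and parses the DER back so the caller sees exactly what a CA
// would see after decoding the request.
func ed25519CSR() (*x509.CertificateRequest, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: "example.test"}, // constructed sample name
		DNSNames: []string{"example.test"},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	// The CSR is self-signed with the Ed25519 key; verify it like a CA would.
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	return csr, nil
}

func main() {
	fmt.Println(unknownKeyTypeMsg(nil, "%s")) // the thread's garbled form
	fmt.Println(unknownKeyTypeMsg(nil, "%v")) // the readable form

	csr, err := ed25519CSR()
	if err != nil {
		panic(err)
	}
	name, err := classifyKey(csr.PublicKey)
	fmt.Println(csr.PublicKeyAlgorithm, name, err)

	_, err = classifyKey(nil)
	fmt.Println(err)
}
```

The point of the nil check is that a parser which does not recognise a key algorithm can hand the validator a nil interface rather than an error, and the validator's message is then the only clue; `%v` at least makes that clue legible.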

@_az You’re probably correct. Will you open an issue for that line? https://github.com/letsencrypt/boulder/blob/a6597b9f120207eff192c3e4107a7e49972a0250/goodkey/good_key.go#L82

Update: the PR mentioned by @jsha: https://github.com/letsencrypt/boulder/pull/4138

2 Likes

Thanks for the bug report @str255, and for the PR @_az. To add a little detail: Ed25519 isn’t really ready for certificates (which is the use case described here), but I believe it’s fully spec’ed out for use in JWK, and is a SHOULD in ACME (https://tools.ietf.org/html/rfc8555#page-12). However, Boulder doesn’t yet support it and it isn’t on an immediate roadmap.

3 Likes

It actually is: RFC 8410 - Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet X.509 Public Key Infrastructure

Ed25519 is the algorithm for EdDSA, which can be used, in theory, for X.509 certificates.

Unless with "ready" you mean the whole CA/B forum details. If so, you're totally right of course, we aren't that far yet.

3 Likes

Yep, I meant with regards to browser implementation and CA/Browser Forum Baseline Requirements. Thanks for the clarification!

2 Likes
