mirror of https://github.com/briansmith/webpki
Add support for Ed25519 certificates
This adds support for verification of Ed25519 certificates according to RFC 8410. Implements #49.

The test certificate was generated using OpenSSL 1.1.1a, using the following commands (CA.pl is distributed with OpenSSL):

    openssl genpkey -algorithm ed25519 -outform pem -out root_key.pem
    openssl req -new -x509 -days 9999 -extensions v3_ca -key root_key.pem \
      -inform pem -outform pem -out root_ed25519.pem
    echo root_ed25519.pem | CA.pl -newca
    openssl genpkey -algorithm ed25519 -outform pem -out client_key.pem
    openssl req -new -key client_key.pem -inform pem -outform pem \
      -out client_ed25519_csr.pem
    openssl ca -keyfile ./root_key.pem -days 999 -notext -in \
      client_ed25519_csr.pem -out client_ed25519.pem

I agree to license my contributions to each file under the terms given at the top of each file I changed.
parent
6c710deee8
commit
d139e98815
|
@ -0,0 +1 @@
|
|||
+ep
|
|
@ -267,6 +267,14 @@ pub static RSA_PSS_2048_8192_SHA512_LEGACY_KEY: SignatureAlgorithm =
|
|||
verification_alg: &signature::RSA_PSS_2048_8192_SHA512,
|
||||
};
|
||||
|
||||
/// ED25519 signatures according to RFC 8410
|
||||
pub static ED25519: SignatureAlgorithm =
|
||||
SignatureAlgorithm {
|
||||
public_key_alg_id: ED_25519,
|
||||
signature_alg_id: ED_25519,
|
||||
verification_alg: &signature::ED25519,
|
||||
};
|
||||
|
||||
struct AlgorithmIdentifier {
|
||||
asn1_id_value: &'static [u8],
|
||||
}
|
||||
|
@ -327,6 +335,9 @@ const RSA_PSS_SHA512: AlgorithmIdentifier = AlgorithmIdentifier {
|
|||
asn1_id_value: include_bytes!("data/alg-rsa-pss-sha512.der"),
|
||||
};
|
||||
|
||||
const ED_25519: AlgorithmIdentifier = AlgorithmIdentifier {
|
||||
asn1_id_value: include_bytes!("data/alg-ed25519.der"),
|
||||
};
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
|
@ -635,6 +646,7 @@ mod tests {
|
|||
&signed_data::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
|
||||
&signed_data::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
|
||||
&signed_data::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
|
||||
&signed_data::ED25519,
|
||||
|
||||
// Algorithms deprecated because they are annoying (P-521) or because
|
||||
// they are nonsensical combinations.
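Review bot: The doc comment on `ED25519` in the first hunk does not explain why `public_key_alg_id` and `signature_alg_id` both point at `ED_25519`. RFC 8410 uses a single OID (id-Ed25519, 1.3.101.112) for the key and the signature and requires the parameters field to be absent, so I would add `/// The same AlgorithmIdentifier, with no parameters, identifies both the public key and the signature.` above the static. If identifiers are compared byte-for-byte against `data/alg-ed25519.der` (the comparison is not visible in these hunks), that file has to contain exactly 06 03 2B 65 70. The one-line file at the top of this page that renders as `+ep` is consistent with the printable tail of those bytes, but a hex dump should confirm it. The private constant is spelled `ED_25519` while the public static is `ED25519`; a single spelling would be easier to search for.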
|
||||
|
|
|
@ -95,6 +95,7 @@ pub use signed_data::{
|
|||
RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
|
||||
RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
|
||||
RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
|
||||
ED25519,
|
||||
};
|
||||
|
||||
pub use time::Time;
|
||||
|
|
Binary file not shown.
Binary file not shown.
|
@ -50,7 +50,8 @@ static ALL_SIGALGS: &'static [&'static webpki::SignatureAlgorithm] = &[
|
|||
&webpki::RSA_PKCS1_2048_8192_SHA256,
|
||||
&webpki::RSA_PKCS1_2048_8192_SHA384,
|
||||
&webpki::RSA_PKCS1_2048_8192_SHA512,
|
||||
&webpki::RSA_PKCS1_3072_8192_SHA384
|
||||
&webpki::RSA_PKCS1_3072_8192_SHA384,
|
||||
&webpki::ED25519,
|
||||
];
|
||||
|
||||
/* Checks we can verify netflix's cert chain. This is notable
|
||||
|
@ -81,6 +82,29 @@ pub fn netflix()
|
|||
.unwrap();
|
||||
}
|
||||
|
||||
#[cfg(feature = "trust_anchor_util")]
|
||||
#[test]
|
||||
pub fn ed25519()
|
||||
{
|
||||
let ee = include_bytes!("ed25519/ee.der");
|
||||
let ca = include_bytes!("ed25519/ca.der");
|
||||
|
||||
let ee_input = untrusted::Input::from(ee);
|
||||
let anchors = vec![
|
||||
webpki::trust_anchor_util::cert_der_as_trust_anchor(
|
||||
untrusted::Input::from(ca)
|
||||
).unwrap()
|
||||
];
|
||||
let anchors = webpki::TLSServerTrustAnchors(&anchors);
|
||||
|
||||
let time = webpki::Time::from_seconds_since_unix_epoch(1547363522);
|
||||
|
||||
let cert = webpki::EndEntityCert::from(ee_input).unwrap();
|
||||
let _ = cert.verify_is_valid_tls_server_cert(ALL_SIGALGS, &anchors,
|
||||
&[], time)
|
||||
.unwrap();
|
||||
}
|
||||
|
||||
#[cfg(feature = "trust_anchor_util")]
|
||||
#[test]
|
||||
fn read_root_with_zero_serial() {
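Review bot: The new `ed25519` test passes `ALL_SIGALGS` and only checks that verification succeeds, so it shows neither that the Ed25519 entry validated the chain nor that the chain is rejected when Ed25519 is not offered. Passing `&[&webpki::ED25519]` to `verify_is_valid_tls_server_cert` would pin the positive case, and a second assertion such as `assert!(cert.verify_is_valid_tls_server_cert(&[&webpki::ECDSA_P256_SHA256], &anchors, &[], time).is_err());` would cover the negative one. For signature verification code, a rejection test (wrong algorithm list, or an end-entity certificate with a modified signature) matters at least as much as the acceptance test. The commit message documents generating PEM files, while the test loads `ed25519/ee.der` and `ed25519/ca.der`; recording the PEM-to-DER conversion step next to the test would make the fixtures reproducible.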
|
||||
|
|