Re: [openssl-users] EDDSA certificates
> > Generating a 2048 bit ED25519 private key > > Wait, 2048 bit ED25519 key? Looks like a printf bug :) -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] EDDSA certificates
Ah, thanks for the explanation Rich. On 08/08/2017 11:19 AM, Salz, Rich via openssl-users wrote: We don't add features to released versions, just bug-fixes. Ladar has posted a patch for 1.0.2 for those do-it-yourselfers who are so inclined. The 'master' branch, which will become 1.1.1 at some point, can do it: ; sh /tmp/x Generating a 2048 bit ED25519 private key Wait, 2048 bit ED25519 key? writing new private key to '/tmp/key.key' - ; cat /tmp/x ./apps/openssl req -new -outform PEM -out /tmp/cert.crt -newkey \ ed25519 -nodes -keyout /tmp/key.key -keyform PEM -days \ 3650 -x509 -extensions v3_req -subj \ "/C=us/O=organizationName/CN=common-name" So I guess the question for me is will it make it into Fedora 27 Bob -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] EDDSA certificates
We don't add features to released versions, just bug-fixes. Ladar has posted a patch for 1.0.2 for those do-it-yourselfers who are so inclined. The 'master' branch, which will become 1.1.1 at some point, can do it: ; sh /tmp/x Generating a 2048 bit ED25519 private key writing new private key to '/tmp/key.key' - ; cat /tmp/x ./apps/openssl req -new -outform PEM -out /tmp/cert.crt -newkey \ ed25519 -nodes -keyout /tmp/key.key -keyform PEM -days \ 3650 -x509 -extensions v3_req -subj \ "/C=us/O=organizationName/CN=common-name" -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] EDDSA certificates
I have read: https://github.com/openssl/openssl/issues/487 And I am trying to grok its meaning. I am running Fedora24 (I need to buy an new SSD before upgrading to F26) which has openssl 1.0.2k. There is a note of a patch to 1.0.2j, but talk about 1.1.1. I have attempted to read https://gist.github.com/ladar/e45e893901f30f480dd49265ba3c42c0 Is there a command line option for creating an ed25519 cert and if so what version? I tried: openssl req -new -outform PEM -out certs/$commonName.crt -newkey ed25519 -nodes -keyout private/$commonName.key -keyform PEM -days 3650 -x509 -extensions v3_req -subj "/countryName=$countryName/stateOrProvinceName=$stateOrProvinceName/localityName=$localityName/organizationName=$organizationName/organizationalUnitName=$organizationalUnitName/commonName=$commonName/emailAddress=$emailAddress" And got: Unknown algorithm ed25519 thanks. On 07/27/2017 10:45 AM, Benjamin Kaduk wrote: On 07/27/2017 09:18 AM, Robert Moskowitz wrote: Rich, Meant to ask you about this at IETF. Given draft-ietf-curdle-pkix-05.txt sec 10, is there openssl code to produce these??? There is code to validate them, per commit 4328dd41582bcdca8e4f51f0a3abadfafa2163ee. I didn't look hard enough to find how to generate them, but it ought to be there too. And, relatedly, what do you think about CBOR encoding rather than ASN.1? Kill ASN.1 in constrained devices and save on transmission costs? It seems hard to shift a big ecosystem and introduce risk of incompatibility, but I haven't really thought about it. -Ben -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] EDDSA certificates
On 07/27/2017 09:18 AM, Robert Moskowitz wrote: > Rich, > > Meant to ask you about this at IETF. > > Given draft-ietf-curdle-pkix-05.txt sec 10, is there openssl code to > produce these??? > There is code to validate them, per commit 4328dd41582bcdca8e4f51f0a3abadfafa2163ee. I didn't look hard enough to find how to generate them, but it ought to be there too. > And, relatedly, what do you think about CBOR encoding rather than > ASN.1? Kill ASN.1 in constrained devices and save on transmission costs? It seems hard to shift a big ecosystem and introduce risk of incompatibility, but I haven't really thought about it. -Ben -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] EDDSA certificates
Rich, Meant to ask you about this at IETF. Given draft-ietf-curdle-pkix-05.txt sec 10, is there openssl code to produce these??? And, relatedly, what do you think about CBOR encoding rather than ASN.1? Kill ASN.1 in constrained devices and save on transmission costs? Thanks Bob On 03/16/2017 07:04 PM, Salz, Rich via openssl-users wrote: Does any version of OpenSSL provide support for EDDSA, particularly creating and displaying the content of them? Not yet. EDDSA for 25519 and 448 would be great to have in the next relese, tho. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] EDDSA certificates
On 03/16/2017 04:04 PM, Salz, Rich via openssl-users wrote: Does any version of OpenSSL provide support for EDDSA, particularly creating and displaying the content of them? Not yet. EDDSA for 25519 and 448 would be great to have in the next relese, tho. Let's talk about it at IETF. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] EDDSA certificates
Does any version of OpenSSL provide support for EDDSA, particularly creating and displaying the content of them? Right now my interest is seeing what is involved in creating them with EC25519 and evaluating their size and how they parse. Or meet me at the IETF and talk to me about them. thank you -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users