Re: Creating an X25519 client certificate
On 3/17/21 9:48 PM, tincanteksup wrote:
> On 18/03/2021 01:22, Robert Moskowitz wrote:
>> On 3/17/21 8:17 PM, Viktor Dukhovni wrote:
>>> Well, CSRs are self-signed, and X25519 does not support signing, so
>>> you CANNOT have an X25519 CSR.
>>
>> Slap myself on the forehead
>>
>> Of course I know that. But did not stop to think this through. :(
>>
>> Will read through all this and get back here
>
> Wait until you spend 3 days waiting for an answer about Firefox which I
> accidentally asked in #VBox .. My forehead still bears the palm print
> and smarts! I think it was the 'ox' which blinded me for so long. ;-)

I will have to discuss this with Russ...

A quick 'solution' to proof of ownership COULD be achieved IF:

The CA has an ECDH cert signed with its signing cert.

The client uses this to create a shared secret to KMAC the CSR.

The devil is in the details and I have other fish to fry...
Re: Creating an X25519 client certificate
On 18/03/2021 01:22, Robert Moskowitz wrote:
> On 3/17/21 8:17 PM, Viktor Dukhovni wrote:
>> Well, CSRs are self-signed, and X25519 does not support signing, so
>> you CANNOT have an X25519 CSR.
>
> Slap myself on the forehead
>
> Of course I know that. But did not stop to think this through. :(
>
> Will read through all this and get back here

Wait until you spend 3 days waiting for an answer about Firefox which I
accidentally asked in #VBox .. My forehead still bears the palm print
and smarts! I think it was the 'ox' which blinded me for so long. ;-)
Re: Creating an X25519 client certificate
On 3/17/21 8:17 PM, Viktor Dukhovni wrote:
> On Wed, Mar 17, 2021 at 07:44:05PM -0400, Robert Moskowitz wrote:
>
>>>> I have created my X25519 pub/priv keypair with:
>>>>
>>>>     openssl genpkey -algorithm X25519\
>>>>         -out $dir/private/$clientemail-X.key.$format
>>>
>>> Are you sure you didn't want ed25519 instead? X25519 is a key agreement
>>> method, not a signature method.
>>
>> My limited understanding is that for encrypted S/MIME, an ECDH cert
>> is needed. Thus if ED25519 is used for signing said S/MIME, X25519 is
>> used for encrypting.
>
> I see, this is for CMS, so you're trying to support:
>
>     https://tools.ietf.org/html/draft-ietf-curdle-cms-ecdh-new-curves-10
>
>>>> openssl req -config $dir/openssl-intermediate.cnf\
>>>>     -key $dir/private/$clientemail-X.key.$format \
>>>>     -subj "$DN" -new -out $dir/csr/$clientemail-X.csr.$format
>>>>
>>>> which is what I used for ED25519 client certs. But I get an error:
>>>>
>>>> 140487683954496:error:0608D096:digital envelope routines:EVP_PKEY_sign_init:operation not supported for this keytype:crypto/evp/pmeth_fn.c:39:
>>>
>>> Not surprising, why do you expect this to work?
>>
>> Shooting from the hip, a bit. If I am going to have an X25519 cert,
>> then I need a csr and this is the command to make one. So try it and
>> see what it does. Not too well, it turns out.
>
> Well, CSRs are self-signed, and X25519 does not support signing, so
> you CANNOT have an X25519 CSR.

Slap myself on the forehead

Of course I know that. But did not stop to think this through. :(

Will read through all this and get back here

> You can however create an X25519 certificate directly for a given key:
>
>     https://crypto.stackexchange.com/questions/19452/static-dh-static-ecdh-certificate-using-openssl
>
> with other details (names, extensions, ...) pulled from a CSR. What you
> can't get is proof of possession.
>
>>>> Oh, and I am ASSuMEing that a CA cert of ED25519 signs an X25519 client
>>>> cert. Haven't found instructions on this, but it seems reasonable...
>>>
>>> https://crypto.stackexchange.com/questions/27866/why-curve25519-for-encryption-but-ed25519-for-signatures
>
> Well the CA can use any algorithm that supports signing, and is widely
> supported. It does not have to be Ed25519.
Re: Creating an X25519 client certificate
On Wed, Mar 17, 2021 at 07:44:05PM -0400, Robert Moskowitz wrote:

> >> I have created my X25519 pub/priv keypair with:
> >>
> >>     openssl genpkey -algorithm X25519\
> >>         -out $dir/private/$clientemail-X.key.$format
> >
> > Are you sure you didn't want ed25519 instead? X25519 is a key agreement
> > method, not a signature method.
>
> My limited understanding is that for encrypted S/MIME, an ECDH cert
> is needed. Thus if ED25519 is used for signing said S/MIME, X25519 is
> used for encrypting.

I see, this is for CMS, so you're trying to support:

    https://tools.ietf.org/html/draft-ietf-curdle-cms-ecdh-new-curves-10

> >> openssl req -config $dir/openssl-intermediate.cnf\
> >>     -key $dir/private/$clientemail-X.key.$format \
> >>     -subj "$DN" -new -out $dir/csr/$clientemail-X.csr.$format
> >>
> >> which is what I used for ED25519 client certs. But I get an error:
> >>
> >> 140487683954496:error:0608D096:digital envelope
> >> routines:EVP_PKEY_sign_init:operation not supported for this
> >> keytype:crypto/evp/pmeth_fn.c:39:
> >
> > Not surprising, why do you expect this to work?
>
> Shooting from the hip, a bit. If I am going to have an X25519 cert,
> then I need a csr and this is the command to make one. So try it and
> see what it does. Not too well, it turns out.

Well, CSRs are self-signed, and X25519 does not support signing, so
you CANNOT have an X25519 CSR. You can however create an X25519
certificate directly for a given key:

    https://crypto.stackexchange.com/questions/19452/static-dh-static-ecdh-certificate-using-openssl

with other details (names, extensions, ...) pulled from a CSR. What you
can't get is proof of possession.

> >> Oh, and I am ASSuMEing that a CA cert of ED25519 signs an X25519 client
> >> cert. Haven't found instructions on this, but it seems reasonable...
> >
> > https://crypto.stackexchange.com/questions/27866/why-curve25519-for-encryption-but-ed25519-for-signatures

Well the CA can use any algorithm that supports signing, and is widely
supported. It does not have to be Ed25519.

--
    Viktor.
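The workflow described in the message above, written out as an added example that is not part of the original thread or any participant's own commands: a CSR signed with an Ed25519 key supplies the names, and the CA substitutes the X25519 public key with `openssl x509 -force_pubkey`. The file names, subjects, throwaway CA and the keyUsage setting are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. File names, subjects and the throwaway CA are constructed.

# Client keys: Ed25519 for signing, X25519 for key agreement.
make_client_keys() {
    openssl genpkey -algorithm ED25519 -out "$1/client-sig.key" &&
    openssl genpkey -algorithm X25519 -out "$1/client-x.key" &&
    openssl pkey -in "$1/client-x.key" -pubout -out "$1/client-x.pub"
}

# Returns 0 when OpenSSL refuses to self-sign a CSR with the X25519 key,
# which is the failure reported in the thread.
x25519_csr_rejected() {
    ! openssl req -new -key "$1/client-x.key" -subj "/CN=client@example.com" \
        -out "$1/bad.csr" 2>/dev/null
}

# The CSR is signed with the Ed25519 key and supplies the subject name;
# -force_pubkey makes the CA certify the X25519 public key in its place.
# keyUsage=keyAgreement is a choice made for this example.
issue_x25519_cert() {
    printf 'keyUsage=critical,keyAgreement\n' > "$1/ext.cnf" &&
    openssl genpkey -algorithm ED25519 -out "$1/ca.key" &&
    openssl req -new -x509 -key "$1/ca.key" -subj "/CN=Example CA" \
        -days 30 -out "$1/ca.crt" &&
    openssl req -new -key "$1/client-sig.key" \
        -subj "/CN=client@example.com" -out "$1/client.csr" &&
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -force_pubkey "$1/client-x.pub" -extfile "$1/ext.cnf" \
        -days 30 -out "$1/client-x.crt" 2>/dev/null
}

# True when the certificate carries exactly the X25519 public key.
cert_matches_key() {
    [ "$(openssl x509 -in "$1/client-x.crt" -noout -pubkey)" = \
      "$(cat "$1/client-x.pub")" ] &&
    openssl x509 -in "$1/client-x.crt" -noout -text |
        grep -q 'Public Key Algorithm: X25519'
}

work=$(mktemp -d)
make_client_keys "$work" && x25519_csr_rejected "$work" &&
    issue_x25519_cert "$work" && cert_matches_key "$work" &&
    echo "issued $work/client-x.crt"
```

The CSR signature checked by the CA proves possession of the Ed25519 key only. Nothing in this flow shows that the requester holds the X25519 private key, which is the proof-of-possession gap noted in the thread.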
Re: Creating an X25519 client certificate
On 3/17/21 7:22 PM, Viktor Dukhovni wrote:
> On Wed, Mar 17, 2021 at 05:50:41PM -0400, Robert Moskowitz wrote:
>
>> I have created my X25519 pub/priv keypair with:
>>
>>     openssl genpkey -algorithm X25519\
>>         -out $dir/private/$clientemail-X.key.$format
>
> Are you sure you didn't want ed25519 instead? X25519 is a key agreement
> method, not a signature method.

My limited understanding is that for encrypted S/MIME, an ECDH cert is
needed. Thus if ED25519 is used for signing said S/MIME, X25519 is used
for encrypting.

I have seen CA Cert policies for "Device Encryption Certificates" that use:

    id-ecPublicKey {1 2 840 10045 2 1};

I need to talk to the CP author more about this and what he sees the
equiv Edward cert would look like.

>> openssl req -config $dir/openssl-intermediate.cnf\
>>     -key $dir/private/$clientemail-X.key.$format \
>>     -subj "$DN" -new -out $dir/csr/$clientemail-X.csr.$format
>>
>> which is what I used for ED25519 client certs. But I get an error:
>>
>> 140487683954496:error:0608D096:digital envelope routines:EVP_PKEY_sign_init:operation not supported for this keytype:crypto/evp/pmeth_fn.c:39:
>
> Not surprising, why do you expect this to work?

Shooting from the hip, a bit. If I am going to have an X25519 cert, then
I need a csr and this is the command to make one. So try it and see what
it does. Not too well, it turns out.

>> Can someone point me to what I am missing?
>>
>> Oh, and I am ASSuMEing that a CA cert of ED25519 signs an X25519 client
>> cert. Haven't found instructions on this, but it seems reasonable...
>
> https://crypto.stackexchange.com/questions/27866/why-curve25519-for-encryption-but-ed25519-for-signatures

Very familiar with this point and did look at this response during my
searches today.

I quite understand in TLS the use of EdDSA certs that allow
keyEncipherment and ?dataEncipherment? to permit an ECDHE exchange.

But my limited research claims that for S/MIME you can have an X25519
cert for static ECDH, rather than ephemeral, saving supposedly the
exchange of keys before sending encrypted S/MIME.
Re: Creating an X25519 client certificate
On Wed, Mar 17, 2021 at 05:50:41PM -0400, Robert Moskowitz wrote:

> I have created my X25519 pub/priv keypair with:
>
>     openssl genpkey -algorithm X25519\
>         -out $dir/private/$clientemail-X.key.$format

Are you sure you didn't want ed25519 instead? X25519 is a key agreement
method, not a signature method.

> openssl req -config $dir/openssl-intermediate.cnf\
>     -key $dir/private/$clientemail-X.key.$format \
>     -subj "$DN" -new -out $dir/csr/$clientemail-X.csr.$format
>
> which is what I used for ED25519 client certs. But I get an error:
>
> 140487683954496:error:0608D096:digital envelope
> routines:EVP_PKEY_sign_init:operation not supported for this
> keytype:crypto/evp/pmeth_fn.c:39:

Not surprising, why do you expect this to work?

> Can someone point me to what I am missing?
>
> Oh, and I am ASSuMEing that a CA cert of ED25519 signs an X25519 client
> cert. Haven't found instructions on this, but it seems reasonable...

https://crypto.stackexchange.com/questions/27866/why-curve25519-for-encryption-but-ed25519-for-signatures

--
    Viktor.