feat: can sign ocsp with ed25519 #1420

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

Minipada wants to merge 1 commit into cloudflare:master from Minipada:feature/sign-ocsp-ed25519

Minipada commented Apr 15, 2025 •

edited

Loading

Summary

This patch adds support for signing OCSP responses with Ed25519 keys in CFSSL's vendored golang.org/x/crypto/ocsp package.

What's Changed

introduced OID for Ed25519 (1.3.101.112) in oidSignatureEd25519
added support for ed25519.PublicKey in signingParamsForPublicKey
updated signatureAlgorithmDetails to include x509.PureEd25519
when ed25519.PublicKey is detected, the appropriate signature algorithm is selected and crypto.SHA512 is set as the hash (dummy value — EdDSA does not use prehashing)
improved error message to reflect that EdDSA is now supported

Notes

while Ed25519 doesn't require a prehash, crypto.SHA512 is currently used as a placeholder to satisfy interfaces — in practice, the signing code path avoids hashing when Hash(0) is detected.
this is part of broader support for modern cryptographic algorithms within CFSSL’s OCSP response generation pipeline.

To use with golang/crypto#319


          feat: can sign ocsp with ed25519

e5be173

Minipada force-pushed the feature/sign-ocsp-ed25519 branch from 6e62e2a to e5be173 Compare

April 15, 2025 17:33

Minipada mentioned this pull request

crypto/ocsp: add support for Ed25519 signatures in OCSP responses golang/crypto#319

Open

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet