feat: can sign ocsp with ed25519 #1420

Minipada · 2025-04-15T17:33:19Z

Summary

This patch adds support for signing OCSP responses with Ed25519 keys in CFSSL's vendored golang.org/x/crypto/ocsp package.

What's Changed

introduced OID for Ed25519 (1.3.101.112) in oidSignatureEd25519
added support for ed25519.PublicKey in signingParamsForPublicKey
updated signatureAlgorithmDetails to include x509.PureEd25519
when ed25519.PublicKey is detected, the appropriate signature algorithm is selected and crypto.SHA512 is set as the hash (dummy value — EdDSA does not use prehashing)
improved error message to reflect that EdDSA is now supported

Notes

while Ed25519 doesn't require a prehash, crypto.SHA512 is currently used as a placeholder to satisfy interfaces — in practice, the signing code path avoids hashing when Hash(0) is detected.
this is part of broader support for modern cryptographic algorithms within CFSSL’s OCSP response generation pipeline.

feat: can sign ocsp with ed25519

e5be173

Minipada force-pushed the feature/sign-ocsp-ed25519 branch from 6e62e2a to e5be173 Compare April 15, 2025 17:33

Minipada mentioned this pull request Apr 16, 2025

crypto/ocsp: add support for Ed25519 signatures in OCSP responses golang/crypto#319

Open

Provide feedback