Add Ed25519/Ed448 support to EVP layer #10135
JacobBarthelmeh merged 10 commits into wolfSSL:master from
Conversation
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Adds missing Ed25519/Ed448 OID↔NID mappings to avoid regressions when Ed25519k/Ed448k certificates are processed via the oid2nid() path (notably impacting NGINX/OpenVPN scenarios).
Changes:
- Map WC_NID_ED25519/WC_NID_ED448 to ED25519k/ED448k in nid2oid().
- Map ED25519k/ED448k to WC_NID_ED25519/WC_NID_ED448 in oid2nid().
- Add build-flag guards (HAVE_ED25519, HAVE_ED448) around the new switch cases.
When wc_DhKeyDecode() rejected the input, d2iTryAltDhKey() returned 0 after freeing the DH object. d2i_evp_pkey_try() treats any value >= 0 as success, so a non-DH input would stop the probe chain at the DH step and never reach the Falcon, Dilithium, Ed25519, or Ed448 probes that follow. d2i_PUBKEY()/d2i_PrivateKey() consequently returned NULL for any key type past DH in the chain.
- Add WC_EVP_PKEY_ED25519 / WC_EVP_PKEY_ED448 type constants and matching EVP_PKEY_ED25519 / EVP_PKEY_ED448 OpenSSL aliases.
- Extend WOLFSSL_EVP_PKEY with ed25519/ed448 fields and ownership bits, and free them in wolfSSL_EVP_PKEY_free().
- Add d2i probe functions that accept both SubjectPublicKeyInfo / PKCS#8 PrivateKeyInfo encodings and raw 32/57-byte key material, and hook them into the d2i_evp_pkey_try() chain.
- Map the Ed25519/Ed448 signature OIDs in the relevant lookups and teach the PEM key-format dispatch and SSL_CTX_use_PrivateKey switch about the new types.
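The probe-chain failure described in the two commit messages above, as an added example that is not wolfSSL code. It models d2i_evp_pkey_try() with toy probes that follow the contract the description implies (return >= 0 when the input was handled, < 0 when it was rejected; the chain stops at the first non-negative return). probe_dh_buggy() reproduces the pre-fix DH step that reported 0 on rejection, and the Ed25519/Ed448 probes accept either raw 32/57-byte material or a DER encoding carrying the algorithm OID. The probe names, the key_type enum, decode_key(), decode_raw_sample() and the sample byte strings are all assumptions made for this example; the OID encodings are the standard ones.

```c
/*
 * Added example, not wolfSSL code. Models the d2i_evp_pkey_try() probe chain:
 * a probe returns >= 0 when it handled the input, < 0 when it rejected it,
 * and the chain stops at the first non-negative return. probe_dh_buggy()
 * reproduces the pre-fix DH step (0 on rejection). All names and sample
 * byte strings below are assumptions made for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum key_type { KEY_NONE = 0, KEY_DH, KEY_ED25519, KEY_ED448 };

typedef int (*probe_fn)(const uint8_t *in, size_t len, enum key_type *out);

/* DER TLVs of the algorithm OIDs: id-Ed25519 1.3.101.112 and id-Ed448 1.3.101.113
 * (RFC 8410), dhKeyAgreement 1.2.840.113549.1.3.1 (PKCS#3). */
static const uint8_t OID_ED25519[] = {0x06,0x03,0x2b,0x65,0x70};
static const uint8_t OID_ED448[]   = {0x06,0x03,0x2b,0x65,0x71};
static const uint8_t OID_DH[] = {0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x03,0x01};

/* Byte-substring search; enough to spot an AlgorithmIdentifier in SPKI / PKCS#8. */
static int has_oid(const uint8_t *in, size_t len, const uint8_t *oid, size_t oidlen)
{
    for (size_t i = 0; i + oidlen <= len; i++)
        if (memcmp(in + i, oid, oidlen) == 0)
            return 1;
    return 0;
}

/* Toy stand-in for the DH decode: a DER SEQUENCE carrying dhKeyAgreement. */
static int probe_dh_fixed(const uint8_t *in, size_t len, enum key_type *out)
{
    if (len > 2 && in[0] == 0x30 && has_oid(in, len, OID_DH, sizeof OID_DH)) {
        *out = KEY_DH;
        return 0;
    }
    return -1;   /* rejection is negative, so the chain keeps probing */
}

/* Pre-fix behaviour: the DH step reports 0 whether or not it decoded anything. */
static int probe_dh_buggy(const uint8_t *in, size_t len, enum key_type *out)
{
    (void)probe_dh_fixed(in, len, out);
    return 0;    /* looks like success to the caller while *out may still be KEY_NONE */
}

/* Accept raw key material of exactly rawlen bytes, or DER (SPKI / PKCS#8) containing the OID. */
static int probe_ed(const uint8_t *in, size_t len, const uint8_t *oid, size_t oidlen,
                    size_t rawlen, enum key_type t, enum key_type *out)
{
    if (len == rawlen || (len > 2 && in[0] == 0x30 && has_oid(in, len, oid, oidlen))) {
        *out = t;
        return 0;
    }
    return -1;
}

static int probe_ed25519(const uint8_t *in, size_t len, enum key_type *out)
{
    return probe_ed(in, len, OID_ED25519, sizeof OID_ED25519, 32, KEY_ED25519, out);
}

static int probe_ed448(const uint8_t *in, size_t len, enum key_type *out)
{
    return probe_ed(in, len, OID_ED448, sizeof OID_ED448, 57, KEY_ED448, out);
}

/* Mirrors d2i_evp_pkey_try(): the first probe returning >= 0 ends the search. */
enum key_type decode_key(const uint8_t *in, size_t len, int use_fixed_dh)
{
    const probe_fn chain[] = {
        use_fixed_dh ? probe_dh_fixed : probe_dh_buggy,
        probe_ed25519,
        probe_ed448,
    };
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) {
        enum key_type t = KEY_NONE;
        if (chain[i](in, len, &t) >= 0)
            return t;   /* KEY_NONE here is the NULL that d2i_PUBKEY()/d2i_PrivateKey() returned */
    }
    return KEY_NONE;
}

/* Constructed sample: Ed25519 SubjectPublicKeyInfo around a dummy all-0x11 key (not a real key). */
static const uint8_t SAMPLE_ED25519_SPKI[44] = {
    0x30,0x2a, 0x30,0x05, 0x06,0x03,0x2b,0x65,0x70, 0x03,0x21,0x00,
    0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11, 0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,
    0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11, 0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,
};

/* Constructed sample: a syntactically valid but empty dhKeyAgreement SPKI (no real parameters). */
static const uint8_t SAMPLE_DH_SPKI[18] = {
    0x30,0x10, 0x30,0x0b, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x03,0x01, 0x03,0x01,0x00,
};

/* Feeds n bytes of dummy raw key material (0x42) through the chain. */
enum key_type decode_raw_sample(size_t n, int use_fixed_dh)
{
    uint8_t buf[64];
    if (n > sizeof buf) return KEY_NONE;
    memset(buf, 0x42, n);
    return decode_key(buf, n, use_fixed_dh);
}
```

With the buggy DH step, raw 32- or 57-byte input and the Ed25519 SPKI all come back as KEY_NONE because the chain halts at DH; with the fixed step they reach the Ed25519/Ed448 probes, while genuine DH input is still classified as DH in both variants.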
Pull request overview
Copilot reviewed 9 out of 9 changed files in this pull request and generated 13 comments.
Jenkins retest this please.
Pull request overview
Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.
Pull request overview
Copilot reviewed 16 out of 16 changed files in this pull request and generated 3 comments.
JacobBarthelmeh left a comment
After some direct messages, the 2 new wolfSSL_* APIs should be moved out of the wolfssl/wolfcrypt/*.h files for use in FIPS builds.
Description
--enable-opensslall was only recently added to --enable-nginx
Fixes zd#21503 and zd#21514
Testing
Tested by customer and new unit tests
Checklist