pki_crypto: Support Ed25519 keys in PEM files

This adds support for Ed25519 keys from files in PEM format when using OpenSSL with Ed25519 support. The default encoding for the PEM file is expected to be PKCS#8. Encrypted files are supported. For the lack of an API, it is not possible to export keys in PEM format, only in OpenSSH format. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> (cherry picked from commit a3a0529b41)
2026-02-09 09:54:25 +09:00 · 2019-08-30 18:41:16 +02:00
parent 3f6820694e
commit 4f7cb6076a
3 changed files with 229 additions and 22 deletions
--- a/tests/unittests/torture_pki_ed25519.c
+++ b/tests/unittests/torture_pki_ed25519.c
@@ -643,14 +643,131 @@ static void torture_pki_ed25519_sign(void **state)
    assert_non_null(blob);

    assert_int_equal(ssh_string_len(blob), sizeof(ref_signature));
-    assert_memory_equal(ssh_string_data(blob), ref_signature, sizeof(ref_signature));
-    /* ssh_print_hexa("signature", ssh_string_data(blob), ssh_string_len(blob)); */
+    assert_memory_equal(ssh_string_data(blob), ref_signature,
+                        sizeof(ref_signature));
+
    ssh_signature_free(sig);
    SSH_KEY_FREE(privkey);
    SSH_STRING_FREE(blob);

 }

+static void torture_pki_ed25519_sign_openssh_privkey_passphrase(void **state)
+{
+    ssh_key privkey = NULL;
+    ssh_signature sig = NULL;
+    ssh_string blob = NULL;
+    const char *keystring = NULL;
+    int rc;
+
+    /* Skip test if in FIPS mode */
+    if (ssh_fips_mode()) {
+        skip();
+    }
+
+    (void)state;
+
+    keystring = torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 1);
+    rc = ssh_pki_import_privkey_base64(keystring,
+                                       torture_get_testkey_passphrase(),
+                                       NULL,
+                                       NULL,
+                                       &privkey);
+    assert_true(rc == SSH_OK);
+    assert_non_null(privkey);
+
+    sig = pki_do_sign(privkey, HASH, sizeof(HASH), SSH_DIGEST_AUTO);
+    assert_non_null(sig);
+
+    blob = pki_signature_to_blob(sig);
+    assert_non_null(blob);
+    assert_int_equal(ssh_string_len(blob), sizeof(ref_signature));
+    assert_memory_equal(ssh_string_data(blob), ref_signature,
+                        sizeof(ref_signature));
+
+    ssh_signature_free(sig);
+    SSH_KEY_FREE(privkey);
+    SSH_STRING_FREE(blob);
+}
+
+#ifdef HAVE_OPENSSL_ED25519
+static void torture_pki_ed25519_sign_pkcs8_privkey(void **state)
+{
+    ssh_key privkey = NULL;
+    ssh_signature sig = NULL;
+    ssh_string blob = NULL;
+    const char *keystring = NULL;
+    int rc;
+
+    /* Skip test if in FIPS mode */
+    if (ssh_fips_mode()) {
+        skip();
+    }
+
+    (void)state;
+
+    keystring = torture_get_testkey(SSH_KEYTYPE_ED25519, 0);
+    rc = ssh_pki_import_privkey_base64(keystring,
+                                       NULL,
+                                       NULL,
+                                       NULL,
+                                       &privkey);
+    assert_true(rc == SSH_OK);
+    assert_non_null(privkey);
+
+    sig = pki_do_sign(privkey, HASH, sizeof(HASH), SSH_DIGEST_AUTO);
+    assert_non_null(sig);
+
+    blob = pki_signature_to_blob(sig);
+    assert_non_null(blob);
+    assert_int_equal(ssh_string_len(blob), sizeof(ref_signature));
+    assert_memory_equal(ssh_string_data(blob), ref_signature,
+                        sizeof(ref_signature));
+
+    ssh_signature_free(sig);
+    SSH_KEY_FREE(privkey);
+    SSH_STRING_FREE(blob);
+}
+
+static void torture_pki_ed25519_sign_pkcs8_privkey_passphrase(void **state)
+{
+    ssh_key privkey = NULL;
+    ssh_signature sig = NULL;
+    ssh_string blob = NULL;
+    const char *keystring = NULL;
+    int rc;
+
+    /* Skip test if in FIPS mode */
+    if (ssh_fips_mode()) {
+        skip();
+    }
+
+    (void)state;
+
+    keystring = torture_get_testkey(SSH_KEYTYPE_ED25519, 1);
+    rc = ssh_pki_import_privkey_base64(keystring,
+                                       torture_get_testkey_passphrase(),
+                                       NULL,
+                                       NULL,
+                                       &privkey);
+    assert_true(rc == SSH_OK);
+    assert_non_null(privkey);
+
+    sig = pki_do_sign(privkey, HASH, sizeof(HASH), SSH_DIGEST_AUTO);
+    assert_non_null(sig);
+
+    blob = pki_signature_to_blob(sig);
+    assert_non_null(blob);
+    assert_int_equal(ssh_string_len(blob), sizeof(ref_signature));
+    assert_memory_equal(ssh_string_data(blob), ref_signature,
+                        sizeof(ref_signature));
+
+    ssh_signature_free(sig);
+    SSH_KEY_FREE(privkey);
+    SSH_STRING_FREE(blob);
+}
+#endif /* HAVE_OPENSSL_ED25519 */
+
 static void torture_pki_ed25519_verify(void **state){
    ssh_key pubkey = NULL;
    ssh_signature sig = NULL;
@@ -895,6 +1012,11 @@ int torture_run_tests(void) {
                                        teardown),
        cmocka_unit_test(torture_pki_ed25519_import_privkey_base64_passphrase),
        cmocka_unit_test(torture_pki_ed25519_sign),
+        cmocka_unit_test(torture_pki_ed25519_sign_openssh_privkey_passphrase),
+#ifdef HAVE_OPENSSL_ED25519
+        cmocka_unit_test(torture_pki_ed25519_sign_pkcs8_privkey),
+        cmocka_unit_test(torture_pki_ed25519_sign_pkcs8_privkey_passphrase),
+#endif
        cmocka_unit_test(torture_pki_ed25519_verify),
        cmocka_unit_test(torture_pki_ed25519_verify_bad),
        cmocka_unit_test(torture_pki_ed25519_privkey_dup),