openssl doesn't accept ring generated ed25519 key pairs #9134

Closed
est31 opened this issue Jun 11, 2019 · 7 comments
Labels
help wanted triaged: feature The issue/pr requests/adds a feature

Comments

@est31

est31 commented Jun 11, 2019

Rust snippet used to generate the ed25519 key:

extern crate ring; // "0.14" in Cargo.toml
extern crate pem; // "0.6" in Cargo.toml

use ring::rand::SystemRandom;
use ring::signature::Ed25519KeyPair;

fn main() {
	// Generate a fresh key pair and serialize it as a PKCS#8 document (ring emits v2, see below).
	let system_random = SystemRandom::new();
	let key_pair_doc = Ed25519KeyPair::generate_pkcs8(&system_random).unwrap();
	let key_pair_serialized = key_pair_doc.as_ref().to_vec();
	// Wrap the DER bytes in a PEM "PRIVATE KEY" block, the label openssl expects for PKCS#8.
	let p = pem::Pem {
		tag : "PRIVATE KEY".to_string(),
		contents : key_pair_serialized,
	};
	println!("{}", pem::encode(&p));
}

Example for a generated key:

-----BEGIN PRIVATE KEY-----
MFMCAQEwBQYDK2VwBCIEIGIsMDbeo5rdiq208eOfvZlm3K9SHOsDUt2FI2js1z9Y
oSMDIQDN0z6SeMgqmKvsBQ8E8qcQW5ZJebea7drLQyq7513ovQ==
-----END PRIVATE KEY-----

If you put the Rust generated key into a file key.pem and then create a CSR and try to sign it, you'll get an error:

$ openssl req -new > cert.csr
$ openssl x509 -in cert.csr -out cert.pem -req -signkey key.pem -days 1001
Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Getting Private key
unable to load Private key
140392011777152:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130:
140392011777152:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:553:Field=attributes, Type=PKCS8_PRIV_KEY_INFO
140392011777152:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:

Example CSR (the CSR uses RSA-2048):

-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

Generating an ed25519 key with openssl and using it to sign the CSR works great:

$ openssl x509 -in cert.csr -out cert.pem -req -signkey key2.pem -days 1001
Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Getting Private key

The version of the openssl CLI is 1.1.1b (ubuntu distro build).

See also rustls/rcgen#11 where I use the openssl library to load the private key and where it's giving me a similar "wrong tag" error (I've tried both versions 1.1.1b and 1.1.1c; both fail).

See also briansmith/ring#833 which is about the other direction: the default parsing function of ring for ed25519 keys is unable to read certificates generated by openssl, at least with the default flags (dunno if there are custom flags/modes to generate certificates that ring wants). It seems that openssl and ring are incompatible with each other, which is very sad :/.

If I compare the keys that ring generates with the keys that openssl generates, I note two differences: first, the version field is set to 0 (v1) in openssl, while the version field is set to 1 (v2) in ring. Second, ring includes the public key while openssl doesn't. Both set the version field consistently with RFC 5958, which states:

  • version identifies the version of OneAsymmetricKey. If publicKey
    is present, then version is set to v2 else version is set to v1.

Maybe openssl is just unable to read the public key (v2 encoded keys)?

cc @briansmith author of ring.

@briansmith
Contributor

ring generates PKCS#8 v2 for Ed25519 and (eventually) X25519 so that the public key can be included, so that the pairwise consistency check required by some NIST standards can be done by the receiving side. (NIST doesn't have standards for Ed25519 yet but I expect they will require a pairwise consistency check like they do for RSA, ECDSA, and ECDH if/when they allow Ed25519.)

@kroeckx
Member

kroeckx commented Jun 11, 2019 via email

@kroeckx
Member

kroeckx commented Jun 11, 2019 via email

@briansmith
Contributor

For the format OpenSSL uses, see RFC 8410.

But using the example from the RFC that includes the public key doesn't seem to work.

It's PKCS#8 v2 format, like ring generates.
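To make the v1/v2 difference discussed above (est31's comparison of the two encodings, and the RFC 8410 / PKCS#8 v2 pointer in this comment) concrete, here is an added Python example that is not part of the issue and not ring's or OpenSSL's code. It decodes the ring-generated key posted at the top of the issue with a minimal DER reader, reports the RFC 5958 OneAsymmetricKey fields (version, algorithm OID, seed, optional attributes and publicKey), and re-encodes the same seed as a v1 document with the publicKey dropped, which is the shape OpenSSL itself emits and which the thread shows loading without the "wrong tag" error. Two details are worth knowing: the posted key carries its public key as a constructed [1] element (tag 0xA1) wrapping a BIT STRING, whereas the RFC 5958 module is defined with IMPLICIT tags, so a strictly conforming encoder emits a primitive [1] (tag 0x81) holding the BIT STRING contents directly; the parser accepts both forms. The pairwise consistency check briansmith mentions (deriving the public key from the seed and comparing it with the embedded one) needs an Ed25519 implementation and is not performed here. All helper names are this example's own.

```python
import base64
import re

# Constructed input: the ring-generated PKCS#8 v2 key posted in this issue.
RING_V2_PEM = """-----BEGIN PRIVATE KEY-----
MFMCAQEwBQYDK2VwBCIEIGIsMDbeo5rdiq208eOfvZlm3K9SHOsDUt2FI2js1z9Y
oSMDIQDN0z6SeMgqmKvsBQ8E8qcQW5ZJebea7drLQyq7513ovQ==
-----END PRIVATE KEY-----
"""

ED25519_OID = "1.3.101.112"  # id-Ed25519 (RFC 8410)


def pem_to_der(pem):
    body = re.sub(r"-----[A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def der_to_pem(der, label="PRIVATE KEY"):
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def read_tlv(buf, pos):
    """Read one DER element at pos: returns (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def encode_tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_one_asymmetric_key(der):
    """Parse an RFC 5958 OneAsymmetricKey (PKCS#8 v1 or v2) carrying an RFC 8410 curve key."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected one outer SEQUENCE")
    tag, ver, pos = read_tlv(body, 0)        # version INTEGER: 0 = v1, 1 = v2
    tag_alg, alg, pos = read_tlv(body, pos)  # AlgorithmIdentifier SEQUENCE
    _, oid_raw, _ = read_tlv(alg, 0)
    tag_pk, priv, pos = read_tlv(body, pos)  # privateKey OCTET STRING
    if (tag, tag_alg, tag_pk) != (0x02, 0x30, 0x04):
        raise ValueError("unexpected tags in OneAsymmetricKey")
    _, seed, _ = read_tlv(priv, 0)           # CurvePrivateKey ::= OCTET STRING (the 32-byte seed)
    info = {"version": int.from_bytes(ver, "big"), "algorithm": decode_oid(oid_raw),
            "oid_raw": oid_raw, "seed": seed, "attributes": None, "public_key": None}
    while pos < len(body):                   # optional trailing elements
        tag, val, pos = read_tlv(body, pos)
        if tag == 0xA0:                      # attributes [0] IMPLICIT Attributes
            info["attributes"] = val
        elif tag == 0x81:                    # publicKey [1] IMPLICIT BIT STRING (RFC 5958 module)
            info["public_key"] = val[1:]     # drop the unused-bits octet
        elif tag == 0xA1:                    # [1] wrapping a BIT STRING TLV, as in the posted key
            _, bits, _ = read_tlv(val, 0)
            info["public_key"] = bits[1:]
    return info


def encode_pkcs8(info, version, implicit_public_key=True):
    """Re-encode as v1 (version 0, no publicKey) or v2 (version 1, publicKey included)."""
    body = encode_tlv(0x02, bytes([version]))
    body += encode_tlv(0x30, encode_tlv(0x06, info["oid_raw"]))
    body += encode_tlv(0x04, encode_tlv(0x04, info["seed"]))
    if version == 1 and info["public_key"] is not None:
        bits = b"\x00" + info["public_key"]
        body += encode_tlv(0x81, bits) if implicit_public_key else encode_tlv(0xA1, encode_tlv(0x03, bits))
    return encode_tlv(0x30, body)


def ring_key_to_v1_pem(pem):
    """The form an OpenSSL 1.1.1 consumer loads: same seed, version 0, publicKey dropped."""
    return der_to_pem(encode_pkcs8(parse_one_asymmetric_key(pem_to_der(pem)), version=0))


if __name__ == "__main__":
    info = parse_one_asymmetric_key(pem_to_der(RING_V2_PEM))
    print("version=%d algorithm=%s publicKey present=%s"
          % (info["version"], info["algorithm"], info["public_key"] is not None))
    print(ring_key_to_v1_pem(RING_V2_PEM))
```

Running it prints version 1, the id-Ed25519 OID and a v1 PEM whose body starts with the familiar `MC4CAQAwBQYDK2Vw` prefix of an OpenSSL-generated Ed25519 key. Dropping the public key is lossless for the key material, since an Ed25519 public key is derived deterministically from the seed, but it also discards the value a receiver would use for the pairwise consistency check, which is exactly the trade-off the two encodings make.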

@est31
Author

est31 commented Jun 11, 2019

But using the example from the RFC that includes the public key doesn't seem to work.

fwiw, ring doesn't accept it either. Probably because of the additional attribute.

@levitte
Member

levitte commented Nov 19, 2019

#10468 is a new issue specifically asking for PKCS#8 v2. We can close this one.

@levitte levitte closed this as completed Nov 19, 2019
@est31
Author

est31 commented Nov 19, 2019

Yeah, I realized later that this bug was formulated in a bad way. Opening a new one is a good idea.
