Certificate Authority using ed25519 key on Gnuk?
Terminada
gnupg.org@terminada.io
Fri Oct 4 10:54:46 CEST 2024
On 4/10/24 17:34, Werner Koch wrote:
> On Fri, 4 Oct 2024 09:20, NIIBE Yutaka said:
>
>> I don't know for X.509 CA use cases. Could you please ask gnupg-devel?
>
> The problem with ed25519 X.509 certificates is that we don't have real
> sample data or a large CA which uses such certificates. IIRC, I
> implemented X.509 support for ed25519 or at least for ECDSA keys but it
> has never been thoroughly tested.
>
Maybe I don't need to ask on gnupg-devel since I have the ear of both
Werner Koch and NIIBE Yutaka?
It certainly looks like the functionality should work based upon what
the commit link said:
https://dev.gnupg.org/rG6dc3846d78192e393be73c16c72750734a9174d1
But I am not a developer, so I wouldn't know.
Here is what I did:
I compiled and installed to my local user account GnuPG software devel
version 2.5.1 after first compiling and locally installing all the
dependency libraries which my Debian Bookworm system doesn't have
(libgpg-error-1.50, libgcrypt-1.11.0, libassuan-3.0.0, libksba-1.6.7).
Then I reconfigured my Debian /usr/lib/systemd/user/gpg-agent.service to
use the newly installed versions in my local user path after configuring
appropriate PATH and LD_LIBRARY_PATH variables in user $HOME/.profile.
gpg --version
> gpg (GnuPG) 2.5.1
> libgcrypt 1.11.0
> ...
gpg --card-status sees my Gnuk token correctly exactly as it does under
the Debian stable version of gnupg.
gpg-agent log:
> 2024-10-04 16:58:03 gpg-agent[1066523] gpg-agent (GnuPG) 2.5.1 started
> 2024-10-04 16:58:03 gpg-agent[1066523] card has S/N: D276000124010200FFFE3931CF920000
Now trying gpgsm again to create a self signed CA:
gpgsm --armor --gen-key
gpgsm (GnuPG) 2.5.1; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA
(2) Existing key
(3) Existing key from card
Your selection? 3
Serial number of the card: D276000124010200FFFE3931CF920000
Available keys:
(1) FD125D82F23050A7BB3AE9069BB63C0D29FB0CEC OPENPGP.1 ed25519 (cert,sign)
(2) 5EA0EB1BA041CC48A0F1CAD493ED8A41D3C7D6CB OPENPGP.2 cv25519 (encr)
(3) E652047FB00D17CB06A0C49BDDBE279521B95984 OPENPGP.3 ed25519 (sign,auth)
Your selection? 1
Possible actions for a RSA key:
(1) sign, encrypt
(2) sign
(3) encrypt
Your selection? 2
Enter the X.509 subject name: CN=example.org CA, O=example.org, C=US
Enter email addresses (end with an empty line):
> admin@example.org
>
Enter DNS names (optional; end with an empty line):
>
Enter URIs (optional; end with an empty line):
>
Enter extensions (optional; end with an empty line):
>
Create self-signed certificate? (y/N) y
These parameters are used:
Key-Type: card:OPENPGP.1
Key-Length: 1024
Key-Usage: sign
Serial: random
Name-DN: CN=example.org CA, O=example.org, C=AU
Name-Email: admin@example.org
Proceed with creation? (y/N) y
Now creating self-signed certificate. This may take a while ...
gpgsm: about to sign the certificate for key: &FD125D82F23050A7BB3AE9069BB63C0D29FB0CEC
gpgsm: signing failed: Not implemented
gpgsm: error creating certificate request: Not implemented <GPG Agent>
Just in case, I re-tried with the parameter file used in the linked
commit after changing the Key-Grip value to my key. But unfortunately,
I received the exact same error.
Maybe I am doing something wrong or I have installed some component
incorrectly?
I am prepared to install Debian sid to a spare machine and then install
gnupg from the "experimental" distribution which has gnupg version
2.4.5, if you think that might make a difference?
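As an added example (not part of the post above, and not GnuPG's own code), the shell helpers below cover the two checks a reader of this thread would want before blaming gpgsm: whether the gpg-agent answering the session, and the libgcrypt it links against, really come from the locally installed prefix, and what the unattended parameter block for "gpgsm --batch --gen-key" looks like for the card key chosen interactively above. Assumptions, mine and not the post's: the prefix is $HOME/.local (override with PREFIX), the card keyref is one of OPENPGP.1..3 as gpgsm lists them, and the ldd line used in the comments is constructed sample output. The parameter keywords (Key-Type: card:KEYREF, Key-Usage, Serial, Name-DN, Name-Email) are the ones gpgsm printed in the post.

```shell
#!/bin/sh
# Added example, not from the post or from GnuPG. Helpers around the
# "locally built GnuPG 2.5.1 + gpgsm --gen-key from a card key" procedure.
# Assumption: the local install prefix is $HOME/.local unless PREFIX is set.
set -eu

PREFIX="${PREFIX:-${HOME:-}/.local}"

# A card key reference as gpgsm lists it under "Available keys:", e.g. OPENPGP.1.
valid_keyref() {
  case "$1" in
    OPENPGP.[123]) return 0 ;;
    *) return 1 ;;
  esac
}

# A keygrip is 40 upper-case hex digits (the first column of that listing).
valid_keygrip() {
  printf '%s' "$1" | grep -Eq '^[0-9A-F]{40}$'
}

# From "ldd <binary>" output on stdin, print the path libgcrypt resolves to.
# Constructed sample line this parses:
#   "\tlibgcrypt.so.20 => /home/u/.local/lib/libgcrypt.so.20 (0x00007f...)"
# If gpg-agent still resolves the Debian libgcrypt, the new build is not
# the one doing the signing, whatever "gpg --version" says.
libgcrypt_path() {
  awk '/libgcrypt\.so/ { print $3; exit }'
}

# Is a path located under the given prefix?
under_prefix() {
  case "$1" in
    "$2"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# The unattended parameter block equivalent to the interactive answers in
# the post. gpgsm reads it from stdin (or a file) when run with
# "gpgsm --batch --gen-key"; "Key-Type: card:KEYREF" selects the card key.
ca_params() {
  keyref=$1; dn=$2; email=$3
  valid_keyref "$keyref" || { echo "bad keyref: $keyref" >&2; return 1; }
  cat <<EOF
Key-Type: card:$keyref
Key-Usage: sign
Serial: random
Name-DN: $dn
Name-Email: $email
EOF
}

# Live checks against the real tools, only when invoked as "sh script.sh --run".
if [ "${1:-}" = "--run" ]; then
  echo "== gpg-agent answering this session =="
  gpg-connect-agent 'GETINFO version' /bye
  echo "== libgcrypt linked into gpg-agent =="
  p=$(ldd "$(command -v gpg-agent)" | libgcrypt_path)
  if under_prefix "$p" "$PREFIX"; then
    echo "ok: $p"
  else
    echo "NOT from $PREFIX: $p"
  fi
  echo "== self-signed CA certificate from the card's signing key =="
  ca_params OPENPGP.1 'CN=example.org CA, O=example.org, C=US' 'admin@example.org' \
    | gpgsm --armor --batch --gen-key --output ca.pem
fi
```

Run it with --run on the machine in question; the first two sections tell you which agent and which libgcrypt are actually in play for the session gpgsm talks to, and the last reproduces the interactive attempt non-interactively so the parameter block can be varied (another keyref, a different Name-DN) without re-answering the prompts.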