[RFE] Support signing CSRs with EdDSA public keys #5239

@Bob131

I attempted to use ipa cert-request to obtain a signed certificate containing an ED25519 public key. The ipa tool responded with:

ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500. Unable to create enrollment request: Invalid Request

The following backtrace was emitted to /var/log/pki/pki-tomcat/ca/debug...log:

2025-12-05 22:19:51 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: AgentCertAuthentication: authenticated uid=ipara,ou=People,o=ipaca
2025-12-05 22:19:51 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: EnrollProfile: Parsing PKCS #10 request:
2025-12-05 22:19:51 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] SEVERE: Unable to parse PKCS #10 request: subject key, java.security.NoSuchAlgorithmException: no such algorithm: OID.1.3.101.112 for provider Mozilla-JSS
java.io.IOException: subject key, java.security.NoSuchAlgorithmException: no such algorithm: OID.1.3.101.112 for provider Mozilla-JSS
        at org.mozilla.jss.netscape.security.x509.X509Key.parsePublicKey(X509Key.java:460)
        at org.mozilla.jss.netscape.security.pkcs.PKCS10.<init>(PKCS10.java:173)
        at org.mozilla.jss.netscape.security.pkcs.PKCS10.<init>(PKCS10.java:234)
        at org.dogtagpki.server.ca.CAEngine.parsePKCS10(CAEngine.java:1972)
        at com.netscape.cms.profile.common.EnrollProfile.createRequests(EnrollProfile.java:250)
        at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:186)
        at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:95)
        at org.dogtagpki.server.ca.rest.v1.CertRequestDAO.submitRequest(CertRequestDAO.java:225)
        at org.dogtagpki.server.ca.rest.v1.CertRequestService.enrollCert(CertRequestService.java:172)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
        at java.base/java.lang.reflect.Method.invoke(Method.java:565)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:195)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:483)
        at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:83)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:116)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
        at org.apache.catalina.valves.rewrite.RewriteValve.invoke(RewriteValve.java:314)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:666)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
        at org.apache.catalina.valves.rewrite.RewriteValve.invoke(RewriteValve.java:604)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:666)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
        at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:421)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:903)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1776)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:975)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:493)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
        at java.base/java.lang.Thread.run(Thread.java:1474)

2025-12-05 22:19:51 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] SEVERE: Unable to create enrollment request: Invalid Request
Invalid Request
        at org.dogtagpki.server.ca.CAEngine.parsePKCS10(CAEngine.java:1980)
        at com.netscape.cms.profile.common.EnrollProfile.createRequests(EnrollProfile.java:250)
        at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:186)
        at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:95)
        at org.dogtagpki.server.ca.rest.v1.CertRequestDAO.submitRequest(CertRequestDAO.java:225)
        at org.dogtagpki.server.ca.rest.v1.CertRequestService.enrollCert(CertRequestService.java:172)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
        at java.base/java.lang.reflect.Method.invoke(Method.java:565)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:195)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:483)
        at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:83)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:116)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
        at org.apache.catalina.valves.rewrite.RewriteValve.invoke(RewriteValve.java:314)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:666)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
        at org.apache.catalina.valves.rewrite.RewriteValve.invoke(RewriteValve.java:604)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:666)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
        at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:421)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:903)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1776)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:975)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:493)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
        at java.base/java.lang.Thread.run(Thread.java:1474)
Caused by: java.io.IOException: subject key, java.security.NoSuchAlgorithmException: no such algorithm: OID.1.3.101.112 for provider Mozilla-JSS
        at org.mozilla.jss.netscape.security.x509.X509Key.parsePublicKey(X509Key.java:460)
        at org.mozilla.jss.netscape.security.pkcs.PKCS10.<init>(PKCS10.java:173)
        at org.mozilla.jss.netscape.security.pkcs.PKCS10.<init>(PKCS10.java:234)
        at org.dogtagpki.server.ca.CAEngine.parsePKCS10(CAEngine.java:1972)
        ... 44 more

2025-12-05 22:19:51 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: PKIExceptionMapper: Returning PKIException

I'm running the following versions:

dogtag-pki-base-11.8.0-1.fc43.noarch
dogtag-jss-5.8.0-1.fc43.x86_64
freeipa-server-4.12.5-3.fc43.x86_64
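
The SEVERE line names OID 1.3.101.112, which RFC 8410 assigns to Ed25519; it is carried in the CSR's SubjectPublicKeyInfo, the field `X509Key.parsePublicKey` is handling when the exception is thrown. Added example (not part of the original issue, and not Dogtag or JSS code): a standard-library Python check that reads that OID from a DER-encoded PKCS #10 request before it is submitted. The function names and the sample CSR bytes are constructed for illustration.

```python
# Added example. The sample CSR is constructed (all-zero key and signature).
RFC8410 = {"1.3.101.110": "X25519", "1.3.101.111": "X448",
           "1.3.101.112": "Ed25519", "1.3.101.113": "Ed448"}

def tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets to dotted notation."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def spki_algorithm_oid(csr):
    _, p, _ = tlv(csr, 0)      # CertificationRequest SEQUENCE
    _, p, _ = tlv(csr, p)      # CertificationRequestInfo SEQUENCE
    _, _, p = tlv(csr, p)      # skip version INTEGER
    _, _, p = tlv(csr, p)      # skip subject Name
    _, p, _ = tlv(csr, p)      # subjectPKInfo SEQUENCE
    _, p, _ = tlv(csr, p)      # AlgorithmIdentifier SEQUENCE
    tag, start, end = tlv(csr, p)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = decode_oid(csr[start:end])
    return oid, RFC8410.get(oid, "not an RFC 8410 algorithm")

def der(tag, body):            # helper used only to build the sample below
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body
def sample_csr(oid_body):      # constructed, structurally valid CSR skeleton
    spki = der(0x30, der(0x30, der(0x06, oid_body)) + der(0x03, bytes(33)))
    cn = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"host.example.test"))
    info = der(0x30, der(0x02, b"\x00") + der(0x30, der(0x31, cn)) + spki + der(0xA0, b""))
    return der(0x30, info + der(0x30, der(0x06, oid_body)) + der(0x03, bytes(65)))
```

`spki_algorithm_oid(sample_csr(bytes.fromhex("2b6570")))` returns the same OID the CA log reports, labelled Ed25519.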

Labels: Enhancement (New features and enhancements related to the product)
