Support signing CRLs using ED25519

Allow CRLs to be signed using ED25519 private keys by passing a nil digest.

Author: joshcooper

ext/openssl/ossl_x509crl.c

@@ -350,7 +350,11 @@ ossl_x509crl_sign(VALUE self, VALUE key, VALUE digest)
 
     GetX509CRL(self, crl);
     pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */
-    md = ossl_evp_get_digestbyname(digest);
+    if (NIL_P(digest)) {
+	md = NULL; /* needed for some key types, e.g. Ed25519 */
+    } else {
+	md = ossl_evp_get_digestbyname(digest);
+    }
     if (!X509_CRL_sign(crl, pkey, md)) {
 	ossl_raise(eX509CRLError, NULL);
     }

test/openssl/test_x509crl.rb

@@ -204,6 +204,36 @@ def test_sign_and_verify
     assert_equal(false, crl.verify(@dsa512))
   end
 
+  def test_sign_and_verify_ed25519
+    # See test_ed25519 in test_pkey.rb
+
+    # Ed25519 is not FIPS-approved.
+    omit_on_fips
+
+    begin
+      ed25519 = OpenSSL::PKey::generate_key("ED25519")
+    rescue OpenSSL::PKey::PKeyError => e
+      # OpenSSL < 1.1.1
+      #
+      pend "Ed25519 is not implemented" unless openssl?(1, 1, 1)
+
+      raise e
+    end
+
+    # See ASN1_item_sign_ctx in ChangeLog for 3.8.1: https://github.com/libressl/portable/blob/master/ChangeLog
+    pend 'ASN1 signing with Ed25519 not yet working' unless openssl? or libressl?(3, 8, 1)
+
+    cert = issue_cert(@ca, ed25519, 1, [], nil, nil, digest: nil)
+    crl = issue_crl([], 1, Time.now, Time.now+1600, [],
+                    cert, ed25519, nil)
+    assert_equal(false, crl_error_returns_false { crl.verify(@rsa1024) })
+    assert_equal(false, crl_error_returns_false { crl.verify(@rsa2048) })
+    assert_equal(false,  crl.verify(OpenSSL::PKey::generate_key("ED25519")))
+    assert_equal(true,  crl.verify(ed25519))
+    crl.version = 0
+    assert_equal(false,  crl.verify(ed25519))
+  end
+
   def test_revoked_to_der
     # revokedCertificates     SEQUENCE OF SEQUENCE  {
     #      userCertificate         CertificateSerialNumber,