ed448 unavailable
I would like to test knot's ed448 support, however I cannot get it to work. I have compiled knot myself by cloning the git repository (master, rev. f7e7b44e4fe5cd4a12c3822a6f3a948fc6ff43b7) and running

```shell
$ docker build .
$ docker run -it ab4ec332669f bash
```

Inside the freshly created container, I tried to generate ed448 keys:

```shell
$ mv /config/knot.sample.conf /config/knot.conf
$ keymgr example.com. generate algorithm=ed448
Error: unknown algorithm: ed448
Error: invalid parameter
```

The expected behavior is that keymgr generates an ed448 key. I confirmed that `keymgr` is working with ed25519.

Considering that there are requirements on GNUTLS and Nettle, the following information may be helpful in debugging. First, I saw that ed448 is enabled during configure:

```shell
$ docker build .
[...]
checking for gnutls >= 3.3... yes
checking for gnutls_pkcs11_copy_pubkey... yes
checking whether GNUTLS_PK_EDDSA_ED25519 is declared... yes
checking whether GNUTLS_SIGN_EDDSA_ED448 is declared... yes
checking whether GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE is declared... yes
[...]

  Knot DNS 3.1.dev

    Target:   linux-gnu x86_64 little-endian
    Compiler: gcc
    CFLAGS:   -g -O2 -Wall -Wshadow -Werror=format-security -Werror=implicit -Werror=attributes -Wstrict-prototypes
    LIBS:
    LibURCU:  -lurcu-common -lurcu -I/usr/include/x86_64-linux-gnu
    GnuTLS:   -lgnutls -I/usr/include/p11-kit-1
    Libedit:  -ledit -I/usr/include/editline
    LMDB:     -llmdb
    Config:   500 MiB default mapsize

    Prefix:      /
    Run dir:     /rundir
    Storage dir: /storage
    Config dir:  /config
    Module dir:

    Static modules: cookies dnsproxy dnstap geoip noudp onlinesign probe queryacl rrl stats synthrecord whoami
    Shared modules:

    Knot DNS libraries:     yes
    Knot DNS daemon:        yes
    Knot DNS utilities:     yes
    Knot DNS documentation: no

    Use recvmmsg:           yes
    Use SO_REUSEPORT(_LB):  yes
    XDP support:            yes
    Socket polling:         epoll
    Memory allocator:       auto
    Fast zone parser:       no
    Utilities with IDN:     libidn2
    Utilities with DoH:     libnghttp2
    Utilities with Dnstap:  no
    MaxMind DB support:     yes
    Systemd integration:    no
    POSIX capabilities:     no
    PKCS #11 support:       yes
    Ed25519 support:        yes
    Ed448 support:          yes
    Reproducible signing:   yes
[...]
```

And inside the container, I'm getting

```shell
$ ldconfig -p | egrep -i 'gnutls|nettle'
	libnettle.so.8 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libnettle.so.8
	libgnutls.so.30 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libgnutls.so.30
$ ldd $(which keymgr) | egrep -i 'gnutls|nettle'
	libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f0c81719000)
	libnettle.so.8 => /usr/lib/x86_64-linux-gnu/libnettle.so.8 (0x00007f0c8109a000)
```

as well as

```shell
$ apt show libgnutls30 libnettle8
Package: libgnutls30
Version: 3.7.1-3
Status: install ok installed
Priority: optional
Section: libs
Source: gnutls28
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
Installed-Size: 3213 kB
Depends: libgmp10 (>= 2:6.0.0), libc6 (>= 2.25), libhogweed6 (>= 3.6), libidn2-0 (>= 2.0.0), libnettle8 (>= 3.7~), libp11-kit0 (>= 0.23.18.1), libtasn1-6 (>= 4.14), libunistring2 (>= 0.9.7)
Suggests: gnutls-bin
Homepage: https://www.gnutls.org/
Download-Size: unknown
APT-Manual-Installed: yes
APT-Sources: /var/lib/dpkg/status
Description: GNU TLS library - main runtime library
 GnuTLS is a portable library which implements the Transport Layer Security (TLS 1.0, 1.1, 1.2, 1.3) and Datagram Transport Layer Security (DTLS 1.0, 1.2) protocols.
 .
 GnuTLS features support for:
  - certificate path validation, as well as DANE and trust on first use.
  - the Online Certificate Status Protocol (OCSP).
  - public key methods, including RSA and Elliptic curves, as well as password and key authentication methods such as SRP and PSK protocols.
  - all the strong encryption algorithms, including AES and Camellia.
  - CPU-assisted cryptography with VIA padlock and AES-NI instruction sets.
  - HSMs and cryptographic tokens, via PKCS #11.
 .
 This package contains the main runtime library.

Package: libnettle8
Version: 3.7.2-3
Status: install ok installed
Priority: optional
Section: libs
Source: nettle
Maintainer: Magnus Holmgren <holmgren@debian.org>
Installed-Size: 492 kB
Depends: libc6 (>= 2.17)
Homepage: http://www.lysator.liu.se/~nisse/nettle/
Download-Size: unknown
APT-Manual-Installed: no
APT-Sources: /var/lib/dpkg/status
Description: low level cryptographic library (symmetric and one-way cryptos)
 Nettle is a cryptographic library that is designed to fit easily in more or less any context: In crypto toolkits for object-oriented languages (C++, Python, Pike, ...), in applications like LSH or GNUPG, or even in kernel space.
 .
 It tries to solve a problem of providing a common set of cryptographic algorithms for higher-level applications by implementing a context-independent set of cryptographic algorithms. In that light, Nettle doesn't do any memory allocation or I/O, it simply provides the cryptographic algorithms for the application to use in any environment and in any way it needs.
 .
 This package contains the symmetric and one-way cryptographic algorithms. To avoid having this package depend on libgmp, the asymmetric cryptos reside in a separate library, libhogweed.
```