How can I sign an X509 object using an ED25519 key in hardware

[aveenismail]

I have an ED25519 key inside an HSM and I want to use it to produce a self-signed X509 certificate but I can't seem to figure out how to set all the required parameters.

I'm using OpenSSL version 3.3.0 to construct/produce the self-signed certificate. As far as I can figure out, the ED25519 key should be stored in an EVP_PKEY object, and I also need to implement a custom signing function (in the snippet bellow, it's the ed_meth_sign() function) and have an EVP_PKEY_METHOD pointing to it, then somehow, connect the EVP_PKEY object and the EVP_PKEY_METHOD objects so that my custom signing function is called when signing the X509 data object.

What I've done so far is the following:

static int ed_meth_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *slen,
                           const unsigned char *data, size_t dlen) {
  size_t siglen = 1024;
  const struct hw_key *private_key = EVP_PKEY_CTX_get_data(ctx);
  if (sign_data(private_key, data, dlen, sig, &siglen)) { // sign_data() is a function implemented elsewhere
    *slen = (unsigned int)siglen;
    return 1;
  }
  return 0;
}

void get_selfsigned_cert(EVP_PKEY *public_key, hw_key *private_key_data) {

  X509 *x509 = X509_new();
  X509_set_pubkey(x509, public_key);

  // fill more X509cert fields here

  EVP_PKEY *sk = EVP_PKEY_new();
  EVP_PKEY_set_type(sk, EVP_PKEY_ED25519);

  EVP_PKEY_CTX *evp_ctx = EVP_PKEY_CTX_new(sk, NULL);
  EVP_PKEY_CTX_set_data(evp_ctx, private_key_data);

  EVP_PKEY_METHOD *ameth = EVP_PKEY_meth_new(0, 0);
  EVP_PKEY_meth_set_sign(ameth, NULL, ed_meth_sign);
  EVP_PKEY_meth_add0(ameth);

  if (X509_sign(x509, sk, NULL) == 0) {
    ERR_print_errors_fp(stderr);
  }
  
  EVP_PKEY_free(sk);
}

The X509_sign() fails with the error

8077F520107F0000:error:03000086:digital envelope routines:do_sigver_init:initialization error:crypto/evp/m_sigver.c:189

I traced the OpenSSL code and I can see the following snippet in function evp_pkey_export_to_provider() returns NULL (I am not operating in FIPS mode):

    /* No key data => nothing to export */
    check = 1;
#ifndef FIPS_MODULE
    check = check && pk->pkey.ptr == NULL;
#endif
    check = check && pk->keydata == NULL;
    if (check) {
      return NULL;
    }

I'm not sure what that means. Are the ptr and keydata here refering to the private key? Is there another way to set this data other than the way I did above by calling EVP_PKEY_CTX_set_data()? Am I going completely in the wrong direction with the whole thing?

PS. I have posted this on stackoverflow first but I think it might be too specific, hence opening a ticket here.