Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[feature] Updated code to handle ECDSA signature algorithm #118 #140

Closed
wants to merge 1 commit into from
Closed

[feature] Updated code to handle ECDSA signature algorithm #118 #140

wants to merge 1 commit into from

Conversation

praptisharma28
Copy link
Member

Fixes #118

@coveralls
Copy link

coveralls commented May 17, 2024
edited
Loading

Coverage Status

coverage: 99.287%. remained the same
when pulling 98c5193 on praptisharma28:ecdsa
into b9699e8 on openwisp:master.

nemesifier
nemesifier requested changes May 17, 2024
View reviewed changes
Copy link
Member

@nemesifier nemesifier left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did a bit of research. Since we are adding this algorithm, it doesn't make much sense to not add other algorithms too.

Since we are at it, let's patch it so that more users will be able to use this library.

Until today we have worked mostly with RSA, but other type of algorithm are gaining momentum and would be good to support them.

x509 algorithms

Python libraries for handling X.509 certificates typically support a wide range of algorithms for signing and verifying certificates. These algorithms include various RSA, ECDSA, and SHA-based options. Here are some common algorithms supported by popular Python libraries such as cryptography, pyOpenSSL, and M2Crypto:

Common Algorithms

RSA-based Algorithms:

  • sha1WithRSAEncryption
  • sha256WithRSAEncryption
  • sha384WithRSAEncryption
  • sha512WithRSAEncryption
  • md5WithRSAEncryption (not recommended due to security vulnerabilities)

ECDSA-based Algorithms:

  • ecdsa-with-SHA1
  • ecdsa-with-SHA256
  • ecdsa-with-SHA384
  • ecdsa-with-SHA512

DSA-based Algorithms:

  • dsaWithSHA1
  • dsaWithSHA256

EdDSA Algorithms:

  • Ed25519
  • Ed448

Can you please add these as well?

@praptisharma28
Copy link
Member Author

I did a bit of research. Since we are adding this algorithm, it doesn't make much sense to not add other algorithms too.

Since we are at it, let's patch it so that more users will be able to use this library.

Until today we have worked mostly with RSA, but other type of algorithm are gaining momentum and would be good to support them.

x509 algorithms

Python libraries for handling X.509 certificates typically support a wide range of algorithms for signing and verifying certificates. These algorithms include various RSA, ECDSA, and SHA-based options. Here are some common algorithms supported by popular Python libraries such as cryptography, pyOpenSSL, and M2Crypto:

Common Algorithms

RSA-based Algorithms:

  • sha1WithRSAEncryption
  • sha256WithRSAEncryption
  • sha384WithRSAEncryption
  • sha512WithRSAEncryption
  • md5WithRSAEncryption (not recommended due to security vulnerabilities)

ECDSA-based Algorithms:

  • ecdsa-with-SHA1
  • ecdsa-with-SHA256
  • ecdsa-with-SHA384
  • ecdsa-with-SHA512

DSA-based Algorithms:

  • dsaWithSHA1
  • dsaWithSHA256

EdDSA Algorithms:

  • Ed25519
  • Ed448

Can you please add these as well?

Yes @nemesifier will work upon it.

nemesifier
nemesifier requested changes May 22, 2024
View reviewed changes
Copy link
Member

@nemesifier nemesifier left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The suggestion I have given in #118 (comment) is incorrect.

I assumed we just had to change that part of the code to support generating certificates with other algorithms but that's not the case.

The digest options being added here are invalid, try to create a CA or a cert from the admin interface with any of those and you'll see it doesn't work.

To support this feature properly, we must add a way to specify the algorithm used for generating the certificate, which now is hardcoded to be crypto.TYPE_RSA (RSA).

django_x509/base/models.py
('dsaWithSHA1', 'DSA with SHA1'),
('dsaWithSHA256', 'DSA with SHA256'),
('ed25519', 'Ed25519'),
('ed448', 'Ed448'),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think it makes sense to alter the digest choices. Try creating a new certificate or CA with any of these and watch it fail.

@praptisharma28
Copy link
Member Author

The suggestion I have given in #118 (comment) is incorrect.
I assumed we just had to change that part of the code to support generating certificates with other algorithms but that's not the case.
The digest options being added here are invalid, try to create a CA or a cert from the admin interface with any of those and you'll see it doesn't work.
To support this feature properly, we must add a way to specify the algorithm used for generating the certificate, which now is hardcoded to be crypto.TYPE_RSA (RSA).

Okay

@nemesifier
Copy link
Member

Will close this for now as I don't think we'll work on it.

@nemesifier nemesifier closed this May 29, 2024
@nemesifier nemesifier mentioned this pull request May 29, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nemesifier nemesifier nemesifier requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[feature] Importing existing CA: KeyError: 'ecdsa-with-SHA384'
3 participants
@praptisharma28 @coveralls @nemesifier