MatthiasValvekens / certomancer

Quickly construct, mock & deploy PKI test configurations using simple declarative configuration.
MIT License

ValueError: Hash algorithm not known for ed25519 #12

Open dotlambda opened 7 months ago

dotlambda commented 7 months ago

When running the tests with a version of asn1crypto that includes https://github.com/wbond/asn1crypto/pull/265, one of them fails:

________________________ test_keyset_templates_in_arch _________________________

    def test_keyset_templates_in_arch():
        cfg = CertomancerConfig.from_file(
            'tests/data/with-arch-templates.yml', 'tests/data'
        )
        old_arch = cfg.get_pki_arch(ArchLabel('testing-ca'))
        algo = old_arch.get_cert(CertLabel('root')).public_key.algorithm
        assert algo == 'rsa'

        new_arch = cfg.get_pki_arch(ArchLabel('testing-ca-2'))
        algo = new_arch.get_cert(CertLabel('root')).public_key.algorithm
        assert algo == 'rsa'

        newer_arch = cfg.get_pki_arch(ArchLabel('testing-ca-3'))
>       algo = newer_arch.get_cert(CertLabel('root')).public_key.algorithm

tests/test_certs.py:859: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
certomancer/registry/pki_arch.py:952: in get_cert
    signature = generic_sign(
certomancer/crypto_utils.py:315: in generic_sign
    return CRYPTO_BACKEND.generic_sign(private_key, tbs_bytes, signature_algo)
certomancer/crypto_utils.py:183: in generic_sign
    digest_algorithm = sd_algo.hash_algo
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <asn1crypto.algos.SignedDigestAlgorithm 140737282252816 b'0\x05\x06\x03+ep'>

    @property
    def hash_algo(self):
        """
        :return:
            A unicode string of "md2", "md5", "sha1", "sha224", "sha256",
            "sha384", "sha512", "sha512_224", "sha512_256" or "shake256"
        """

        algorithm = self['algorithm'].native
        if algorithm in self._algo_map:
            return self._algo_map[algorithm]

        if algorithm == 'rsassa_pss':
            return self['parameters']['hash_algorithm']['algorithm'].native

        if algorithm == 'ed25519' or algorithm == 'ed448':
>           raise ValueError(unwrap(
                '''
                Hash algorithm not known for %s - use .cms_hash_algorithm for CMS purposes.
                More info at https://github.com/wbond/asn1crypto/pull/230.
                ''',
                algorithm
            ))
E           ValueError: Hash algorithm not known for ed25519 - use .cms_hash_algorithm for CMS purposes. More info at https://github.com/wbond/asn1crypto/pull/230.

MatthiasValvekens commented 7 months ago

Whoops, quite possible that I forgot to align this change in Certomancer. Will fix, thanks.

dotlambda commented 7 months ago

Btw the pyHanko tests fail for the same reason.

MatthiasValvekens commented 7 months ago

On closer inspection, I now remember why I didn't fix this (yet): it's because there's no numbered release of asn1crypto with those changes yet.

I'll try to rewrite the code more defensively so it's upgradable cleanly, if that doesn't create too much noise. For some reason, I thought the last asn1crypto release was a few months ago, but apparently it's been almost 2 years already... 🙈

Anyway, I need to allocate some time to do that properly.
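One way to make the `digest_algorithm = sd_algo.hash_algo` line in `generic_sign` defensive against both asn1crypto behaviours (an added example, not Certomancer's or asn1crypto's own code). It relies only on the two accesses visible in the traceback, `sd_algo['algorithm'].native` and `sd_algo.hash_algo`; `FakeSignedDigestAlgorithm` is a constructed stand-in for asn1crypto's class, and its old-style hash map is an approximation.

```python
# Added example: defensive digest selection for generic_sign().
# Pure EdDSA (RFC 8410) signs the message directly; hashing is internal to
# the primitive, so the signing backend must never pre-digest the TBS bytes.
PURE_EDDSA_ALGOS = frozenset({'ed25519', 'ed448'})


def digest_algo_for(sd_algo):
    """Return the hash name to pre-digest with, or None for pure EdDSA.

    Newer asn1crypto raises ValueError from .hash_algo for ed25519/ed448;
    older releases return a hash name that must not be used for pre-digesting.
    Checking the algorithm identifier first makes both behave identically.
    """
    algorithm = sd_algo['algorithm'].native
    if algorithm in PURE_EDDSA_ALGOS:
        return None
    try:
        return sd_algo.hash_algo
    except ValueError as e:
        # Genuinely unknown algorithm: surface a clearer error to the caller.
        raise ValueError(f"cannot determine digest for {algorithm!r}") from e


# Constructed stand-in for asn1crypto.algos.SignedDigestAlgorithm (models only
# the two accesses above; strict=True reproduces the post-PR-230 behaviour).
class _Native:
    def __init__(self, value):
        self.native = value


class FakeSignedDigestAlgorithm:
    # Approximation of the old-style map that returned a hash for EdDSA too.
    _HASH_FOR = {'sha256_rsa': 'sha256', 'sha384_ecdsa': 'sha384',
                 'ed25519': 'sha512', 'ed448': 'shake256'}

    def __init__(self, algorithm, strict):
        self._algorithm = algorithm
        self._strict = strict

    def __getitem__(self, key):
        assert key == 'algorithm'
        return _Native(self._algorithm)

    @property
    def hash_algo(self):
        if self._algorithm not in self._HASH_FOR or (
                self._strict and self._algorithm in PURE_EDDSA_ALGOS):
            raise ValueError('Hash algorithm not known for %s' % self._algorithm)
        return self._HASH_FOR[self._algorithm]
```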

stale[bot] commented 5 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions!

dotlambda commented 5 months ago

I'd still like this to be fixed because otherwise I can't use Python 3.12. The last released version of asn1crypto only supports Python 3.11.

djacu commented 5 months ago

I believe the following are related to this issue and are also failing on Python 3.12.

> FAILED tests/test_services.py::test_crl[ed25519] - ValueError: Hash algorithm not known for ed25519 - use .cms_hash_algorithm ...
> FAILED tests/test_services.py::test_aia_ca_issuers[ed25519] - ValueError: Hash algorithm not known for ed25519 - use .cms_hash_algorithm ...
> FAILED tests/test_services.py::test_timestamp[ed25519-True] - ValueError: Hash algorithm not known for ed25519 - use .cms_hash_algorithm ...
> FAILED tests/test_services.py::test_timestamp[ed25519-False] - ValueError: Hash algorithm not known for ed25519 - use .cms_hash_algorithm ...
> FAILED tests/test_services.py::test_crl[ed448] - ValueError: Hash algorithm not known for ed448 - use .cms_hash_algorithm fo...
> FAILED tests/test_services.py::test_aia_ca_issuers[ed448] - ValueError: Hash algorithm not known for ed448 - use .cms_hash_algorithm fo...
> FAILED tests/test_services.py::test_timestamp[ed448-True] - ValueError: Hash algorithm not known for ed448 - use .cms_hash_algorithm fo...
> FAILED tests/test_services.py::test_timestamp[ed448-False] - ValueError: Hash algorithm not known for ed448 - use .cms_hash_algorithm fo...

stale[bot] commented 3 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions!

stale[bot] commented 1 month ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions!