SUNET / python_x509_pkcs11

Python library for signing x509 using keys in a pkcs11 device
MIT License

Updating sign algorithm for RSA keys #26

Open kushaldas opened 1 month ago

kushaldas commented 1 month ago

In https://github.com/mathiasertl/django-ca/blob/1850a72ee3e470318ba726a05b0cb87dc23c3253/ca/django_ca/typehints.py#L42 we have the following allowed algorithms:

Union[
    hashes.SHA224,
    hashes.SHA256,
    hashes.SHA384,
    hashes.SHA512,
    hashes.SHA3_224,
    hashes.SHA3_256,
    hashes.SHA3_384,
    hashes.SHA3_512,
]

But, the pkcs11 library provides options for https://python-pkcs11.readthedocs.io/en/latest/api.html#pkcs11.mechanisms.Mechanism

Only SHA224, SHA256, SHA384 and SHA512 are common to both lists.

Maybe we can enable any of these options available for the RSA private keys.

kushaldas commented 1 month ago

@mathiasertl what do you think?

mathiasertl commented 1 month ago

Not really sure what the question is?

kushaldas commented 1 month ago

> Not really sure what the question is?

In django-ca we can sign using RSA keys and any of the given algorithms, but right now we have only SHA256 for RSA2048 and SHA512 for RSA4096 keys on HSM. I am talking about adding support for SHA224, SHA256, SHA384, SHA512 for any given RSA key.
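The selection described above, as an added example that is not part of the issue or of python_x509_pkcs11: pick the PKCS#11 RSA PKCS#1 v1.5 mechanism for any of the four common hashes regardless of key size, reject the SHA-3 variants the token side lacks, and build the DigestInfo wrapper for tokens that only offer raw `RSA_PKCS`. Mechanism names are the `CKM_*` constants as exposed by `pkcs11.mechanisms.Mechanism`, kept as strings so the module runs without a token.

```python
"""Select a PKCS#11 RSA signing mechanism for any of the hash algorithms
django-ca allows, instead of tying SHA256 to RSA-2048 and SHA512 to RSA-4096.

Hypothetical helper, not python_x509_pkcs11 code. Mechanism names mirror the
CKM_* constants exposed as pkcs11.mechanisms.Mechanism.<NAME>; they are kept
as strings here so the module runs offline without a token or the library.
"""
import hashlib

# hash name (as cryptography's HashAlgorithm.name) -> combined PKCS#11 mechanism
RSA_PKCS_MECHANISMS = {
    "sha224": "SHA224_RSA_PKCS",
    "sha256": "SHA256_RSA_PKCS",
    "sha384": "SHA384_RSA_PKCS",
    "sha512": "SHA512_RSA_PKCS",
}

# DER DigestInfo prefixes (RFC 8017, section 9.2, note 1) for the fallback where
# the token only offers raw CKM_RSA_PKCS and the caller hashes locally.
DIGEST_INFO_PREFIX = {
    "sha224": bytes.fromhex("302d300d06096086480165030402040500041c"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}

def rsa_mechanism(hash_name: str, key_bits: int) -> str:
    """Return the mechanism name for (hash, RSA key size) or raise ValueError."""
    name = hash_name.lower()
    if name not in RSA_PKCS_MECHANISMS:
        # Covers the SHA-3 variants django-ca lists but PKCS#11 RSA PKCS lacks.
        raise ValueError(f"no PKCS#11 RSA PKCS#1 v1.5 mechanism for {hash_name}")
    # PKCS#1 v1.5: EM = 00 01 PS 00 T with PS at least 8 bytes, so the modulus
    # must hold len(T) + 11 bytes. Every listed hash fits RSA-2048 and larger.
    needed = len(DIGEST_INFO_PREFIX[name]) + hashlib.new(name).digest_size + 11
    if key_bits // 8 < needed:
        raise ValueError(f"RSA-{key_bits} too small for {hash_name} PKCS#1 v1.5")
    return RSA_PKCS_MECHANISMS[name]

def digest_info(hash_name: str, data: bytes) -> bytes:
    """Pre-hash data and wrap it in DigestInfo for signing with plain RSA_PKCS."""
    name = hash_name.lower()
    return DIGEST_INFO_PREFIX[name] + hashlib.new(name, data).digest()

if __name__ == "__main__":
    for bits in (2048, 4096):
        for h in ("sha224", "sha256", "sha384", "sha512"):
            print(bits, h, rsa_mechanism(h, bits))
```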

mathiasertl commented 1 month ago

Yes we should absolutely support that!