openwisp / django-x509

Reusable django app implementing x509 PKI certificates management
http://openwisp.org
BSD 3-Clause "New" or "Revised" License

[feature] Importing existing CA: KeyError: 'ecdsa-with-SHA384' #118

Open MEschenbacher opened 3 years ago

MEschenbacher commented 3 years ago

I'm trying to import an existing CA certificate, which generates an error:

  File "/home/max/git/django-x509/django_x509/base/models.py", line 362, in _import
    self.digest = SIGNATURE_MAPPING[algorithm]
KeyError: 'ecdsa-with-SHA384'
[13/Jun/2021 00:03:38] "POST /admin/django_x509/ca/add/ HTTP/1.1" 500 142363

Looking into django_x509/base/models.py dict SIGNATURE_MAPPING: are EC signatures and certificates/keys supported?

nemesifier commented 3 years ago

> I'm trying to import an existing CA certificate, which generates an error:
>
>   File "/home/max/git/django-x509/django_x509/base/models.py", line 362, in _import
>     self.digest = SIGNATURE_MAPPING[algorithm]
> KeyError: 'ecdsa-with-SHA384'
> [13/Jun/2021 00:03:38] "POST /admin/django_x509/ca/add/ HTTP/1.1" 500 142363
>
> Looking into django_x509/base/models.py dict SIGNATURE_MAPPING: are EC signatures and certificates/keys supported?

@MEschenbacher looks like these are not supported: https://github.com/openwisp/django-x509/blob/9b3795ec07ceee4bdd27e99b08424d048cbf05c7/django_x509/base/models.py#L39-L45

I guess these can be added with a bit of work.

How do you generate an ecdsa cert for testing purposes?

MEschenbacher commented 3 years ago

Here's a minimal example for creation of the ecdsa certificate:

openssl ecparam -genkey -name secp384r1 | openssl ec -aes256 -out ca.key.pem
openssl req -new -sha384 -key ca.key.pem -out ca.req.pem
openssl req -x509 -sha384 -days 365 -key ca.key.pem -in ca.req.pem -out ca.cert.pem

sid-008 commented 1 year ago

Hey there @nemesisdesign I'd like to take a shot at working on this, how do you propose I start?

nemesifier commented 1 year ago

> Hey there @nemesisdesign I'd like to take a shot at working on this, how do you propose I start?

Start with https://github.com/openwisp/django-x509#installing-for-development, then come to the dev chat to coordinate.

nemesifier commented 3 months ago

To support this feature properly, we must add a way to specify the algorithm used for generating the certificate, which now is hardcoded to be crypto.TYPE_RSA (RSA).

An attempt was made in https://github.com/openwisp/django-x509/pull/140.
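
The KeyError in this thread comes from looking up the certificate's signature algorithm in a table that has no EC entries. As an added example (not django-x509 code and not written by any participant), the Python below reads the signatureAlgorithm OID from DER with the standard library only, maps it to a key family and digest, and raises a ValueError for anything unmapped. The function names, the SIG_ALGS table and the three DER skeletons are assumptions constructed for illustration.

```python
SIG_ALGS = {  # signatureAlgorithm OID -> (key family, digest)
    "1.2.840.113549.1.1.11": ("rsa", "sha256"),  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": ("rsa", "sha384"),  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": ("rsa", "sha512"),  # sha512WithRSAEncryption
    "1.2.840.10045.4.3.2": ("ec", "sha256"),     # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": ("ec", "sha384"),     # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": ("ec", "sha512"),     # ecdsa-with-SHA512
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def decode_oid(body):  # assumes a single-byte first subidentifier
    if not body or body[-1] & 0x80:
        raise ValueError("bad OID encoding")
    first = min(body[0] // 40, 2)
    arcs, value = [first, body[0] - 40 * first], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)  # base-128, high bit = "more"
        if not byte & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return (key_family, digest) for a DER certificate, or raise ValueError."""
    tag, start, _ = read_tlv(der, 0)                # Certificate SEQUENCE
    tbs_tag, _, tbs_end = read_tlv(der, start)      # tbsCertificate, skipped
    alg_tag, alg_start, _ = read_tlv(der, tbs_end)  # signatureAlgorithm
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if (tag, tbs_tag, alg_tag, oid_tag) != (0x30, 0x30, 0x30, 0x06):
        raise ValueError("not an X.509 certificate structure")
    oid = decode_oid(der[oid_start:oid_end])
    if oid not in SIG_ALGS:
        raise ValueError(f"unsupported signature algorithm OID {oid}")
    return SIG_ALGS[oid]

# Constructed DER skeletons (empty tbsCertificate, dummy signature), not real certificates.
ECDSA_SHA384 = bytes.fromhex("30113000300a06082a8648ce3d040303030100")
RSA_SHA256 = bytes.fromhex("30143000300d06092a864886f70d01010b0500030100")
ED25519 = bytes.fromhex("300c3000300506032b6570030100")
```

A PEM file has to be base64-decoded (the body between the BEGIN/END CERTIFICATE lines) before it is passed to signature_algorithm.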