openwisp / django-x509

Reusable django app implementing x509 PKI certificates management
http://openwisp.org
BSD 3-Clause "New" or "Revised" License

[feature] Updated code to handle ECDSA signature algorithm #118 #140

Closed praptisharma28 closed 6 months ago

praptisharma28 commented 6 months ago

Fixes #118

coveralls commented 6 months ago


coverage: 99.287%. remained the same when pulling 98c5193d29b3ed1a120c42413ebce026163840e0 on praptisharma28:ecdsa into b9699e86363ac12f5d69c416fe3b6f41d86542d3 on openwisp:master.

praptisharma28 commented 6 months ago

I did a bit of research. Since we are adding this algorithm, it doesn't make much sense to not add other algorithms too.

Since we are at it, let's patch it so that more users will be able to use this library.

Until today we have worked mostly with RSA, but other types of algorithm are gaining momentum and it would be good to support them.

x509 algorithms

Python libraries for handling X.509 certificates typically support a wide range of algorithms for signing and verifying certificates. These algorithms include various RSA, ECDSA, and SHA-based options. Here are some common algorithms supported by popular Python libraries such as cryptography, pyOpenSSL, and M2Crypto:

Common Algorithms

RSA-based Algorithms:

  • sha1WithRSAEncryption
  • sha256WithRSAEncryption
  • sha384WithRSAEncryption
  • sha512WithRSAEncryption
  • ~md5WithRSAEncryption~ (not recommended due to security vulnerabilities)

ECDSA-based Algorithms:

  • ecdsa-with-SHA1
  • ecdsa-with-SHA256
  • ecdsa-with-SHA384
  • ecdsa-with-SHA512

DSA-based Algorithms:

  • dsaWithSHA1
  • dsaWithSHA256

EdDSA Algorithms:

  • Ed25519
  • Ed448

Can you please add these as well?

Yes @nemesifier, I will work on it.

praptisharma28 commented 6 months ago

The suggestion I have given in #118 (comment) is incorrect. I assumed we just had to change that part of the code to support generating certificates with other algorithms but that's not the case. The digest options being added here are invalid, try to create a CA or a cert from the admin interface with any of those and you'll see it doesn't work. To support this feature properly, we must add a way to specify the algorithm used for generating the certificate, which now is hardcoded to be crypto.TYPE_RSA (RSA).

Okay
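As an added example (not code from django-x509 or from this PR), the following script uses the `cryptography` library to show why adding "ecdsa-with-SHA256" as a digest option cannot work: the signature algorithm recorded in a certificate is derived from the key type plus the digest, so the model needs a key-type setting in place of the hardcoded RSA. The `generate_private_key` and `self_signed_ca` helpers are hypothetical names chosen for this example.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, ed25519, rsa
from cryptography.x509.oid import NameOID

# Hypothetical key-type selector; this is the value django-x509 currently
# hardcodes to RSA (crypto.TYPE_RSA in pyOpenSSL terms).
def generate_private_key(key_type: str):
    if key_type == "RSA":
        return rsa.generate_private_key(public_exponent=65537, key_size=2048)
    if key_type == "ECDSA":
        return ec.generate_private_key(ec.SECP256R1())
    if key_type == "Ed25519":
        return ed25519.Ed25519PrivateKey.generate()
    raise ValueError(f"unsupported key type: {key_type}")


def self_signed_ca(key_type: str, digest: str = "sha256") -> x509.Certificate:
    """Build a minimal self-signed CA; the digest is a plain hash name,
    never a combined name such as 'ecdsa-with-SHA256'."""
    key = generate_private_key(key_type)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example CA")])
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    )
    # EdDSA uses a fixed internal hash, so the library requires algorithm=None;
    # for RSA and ECDSA the same hash object yields different signature OIDs.
    if key_type == "Ed25519":
        algorithm = None
    else:
        algorithm = {"sha256": hashes.SHA256(), "sha384": hashes.SHA384()}[digest]
    return builder.sign(key, algorithm)


def signature_algorithm_dotted(key_type: str, digest: str = "sha256") -> str:
    """Return the dotted OID of the signature algorithm the certificate ends up with."""
    return self_signed_ca(key_type, digest).signature_algorithm_oid.dotted_string
```

With the same "sha256" digest, an RSA key produces sha256WithRSAEncryption and an EC key produces ecdsa-with-SHA256, which is exactly what a key-type option (rather than a new digest choice) would expose in the admin form.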

nemesifier commented 6 months ago

Will close this for now as I don't think we'll work on it.