Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

certutil: select appropriate hash algorithm for ECDSA signature #11216

Merged
merged 4 commits into from Nov 4, 2021
Merged

certutil: select appropriate hash algorithm for ECDSA signature #11216

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
7a9cd52
certutil: select appropriate hash algorithm for ECDSA signature
oncilla Mar 26, 2021
6539489
fix panic
oncilla Nov 3, 2021
a76ca83
add changelog
oncilla Nov 3, 2021
627280d
Tweak changelog.
victorr Nov 4, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
3 changes: 3 additions & 0 deletions changelog/11216.txt
View file
Open in desktop
@@ -0,0 +1,3 @@
```release-note:improvement
secrets/pki: select appropriate signature algorithm for ECDSA signature on certificates.
```
45 changes: 29 additions & 16 deletions sdk/helper/certutil/helpers.go
View file
Open in desktop
Expand Up @@ -655,14 +655,7 @@ func createCertificate(data *CreationBundle, randReader io.Reader) (*ParsedCertB
case Ed25519PrivateKey:
certTemplate.SignatureAlgorithm = x509.PureEd25519
case ECPrivateKey:
switch data.Params.SignatureBits {
case 256:
certTemplate.SignatureAlgorithm = x509.ECDSAWithSHA256
case 384:
certTemplate.SignatureAlgorithm = x509.ECDSAWithSHA384
case 512:
certTemplate.SignatureAlgorithm = x509.ECDSAWithSHA512
}
certTemplate.SignatureAlgorithm = selectSignatureAlgorithmForECDSA(data.SigningBundle.PrivateKey.Public(), data.Params.SignatureBits)
}

caCert := data.SigningBundle.Certificate
Expand Down Expand Up @@ -691,14 +684,7 @@ func createCertificate(data *CreationBundle, randReader io.Reader) (*ParsedCertB
case "ed25519":
certTemplate.SignatureAlgorithm = x509.PureEd25519
case "ec":
switch data.Params.SignatureBits {
case 256:
certTemplate.SignatureAlgorithm = x509.ECDSAWithSHA256
case 384:
certTemplate.SignatureAlgorithm = x509.ECDSAWithSHA384
case 512:
certTemplate.SignatureAlgorithm = x509.ECDSAWithSHA512
}
certTemplate.SignatureAlgorithm = selectSignatureAlgorithmForECDSA(result.PrivateKey.Public(), data.Params.SignatureBits)
}

certTemplate.AuthorityKeyId = subjKeyID
Expand Down Expand Up @@ -733,6 +719,33 @@ func createCertificate(data *CreationBundle, randReader io.Reader) (*ParsedCertB
return result, nil
}

func selectSignatureAlgorithmForECDSA(pub crypto.PublicKey, signatureBits int) x509.SignatureAlgorithm {
// If signature bits are configured, prefer them to the default choice.
switch signatureBits {
case 256:
return x509.ECDSAWithSHA256
case 384:
return x509.ECDSAWithSHA384
case 512:
return x509.ECDSAWithSHA512
}

key, ok := pub.(*ecdsa.PublicKey)
if !ok {
return x509.ECDSAWithSHA256
}
switch key.Curve {
case elliptic.P224(), elliptic.P256():
return x509.ECDSAWithSHA256
case elliptic.P384():
return x509.ECDSAWithSHA384
case elliptic.P521():
return x509.ECDSAWithSHA512
default:
return x509.ECDSAWithSHA256
}
}

var oidExtensionBasicConstraints = []int{2, 5, 29, 19}

// CreateCSR creates a CSR with the default rand.Reader to
Expand Down