scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-01 11:08:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

certutil: select appropriate hash algorithm for ECDSA signature (#11216)

Browse Source 
* certutil: select appropriate hash algorithm for ECDSA signature

Select the appropriate signature algorithm for certificates signed
with an ECDSA private key.

The algorithm is selected based on the curve:

- P-256 -> x509.ECDSAWithSHA256
- P-384 -> x509.ECDSAWithSHA384
- P-521 -> x509.ECDSAWithSHA512
- Other -> x509.ECDSAWithSHA256

fixes #11006
This commit is contained in:
Dominik Roos
2021-11-04 21:33:01 +01:00
committed by GitHub
parent d6f90e2814
commit 1869a6984b
2 changed files with 32 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
changelog/11216.txt Normal file
View File

@@ -0,0 +1,3 @@
```release-note:improvement
secrets/pki: select appropriate signature algorithm for ECDSA signature on certificates.
```

45
sdk/helper/certutil/helpers.go
View File

@@ -655,14 +655,7 @@ func createCertificate(data *CreationBundle, randReader io.Reader) (*ParsedCertB
case Ed25519PrivateKey: case Ed25519PrivateKey:
certTemplate.SignatureAlgorithm = x509.PureEd25519 certTemplate.SignatureAlgorithm = x509.PureEd25519
case ECPrivateKey: case ECPrivateKey:
switch data.Params.SignatureBits { certTemplate.SignatureAlgorithm = selectSignatureAlgorithmForECDSA(data.SigningBundle.PrivateKey.Public(), data.Params.SignatureBits)
case 256:
certTemplate.SignatureAlgorithm = x509.ECDSAWithSHA256
case 384:
certTemplate.SignatureAlgorithm = x509.ECDSAWithSHA384
case 512:
certTemplate.SignatureAlgorithm = x509.ECDSAWithSHA512
}
} }
caCert := data.SigningBundle.Certificate caCert := data.SigningBundle.Certificate
@@ -691,14 +684,7 @@ func createCertificate(data *CreationBundle, randReader io.Reader) (*ParsedCertB
case "ed25519": case "ed25519":
certTemplate.SignatureAlgorithm = x509.PureEd25519 certTemplate.SignatureAlgorithm = x509.PureEd25519
case "ec": case "ec":
switch data.Params.SignatureBits { certTemplate.SignatureAlgorithm = selectSignatureAlgorithmForECDSA(result.PrivateKey.Public(), data.Params.SignatureBits)
case 256:
certTemplate.SignatureAlgorithm = x509.ECDSAWithSHA256
case 384:
certTemplate.SignatureAlgorithm = x509.ECDSAWithSHA384
case 512:
certTemplate.SignatureAlgorithm = x509.ECDSAWithSHA512
}
} }
certTemplate.AuthorityKeyId = subjKeyID certTemplate.AuthorityKeyId = subjKeyID
@@ -733,6 +719,33 @@ func createCertificate(data *CreationBundle, randReader io.Reader) (*ParsedCertB
return result, nil return result, nil
} }
func selectSignatureAlgorithmForECDSA(pub crypto.PublicKey, signatureBits int) x509.SignatureAlgorithm {
// If signature bits are configured, prefer them to the default choice.
switch signatureBits {
case 256:
return x509.ECDSAWithSHA256
case 384:
return x509.ECDSAWithSHA384
case 512:
return x509.ECDSAWithSHA512
}
key, ok := pub.(*ecdsa.PublicKey)
if !ok {
return x509.ECDSAWithSHA256
}
switch key.Curve {
case elliptic.P224(), elliptic.P256():
return x509.ECDSAWithSHA256
case elliptic.P384():
return x509.ECDSAWithSHA384
case elliptic.P521():
return x509.ECDSAWithSHA512
default:
return x509.ECDSAWithSHA256
}
}
var oidExtensionBasicConstraints = []int{2, 5, 29, 19} var oidExtensionBasicConstraints = []int{2, 5, 29, 19}
// CreateCSR creates a CSR with the default rand.Reader to // CreateCSR creates a CSR with the default rand.Reader to