Add SignatureAlgorithm to template during certificate creation #1161

haydentherapper · 2023-05-08T21:11:33Z

Description

This is necessary to specify a non-default hash algorithm - See https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L1412 for more information. Otherwise, only SHA-256 will be used for RSA.

We need a table from signer-hash to SignatureAlgorithm, https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L215-L233. There might be something else we can reuse from x509.go or maybe smallstep/crypto.

FYI @codysoyland @malancas

haydentherapper · 2023-05-08T21:28:27Z

Something like:

func ToSignatureAlgorithm(signer crypto.Signer, hash crypto.Hash) (x509.SignatureAlgorithm, error) {
  pub := signer.Public()
  switch pub := pub.(type) {
    // only supports pkcs1.5, not PSS
    case *rsa.PublicKey:
      if hash == crypto.SHA256 {
        return x509.SHA256WithRSA, nil 
     }  
     // etc
    case *ecdsa.PublicKey:
    case ed25519.PublicKey:
      return x509.PureEd25519, nil
    default:
      return x509.UnknownSignatureAlgorithm, errors.New("unknown signer")
  }
}

haydentherapper added the enhancement New feature or request label May 8, 2023

haydentherapper mentioned this issue May 8, 2023

Azure KMS: Infer hash function from key sigstore/sigstore#1149

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add SignatureAlgorithm to template during certificate creation #1161

Add SignatureAlgorithm to template during certificate creation #1161

haydentherapper commented May 8, 2023

haydentherapper commented May 8, 2023

Add SignatureAlgorithm to template during certificate creation #1161

Add SignatureAlgorithm to template during certificate creation #1161

Comments

haydentherapper commented May 8, 2023

haydentherapper commented May 8, 2023