Support safecurves

markokr · Aug 9, 2019 · 8cad309 · 8cad309
1 parent 7ce4391
commit 8cad309
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 1 deletion.
diff --git a/README.rst b/README.rst
@@ -86,7 +86,7 @@ or ``rsa:<bits>``.  Shortcuts: ``ec`` is ``ec:secp256r1``,
 ``rsa`` is ``rsa:2048``.  Default: ``ec``.
 
 Available curves for EC: ``secp256r1``, ``secp384r1``,
-``secp521r1``, ``secp224r1``, ``secp192r1``.
+``secp521r1``, ``secp224r1``, ``secp192r1``, ``ed25519``.
 
 Options:
 

diff --git a/sysca.py b/sysca.py
@@ -22,10 +22,18 @@
     BestAvailableEncryption, NoEncryption, load_pem_private_key)
 
 from cryptography import x509
+from cryptography import __version__ as crypto_version
 from cryptography.x509.oid import (
     NameOID, ExtendedKeyUsageOID, CRLEntryExtensionOID,
     ExtensionOID, AuthorityInformationAccessOID)
 
+try:
+    from cryptography.hazmat.primitives.asymmetric import ed25519, ed448
+    if '.'.join(crypto_version.split('.')[:2]) in ('2.6', '2.7'):
+        ed25519 = ed448 = None
+except ImportError:
+    ed25519 = ed448 = None
+
 
 __version__ = '1.1'
 
@@ -343,6 +351,10 @@ def get_backend():
 def new_ec_key(name='secp256r1'):
     """New Elliptic Curve key
     """
+    if name == 'ed25519' and ed25519 is not None:
+        return ed25519.Ed25519PrivateKey.generate()
+    if name == 'ed448' and ed448 is not None:
+        return ed448.Ed448PrivateKey.generate()
     if name not in EC_CURVES:
         raise ValueError('Unknown curve')
     return ec.generate_private_key(curve=EC_CURVES[name], backend=get_backend())

diff --git a/tests/test_sysca.py b/tests/test_sysca.py
@@ -193,3 +193,23 @@ def test_crl_passthrough():
     assert lst1 == lst2
 
 
+def test_safecurves():
+    if sysca.ed25519 is None:
+        return
+
+    # create ca key and cert
+    ca_key = sysca.new_ec_key('ed25519')
+    ca_pub_key = ca_key.public_key()
+    ca_info = sysca.CertInfo(subject={'CN': 'TestCA'}, ca=True)
+    ca_cert = sysca.create_x509_cert(ca_key, ca_pub_key, ca_info, ca_info, 365)
+
+    # srv key
+    srv_key = sysca.new_ec_key('ed25519')
+    srv_info = sysca.CertInfo(subject={'CN': 'Server1'})
+    srv_req = sysca.create_x509_req(srv_key, srv_info)
+
+    # ca signs
+    srv_info2 = sysca.CertInfo(load=srv_req)
+    srv_cert = sysca.create_x509_cert(ca_key, srv_req.public_key(), srv_info2, ca_info, 365)
+
+