From 8cad30943d42cc881cb1368bb5421b48718dcf47 Mon Sep 17 00:00:00 2001
From: Marko Kreen <markokr@gmail.com>
Date: Fri, 9 Aug 2019 10:11:09 +0300
Subject: [PATCH] Support safecurves

---
 README.rst          |  2 +-
 sysca.py            | 12 ++++++++++++
 tests/test_sysca.py | 20 ++++++++++++++++++++
 3 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/README.rst b/README.rst
index 8a8dc47..463b26f 100644
--- a/README.rst
+++ b/README.rst
@@ -86,7 +86,7 @@ or ``rsa:<bits>``.  Shortcuts: ``ec`` is ``ec:secp256r1``,
 ``rsa`` is ``rsa:2048``.  Default: ``ec``.
 
 Available curves for EC: ``secp256r1``, ``secp384r1``,
-``secp521r1``, ``secp224r1``, ``secp192r1``.
+``secp521r1``, ``secp224r1``, ``secp192r1``, ``ed25519``.
 
 Options:
 
diff --git a/sysca.py b/sysca.py
index bcb8c13..bc4cda2 100755
--- a/sysca.py
+++ b/sysca.py
@@ -22,10 +22,18 @@
     BestAvailableEncryption, NoEncryption, load_pem_private_key)
 
 from cryptography import x509
+from cryptography import __version__ as crypto_version
 from cryptography.x509.oid import (
     NameOID, ExtendedKeyUsageOID, CRLEntryExtensionOID,
     ExtensionOID, AuthorityInformationAccessOID)
 
+try:
+    from cryptography.hazmat.primitives.asymmetric import ed25519, ed448
+    if '.'.join(crypto_version.split('.')[:2]) in ('2.6', '2.7'):
+        ed25519 = ed448 = None
+except ImportError:
+    ed25519 = ed448 = None
+
 
 __version__ = '1.1'
 
@@ -343,6 +351,10 @@ def get_backend():
 def new_ec_key(name='secp256r1'):
     """New Elliptic Curve key
     """
+    if name == 'ed25519' and ed25519 is not None:
+        return ed25519.Ed25519PrivateKey.generate()
+    if name == 'ed448' and ed448 is not None:
+        return ed448.Ed448PrivateKey.generate()
     if name not in EC_CURVES:
         raise ValueError('Unknown curve')
     return ec.generate_private_key(curve=EC_CURVES[name], backend=get_backend())
diff --git a/tests/test_sysca.py b/tests/test_sysca.py
index 264cbf8..f36d228 100644
--- a/tests/test_sysca.py
+++ b/tests/test_sysca.py
@@ -193,3 +193,23 @@ def test_crl_passthrough():
     assert lst1 == lst2
 
 
+def test_safecurves():
+    if sysca.ed25519 is None:
+        return
+
+    # create ca key and cert
+    ca_key = sysca.new_ec_key('ed25519')
+    ca_pub_key = ca_key.public_key()
+    ca_info = sysca.CertInfo(subject={'CN': 'TestCA'}, ca=True)
+    ca_cert = sysca.create_x509_cert(ca_key, ca_pub_key, ca_info, ca_info, 365)
+
+    # srv key
+    srv_key = sysca.new_ec_key('ed25519')
+    srv_info = sysca.CertInfo(subject={'CN': 'Server1'})
+    srv_req = sysca.create_x509_req(srv_key, srv_info)
+
+    # ca signs
+    srv_info2 = sysca.CertInfo(load=srv_req)
+    srv_cert = sysca.create_x509_cert(ca_key, srv_req.public_key(), srv_info2, ca_info, 365)
+
+