Skip to content

Commit

Permalink
Add EdDSA for SPKI and signature algorithms (#5)
Browse files Browse the repository at this point in the history 
* Add EdDSA to allowed SPKI and signature algorithms

* Remove errant period

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
  • Loading branch information
@CBonnell
CBonnell and CBonnell committed Jul 4, 2021
1 parent 283cb25 commit 03ea4d1
Show file tree
Hide file tree
Showing 3 changed files with 43 additions and 0 deletions.
22 changes: 22 additions & 0 deletions SBR.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -685,6 +685,20 @@ When encoded, the `AlgorithmIdentifier` for ECDSA keys MUST be byte-for-byte ide
* For P-384 keys, `301006072a8648ce3d020106052b81040022`.
* For P-521 keys, `301006072a8648ce3d020106052b81040023`.

##### 7.1.3.1.3 EdDSA

The CA SHALL indicate an EdDSA key using one of the following algorithm identifiers below:

* For curve25519 keys, the `algorithm` MUST be id-Ed25519 (OID: 1.3.101.112).
* For curve448 keys, the `algorithm` MUST be id-Ed448 (OID: 1.3.101.113).

The parameters for EdDSA keys MUST be absent.

When encoded, the `AlgorithmIdentifier` for EdDSA keys MUST be byte-for-byte identical with the following hex-encoded bytes:

* For Curve25519 keys, `300506032b6570`.
* For Curve448 keys, `300506032b6571`.

#### 7.1.3.2 Signature AlgorithmIdentifier

All objects signed by a CA Private Key MUST conform to these requirements on the use of the `AlgorithmIdentifier` or `AlgorithmIdentifier`-derived type in the context of signatures.
Expand Down Expand Up @@ -758,6 +772,14 @@ If the signing key is P-384, the signature MUST use ECDSA with SHA-384. When enc

If the signing key is P-521, the signature MUST use ECDSA with SHA-512. When encoded, the `AlgorithmIdentifier` MUST be byte-for-byte identical with the following hex-encoded bytes: `300a06082a8648ce3d040304`.

##### 7.1.3.2.3 EdDSA

The CA SHALL use the appropriate signature algorithm and encoding based upon the signing key used.

If the signing key is Curve25519, the signature algorithm MUST be id-Ed25519 (OID: 1.3.101.112). When encoded, the `AlgorithmIdentifier` MUST be byte-for-byte identical with the following hex-encoded bytes: `300506032b6570`.

If the signing key is Curve448, the signature algorithm MUST be id-Ed448 (OID: 1.3.101.113). When encoded, the `AlgorithmIdentifier` MUST be byte-for-byte identical with the following hex-encoded bytes: `300506032b6571`.

### 7.1.4 Name forms

### 7.1.5 Name constraints
Expand Down
1 change: 1 addition & 0 deletions src/requirements.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
pyasn1-alt-modules
20 changes: 20 additions & 0 deletions src/rfc8410_oids.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
import binascii

from pyasn1.codec.der.encoder import encode
from pyasn1_alt_modules import rfc8410, rfc5280


def print_hexstr_algid_for_oid(oid):
algid = rfc5280.AlgorithmIdentifier()
algid['algorithm'] = oid

print(algid.prettyPrint())

encoded = encode(algid)

print(binascii.b2a_hex(encoded).decode('us-ascii'))
print('=' * 50)


print_hexstr_algid_for_oid(rfc8410.id_Ed25519)
print_hexstr_algid_for_oid(rfc8410.id_Ed448)

0 comments on commit 03ea4d1

Please sign in to comment.