Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support additional public key algorithms #82

Closed
adamkaplan opened this issue Jan 12, 2017 · 6 comments
Closed

Support additional public key algorithms #82

adamkaplan opened this issue Jan 12, 2017 · 6 comments
Milestone
1.4.1

Comments

@adamkaplan
Copy link
Contributor

I have some certificates that use public key algorithms that aren’t supported by TrustKit. Specifically, Yahoo has 3 certs that fail pin generation: one future-proof SHA384 and two older SHA1. Ideally TrustKit can support these formats as well (and then might as support SHA512 and SHA224).

It looks like they can be supported by adding the appropriate asn1 headers, and patching the python pin generator.

Is there any reason why these other algorithms can not or should not be supported by TrustKit?
@nabla-c0d3
Copy link
Member

The signature algorithms (SHA1, etc.) are all supported so it should not matter. Do you know what the public key algorithms are (RSA, ECDSA, etc.) ? Can I have a look at these certificates?
We support the main algorithms (RSA 2048, RSA 4096 and ECDSA P256) but adding new ones should be straightfoward.

@adamkaplan
Copy link
Contributor Author

adamkaplan commented Jan 12, 2017
edited

For sure. I believe they are all ECDSA:

SHA1
GeoTrust_Primary_CA_G2_ECC.pem
VeriSign-Class-2-Public-Primary-Certification-Authority-G2.pem

SHA384
VeriSign-Class-3-Public-Primary-Certification-Authority-G4.pem

Appreciate you bearing with me. I’m just coming up to speed on the internal formats and low-level crypto.

@nabla-c0d3
Copy link
Member

No problem - so from looking at the certificates:

  • The GeoTrust and Verisign G4 roots use ECDSA secp384r1 - I will add support for this.
  • The VeriSign G2 uses RSA 1024 - this is a very old certificate and algorithm, I'd rather avoid supporting RSA 1024. Also, it seems like this is a legacy root: "It is intended to be the primary root used for these products until Q4 2010 when VeriSign transitions to using a 2048 bit root." ( https://www.symantec.com/theme/roots )

@nabla-c0d3 nabla-c0d3 changed the title Support additional hashing algorithms Support additional public key algorithms Jan 12, 2017
@nabla-c0d3 nabla-c0d3 added this to the 1.4.1 milestone Jan 12, 2017
@adamkaplan
Copy link
Contributor Author

adamkaplan commented Jan 12, 2017
edited

Thanks for checking into that @nabla-c0d3. I agree with view on 1024/legacy, we’re still discussing it. I’ll relay this back to the Paranoids, but sometimes things aren’t as clean when you run with well over 6,000 certs.

@nabla-c0d3
Copy link
Member

Sure - we are directly in touch with the Paranoids too (we've worked with them for the past three years =) - some of the Yahoo Apps are already using TrustKit) so feel free to open an email thread or we can have a quick call with everyone if that helps.

@adamkaplan
Copy link
Contributor Author

Moved that discussion to ✉️

@adamkaplan adamkaplan mentioned this issue Jan 13, 2017
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.4.1
Development

No branches or pull requests
2 participants
@adamkaplan @nabla-c0d3