diff --git a/pinecrypt/server/api/bootstrap.py b/pinecrypt/server/api/bootstrap.py index b498468..013ffb2 100644 --- a/pinecrypt/server/api/bootstrap.py +++ b/pinecrypt/server/api/bootstrap.py @@ -6,6 +6,17 @@ from pinecrypt.server.mongolog import LogHandler logger = LogHandler() +# Algorithm mappings for pki.js +SIGNATURE_ALGO_MAPPING = { + "rsassa_pkcs1v15": "RSASSA-PKCS1-v1_5", + "ecdsa": "ECDSA", +} + +HASH_ALGO_MAPPING = { + "sha256": "SHA-256", + "sha384": "SHA-384", + "sha512": "SHA-512", +} class BootstrapResource(object): @serialize @@ -33,8 +44,8 @@ class BootstrapResource(object): certificate=dict( key_size=const.KEY_SIZE, curve=const.CURVE_NAME, - hash_algorithm=const.CERTIFICATE_HASH_ALGORITHM, - key_type_specific = const.KEY_TYPE_SPECIFIC, + hash_algorithm=HASH_ALGO_MAPPING[authority.certificate.hash_algo], + signature_algorithm=SIGNATURE_ALGO_MAPPING[authority.certificate.signature_algo], algorithm=authority.public_key.algorithm, common_name=authority.certificate.subject.native["common_name"], distinguished_name=cert_to_dn(authority.certificate), diff --git a/pinecrypt/server/authority.py b/pinecrypt/server/authority.py index 009b299..2f1aab2 100644 --- a/pinecrypt/server/authority.py +++ b/pinecrypt/server/authority.py @@ -55,7 +55,7 @@ def self_enroll(skip_notify=False): return builder = CSRBuilder({"common_name": common_name}, self_public_key) - builder.hash_algo = const.CERTIFICATE_HASH_ALGORITHM + builder.hash_algo = certificate.hash_algo # Copy from CA cert request = builder.build(private_key) now = datetime.utcnow().replace(tzinfo=pytz.UTC) @@ -390,9 +390,7 @@ def sign(profile, skip_notify=False, overwrite=False, signer=None, namespace=con builder = CertificateBuilder(cn_to_dn(common_name, ou=profile["ou"]), csr_pubkey) builder.serial_number = generate_serial() - - if csr["signature_algorithm"].hash_algo == const.CERTIFICATE_HASH_ALGORITHM: - builder.hash_algo = const.CERTIFICATE_HASH_ALGORITHM + builder.hash_algo = certificate.hash_algo # Copy hash algorithm from CA cert now = datetime.utcnow().replace(tzinfo=pytz.UTC) builder.begin_date = now - const.CLOCK_SKEW_TOLERANCE diff --git a/pinecrypt/server/const.py b/pinecrypt/server/const.py index 7c95035..76a6394 100644 --- a/pinecrypt/server/const.py +++ b/pinecrypt/server/const.py @@ -35,14 +35,6 @@ REPLICAS = [j for j in os.getenv("REPLICAS", "").split(",") if j] if not MONGO_URI: MONGO_URI = "mongodb://127.0.0.1:27017/default?replicaSet=rs0" -# Are set later, based on key type -KEY_SIZE = None -CURVE_NAME = None -KEY_TYPE_CLIENTS = None - -# python CSRbuilder supports right now sha1, sha256 sha512 -CERTIFICATE_HASH_ALGORITHM = "sha512" - # Kerberos-like clock skew tolerance CLOCK_SKEW_TOLERANCE = timedelta(minutes=5) @@ -105,14 +97,12 @@ AUTHORITY_OCSP_URL = "http://%s/api/ocsp/" % AUTHORITY_NAMESPACE AUTHORITY_OCSP_DISABLED = os.getenv("AUTHORITY_OCSP_DISABLED", False) AUTHORITY_KEYTYPE = getenv_in("AUTHORITY_KEYTYPE", "rsa", "ec") -if AUTHORITY_KEYTYPE == "rsa": - KEY_SIZE = 4096 - # Keytype for web JS pki.js wants specific key type - KEY_TYPE_SPECIFIC = "RSASSA-PKCS1-v1_5" -if AUTHORITY_KEYTYPE == "ec": - CURVE_NAME = "secp384r1" - KEY_TYPE_SPECIFIC = "ECDSA" +# Key parameter defaults for now +# Subject to change in future, make sure changing these won't break any existing deployments! +KEY_SIZE = 4096 # Key size for RSA based certificates +CURVE_NAME = "secp384r1" # Curve name for EC based certificates +CERTIFICATE_HASH_ALGORITHM = "sha512" # Certificate hashing algorithm # Tokens TOKEN_URL = "https://%(authority_name)s/#action=enroll&title=dev.lan&token=%(token)s&subject=%(subject_username)s&protocols=%(protocols)s"