Skip to content

Add support for more digest algorithms#188

Draft
KiOui wants to merge 3 commits into
openwisp:masterfrom
KiOui:feature/add-support-for-more-digest-algorithms
Draft

Add support for more digest algorithms#188
KiOui wants to merge 3 commits into
openwisp:masterfrom
KiOui:feature/add-support-for-more-digest-algorithms

Conversation

@KiOui

@KiOui KiOui commented Oct 4, 2025

Copy link
Copy Markdown

Checklist

  • I have read the OpenWISP Contributing Guidelines.
  • I have manually tested the changes proposed in this pull request.
  • I have written new test cases for new code and/or updated existing tests for changes to existing code.
  • I have updated the documentation.

Reference to Existing Issue

Closes #118.

Please open a new issue if there isn't an existing issue yet.

Description of Changes

This PR add support for more digest algorithms (other than RSA). It also switches most cryptographic operations to the cryptography library (instead of OpenSSL).

Please describe these changes.

Screenshot

Please include any relevant screenshots.

@KiOui KiOui marked this pull request as draft October 4, 2025 07:45
@KiOui

KiOui commented Oct 4, 2025
edited
Loading

Copy link
Copy Markdown
Author

Still TODO:

  • Check non-touched code whether changes are necessary.
  • Fix the test cases.
  • Add new test cases for testing the other digest algorithms.
  • Add a migration for migrating from the old digest format to the new format.

@KiOui KiOui force-pushed the feature/add-support-for-more-digest-algorithms branch 2 times, most recently from 243e772 to 89fa2e1 Compare October 6, 2025 07:24
[certificates] Added support for more digest algorithms
2f38880 
This commit adds support for more digest algorithms including
ECDSA, DSA, and Edwards-curves. It also switches the crypto
library used from OpenSSL to cryptography.

Fixes openwisp#118
@KiOui KiOui force-pushed the feature/add-support-for-more-digest-algorithms branch from 89fa2e1 to db92060 Compare October 6, 2025 08:13
@KiOui KiOui force-pushed the feature/add-support-for-more-digest-algorithms branch from db92060 to 6609a74 Compare October 6, 2025 08:26
nemesifier
nemesifier reviewed Feb 2, 2026
View reviewed changes

@nemesifier nemesifier left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We recently added support for ECDSA in #201 thanks for the great work done by @stktyagi, I think we could implement a few more modern algos.

Comment thread django_x509/migrations/0012_alter_ca_digest_alter_cert_digest.py
("dsaWithSHA256", "SHA256 with DSA signature"),
(
"Ed25519",
"Edwards-Curve Digital Signature Algorithm with 25519 curve",

@nemesifier nemesifier Feb 2, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@stktyagi what do you think of adding support for these 2?

Any other modern algo mentioned here that we're not supporting and would be good to have?

@stktyagi stktyagi Feb 3, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I researched Ed25519 and it offers better security and performance than RSA or ECDSA curves. Its also resilient against side-channel attacks. The only issue is legacy operating systems (like Windows Server 2012 or older) may not recognize Ed25519 certificates but I don't think that's a deal breaker. What do you think?
As you mentioned in the chat, DSA is deprecated but it sits in a bit of a gray area as it improves upon the original DSA by swapping out the broken SHA1 for the secure SHA256 but overall I won't prefer it.
So, overall Ed25519 would be a good addition and also RSASSA-PSS as it fixes traditional RSA's weakness of being deterministic making it vulnerable to certain padding oracle attacks.

@nemesifier nemesifier Feb 3, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@stktyagi yeah I think supporting one or both shouldn't change much, it would be great to support more options and help more users use this reusable app

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nemesifier nemesifier nemesifier left review comments

@stktyagi stktyagi stktyagi left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[feature] Importing existing CA: KeyError: 'ecdsa-with-SHA384'

3 participants

@KiOui @nemesifier @stktyagi