
ValueError: Hash algorithm not known for ed25519

Open dotlambda opened this issue 1 year ago • 9 comments

When running the tests with a version of asn1crypto that includes https://github.com/wbond/asn1crypto/pull/265, one of them fails:

________________________ test_keyset_templates_in_arch _________________________

    def test_keyset_templates_in_arch():
        cfg = CertomancerConfig.from_file(
            'tests/data/with-arch-templates.yml', 'tests/data'
        )
        old_arch = cfg.get_pki_arch(ArchLabel('testing-ca'))
        algo = old_arch.get_cert(CertLabel('root')).public_key.algorithm
        assert algo == 'rsa'
    
        new_arch = cfg.get_pki_arch(ArchLabel('testing-ca-2'))
        algo = new_arch.get_cert(CertLabel('root')).public_key.algorithm
        assert algo == 'rsa'
    
        newer_arch = cfg.get_pki_arch(ArchLabel('testing-ca-3'))
>       algo = newer_arch.get_cert(CertLabel('root')).public_key.algorithm

tests/test_certs.py:859: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
certomancer/registry/pki_arch.py:952: in get_cert
    signature = generic_sign(
certomancer/crypto_utils.py:315: in generic_sign
    return CRYPTO_BACKEND.generic_sign(private_key, tbs_bytes, signature_algo)
certomancer/crypto_utils.py:183: in generic_sign
    digest_algorithm = sd_algo.hash_algo
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <asn1crypto.algos.SignedDigestAlgorithm 140737282252816 b'0\x05\x06\x03+ep'>

    @property
    def hash_algo(self):
        """
        :return:
            A unicode string of "md2", "md5", "sha1", "sha224", "sha256",
            "sha384", "sha512", "sha512_224", "sha512_256" or "shake256"
        """
    
        algorithm = self['algorithm'].native
        if algorithm in self._algo_map:
            return self._algo_map[algorithm]
    
        if algorithm == 'rsassa_pss':
            return self['parameters']['hash_algorithm']['algorithm'].native
    
        if algorithm == 'ed25519' or algorithm == 'ed448':
>           raise ValueError(unwrap(
                '''
                Hash algorithm not known for %s - use .cms_hash_algorithm for CMS purposes.
                More info at https://github.com/wbond/asn1crypto/pull/230.
                ''',
                algorithm
            ))
E           ValueError: Hash algorithm not known for ed25519 - use .cms_hash_algorithm for CMS purposes. More info at https://github.com/wbond/asn1crypto/pull/230.

dotlambda avatar Feb 07 '24 07:02 dotlambda

Whoops, quite possible that I forgot to align this change in Certomancer. Will fix, thanks.

MatthiasValvekens avatar Feb 07 '24 10:02 MatthiasValvekens

Btw the pyHanko tests fail for the same reason.

dotlambda avatar Feb 07 '24 15:02 dotlambda

On closer inspection, I now remember why I didn't fix this (yet): it's because there's no numbered release of asn1crypto with those changes yet.

I'll try to rewrite the code more defensively so it's upgradable cleanly, if that doesn't create too much noise. For some reason, I thought the last asn1crypto release was a few months ago, but apparently it's been almost 2 years already... 🙈

Anyway, I need to allocate some time to do that properly.

MatthiasValvekens avatar Feb 08 '24 12:02 MatthiasValvekens
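
One way to make the digest lookup tolerant of both asn1crypto behaviours, as an added example (not Certomancer's or asn1crypto's own code). `digest_for_signing`, `EDDSA_ALGOS` and the `Stub*` classes are hypothetical names; the stubs are constructed stand-ins that mimic only the `['algorithm'].native` and `.hash_algo` accessors visible in the traceback, and the EdDSA values in `StubMapping` are an assumption about the older behaviour.

```python
# Added example: pick the pre-hash digest without relying on .hash_algo
# for EdDSA, so the result is the same before and after the change.
EDDSA_ALGOS = frozenset({'ed25519', 'ed448'})


def digest_for_signing(sd_algo):
    """Return the digest name to pre-hash with, or None for EdDSA.

    Ed25519/Ed448 sign the message directly, so a signing path has no use
    for .hash_algo there. Branching on the algorithm name first avoids the
    ValueError shown in the traceback and ignores any value an older
    release might return instead.
    """
    name = sd_algo['algorithm'].native
    if name in EDDSA_ALGOS:
        return None
    return sd_algo.hash_algo


# --- constructed stand-ins so the example runs without asn1crypto ---
class StubField:
    def __init__(self, native):
        self.native = native


class StubRaising:
    """Mimics the traceback: .hash_algo raises ValueError for EdDSA."""
    _algo_map = {'sha256_rsa': 'sha256', 'sha384_ecdsa': 'sha384'}

    def __init__(self, name):
        self._fields = {'algorithm': StubField(name)}

    def __getitem__(self, key):
        return self._fields[key]

    @property
    def hash_algo(self):
        name = self['algorithm'].native
        if name in self._algo_map:
            return self._algo_map[name]
        raise ValueError('Hash algorithm not known for %s' % name)


class StubMapping(StubRaising):
    """Assumed older behaviour: EdDSA names resolve to a hash name."""
    _algo_map = dict(StubRaising._algo_map,
                     ed25519='sha512', ed448='shake256')
```

A caller would pass `None` through to the backend as "no pre-hash" and keep using the returned name for RSA and ECDSA.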

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions!

stale[bot] avatar Apr 11 '24 07:04 stale[bot]

I'd still like this to be fixed because otherwise I can't use Python 3.12. The last released version of asn1crypto only supports Python 3.11.

dotlambda avatar Apr 11 '24 10:04 dotlambda

I believe the following are related to this issue and are also failing on Python 3.12.

       > FAILED tests/test_services.py::test_crl[ed25519] - ValueError: Hash algorithm not known for ed25519 - use .cms_hash_algorithm ...
       > FAILED tests/test_services.py::test_aia_ca_issuers[ed25519] - ValueError: Hash algorithm not known for ed25519 - use .cms_hash_algorithm ...
       > FAILED tests/test_services.py::test_timestamp[ed25519-True] - ValueError: Hash algorithm not known for ed25519 - use .cms_hash_algorithm ...
       > FAILED tests/test_services.py::test_timestamp[ed25519-False] - ValueError: Hash algorithm not known for ed25519 - use .cms_hash_algorithm ...
       > FAILED tests/test_services.py::test_crl[ed448] - ValueError: Hash algorithm not known for ed448 - use .cms_hash_algorithm fo...
       > FAILED tests/test_services.py::test_aia_ca_issuers[ed448] - ValueError: Hash algorithm not known for ed448 - use .cms_hash_algorithm fo...
       > FAILED tests/test_services.py::test_timestamp[ed448-True] - ValueError: Hash algorithm not known for ed448 - use .cms_hash_algorithm fo...
       > FAILED tests/test_services.py::test_timestamp[ed448-False] - ValueError: Hash algorithm not known for ed448 - use .cms_hash_algorithm fo...

djacu avatar Apr 18 '24 05:04 djacu

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions!

stale[bot] avatar Jun 18 '24 05:06 stale[bot]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions!

stale[bot] avatar Aug 18 '24 20:08 stale[bot]