
`permitted_public_key_algorithms` and `permitted_signature_algorithms` are not exposed when verifying an x509 certificate

Open twilleke opened this issue 3 months ago • 2 comments

I am trying to verify a certificate that has an ED25519 key and the certificate authority also has an ED25519 key. But even when the certificate is valid I get the error:

```
cryptography.hazmat.bindings._rust.x509.VerificationError: validation failed: candidates exhausted: Forbidden public key algorithm: AlgorithmIdentifier { oid: DefinedByMarker(PhantomData<asn1::object_identifier::ObjectIdentifier>), params: Ed25519 }
```

This seems to occur because when the Policy is created, the WebPKI defaults are selected and the WebPKI does not allow ED25519 keys. https://github.com/pyca/cryptography/blob/1a952fc144b74c6e09577865184ad3fc8ad24b15/src/rust/cryptography-x509-verification/src/policy/mod.rs#L257-L258 I have found no way to set these parameters on the Python side. Is this an oversight or is it meant that way?

twilleke, Sep 03 '25 11:09

That's correct that there's currently no API for setting allowed signature or public key algorithms.

alex, Sep 03 '25 11:09

I think in principle we'd be ok with an API for this, if someone was interested in figuring out how it should work and proposing something.

alex, Sep 03 '25 11:09