Merge pull request #4521 from skorobkov/acme_clinet_sign_alg

Set sign algo acording to key type
Netflix · Oct 2, 2023 · 6732fec · 6732fec
2 parents b6d3531 + a68c4d0
commit 6732fec
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 3 deletions.
diff --git a/lemur/common/utils.py b/lemur/common/utils.py
@@ -25,6 +25,7 @@
 from cryptography.hazmat.primitives.serialization import load_pem_private_key, Encoding, pkcs7
 from flask_restful.reqparse import RequestParser
 from sqlalchemy import and_, func
+import josepy as jose
 
 from certbot.crypto_util import CERT_PEM_REGEX
 from lemur.constants import CERTIFICATE_KEY_TYPES
@@ -245,6 +246,23 @@ def generate_private_key(key_type):
         )
 
 
+def key_to_alg(key):
+    algorithm = jose.RS256
+    # Determine alg with kty (and crv).
+    if key.typ == "EC":
+        crv = key.fields_to_partial_json().get("crv", None)
+        if crv == "P-256" or not crv:
+            algorithm = jose.ES256
+        elif crv == "P-384":
+            algorithm = jose.ES384
+        elif crv == "P-521":
+            algorithm = jose.ES512
+    elif key.typ == "oct":
+        algorithm = jose.HS256
+
+    return algorithm
+
+
 def check_cert_signature(cert, issuer_public_key):
     """
     Check a certificate's signature against an issuer public key.

diff --git a/lemur/plugins/lemur_acme/acme_handlers.py b/lemur/plugins/lemur_acme/acme_handlers.py
@@ -27,7 +27,7 @@
 from flask import current_app
 from sentry_sdk import capture_exception
 
-from lemur.common.utils import generate_private_key
+from lemur.common.utils import generate_private_key, key_to_alg
 from lemur.dns_providers import service as dns_provider_service
 from lemur.exceptions import InvalidAuthority, UnknownProvider, InvalidConfiguration
 from lemur.extensions import metrics
@@ -183,7 +183,7 @@ def setup_acme_client(self, authority):
             current_app.logger.debug(
                 "Connecting with directory at {0}".format(directory_url)
             )
-            net = ClientNetwork(key, account=regr)
+            net = ClientNetwork(key, account=regr, alg=key_to_alg(key))
             directory = ClientV2.get_directory(directory_url, net)
             client = ClientV2(directory, net=net)
             return client, {}
@@ -196,7 +196,7 @@ def setup_acme_client(self, authority):
                 "Connecting with directory at {0}".format(directory_url)
             )
 
-            net = ClientNetwork(key, account=None, timeout=3600)
+            net = ClientNetwork(key, account=None, timeout=3600, alg=key_to_alg(key))
             directory = ClientV2.get_directory(directory_url, net)
             client = ClientV2(directory, net=net)
             if eab_kid and eab_hmac_key: