openwisp · nemesifier · Jan 30, 2026 · Jan 11, 2026 · Jan 11, 2026 · Jan 11, 2026
diff --git a/django_x509/base/models.py b/django_x509/base/models.py
@@ -19,12 +19,17 @@
 from .. import settings as app_settings
 
 KEY_LENGTH_CHOICES = (
-    ("512", "512"),
-    ("1024", "1024"),
-    ("2048", "2048"),
-    ("4096", "4096"),
+    ("256", "256 (ECDSA)"),
+    ("384", "384 (ECDSA)"),
+    ("521", "521 (ECDSA)"),
+    ("1024", "1024 (RSA)"),
+    ("2048", "2048 (RSA)"),
+    ("4096", "4096 (RSA)"),
 )
 
+RSA_KEY_LENGTHS = ("1024", "2048", "4096")
+EC_KEY_LENGTHS = ("256", "384", "521")
+
 DIGEST_CHOICES = (
     ("sha1", "SHA1"),
     ("sha224", "SHA224"),
@@ -165,6 +170,9 @@ def clean_fields(self, *args, **kwargs):
         super().clean_fields(*args, **kwargs)
 
     def clean(self):
+        if self.serial_number:
+            self._validate_serial_number()
+        self._verify_extension_format()
         # when importing, both public and private must be present
         if (self.certificate and not self.private_key) or (
             self.private_key and not self.certificate
@@ -175,9 +183,11 @@ def clean(self):
                     "keys (private and public) must be present"
                 )
             )
-        if self.serial_number:
-            self._validate_serial_number()
-        self._verify_extension_format()
+        all_supported = list(RSA_KEY_LENGTHS) + list(EC_KEY_LENGTHS)
+        if self.key_length not in all_supported:
+            raise ValidationError(
+                {"key_length": _("Unsupported key length: %s") % self.key_length}
+            )
 
     def save(self, *args, **kwargs):
         if self._state.adding and not self.certificate and not self.private_key:
@@ -280,10 +290,24 @@ def _generate(self):
         for attr in ["x509", "pkey"]:
             if attr in self.__dict__:
                 del self.__dict__[attr]
-        key = rsa.generate_private_key(
-            public_exponent=65537,
-            key_size=int(self.key_length),
-        )
+        is_ec = self.key_length in EC_KEY_LENGTHS
+        if is_ec:
+            curves = {
+                "256": ec.SECP256R1(),
+                "384": ec.SECP384R1(),
+                "521": ec.SECP521R1(),
+            }
+            curve = curves.get(self.key_length)
+            if not curve:
+                raise ValidationError(
+                    _("Unsupported EC key length: %s") % self.key_length
+                )
+            key = ec.generate_private_key(curve)
+        else:
+            key = rsa.generate_private_key(
+                public_exponent=65537,
+                key_size=int(self.key_length),
+            )
         if hasattr(self, "ca"):
             signing_key = self.ca.pkey
             issuer_name = self.ca.x509.subject
@@ -307,7 +331,12 @@ def _generate(self):
             "sha384": hashes.SHA384,
             "sha512": hashes.SHA512,
         }
-        digest_name = self.digest.lower().replace("withrsaencryption", "")
+        digest_name = (
+            self.digest.lower()
+            .replace("withrsaencryption", "")
+            .replace("ecdsa-with-", "")
+            .replace("withsha", "sha")
+        )
         digest_alg = HASH_MAP.get(digest_name, hashes.SHA256)()
         cert = builder.sign(signing_key, digest_alg)
         self.certificate = cert.public_bytes(serialization.Encoding.PEM).decode("utf-8")
@@ -318,7 +347,11 @@ def _generate(self):
         )
         self.private_key = key.private_bytes(
             encoding=serialization.Encoding.PEM,
-            format=serialization.PrivateFormat.TraditionalOpenSSL,
+            format=(
+                serialization.PrivateFormat.PKCS8
+                if is_ec
+                else serialization.PrivateFormat.TraditionalOpenSSL
+            ),
             encryption_algorithm=encryption,
         ).decode("utf-8")
 
@@ -352,6 +385,36 @@ def _import(self):
         imports existing x509 certificates
         """
         cert = self.x509
+        public_key = cert.public_key()
+        if isinstance(public_key, rsa.RSAPublicKey):
+            actual_length = str(public_key.key_size)
+            actual_is_ec = False
+        elif isinstance(public_key, ec.EllipticCurvePublicKey):
+            actual_length = str(public_key.curve.key_size)
+            actual_is_ec = True
+        else:
+            raise ValidationError(
+                _(
+                    "Unsupported key type in certificate. "
+                    "Only RSA and EC keys are supported."
+                )
+            )
+        selected_is_ec = self.key_length in EC_KEY_LENGTHS
+        if selected_is_ec != actual_is_ec:
+            algorithm_expected = "ECDSA" if selected_is_ec else "RSA"
+            algorithm_provided = "ECDSA" if actual_is_ec else "RSA"
+            raise ValidationError(
+                {
+                    "key_length": _(
+                        "Algorithm mismatch: You selected a length for %s, "
+                        "but the provided certificate contains an %s key."
+                    )
+                    % (algorithm_expected, algorithm_provided)
+                }
+            )
+        if actual_is_ec and actual_length not in EC_KEY_LENGTHS:
+            raise ValidationError(_("Unsupported EC curve size: %s") % actual_length)
+        self.key_length = actual_length
         # when importing an end entity certificate
         if hasattr(self, "ca"):
             self._verify_ca()
@@ -366,7 +429,6 @@ def _import(self):
             email = str(attrs[0].value) if attrs else ""
 
         self.email = email
-        self.key_length = str(cert.public_key().key_size)
         self.digest = cert.signature_hash_algorithm.name.lower()
         self.validity_start = cert.not_valid_before_utc
         self.validity_end = cert.not_valid_after_utc

diff --git a/django_x509/migrations/0010_alter_ca_key_length_alter_cert_key_length.py b/django_x509/migrations/0010_alter_ca_key_length_alter_cert_key_length.py
@@ -0,0 +1,52 @@
+# Generated by Django 6.0.1 on 2026-01-16 21:41
+
+import django_x509.base.models
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("django_x509", "0009_alter_ca_digest_alter_ca_key_length_and_more"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="ca",
+            name="key_length",
+            field=models.CharField(
+                choices=[
+                    ("256", "256 (ECDSA)"),
+                    ("384", "384 (ECDSA)"),
+                    ("521", "521 (ECDSA)"),
+                    ("512", "512 (RSA)"),
+                    ("1024", "1024 (RSA)"),
+                    ("2048", "2048 (RSA)"),
+                    ("4096", "4096 (RSA)"),
+                ],
+                default=django_x509.base.models.default_key_length,
+                help_text="bits",
+                max_length=6,
+                verbose_name="key length",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="cert",
+            name="key_length",
+            field=models.CharField(
+                choices=[
+                    ("256", "256 (ECDSA)"),
+                    ("384", "384 (ECDSA)"),
+                    ("521", "521 (ECDSA)"),
+                    ("512", "512 (RSA)"),
+                    ("1024", "1024 (RSA)"),
+                    ("2048", "2048 (RSA)"),
+                    ("4096", "4096 (RSA)"),
+                ],
+                default=django_x509.base.models.default_key_length,
+                help_text="bits",
+                max_length=6,
+                verbose_name="key length",
+            ),
+        ),
+    ]
diff --git a/django_x509/migrations/0011_alter_ca_key_length_alter_cert_key_length.py b/django_x509/migrations/0011_alter_ca_key_length_alter_cert_key_length.py
@@ -0,0 +1,50 @@
+# Generated by Django 6.0.1 on 2026-01-17 15:58
+
+import django_x509.base.models
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("django_x509", "0010_alter_ca_key_length_alter_cert_key_length"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="ca",
+            name="key_length",
+            field=models.CharField(
+                choices=[
+                    ("256", "256 (ECDSA)"),
+                    ("384", "384 (ECDSA)"),
+                    ("521", "521 (ECDSA)"),
+                    ("1024", "1024 (RSA)"),
+                    ("2048", "2048 (RSA)"),
+                    ("4096", "4096 (RSA)"),
+                ],
+                default=django_x509.base.models.default_key_length,
+                help_text="bits",
+                max_length=6,
+                verbose_name="key length",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="cert",
+            name="key_length",
+            field=models.CharField(
+                choices=[
+                    ("256", "256 (ECDSA)"),
+                    ("384", "384 (ECDSA)"),
+                    ("521", "521 (ECDSA)"),
+                    ("1024", "1024 (RSA)"),
+                    ("2048", "2048 (RSA)"),
+                    ("4096", "4096 (RSA)"),
+                ],
+                default=django_x509.base.models.default_key_length,
+                help_text="bits",
+                max_length=6,
+                verbose_name="key length",
+            ),
+        ),
+    ]