Add parameter ecdsa_deterministic to x509 sign methods (#12887)

* Add parameter ecdsa_deterministic_signing to x509 sign methods

* simplify

* Boolean -> boolean

also some whitespace trimming and text rewrap

* also simplify the tests, we don't need to derive keys this way

* simplify even more

* change to ecdsa_deterministic, check if the right key type is used

* Apply suggestions from code review

Co-authored-by: Alex Gaynor <[email protected]>

* format

---------

Co-authored-by: Emil Lundberg <[email protected]>
Co-authored-by: Alex Gaynor <[email protected]>

Author: 3 people

CHANGELOG.rst

@@ -69,6 +69,10 @@ Changelog
   involving small buffers.
 * Added :func:`~cryptography.hazmat.primitives.serialization.ssh_key_fingerprint`
   for computing fingerprints of SSH public keys.
+* Added support for deterministic ECDSA signing via the new keyword-only argument
+  ``ecdsa_deterministic`` in :meth:`~cryptography.x509.CertificateBuilder.sign`,
+  :meth:`~cryptography.x509.CertificateRevocationListBuilder.sign`
+  and :meth:`~cryptography.x509.CertificateSigningRequestBuilder.sign`.
 
 .. _v44-0-3:
 

docs/x509/reference.rst

@@ -885,7 +885,7 @@ X.509 Certificate Builder
     :canonical: cryptography.x509.base.CertificateBuilder
 
     .. versionadded:: 1.0
-    
+
     .. note::
        All methods, except :meth:`sign`, return a **new** CertificateBuilder
        instance with the corresponding updated value. They do not modify the
@@ -936,7 +936,7 @@ X.509 Certificate Builder
 
         :param name: The :class:`~cryptography.x509.Name` that describes the
             issuer (CA).
-        
+
         :return: A new :class:`CertificateBuilder` with the updated issuer name.
 
     .. method:: subject_name(name)
@@ -945,7 +945,7 @@ X.509 Certificate Builder
 
         :param name: The :class:`~cryptography.x509.Name` that describes the
             subject.
-        
+
         :return: A new :class:`CertificateBuilder` with the updated subject name.
 
     .. method:: public_key(public_key)
@@ -954,7 +954,7 @@ X.509 Certificate Builder
 
         :param public_key: The subject's public key. This can be one of
             :data:`~cryptography.hazmat.primitives.asymmetric.types.CertificatePublicKeyTypes`.
-        
+
         :return: A new :class:`CertificateBuilder` with the updated public key.
 
     .. method:: serial_number(serial_number)
@@ -971,7 +971,7 @@ X.509 Certificate Builder
             identify this certificate (most notably during certificate
             revocation checking). Users should consider using
             :func:`~cryptography.x509.random_serial_number` when possible.
-        
+
         :return: A new :class:`CertificateBuilder` with the updated serial number.
 
     .. method:: not_valid_before(time)
@@ -983,7 +983,7 @@ X.509 Certificate Builder
         :param time: The :class:`datetime.datetime` object (in UTC) that marks the
             activation time for the certificate.  The certificate may not be
             trusted clients if it is used before this time.
-        
+
         :return: A new :class:`CertificateBuilder` with the updated activation time.
 
     .. method:: not_valid_after(time)
@@ -995,7 +995,7 @@ X.509 Certificate Builder
         :param time: The :class:`datetime.datetime` object (in UTC) that marks the
             expiration time for the certificate.  The certificate may not be
             trusted clients if it is used after this time.
-        
+
         :return: A new :class:`CertificateBuilder` with the updated expiration time.
 
     .. method:: add_extension(extval, critical)
@@ -1007,10 +1007,10 @@ X.509 Certificate Builder
 
         :param critical: Set to ``True`` if the extension must be understood and
              handled by whoever reads the certificate.
-        
+
         :return: A new :class:`CertificateBuilder` with the additional extension.
 
-    .. method:: sign(private_key, algorithm, *, rsa_padding=None)
+    .. method:: sign(private_key, algorithm, *, rsa_padding=None, ecdsa_deterministic=None)
 
         Sign the certificate using the CA's private key.
 
@@ -1045,6 +1045,20 @@ X.509 Certificate Builder
             :class:`~cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15`,
             or :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`
 
+        :param ecdsa_deterministic:
+
+            .. versionadded:: 45.0.0
+
+            This is a keyword-only argument. If ``private_key`` is an
+            ``EllipticCurvePrivateKey`` then this can be set to true to
+            use deterministic signing, as defined in :rfc:`6979`. This only
+            impacts the signing process, verification is not affected
+            (the verification process is the same for both
+            deterministic and non-deterministic signed messages). All other
+            key types **must** not pass a value other than ``None``.
+
+        :type ecdsa_deterministic: ``None``, ``bool``
+
         :returns: :class:`~cryptography.x509.Certificate`
 
 
@@ -1285,7 +1299,7 @@ X.509 Certificate Revocation List Builder
             obtained from an existing CRL or created with
             :class:`~cryptography.x509.RevokedCertificateBuilder`.
 
-    .. method:: sign(private_key, algorithm, *, rsa_padding=None)
+    .. method:: sign(private_key, algorithm, *, rsa_padding=None, ecdsa_deterministic=None)
 
         Sign this CRL using the CA's private key.
 
@@ -1320,6 +1334,20 @@ X.509 Certificate Revocation List Builder
             :class:`~cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15`,
             or :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`
 
+        :param ecdsa_deterministic:
+
+            .. versionadded:: 45.0.0
+
+            This is a keyword-only argument. If ``private_key`` is an
+            ``EllipticCurvePrivateKey`` then this can be set to true to
+            use deterministic signing, as defined in :rfc:`6979`. This only
+            impacts the signing process, verification is not affected
+            (the verification process is the same for both
+            deterministic and non-deterministic signed messages). All other
+            key types **must** not pass a value other than ``None``.
+
+        :type ecdsa_deterministic: ``None``, ``bool``
+
         :returns: :class:`~cryptography.x509.CertificateRevocationList`
 
 X.509 Revoked Certificate Object
@@ -1498,7 +1526,7 @@ X.509 CSR (Certificate Signing Request) Builder Object
         :returns: A new
             :class:`~cryptography.x509.CertificateSigningRequestBuilder`.
 
-    .. method:: sign(private_key, algorithm, *, rsa_padding=None)
+    .. method:: sign(private_key, algorithm, *, rsa_padding=None, ecdsa_deterministic=None)
 
         :param private_key: The private key
             that will be used to sign the request.  When the request is
@@ -1533,6 +1561,20 @@ X.509 CSR (Certificate Signing Request) Builder Object
             :class:`~cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15`,
             or :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`
 
+        :param ecdsa_deterministic:
+
+            .. versionadded:: 45.0.0
+
+            This is a keyword-only argument. If ``private_key`` is an
+            ``EllipticCurvePrivateKey`` then this can be set to true to
+            use deterministic signing, as defined in :rfc:`6979`. This only
+            impacts the signing process, verification is not affected
+            (the verification process is the same for both
+            deterministic and non-deterministic signed messages). All other
+            key types **must** not pass a value other than ``None``.
+
+        :type ecdsa_deterministic: ``None``, ``bool``
+
         :returns: A new
             :class:`~cryptography.x509.CertificateSigningRequest`.
 
@@ -2541,7 +2583,7 @@ X.509 Extensions
       :return: A ``bytes`` object containing the encoded extension.
 
     .. attribute:: oid
-        
+
         :type: :class:`ObjectIdentifier`
 
         Returns

src/cryptography/hazmat/bindings/_rust/x509.pyi

@@ -45,18 +45,21 @@ def create_x509_certificate(
     private_key: PrivateKeyTypes,
     hash_algorithm: hashes.HashAlgorithm | None,
     rsa_padding: PKCS1v15 | PSS | None,
+    ecdsa_deterministic: bool | None,
 ) -> x509.Certificate: ...
 def create_x509_csr(
     builder: x509.CertificateSigningRequestBuilder,
     private_key: PrivateKeyTypes,
     hash_algorithm: hashes.HashAlgorithm | None,
     rsa_padding: PKCS1v15 | PSS | None,
+    ecdsa_deterministic: bool | None,
 ) -> x509.CertificateSigningRequest: ...
 def create_x509_crl(
     builder: x509.CertificateRevocationListBuilder,
     private_key: PrivateKeyTypes,
     hash_algorithm: hashes.HashAlgorithm | None,
     rsa_padding: PKCS1v15 | PSS | None,
+    ecdsa_deterministic: bool | None,
 ) -> x509.CertificateRevocationList: ...
 
 class Sct:

src/cryptography/x509/base.py

@@ -331,6 +331,7 @@ def sign(
         backend: typing.Any = None,
         *,
         rsa_padding: padding.PSS | padding.PKCS1v15 | None = None,
+        ecdsa_deterministic: bool | None = None,
     ) -> CertificateSigningRequest:
         """
         Signs the request using the requestor's private key.
@@ -344,8 +345,18 @@ def sign(
             if not isinstance(private_key, rsa.RSAPrivateKey):
                 raise TypeError("Padding is only supported for RSA keys")
 
+        if ecdsa_deterministic is not None:
+            if not isinstance(private_key, ec.EllipticCurvePrivateKey):
+                raise TypeError(
+                    "Deterministic ECDSA is only supported for EC keys"
+                )
+
         return rust_x509.create_x509_csr(
-            self, private_key, algorithm, rsa_padding
+            self,
+            private_key,
+            algorithm,
+            rsa_padding,
+            ecdsa_deterministic,
         )
 
 
@@ -560,6 +571,7 @@ def sign(
         backend: typing.Any = None,
         *,
         rsa_padding: padding.PSS | padding.PKCS1v15 | None = None,
+        ecdsa_deterministic: bool | None = None,
     ) -> Certificate:
         """
         Signs the certificate using the CA's private key.
@@ -588,8 +600,18 @@ def sign(
             if not isinstance(private_key, rsa.RSAPrivateKey):
                 raise TypeError("Padding is only supported for RSA keys")
 
+        if ecdsa_deterministic is not None:
+            if not isinstance(private_key, ec.EllipticCurvePrivateKey):
+                raise TypeError(
+                    "Deterministic ECDSA is only supported for EC keys"
+                )
+
         return rust_x509.create_x509_certificate(
-            self, private_key, algorithm, rsa_padding
+            self,
+            private_key,
+            algorithm,
+            rsa_padding,
+            ecdsa_deterministic,
         )
 
 
@@ -717,6 +739,7 @@ def sign(
         backend: typing.Any = None,
         *,
         rsa_padding: padding.PSS | padding.PKCS1v15 | None = None,
+        ecdsa_deterministic: bool | None = None,
     ) -> CertificateRevocationList:
         if self._issuer_name is None:
             raise ValueError("A CRL must have an issuer name")
@@ -733,8 +756,18 @@ def sign(
             if not isinstance(private_key, rsa.RSAPrivateKey):
                 raise TypeError("Padding is only supported for RSA keys")
 
+        if ecdsa_deterministic is not None:
+            if not isinstance(private_key, ec.EllipticCurvePrivateKey):
+                raise TypeError(
+                    "Deterministic ECDSA is only supported for EC keys"
+                )
+
         return rust_x509.create_x509_crl(
-            self, private_key, algorithm, rsa_padding
+            self,
+            private_key,
+            algorithm,
+            rsa_padding,
+            ecdsa_deterministic,
         )
 
 

src/rust/src/pkcs7.rs

@@ -517,6 +517,7 @@ fn sign_and_serialize<'p>(
                         py_private_key.clone(),
                         py_hash_alg.clone(),
                         rsa_padding.clone(),
+                        None,
                         &data_with_header,
                     )?,
                 )
@@ -566,6 +567,7 @@ fn sign_and_serialize<'p>(
                         py_private_key.clone(),
                         py_hash_alg.clone(),
                         rsa_padding.clone(),
+                        None,
                         &signed_data,
                     )?,
                 )

src/rust/src/x509/certificate.rs

@@ -1003,6 +1003,7 @@ pub(crate) fn create_x509_certificate(
     private_key: &pyo3::Bound<'_, pyo3::PyAny>,
     hash_algorithm: &pyo3::Bound<'_, pyo3::PyAny>,
     rsa_padding: &pyo3::Bound<'_, pyo3::PyAny>,
+    ecdsa_deterministic: Option<bool>,
 ) -> CryptographyResult<Certificate> {
     let sigalg = x509::sign::compute_signature_algorithm(
         py,
@@ -1065,6 +1066,7 @@ pub(crate) fn create_x509_certificate(
         private_key.clone(),
         hash_algorithm.clone(),
         rsa_padding.clone(),
+        ecdsa_deterministic,
         &tbs_bytes,
     )?;
     let data = asn1::write_single(&cryptography_x509::certificate::Certificate {

src/rust/src/x509/crl.rs

@@ -629,6 +629,7 @@ pub(crate) fn create_x509_crl(
     private_key: &pyo3::Bound<'_, pyo3::PyAny>,
     hash_algorithm: &pyo3::Bound<'_, pyo3::PyAny>,
     rsa_padding: &pyo3::Bound<'_, pyo3::PyAny>,
+    ecdsa_deterministic: Option<bool>,
 ) -> CryptographyResult<CertificateRevocationList> {
     let sigalg = x509::sign::compute_signature_algorithm(
         py,
@@ -696,6 +697,7 @@ pub(crate) fn create_x509_crl(
         private_key.clone(),
         hash_algorithm.clone(),
         rsa_padding.clone(),
+        ecdsa_deterministic,
         &tbs_bytes,
     )?;
     let data = asn1::write_single(&crl::CertificateRevocationList {

src/rust/src/x509/csr.rs

@@ -292,6 +292,7 @@ pub(crate) fn create_x509_csr(
     private_key: &pyo3::Bound<'_, pyo3::PyAny>,
     hash_algorithm: &pyo3::Bound<'_, pyo3::PyAny>,
     rsa_padding: &pyo3::Bound<'_, pyo3::PyAny>,
+    ecdsa_deterministic: Option<bool>,
 ) -> CryptographyResult<CertificateSigningRequest> {
     let sigalg = x509::sign::compute_signature_algorithm(
         py,
@@ -381,6 +382,7 @@ pub(crate) fn create_x509_csr(
         private_key.clone(),
         hash_algorithm.clone(),
         rsa_padding.clone(),
+        ecdsa_deterministic,
         &tbs_bytes,
     )?;
     let data = asn1::write_single(&Csr {

src/rust/src/x509/ocsp_resp.rs

@@ -834,6 +834,7 @@ pub(crate) fn create_ocsp_response(
         private_key.clone(),
         hash_algorithm.clone(),
         py.None().into_bound(py),
+        None,
         &tbs_bytes,
     )?;
 

src/rust/src/x509/sign.rs

@@ -285,6 +285,7 @@ pub(crate) fn sign_data<'p>(
     private_key: pyo3::Bound<'p, pyo3::PyAny>,
     hash_algorithm: pyo3::Bound<'p, pyo3::PyAny>,
     rsa_padding: pyo3::Bound<'p, pyo3::PyAny>,
+    ecdsa_deterministic: Option<bool>,
     data: &[u8],
 ) -> pyo3::PyResult<PyBackedBytes> {
     let key_type = identify_key_type(py, private_key.clone())?;
@@ -294,7 +295,9 @@ pub(crate) fn sign_data<'p>(
             private_key.call_method1(pyo3::intern!(py, "sign"), (data,))?
         }
         KeyType::Ec => {
-            let ecdsa = types::ECDSA.get(py)?.call1((hash_algorithm,))?;
+            let ecdsa = types::ECDSA
+                .get(py)?
+                .call1((hash_algorithm, ecdsa_deterministic.unwrap_or(false)))?;
             private_key.call_method1(pyo3::intern!(py, "sign"), (data, ecdsa))?
         }
         KeyType::Rsa => {