Add parameter ecdsa_deterministic_signing to x509 sign methods #12796
Conversation
|
Let's separate whether we want this from the specifics of this implementation. I'm not aware of any security reason to not allow deterministic and we can (mostly) reuse existing implementation. While it's a niche requirement and for leaf certificates you can get the same deterministic behavior with ed25519 keys I think I'm fine with supporting it. I do wonder if we want to extend the signing APIs this way or if we want to revisit them entirely. It sure would be nice if we were passing the |
|
Hmm, on the one hand, I don't love the dangling bool. On the other hand, passing a full So all the solutions, short of redo signing, feel wrong. |
|
Yeah it seems like we would need to either do some comical overloading of |
|
Thanks for the replies! Please let me know if you'd like me to do anything here, otherwise I'll wait for y'all to decide how you want to proceed. 🙂 |
Hi! This is a feature I implemented for myself in order to generate reproducible test vectors for W3C Web Authentication (see also the pull request). The feature already exists in the ECDSA layer, so this patch just plumbs it through to the X.509 layer. I named the parameter
ecdsa_deterministic_signingto mirror the correspondingdeterministic_signingparameter in theecmodule, and theecdsa_prefix mirroring its sibling parameterrsa_padding.I tried to get this to work in
PKCS7SignatureBuilder.add_signertoo, since itssign_and_serializeRust implementation also has calls that need a newfalseargument, but didn't manage to getPKCS7SignatureBuilder.sign()to produce reproducible outputs. I think one reason for that is thatsign_and_serializein Rust internally sets the signing time tonow(), but making that injectable as a parameter didn't seem to suffice to make the result deterministic. My experiments are available on mywip/pkcs7-sign-ecdsa-deterministicbranch in case there's interest in it.