
Signature digest for CSR should be based on signature algorithm #1945

Open
Tracked by #974
haydentherapper opened this issue Feb 14, 2025 · 0 comments
Labels
enhancement New feature or request v2

Comments

@haydentherapper (Contributor) commented Feb 14, 2025

Description

Currently, the signature digest algorithm for CSRs is hardcoded to SHA-256. This introduces challenges for clients that support ECDSA-P384 or -P521 where the digest algorithms are SHA-384/512 respectively, since most signing libraries will automatically select the digest based on the signature algorithm.

In Fulcio v2, we should remove this hardcoded digest algorithm and select the digest based on the signature algorithm. It would be a breaking change to do this now in Fulcio v1, since clients may already handle this for non-SHA256 signature algorithms.

Discussion in #1938 (comment)
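The mismatch described above, as an added Go example that is not Fulcio's code: crypto/x509 signs a CSR for a P-384 key with ECDSA-SHA384, so verifying that CSR with a hardcoded SHA-256 digest fails, while a digest derived from the CSR's own signature algorithm succeeds. The names digestForSigAlg, verifyCSR and newCSR are assumed for this example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
)

// Digest implied by each ECDSA signature algorithm: the lookup proposed for Fulcio v2.
var digestForSigAlg = map[x509.SignatureAlgorithm]crypto.Hash{
	x509.ECDSAWithSHA256: crypto.SHA256,
	x509.ECDSAWithSHA384: crypto.SHA384,
	x509.ECDSAWithSHA512: crypto.SHA512,
}

// verifyCSR checks the CSR self-signature with an explicit digest (hardcoded or derived).
func verifyCSR(csr *x509.CertificateRequest, h crypto.Hash) bool {
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok || h == 0 {
		return false // non-ECDSA key or unknown signature algorithm
	}
	d := h.New() // crypto/x509 already registers SHA-256/384/512 with crypto.Hash
	d.Write(csr.RawTBSCertificateRequest)
	return ecdsa.VerifyASN1(pub, d.Sum(nil), csr.Signature)
}

// newCSR (assumed helper): crypto/x509 picks the signature algorithm, and so the
// digest, from the key, which is what most client signing libraries do.
func newCSR(curve elliptic.Curve) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{}, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

func main() {
	csr, err := newCSR(elliptic.P384()) // signed as ECDSA-SHA384, not SHA-256
	if err != nil {
		panic(err)
	}
	fmt.Println(csr.SignatureAlgorithm, verifyCSR(csr, crypto.SHA256), verifyCSR(csr, digestForSigAlg[csr.SignatureAlgorithm]))
}
```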
