[feature] Added support for ECDSA certificates #118

Closes #118

Author: stktyagi

README.rst

@@ -68,6 +68,8 @@ Current features
 - Possibility to generate and import passphrase protected x509
   certificates/CAs
 - Passphrase protected x509 content will be shown encrypted in the web UI
+- RSA and ECDSA support: generate or import certificates using RSA or
+  ECDSA algorithms.
 
 Project goals
 -------------
@@ -239,10 +241,8 @@ Default key length for new CAs and new certificates.
 
 Must be one of the following values:
 
-- ``512``
-- ``1024``
-- ``2048``
-- ``4096``
+- RSA: ``1024``, ``2048``, ``4096``
+- ECDSA: ``256`` (P-256), ``384`` (P-384), ``521`` (P-521)
 
 ``DJANGO_X509_DEFAULT_DIGEST_ALGORITHM``
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

django_x509/base/models.py

@@ -19,12 +19,17 @@
 from .. import settings as app_settings
 
 KEY_LENGTH_CHOICES = (
-    ("512", "512"),
-    ("1024", "1024"),
-    ("2048", "2048"),
-    ("4096", "4096"),
+    ("256", "256 (ECDSA)"),
+    ("384", "384 (ECDSA)"),
+    ("521", "521 (ECDSA)"),
+    ("1024", "1024 (RSA)"),
+    ("2048", "2048 (RSA)"),
+    ("4096", "4096 (RSA)"),
 )
 
+RSA_KEY_LENGTHS = ("1024", "2048", "4096")
+EC_KEY_LENGTHS = ("256", "384", "521")
+
 DIGEST_CHOICES = (
     ("sha1", "SHA1"),
     ("sha224", "SHA224"),
@@ -165,6 +170,9 @@ def clean_fields(self, *args, **kwargs):
         super().clean_fields(*args, **kwargs)
 
     def clean(self):
+        if self.serial_number:
+            self._validate_serial_number()
+        self._verify_extension_format()
         # when importing, both public and private must be present
         if (self.certificate and not self.private_key) or (
             self.private_key and not self.certificate
@@ -175,9 +183,11 @@ def clean(self):
                     "keys (private and public) must be present"
                 )
             )
-        if self.serial_number:
-            self._validate_serial_number()
-        self._verify_extension_format()
+        all_supported = list(RSA_KEY_LENGTHS) + list(EC_KEY_LENGTHS)
+        if self.key_length not in all_supported:
+            raise ValidationError(
+                {"key_length": _("Unsupported key length: %s") % self.key_length}
+            )
 
     def save(self, *args, **kwargs):
         if self._state.adding and not self.certificate and not self.private_key:
@@ -280,10 +290,24 @@ def _generate(self):
         for attr in ["x509", "pkey"]:
             if attr in self.__dict__:
                 del self.__dict__[attr]
-        key = rsa.generate_private_key(
-            public_exponent=65537,
-            key_size=int(self.key_length),
-        )
+        is_ec = self.key_length in EC_KEY_LENGTHS
+        if is_ec:
+            curves = {
+                "256": ec.SECP256R1(),
+                "384": ec.SECP384R1(),
+                "521": ec.SECP521R1(),
+            }
+            curve = curves.get(self.key_length)
+            if not curve:
+                raise ValidationError(
+                    _("Unsupported EC key length: %s") % self.key_length
+                )
+            key = ec.generate_private_key(curve)
+        else:
+            key = rsa.generate_private_key(
+                public_exponent=65537,
+                key_size=int(self.key_length),
+            )
         if hasattr(self, "ca"):
             signing_key = self.ca.pkey
             issuer_name = self.ca.x509.subject
@@ -307,7 +331,12 @@ def _generate(self):
             "sha384": hashes.SHA384,
             "sha512": hashes.SHA512,
         }
-        digest_name = self.digest.lower().replace("withrsaencryption", "")
+        digest_name = (
+            self.digest.lower()
+            .replace("withrsaencryption", "")
+            .replace("ecdsa-with-", "")
+            .replace("withsha", "sha")
+        )
         digest_alg = HASH_MAP.get(digest_name, hashes.SHA256)()
         cert = builder.sign(signing_key, digest_alg)
         self.certificate = cert.public_bytes(serialization.Encoding.PEM).decode("utf-8")
@@ -318,7 +347,11 @@ def _generate(self):
         )
         self.private_key = key.private_bytes(
             encoding=serialization.Encoding.PEM,
-            format=serialization.PrivateFormat.TraditionalOpenSSL,
+            format=(
+                serialization.PrivateFormat.PKCS8
+                if is_ec
+                else serialization.PrivateFormat.TraditionalOpenSSL
+            ),
             encryption_algorithm=encryption,
         ).decode("utf-8")
 
@@ -352,6 +385,36 @@ def _import(self):
         imports existing x509 certificates
         """
         cert = self.x509
+        public_key = cert.public_key()
+        if isinstance(public_key, rsa.RSAPublicKey):
+            actual_length = str(public_key.key_size)
+            actual_is_ec = False
+        elif isinstance(public_key, ec.EllipticCurvePublicKey):
+            actual_length = str(public_key.curve.key_size)
+            actual_is_ec = True
+        else:
+            raise ValidationError(
+                _(
+                    "Unsupported key type in certificate. "
+                    "Only RSA and EC keys are supported."
+                )
+            )
+        selected_is_ec = self.key_length in EC_KEY_LENGTHS
+        if selected_is_ec != actual_is_ec:
+            algorithm_expected = "ECDSA" if selected_is_ec else "RSA"
+            algorithm_provided = "ECDSA" if actual_is_ec else "RSA"
+            raise ValidationError(
+                {
+                    "key_length": _(
+                        "Algorithm mismatch: You selected a length for %s, "
+                        "but the provided certificate contains an %s key."
+                    )
+                    % (algorithm_expected, algorithm_provided)
+                }
+            )
+        if actual_is_ec and actual_length not in EC_KEY_LENGTHS:
+            raise ValidationError(_("Unsupported EC curve size: %s") % actual_length)
+        self.key_length = actual_length
         # when importing an end entity certificate
         if hasattr(self, "ca"):
             self._verify_ca()
@@ -366,7 +429,6 @@ def _import(self):
             email = str(attrs[0].value) if attrs else ""
 
         self.email = email
-        self.key_length = str(cert.public_key().key_size)
         self.digest = cert.signature_hash_algorithm.name.lower()
         self.validity_start = cert.not_valid_before_utc
         self.validity_end = cert.not_valid_after_utc

django_x509/migrations/0010_alter_ca_key_length_alter_cert_key_length.py

@@ -0,0 +1,50 @@
+# Generated by Django 6.0.1 on 2026-01-30 18:18
+
+import django_x509.base.models
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("django_x509", "0009_alter_ca_digest_alter_ca_key_length_and_more"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="ca",
+            name="key_length",
+            field=models.CharField(
+                choices=[
+                    ("256", "256 (ECDSA)"),
+                    ("384", "384 (ECDSA)"),
+                    ("521", "521 (ECDSA)"),
+                    ("1024", "1024 (RSA)"),
+                    ("2048", "2048 (RSA)"),
+                    ("4096", "4096 (RSA)"),
+                ],
+                default=django_x509.base.models.default_key_length,
+                help_text="bits",
+                max_length=6,
+                verbose_name="key length",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="cert",
+            name="key_length",
+            field=models.CharField(
+                choices=[
+                    ("256", "256 (ECDSA)"),
+                    ("384", "384 (ECDSA)"),
+                    ("521", "521 (ECDSA)"),
+                    ("1024", "1024 (RSA)"),
+                    ("2048", "2048 (RSA)"),
+                    ("4096", "4096 (RSA)"),
+                ],
+                default=django_x509.base.models.default_key_length,
+                help_text="bits",
+                max_length=6,
+                verbose_name="key length",
+            ),
+        ),
+    ]

django_x509/tests/test_ca.py

@@ -2,7 +2,8 @@
 from datetime import timezone as dt_timezone
 
 from cryptography import x509
-from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import ec, rsa
 from cryptography.x509.oid import NameOID
 from django.core.exceptions import ValidationError
 from django.test import TestCase
@@ -34,29 +35,56 @@ def _prepare_revoked(self):
         return (ca, cert)
 
     import_certificate = """-----BEGIN CERTIFICATE-----
-MIICNDCCAd6gAwIBAgIDAeJAMA0GCSqGSIb3DQEBBQUAMHcxCzAJBgNVBAYTAlVT
-MQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwE
-QUNNRTETMBEGA1UEAwwKaW1wb3J0dGVzdDEfMB0GCSqGSIb3DQEJARYQY29udGFj
-dEBhY21lLmNvbTAeFw0yNTEyMjUwOTIwNTZaFw0yNjEyMjUwOTIwNTZaMHcxCzAJ
-BgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEN
-MAsGA1UECgwEQUNNRTETMBEGA1UEAwwKaW1wb3J0dGVzdDEfMB0GCSqGSIb3DQEJ
-ARYQY29udGFjdEBhY21lLmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDHAPm2
-hfj7hkbrXAy+Cw2XbyUXFqvUpP7fJPcTXIBTqKknTiFslf4XYzMkMK4v+xT/aHrI
-AKB/oN+p7sDa44dFAgMBAAGjUzBRMB0GA1UdDgQWBBQgNew7Ykf+970QpbdN2hsg
-YHhUCDAfBgNVHSMEGDAWgBQgNew7Ykf+970QpbdN2hsgYHhUCDAPBgNVHRMBAf8E
-BTADAQH/MA0GCSqGSIb3DQEBBQUAA0EAj2EzamJKyBjGNEDEvOY4Gyh+kD2843Ay
-qtOGFGIC2GdT3K2ewBfITTWzecqaSLcQ2PeJcLLg0i3ra5nXAAZBeg==
+MIIDzzCCAregAwIBAgIUQSTDetixAO35vLfJ7jlCH7/UpUcwDQYJKoZIhvcNAQEL
+BQAwdzETMBEGA1UEAwwKaW1wb3J0dGVzdDELMAkGA1UEBhMCVVMxCzAJBgNVBAgM
+AkNBMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARBQ01FMR8wHQYJ
+KoZIhvcNAQkBFhBjb250YWN0QGFjbWUuY29tMB4XDTI2MDExNzA3NDEwNVoXDTM2
+MDExNTA3NDEwNVowdzETMBEGA1UEAwwKaW1wb3J0dGVzdDELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgMAkNBMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARB
+Q01FMR8wHQYJKoZIhvcNAQkBFhBjb250YWN0QGFjbWUuY29tMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkyNsaGZatFTvlPQ2Soj4g5kzalPmrLkKEXxY
+kNvICJ430Pob1J0N+R5VdhNuwuSaCc4bj5lzyHCvScSZBaTyThXX6deRUW1uk8Ss
+8fG+E8JCrAHzKWQVUe7uZJTgKtI6hNBfNzmVHVXvWiFBQRMO4OXOW92hKKPhOIcc
+T99QcelNrO1TKT937cngKaSb+0ZcoAspKWfFb0y62XxxArHC/f5nN2p1I8+6h9gQ
+26+MRXmxwlvT9qX2TMRBCj36D0jgsCgJ10C7iQjZu3d5FtmbU7dS4DvlCj8pNXcn
+S4RxXHrmZKeY3UVk9TNRYyMOd2cHm7FQdrGYWO4xT+5LtPkLcQIDAQABo1MwUTAd
+BgNVHQ4EFgQUrnxElH6h9VmQZYHG+aGHSuhDayMwHwYDVR0jBBgwFoAUrnxElH6h
+9VmQZYHG+aGHSuhDayMwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AQEACshO+uDpXE779/5zrm6w83IKJHqYnX2pdFMJM1WuJBXlo0r+WMrwDTarQc+I
+NhuL60bnoYrmrja8o5cOuBBMqpIn2ct1H7xE4C0t6BY4+khmEBLM700oxKWhOThG
+IKAcdLrbqGECQdbttMS5kiMhlH5mQANtnPQFHZgua/kPrBjIeeOzK0Wt+2Lnd3/o
+q24y18BVEbJAZxTsEberrvrSAxrdSNk9A4nMrz5UpjOxJ4QWKJctGjUjZrCtpLqP
+/fPO6RV+C1jIBYvP2NduuCiQgCqfRArPqhqqWbQodUCwBL8mTu/piL5e1dIotYwH
+EQZrw8bbikXRSH3D31NVroN7fw==
 -----END CERTIFICATE-----"""
 
     import_private_key = """-----BEGIN PRIVATE KEY-----
-MIIBVgIBADANBgkqhkiG9w0BAQEFAASCAUAwggE8AgEAAkEAxwD5toX4+4ZG61wM
-vgsNl28lFxar1KT+3yT3E1yAU6ipJ04hbJX+F2MzJDCuL/sU/2h6yACgf6Dfqe7A
-2uOHRQIDAQABAkEAwQApLuPv/cDUtx6nHQkLPXsFtca/D5SVu0TWe2iS7I5IQuXN
-XIwUScvp9rd/GnSuphyMXrgE8XI3nn1baTS7AQIhAO6eXAYz4cQHWPWoMS75S6O/
-uE/ZJVCfBUonFfmS2ELpAiEA1X/mNy4pacJSJLpGv1vajOIzXR76W9ud5lHh23U3
-z/0CIBj7ES1BDzijgEevhP6i8K1C6/vIAuUO0NHzh5RqMCPJAiEAzBJjyCzMkvWW
-NNsE0taGsZFpjUIWBoWGiWeNHosNnTUCIQC1wzMjWku4OXk030WC4fFeJwU060WT
-9iuP3scMQKQZdg==
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCTI2xoZlq0VO+U
+9DZKiPiDmTNqU+asuQoRfFiQ28gInjfQ+hvUnQ35HlV2E27C5JoJzhuPmXPIcK9J
+xJkFpPJOFdfp15FRbW6TxKzx8b4TwkKsAfMpZBVR7u5klOAq0jqE0F83OZUdVe9a
+IUFBEw7g5c5b3aEoo+E4hxxP31Bx6U2s7VMpP3ftyeAppJv7RlygCykpZ8VvTLrZ
+fHECscL9/mc3anUjz7qH2BDbr4xFebHCW9P2pfZMxEEKPfoPSOCwKAnXQLuJCNm7
+d3kW2ZtTt1LgO+UKPyk1dydLhHFceuZkp5jdRWT1M1FjIw53ZwebsVB2sZhY7jFP
+7ku0+QtxAgMBAAECggEANH9kE4/JdyQC41uK72cVfCayMJLE8AWJcRmzo+O26FRD
+R/2k5mQu8x5+kYV3dHQJ/cubC85NgEusTx6lFl120qN6iQWP5MStum1m42BEWFps
+XWDIuJDsBnLAfgScQssFdBPAlTynVnMt1jOdS7GYEmgMC7z03kIyfm++i0T7N9ji
+fyN2CFOXgevgHK5EtTSrBTzg8JkFnhNZKjHPU9IkRyaN8KtOwKrEgxh0glvNM6yp
+cmU8PE+DPK4TSQGsIO4X4Z19wKv7O8x6CYLos8w2Yh9jwMHaGeDnv68RVFoY1vgH
+q/PJcWylRanDeyoShIm3v2qBCQcBtUqDUqdTotww7QKBgQDH2LeZ4rn7SUuRkt7l
+YeM4YtlbWSlycTh1KphqkM3UW0MQA/HcJKgFacbxdEj9hV0Ol/l76qQv39V1Ts3X
+Zsf1eSGLdrvi2JYrlh0WYhFco/g7Cqt43dNfqSAnNKb8ihRq3X8zsQ7nTDU3wWoK
+fYjeHyYRFYPi7jQF3sYcmrM5OwKBgQC8e1KPKQ2eIJNC5rYbolxRgrSOMxr+AxgD
+iiNdhPT0lpeYEPW65z/pbdiiehXt8zrrJhtfDDe7f0dHaYkbSJWq5dzjAqnfwNGO
++gr5+skTL5nkimjbinGHN8+2134eMxh4WmsyQvkY23wk8SJlC9/57/TQvjRNZUAw
+nmBmQdojQwKBgQCWFXl9RjqqLxdjkkt3NRZxyDq4UbPA0Kq3w2+HyIvryUYKBwxi
+ad0Ng6z2tIAEdV23kga5OzRnB9DFMpOACx5sibXZiSf9au8MeMYLg0bKrhHENXUl
+ZmJR2y/cgbxOuFwxDXt0FKq+pgrpfoXmrvRU7EuoVOIhUQccyXs7DCtA9QKBgEoS
+vVN98tgePUGhohgiKt3t3D+2XflOBfX+J//s7MfjFxiwMaKOl1OJ1AWmrU+is5kO
+lNs51f1d/AlYtIWAdTGAvNqKhXBmOvVR11Z+9N8Rag2jR6pgMlXN3VgiQHJl6kwC
+XPaX04WtXJC4I6hKjm+PmksfNTblf+CbnY8SekQ5AoGBALvK6n2UGG+0fKtUFM+M
+0enYrqW065OsDOIXo7roOVZjBhul+vilk7xJ85fhtDD0zll/4OoJ1BG9IN0rUUJh
+eMIi3AQRO060kYejKGC2ls5hMxjdhxB/bUGrwXkMxZQPfjBkcP3JqaZkwcFBKq5N
+tsND+97h9r73S+UTOhepQTDB
 -----END PRIVATE KEY-----"""
 
     def test_new(self):
@@ -132,7 +160,8 @@ def test_import_ca(self):
         ca.save()
         cert = ca.x509
         # verify attributes
-        self.assertEqual(cert.serial_number, 123456)
+        serial = 371904255628934431598705194442539630076148098375
+        self.assertEqual(cert.serial_number, serial)
         subject = cert.subject
         self.assertEqual(
             subject.get_attributes_for_oid(NameOID.COUNTRY_NAME)[0].value, "US"
@@ -157,18 +186,18 @@ def test_import_ca(self):
         )
         self.assertEqual(cert.issuer, cert.subject)
         # verify field attribtues
-        self.assertEqual(ca.key_length, "512")
-        self.assertEqual(ca.digest, "sha1")
+        self.assertEqual(ca.key_length, "2048")
+        self.assertEqual(ca.digest, "sha256")
         self.assertEqual(ca.country_code, "US")
         self.assertEqual(ca.state, "CA")
         self.assertEqual(ca.city, "San Francisco")
         self.assertEqual(ca.organization_name, "ACME")
         self.assertEqual(ca.email, "[email protected]")
         self.assertEqual(ca.common_name, "importtest")
-        self.assertEqual(int(ca.serial_number), 123456)
+        self.assertEqual(int(ca.serial_number), serial)
         self.assertEqual(ca.name, "ImportTest")
-        start = datetime(2025, 12, 25, 9, 20, 56, tzinfo=dt_timezone.utc)
-        end = datetime(2026, 12, 25, 9, 20, 56, tzinfo=dt_timezone.utc)
+        start = datetime(2026, 1, 17, 7, 41, 5, tzinfo=dt_timezone.utc)
+        end = datetime(2036, 1, 15, 7, 41, 5, tzinfo=dt_timezone.utc)
         self.assertEqual(ca.validity_start, start)
         self.assertEqual(ca.validity_end, end)
         #  ensure version is 3
@@ -684,3 +713,57 @@ def test_renewal_serial_sync(self):
         cert_obj = x509.load_pem_x509_certificate(cert.certificate.encode())
         pem_serial = cert_obj.serial_number
         self.assertEqual(int(cert.serial_number), pem_serial)
+
+    def test_ca_ecdsa_full_lifecycle(self):
+        curves_to_test = [
+            ("256", ec.SECP256R1, hashes.SHA256()),
+            ("384", ec.SECP384R1, hashes.SHA384()),
+            ("521", ec.SECP521R1, hashes.SHA512()),
+        ]
+        for length, curve_class, digest in curves_to_test:
+            with self.subTest(key_length=length):
+                priv_key = ec.generate_private_key(curve_class())
+                key_pem = priv_key.private_bytes(
+                    encoding=serialization.Encoding.PEM,
+                    format=serialization.PrivateFormat.PKCS8,
+                    encryption_algorithm=serialization.NoEncryption(),
+                ).decode("utf-8")
+                now = datetime.now(dt_timezone.utc)
+                subject = issuer = x509.Name(
+                    [x509.NameAttribute(NameOID.COMMON_NAME, "test")]
+                )
+                cert = (
+                    x509.CertificateBuilder()
+                    .subject_name(subject)
+                    .issuer_name(issuer)
+                    .public_key(priv_key.public_key())
+                    .serial_number(x509.random_serial_number())
+                    .not_valid_before(now)
+                    .not_valid_after(now + timedelta(days=10))
+                    .sign(priv_key, digest)
+                )
+                cert_pem = cert.public_bytes(serialization.Encoding.PEM).decode("utf-8")
+                ca = Ca(
+                    name=f"EC-{length}",
+                    certificate=cert_pem,
+                    private_key=key_pem,
+                    key_length=length,
+                )
+                ca.full_clean()
+                ca.save()
+                self.assertEqual(ca.key_length, length)
+                self.assertIsInstance(ca.pkey, ec.EllipticCurvePrivateKey)
+                gen_ca = Ca(
+                    name=f"Gen-EC-{length}",
+                    key_length=length,
+                )
+                gen_ca.full_clean()
+                gen_ca.save()
+                self.assertIsInstance(gen_ca.pkey, ec.EllipticCurvePrivateKey)
+                original_cert = gen_ca.certificate
+                original_key = gen_ca.private_key
+                gen_ca.renew()
+                gen_ca.refresh_from_db()
+                self.assertEqual(gen_ca.key_length, length)
+                self.assertNotEqual(gen_ca.private_key, original_key)
+                self.assertNotEqual(original_cert, gen_ca.certificate)