[Pki-devel] [PATCH] Add certutil options for ECC
Christina Fu
cfu at redhat.com
Wed Jul 29 01:55:32 UTC 2015
looks good. The only thing I think we should have is if the key type is
specified to be ecc but key size is not specified, please make sure we
give a default curve (e.g. nistp256).
Conditional ACK.
thanks,
Christina
On 07/28/2015 05:52 PM, Matthew Harmsen wrote:
> Please review the attached patch which addresses the following issue:
>
> * PKI TRAC Ticket #1524 - pkispawn: certutil options incorrect for
> creating ecc admin certificate
> <https://fedorahosted.org/pki/ticket/1524>
>
> Tested patch by creating both an RSA CA as well as an ECC CA.
>
> Did a simple successful enrollment for both; checked the Admin cert to
> verify that it was an RSA admin cert for RSA CA:
>
> Certificate:
> Data:
> Version: v3
> Serial Number: 0x6
> Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
> Issuer: CN=CA Signing Certificate,O=example.com
> Security Domain
> Validity:
> Not Before: Tuesday, July 28, 2015 6:22:41 PM MDT
> America/Denver
> Not After: Monday, July 17, 2017 6:22:41 PM MDT
> America/Denver
> Subject: CN=PKI
> Administrator,E=caadmin at example.com,O=example.com Security Domain
> Subject Public Key Info:
> *Algorithm: RSA - 1.2.840.113549.1.1.1*
> Public Key:
> Exponent: 65537
> Public Key Modulus: (2048 bits) :
> E7:3C:D6:6D:A2:0A:B0:D7:AF:8D:3F:D7:63:69:69:F7:
> F2:90:A6:AC:2C:9C:63:D0:A7:81:C2:2C:C6:C8:2F:7E:
> 28:A0:69:99:30:3F:8C:F0:F2:D5:1C:19:E0:D8:81:BD:
> C3:4C:09:89:62:FB:86:63:76:8E:6B:EC:B1:DA:15:CA:
> B7:27:F1:F4:60:40:E8:F3:9F:39:0F:22:F5:9C:2E:E1:
> EB:F6:47:CA:01:60:93:6E:D1:30:DD:4A:27:F0:7C:36:
> 93:DB:88:31:38:86:9E:CB:2C:87:02:49:3A:76:22:64:
> 13:B3:F2:62:D8:6A:EA:06:B5:FF:DE:65:C3:FF:2D:33:
> 91:C1:FF:10:DA:DE:80:58:D4:C3:F1:61:4D:3D:8A:05:
> 63:5E:7D:54:DC:FF:18:7E:A9:0C:8D:76:EE:5A:27:42:
> 1B:B0:59:4A:56:0E:3B:66:AD:95:42:F5:3B:5C:EA:71:
> 19:98:02:25:D9:A6:68:7D:02:5F:09:CB:0E:C2:22:9D:
> 9A:04:19:06:F5:7F:98:C6:2E:8F:BB:1A:71:1B:15:0B:
> E5:E6:3B:75:65:A8:36:20:42:60:52:48:11:77:3D:C7:
> 94:5A:DE:8E:4E:A8:89:BA:B5:00:6A:00:9F:BE:FF:F9:
> 10:52:1F:D6:DC:16:2D:7D:E4:79:6C:4D:87:CC:A0:E9
> Extensions:
> Identifier: Authority Key Identifier - 2.5.29.35
> Critical: no
> Key Identifier:
> C4:08:DF:28:92:11:38:F4:AD:0D:7C:04:4F:3E:17:1F:
> 7D:39:0F:26
> Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
> Critical: no
> Access Description:
> Method #0: ocsp
> Location #0: URIName:
> http://pki.example.com:8080/ca/ocsp
> Identifier: Key Usage: - 2.5.29.15
> Critical: yes
> Key Usage:
> Digital Signature
> Non Repudiation
> Key Encipherment
> Data Encipherment
> Identifier: Extended Key Usage: - 2.5.29.37
> Critical: no
> Extended Key Usage:
> 1.3.6.1.5.5.7.3.2
> 1.3.6.1.5.5.7.3.4
> Signature:
> Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
> Signature:
> E0:6A:60:38:3F:D2:B3:C0:D0:D8:0F:01:80:B3:64:FC:
> CE:0F:53:2B:42:21:26:03:CB:55:12:86:48:7D:FF:99:
> C3:7E:BB:32:A2:46:2F:38:D4:E0:C7:FD:38:93:2C:07:
> 47:DA:72:AA:36:63:50:CF:8F:95:F3:B7:6C:95:8E:A5:
> 89:FB:70:69:8B:37:65:ED:F1:7F:65:5E:E7:89:5C:BF:
> B9:2C:AB:10:77:D1:50:35:AC:88:CB:8B:E1:49:5C:CB:
> E2:6F:0D:25:FD:8B:B5:FD:C5:80:B4:B2:A6:19:19:51:
> CA:3B:9A:45:C2:EC:16:23:F1:94:5B:7B:2C:FC:64:56:
> 4E:ED:C8:D0:9A:54:3A:A7:EE:A1:80:18:56:EC:38:79:
> 5E:72:6E:7E:E9:40:7B:7F:9C:7C:E5:61:5A:93:B9:70:
> 8C:DA:8E:3A:A3:06:C4:04:15:6A:FF:0D:1D:25:D1:FF:
> 78:E4:18:AC:88:3F:0A:8F:11:C2:65:3F:BC:0F:B5:06:
> CF:41:37:57:34:76:4B:85:9A:C2:DE:94:AA:E4:94:28:
> CC:12:87:E4:FE:53:8F:DD:9E:2F:7F:6D:15:78:68:B5:
> 06:B9:A3:4A:67:CF:E5:CC:27:46:B0:FB:12:99:78:6C:
> 28:A9:63:7F:82:8E:01:2A:53:F5:35:6A:53:AF:B6:D0
> FingerPrint
> MD2:
> EE:AD:F2:AD:6B:9B:0C:B1:79:EA:04:75:65:30:79:7D
> MD5:
> FE:8B:68:52:E6:D4:56:ED:BD:12:2F:76:04:09:31:D5
> SHA-1:
> DE:6D:08:9C:3D:FC:D1:21:9D:69:70:7E:0D:0D:9A:6E:
> B2:DD:13:3F
> SHA-256:
> 62:D8:A2:F6:D7:E5:80:76:AB:BE:09:2E:70:9E:E3:88:
> 26:3A:8D:60:E0:F2:75:E8:36:1B:15:27:08:56:3A:21
> SHA-512:
> 86:E7:26:A3:DB:92:51:F2:85:FA:E9:A1:2C:D4:43:0D:
> 98:78:91:4C:53:AF:3D:0F:C3:9D:F3:98:9E:95:DE:CA:
> 6C:16:C8:0F:6F:A5:F6:97:11:6F:08:63:EC:35:38:AB:
> CD:4B:9A:82:17:27:0D:5B:D2:8C:6D:05:D5:E1:BE:06
>
> and an ECC admin cert for the ECC CA:
>
> Certificate:
> Data:
> Version: v3
> Serial Number: 0x6
> Signature Algorithm: SHA256withEC - 1.2.840.10045.4.3.2
> Issuer: CN=CA Signing Certificate,O=example.com
> Security Domain
> Validity:
> Not Before: Tuesday, July 28, 2015 6:35:44 PM MDT
> America/Denver
> Not After: Monday, July 17, 2017 6:35:44 PM MDT
> America/Denver
> Subject: CN=PKI
> Administrator,E=caadmin at example.com,O=example.com Security Domain
> Subject Public Key Info:
> * Algorithm: EC - 1.2.840.10045.2.1*
> Public Key:
> 04:F6:A6:B3:82:E4:5A:04:75:BC:F0:8F:30:44:20:34:
> CC:4C:2D:D2:3C:51:16:C6:C6:7B:F4:89:91:C8:BD:B6:
> 29:4B:B7:99:27:B9:D8:0C:F2:C9:4F:5A:C3:89:81:EC:
> 7A:EC:3E:83:07:5D:46:F3:23:AF:96:D7:E4:4F:89:C8:
> FA
> Extensions:
> Identifier: Authority Key Identifier - 2.5.29.35
> Critical: no
> Key Identifier:
> D7:D9:BD:50:7F:63:ED:D3:0B:DA:79:13:CC:6C:B0:B0:
> 21:71:CF:6C
> Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
> Critical: no
> Access Description:
> Method #0: ocsp
> Location #0: URIName:
> http://pki.example.com:8080/ca/ocsp
> Identifier: Key Usage: - 2.5.29.15
> Critical: yes
> Key Usage:
> Digital Signature
> Non Repudiation
> Key Encipherment
> Data Encipherment
> Identifier: Extended Key Usage: - 2.5.29.37
> Critical: no
> Extended Key Usage:
> 1.3.6.1.5.5.7.3.2
> 1.3.6.1.5.5.7.3.4
> Signature:
> Algorithm: SHA256withEC - 1.2.840.10045.4.3.2
> Signature:
> 30:44:02:20:63:0B:65:D6:46:54:04:44:5F:6B:EE:96:
> CA:39:5F:ED:1A:69:D3:95:02:73:E2:C4:28:E7:C6:8C:
> B2:C5:55:3D:02:20:21:13:02:F8:10:B8:08:B9:1D:98:
> FB:18:FC:B4:F5:34:80:D9:C4:89:E8:F9:6E:63:29:9E:
> E9:67:D7:3E:AB:C2
> FingerPrint
> MD2:
> 34:F9:08:E4:4E:62:D8:45:2E:12:58:E1:77:2C:DA:0F
> MD5:
> 6B:E8:3C:5C:67:E0:67:FE:6D:E3:D4:E1:F6:6C:35:5E
> SHA-1:
> 2D:A5:92:BA:8A:F7:A2:41:54:46:C9:2C:C7:FB:C2:E0:
> EC:06:E3:DC
> SHA-256:
> 28:4F:EC:64:4B:67:44:1A:10:35:3F:DE:A8:AD:EF:B7:
> C2:22:0C:FE:E7:94:EA:B4:6E:4A:32:45:AE:FC:CE:E1
> SHA-512:
> 8F:3E:F9:8B:A5:AC:3E:9E:2A:94:ED:5B:EC:EB:3F:19:
> 2F:CE:62:E5:8D:72:6A:D8:B8:C0:81:9B:9E:60:CE:9F:
> B7:8D:35:E5:F5:A2:8B:34:BD:EB:FD:B3:12:41:20:FB:
> 07:81:3D:42:52:9A:50:3F:8A:19:B3:5B:A1:EF:1D:15
>
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20150728/5117fae7/attachment.htm>
More information about the Pki-devel
mailing list