[Pki-devel] [PATCH] Add certutil options for ECC
Matthew Harmsen
mharmsen at redhat.com
Wed Jul 29 02:03:47 UTC 2015
Per discussions on IRC with cfu and jmagne, it was determined that
besides cfu's suggestion below, the function would also need to supply a
valid key type to reduce the possibility of errors.
The revised patch is attached to this email (although I have not
re-tested it).
Please ACK.
Thanks,
-- Matt
On 07/28/15 19:55, Christina Fu wrote:
> looks good. The only thing I think we should have is if the key type
> is specified to be ecc but key size is not specified, please make sure
> we give a default curve (e.g. nistp256).
> Conditional ACK.
>
> thanks,
> Christina
>
> On 07/28/2015 05:52 PM, Matthew Harmsen wrote:
>> Please review the attached patch which addresses the following issue:
>>
>> * PKI TRAC Ticket #1524 - pkispawn: certutil options incorrect for
>> creating ecc admin certificate
>> <https://fedorahosted.org/pki/ticket/1524>
>>
>> Tested patch by creating both an RSA CA as well as an ECC CA.
>>
>> Did a simple successful enrollment for both; checked the Admin cert
>> to verify that it was an RSA admin cert for RSA CA:
>>
>> Certificate:
>> Data:
>> Version: v3
>> Serial Number: 0x6
>> Signature Algorithm: SHA256withRSA -
>> 1.2.840.113549.1.1.11
>> Issuer: CN=CA Signing Certificate,O=example.com
>> Security Domain
>> Validity:
>> Not Before: Tuesday, July 28, 2015 6:22:41 PM MDT
>> America/Denver
>> Not After: Monday, July 17, 2017 6:22:41 PM MDT
>> America/Denver
>> Subject: CN=PKI
>> Administrator,E=caadmin at example.com,O=example.com Security Domain
>> Subject Public Key Info:
>> *Algorithm: RSA - 1.2.840.113549.1.1.1*
>> Public Key:
>> Exponent: 65537
>> Public Key Modulus: (2048 bits) :
>> E7:3C:D6:6D:A2:0A:B0:D7:AF:8D:3F:D7:63:69:69:F7:
>> F2:90:A6:AC:2C:9C:63:D0:A7:81:C2:2C:C6:C8:2F:7E:
>> 28:A0:69:99:30:3F:8C:F0:F2:D5:1C:19:E0:D8:81:BD:
>> C3:4C:09:89:62:FB:86:63:76:8E:6B:EC:B1:DA:15:CA:
>> B7:27:F1:F4:60:40:E8:F3:9F:39:0F:22:F5:9C:2E:E1:
>> EB:F6:47:CA:01:60:93:6E:D1:30:DD:4A:27:F0:7C:36:
>> 93:DB:88:31:38:86:9E:CB:2C:87:02:49:3A:76:22:64:
>> 13:B3:F2:62:D8:6A:EA:06:B5:FF:DE:65:C3:FF:2D:33:
>> 91:C1:FF:10:DA:DE:80:58:D4:C3:F1:61:4D:3D:8A:05:
>> 63:5E:7D:54:DC:FF:18:7E:A9:0C:8D:76:EE:5A:27:42:
>> 1B:B0:59:4A:56:0E:3B:66:AD:95:42:F5:3B:5C:EA:71:
>> 19:98:02:25:D9:A6:68:7D:02:5F:09:CB:0E:C2:22:9D:
>> 9A:04:19:06:F5:7F:98:C6:2E:8F:BB:1A:71:1B:15:0B:
>> E5:E6:3B:75:65:A8:36:20:42:60:52:48:11:77:3D:C7:
>> 94:5A:DE:8E:4E:A8:89:BA:B5:00:6A:00:9F:BE:FF:F9:
>> 10:52:1F:D6:DC:16:2D:7D:E4:79:6C:4D:87:CC:A0:E9
>> Extensions:
>> Identifier: Authority Key Identifier - 2.5.29.35
>> Critical: no
>> Key Identifier:
>> C4:08:DF:28:92:11:38:F4:AD:0D:7C:04:4F:3E:17:1F:
>> 7D:39:0F:26
>> Identifier: Authority Info Access: -
>> 1.3.6.1.5.5.7.1.1
>> Critical: no
>> Access Description:
>> Method #0: ocsp
>> Location #0: URIName:
>> http://pki.example.com:8080/ca/ocsp
>> Identifier: Key Usage: - 2.5.29.15
>> Critical: yes
>> Key Usage:
>> Digital Signature
>> Non Repudiation
>> Key Encipherment
>> Data Encipherment
>> Identifier: Extended Key Usage: - 2.5.29.37
>> Critical: no
>> Extended Key Usage:
>> 1.3.6.1.5.5.7.3.2
>> 1.3.6.1.5.5.7.3.4
>> Signature:
>> Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
>> Signature:
>> E0:6A:60:38:3F:D2:B3:C0:D0:D8:0F:01:80:B3:64:FC:
>> CE:0F:53:2B:42:21:26:03:CB:55:12:86:48:7D:FF:99:
>> C3:7E:BB:32:A2:46:2F:38:D4:E0:C7:FD:38:93:2C:07:
>> 47:DA:72:AA:36:63:50:CF:8F:95:F3:B7:6C:95:8E:A5:
>> 89:FB:70:69:8B:37:65:ED:F1:7F:65:5E:E7:89:5C:BF:
>> B9:2C:AB:10:77:D1:50:35:AC:88:CB:8B:E1:49:5C:CB:
>> E2:6F:0D:25:FD:8B:B5:FD:C5:80:B4:B2:A6:19:19:51:
>> CA:3B:9A:45:C2:EC:16:23:F1:94:5B:7B:2C:FC:64:56:
>> 4E:ED:C8:D0:9A:54:3A:A7:EE:A1:80:18:56:EC:38:79:
>> 5E:72:6E:7E:E9:40:7B:7F:9C:7C:E5:61:5A:93:B9:70:
>> 8C:DA:8E:3A:A3:06:C4:04:15:6A:FF:0D:1D:25:D1:FF:
>> 78:E4:18:AC:88:3F:0A:8F:11:C2:65:3F:BC:0F:B5:06:
>> CF:41:37:57:34:76:4B:85:9A:C2:DE:94:AA:E4:94:28:
>> CC:12:87:E4:FE:53:8F:DD:9E:2F:7F:6D:15:78:68:B5:
>> 06:B9:A3:4A:67:CF:E5:CC:27:46:B0:FB:12:99:78:6C:
>> 28:A9:63:7F:82:8E:01:2A:53:F5:35:6A:53:AF:B6:D0
>> FingerPrint
>> MD2:
>> EE:AD:F2:AD:6B:9B:0C:B1:79:EA:04:75:65:30:79:7D
>> MD5:
>> FE:8B:68:52:E6:D4:56:ED:BD:12:2F:76:04:09:31:D5
>> SHA-1:
>> DE:6D:08:9C:3D:FC:D1:21:9D:69:70:7E:0D:0D:9A:6E:
>> B2:DD:13:3F
>> SHA-256:
>> 62:D8:A2:F6:D7:E5:80:76:AB:BE:09:2E:70:9E:E3:88:
>> 26:3A:8D:60:E0:F2:75:E8:36:1B:15:27:08:56:3A:21
>> SHA-512:
>> 86:E7:26:A3:DB:92:51:F2:85:FA:E9:A1:2C:D4:43:0D:
>> 98:78:91:4C:53:AF:3D:0F:C3:9D:F3:98:9E:95:DE:CA:
>> 6C:16:C8:0F:6F:A5:F6:97:11:6F:08:63:EC:35:38:AB:
>> CD:4B:9A:82:17:27:0D:5B:D2:8C:6D:05:D5:E1:BE:06
>>
>> and an ECC admin cert for the ECC CA:
>>
>> Certificate:
>> Data:
>> Version: v3
>> Serial Number: 0x6
>> Signature Algorithm: SHA256withEC - 1.2.840.10045.4.3.2
>> Issuer: CN=CA Signing Certificate,O=example.com
>> Security Domain
>> Validity:
>> Not Before: Tuesday, July 28, 2015 6:35:44 PM MDT
>> America/Denver
>> Not After: Monday, July 17, 2017 6:35:44 PM MDT
>> America/Denver
>> Subject: CN=PKI
>> Administrator,E=caadmin at example.com,O=example.com Security Domain
>> Subject Public Key Info:
>> * Algorithm: EC - 1.2.840.10045.2.1*
>> Public Key:
>> 04:F6:A6:B3:82:E4:5A:04:75:BC:F0:8F:30:44:20:34:
>> CC:4C:2D:D2:3C:51:16:C6:C6:7B:F4:89:91:C8:BD:B6:
>> 29:4B:B7:99:27:B9:D8:0C:F2:C9:4F:5A:C3:89:81:EC:
>> 7A:EC:3E:83:07:5D:46:F3:23:AF:96:D7:E4:4F:89:C8:
>> FA
>> Extensions:
>> Identifier: Authority Key Identifier - 2.5.29.35
>> Critical: no
>> Key Identifier:
>> D7:D9:BD:50:7F:63:ED:D3:0B:DA:79:13:CC:6C:B0:B0:
>> 21:71:CF:6C
>> Identifier: Authority Info Access: -
>> 1.3.6.1.5.5.7.1.1
>> Critical: no
>> Access Description:
>> Method #0: ocsp
>> Location #0: URIName:
>> http://pki.example.com:8080/ca/ocsp
>> Identifier: Key Usage: - 2.5.29.15
>> Critical: yes
>> Key Usage:
>> Digital Signature
>> Non Repudiation
>> Key Encipherment
>> Data Encipherment
>> Identifier: Extended Key Usage: - 2.5.29.37
>> Critical: no
>> Extended Key Usage:
>> 1.3.6.1.5.5.7.3.2
>> 1.3.6.1.5.5.7.3.4
>> Signature:
>> Algorithm: SHA256withEC - 1.2.840.10045.4.3.2
>> Signature:
>> 30:44:02:20:63:0B:65:D6:46:54:04:44:5F:6B:EE:96:
>> CA:39:5F:ED:1A:69:D3:95:02:73:E2:C4:28:E7:C6:8C:
>> B2:C5:55:3D:02:20:21:13:02:F8:10:B8:08:B9:1D:98:
>> FB:18:FC:B4:F5:34:80:D9:C4:89:E8:F9:6E:63:29:9E:
>> E9:67:D7:3E:AB:C2
>> FingerPrint
>> MD2:
>> 34:F9:08:E4:4E:62:D8:45:2E:12:58:E1:77:2C:DA:0F
>> MD5:
>> 6B:E8:3C:5C:67:E0:67:FE:6D:E3:D4:E1:F6:6C:35:5E
>> SHA-1:
>> 2D:A5:92:BA:8A:F7:A2:41:54:46:C9:2C:C7:FB:C2:E0:
>> EC:06:E3:DC
>> SHA-256:
>> 28:4F:EC:64:4B:67:44:1A:10:35:3F:DE:A8:AD:EF:B7:
>> C2:22:0C:FE:E7:94:EA:B4:6E:4A:32:45:AE:FC:CE:E1
>> SHA-512:
>> 8F:3E:F9:8B:A5:AC:3E:9E:2A:94:ED:5B:EC:EB:3F:19:
>> 2F:CE:62:E5:8D:72:6A:D8:B8:C0:81:9B:9E:60:CE:9F:
>> B7:8D:35:E5:F5:A2:8B:34:BD:EB:FD:B3:12:41:20:FB:
>> 07:81:3D:42:52:9A:50:3F:8A:19:B3:5B:A1:EF:1D:15
>>
>>
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
>
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20150728/52097483/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20150728-Add-certutil-options-for-ECC.patch
Type: text/x-patch
Size: 6743 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20150728/52097483/attachment.bin>
More information about the Pki-devel
mailing list