
[Pki-devel] [PATCH] Add certutil options for ECC



Please review the attached patch which addresses the following issue:

Tested the patch by creating both an RSA CA and an ECC CA.

Did a simple successful enrollment for both; checked the admin cert to verify that it was an RSA admin cert for the RSA CA:

Certificate:
        Data:
            Version:  v3
            Serial Number: 0x6
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=CA Signing Certificate,O=example.com Security Domain
            Validity:
                Not Before: Tuesday, July 28, 2015 6:22:41 PM MDT America/Denver
                Not  After: Monday, July 17, 2017 6:22:41 PM MDT America/Denver
            Subject: CN=PKI Administrator,E=caadmin example com,O=example.com Security Domain
            Subject Public Key Info:
                Algorithm: RSA - 1.2.840.113549.1.1.1
                Public Key:
                    Exponent: 65537
                    Public Key Modulus: (2048 bits) :
            Extensions:
                Identifier: Authority Key Identifier - 2.5.29.35
                    Critical: no
                    Key Identifier:
                        C4:08:DF:28:92:11:38:F4:AD:0D:7C:04:4F:3E:17:1F:
                        7D:39:0F:26
                Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
                    Critical: no
                    Access Description:
                        Method #0: ocsp
                        Location #0: URIName: http://pki.example.com:8080/ca/ocsp
                Identifier: Key Usage: - 2.5.29.15
                    Critical: yes
                    Key Usage:
                        Digital Signature
                        Non Repudiation
                        Key Encipherment
                        Data Encipherment
                Identifier: Extended Key Usage: - 2.5.29.37
                    Critical: no
                    Extended Key Usage:
                        1.3.6.1.5.5.7.3.2
                        1.3.6.1.5.5.7.3.4
        Signature:
            Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
and an ECC admin cert for the ECC CA:
Certificate:
        Data:
            Version:  v3
            Serial Number: 0x6
            Signature Algorithm: SHA256withEC - 1.2.840.10045.4.3.2
            Issuer: CN=CA Signing Certificate,O=example.com Security Domain
            Validity:
                Not Before: Tuesday, July 28, 2015 6:35:44 PM MDT America/Denver
                Not  After: Monday, July 17, 2017 6:35:44 PM MDT America/Denver
            Subject: CN=PKI Administrator,E=caadmin example com,O=example.com Security Domain
            Subject Public Key Info:
                Algorithm: EC - 1.2.840.10045.2.1
            Extensions:
                Identifier: Authority Key Identifier - 2.5.29.35
                    Critical: no
                    Key Identifier:
                        D7:D9:BD:50:7F:63:ED:D3:0B:DA:79:13:CC:6C:B0:B0:
                        21:71:CF:6C
                Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
                    Critical: no
                    Access Description:
                        Method #0: ocsp
                        Location #0: URIName: http://pki.example.com:8080/ca/ocsp
                Identifier: Key Usage: - 2.5.29.15
                    Critical: yes
                    Key Usage:
                        Digital Signature
                        Non Repudiation
                        Key Encipherment
                        Data Encipherment
                Identifier: Extended Key Usage: - 2.5.29.37
                    Critical: no
                    Extended Key Usage:
                        1.3.6.1.5.5.7.3.2
                        1.3.6.1.5.5.7.3.4
        Signature:
            Algorithm: SHA256withEC - 1.2.840.10045.4.3.2

From 96d25952b14bea94a08fca50ef66538e1e629a4c Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharmsen redhat com>
Date: Tue, 28 Jul 2015 18:40:22 -0600
Subject: [PATCH] Add certutil options for ECC

- PKI TRAC Ticket #1524 - pkispawn: certutil options incorrect for creating
  ecc admin certificate
---
 base/server/etc/default.cfg                           |  1 +
 base/server/man/man5/pki_default.cfg.5                |  2 +-
 base/server/man/man8/pkispawn.8                       |  4 +++-
 base/server/python/pki/server/deployment/pkihelper.py | 15 +++++++++++++--
 4 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index 58f3386..26ffd0d 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -66,6 +66,7 @@ pki_admin_cert_file=%(pki_client_dir)s/ca_admin.cert
 pki_admin_cert_request_type=pkcs10
 pki_admin_dualkey=False
 pki_admin_keysize=2048
+pki_admin_key_type=rsa
 pki_admin_password=
 pki_audit_group=pkiaudit
 pki_audit_signing_key_algorithm=SHA256withRSA
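Review bot: the new default `pki_admin_key_type=rsa` pairs with the existing `pki_admin_keysize=2048`, but the pkihelper.py change in this patch reinterprets `pki_admin_keysize` as a curve name whenever the type is `ecc`, so a deployer who flips only `pki_admin_key_type` ends up passing `-q 2048` to certutil. A short comment beside these two keys saying that both must change together (to `nistp256` and `ecc`, as the pkispawn.8 example does) would make the coupling visible where people actually edit it.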
diff --git a/base/server/man/man5/pki_default.cfg.5 b/base/server/man/man5/pki_default.cfg.5
index df4f944..17130ae 100644
--- a/base/server/man/man5/pki_default.cfg.5
+++ b/base/server/man/man5/pki_default.cfg.5
@@ -125,7 +125,7 @@ Password for the admin user.  This password is used to log into the pki-console
 .IP
 Email address for the admin user.
 .TP
-.B pki_admin_dualkey, pki_admin_keysize, pki_admin_keytype
+.B pki_admin_dualkey, pki_admin_keysize, pki_admin_key_type
 .IP
 Settings for the administrator certificate and keys.
 .TP
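Review bot: the rename to `pki_admin_key_type` brings the man page in line with the new key in default.cfg, but the description "Settings for the administrator certificate and keys." still does not say which values are accepted (`rsa`, `ecc`) or that with `ecc` the `pki_admin_keysize` value is a curve name such as `nistp256` rather than a bit length; a sentence to that effect belongs here, since this is the reference page for the option.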
diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8
index 8d8a4ff..411d93f 100644
--- a/base/server/man/man8/pkispawn.8
+++ b/base/server/man/man8/pkispawn.8
@@ -265,6 +265,8 @@ where \fImyconfig.txt\fP contains the following text:
 .nf
 [DEFAULT]
 pki_admin_password=\fISecret123\fP
+pki_admin_keysize=nistp256
+pki_admin_key_type=ecc
 pki_client_pkcs12_password=\fISecret123\fP
 pki_ds_password=\fISecret123\fP
 pki_ssl_server_key_algorithm=SHA256withEC
@@ -286,7 +288,7 @@ pki_ocsp_signing_signing_algorithm=SHA256withEC
 .fi
 
 .PP
-In order to utilize ECC, the SSL Server and Subsystem key algorithm, key size, and key type should be changed from SHA256withRSA --> SHA256withEC, 2048 --> nistp256, and rsa --> ecc, respectively.
+In order to utilize ECC, the SSL Server and Subsystem key algorithm, key size, and key type should be changed from SHA256withRSA --> SHA256withEC, 2048 --> nistp256, and rsa --> ecc, respectively.  To use an ECC admin key size and key type, the values should also be changed from 2048 --> nistp256, and rsa --> ecc.
 
 .PP
 Additionally, for a CA subsystem, both the CA and OCSP Signing key algorithm, key size, key type, and signing algorithm should be changed from SHA256withRSA --> SHA256withEC, 2048 --> nistp256, rsa --> ecc, and SHA256withRSA --> SHA256withEC,respectively.
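Review bot: the added sentence names neither parameter; since the paragraph is about configuration keys, "the `pki_admin_keysize` and `pki_admin_key_type` values should also be changed from 2048 --> nistp256 and rsa --> ecc" would be unambiguous. While this paragraph is being touched, the following one has `SHA256withEC,respectively` missing the space after the comma.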
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index b02333d..1f55fb5 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -2539,7 +2539,7 @@ class Certutil:
                 raise
         return
 
-    def generate_certificate_request(self, subject, key_size,
+    def generate_certificate_request(self, subject, key_type, key_size,
                                      password_file, noise_file,
                                      output_file=None, path=None,
                                      ascii_format=None, token=None,
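Review bot: inserting `key_type` as a positional parameter between `subject` and `key_size` silently shifts the arguments of any caller that passes `key_size` positionally and was not updated; this patch updates one call site in ConfigClient, so either confirm there are no others or append `key_type=None` as a keyword parameter at the end so existing callers keep working unchanged.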
@@ -2562,8 +2562,18 @@ class Certutil:
                     extra=config.PKI_INDENTATION_LEVEL_2)
                 raise Exception(log.PKIHELPER_CERTUTIL_MISSING_SUBJECT)
 
+            if key_type:
+                if key_type == "ecc":
+                    command.extend(["-k", "ec"])
+                else:
+                    command.extend(["-k", str(key_type)])
+
             if key_size:
-                command.extend(["-g", str(key_size)])
+                if key_type == "ecc":
+                    # For ECC, the key_size will actually contain the key curve
+                    command.extend(["-q", str(key_size)])
+                else:
+                    command.extend(["-g", str(key_size)])
 
             if noise_file:
                 command.extend(["-z", noise_file])
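Review bot: the value check is case-sensitive and unvalidated: `key_type == "ecc"` only matches lower case, and any other string is passed straight through as `-k <key_type>`, after which `key_size` goes to `-g` even if it holds a curve name. Normalising with `key_type.lower()` and rejecting anything other than `rsa`/`ecc` up front (raising as the missing-subject check above does) would surface a typo like `ECC` or `ec` in the deployment config before certutil fails with a less obvious error.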
@@ -4369,6 +4379,7 @@ class ConfigClient:
 
                 self.deployer.certutil.generate_certificate_request(
                     self.mdict['pki_admin_subject_dn'],
+                    self.mdict['pki_admin_key_type'],
                     self.mdict['pki_admin_keysize'],
                     self.mdict['pki_client_password_conf'],
                     noise_file,
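Review bot: the new `self.mdict['pki_admin_key_type']` lookup raises KeyError if the deployment dictionary lacks the key, which is only guaranteed because default.cfg gains `pki_admin_key_type=rsa` in the same patch; that is fine as long as both files ship together, but `self.mdict.get('pki_admin_key_type', 'rsa')` would keep older deployment configs working if default.cfg is ever out of step.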
-- 
1.8.3.1

