[Pki-devel] [PATCH] Add certutil options for ECC
Matthew Harmsen
mharmsen at redhat.com
Wed Jul 29 00:52:52 UTC 2015
Please review the attached patch which addresses the following issue:
* PKI TRAC Ticket #1524 - pkispawn: certutil options incorrect for
creating ecc admin certificate
<https://fedorahosted.org/pki/ticket/1524>
Tested patch by creating both an RSA CA as well as an ECC CA.
Did a simple successful enrollment for both; checked the Admin cert to
verify that it was an RSA admin cert for RSA CA:
Certificate:
Data:
Version: v3
Serial Number: 0x6
Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
Issuer: CN=CA Signing Certificate,O=example.com
Security Domain
Validity:
Not Before: Tuesday, July 28, 2015 6:22:41 PM MDT
America/Denver
Not After: Monday, July 17, 2017 6:22:41 PM MDT
America/Denver
Subject: CN=PKI
Administrator,E=caadmin at example.com,O=example.com Security Domain
Subject Public Key Info:
*Algorithm: RSA - 1.2.840.113549.1.1.1*
Public Key:
Exponent: 65537
Public Key Modulus: (2048 bits) :
E7:3C:D6:6D:A2:0A:B0:D7:AF:8D:3F:D7:63:69:69:F7:
F2:90:A6:AC:2C:9C:63:D0:A7:81:C2:2C:C6:C8:2F:7E:
28:A0:69:99:30:3F:8C:F0:F2:D5:1C:19:E0:D8:81:BD:
C3:4C:09:89:62:FB:86:63:76:8E:6B:EC:B1:DA:15:CA:
B7:27:F1:F4:60:40:E8:F3:9F:39:0F:22:F5:9C:2E:E1:
EB:F6:47:CA:01:60:93:6E:D1:30:DD:4A:27:F0:7C:36:
93:DB:88:31:38:86:9E:CB:2C:87:02:49:3A:76:22:64:
13:B3:F2:62:D8:6A:EA:06:B5:FF:DE:65:C3:FF:2D:33:
91:C1:FF:10:DA:DE:80:58:D4:C3:F1:61:4D:3D:8A:05:
63:5E:7D:54:DC:FF:18:7E:A9:0C:8D:76:EE:5A:27:42:
1B:B0:59:4A:56:0E:3B:66:AD:95:42:F5:3B:5C:EA:71:
19:98:02:25:D9:A6:68:7D:02:5F:09:CB:0E:C2:22:9D:
9A:04:19:06:F5:7F:98:C6:2E:8F:BB:1A:71:1B:15:0B:
E5:E6:3B:75:65:A8:36:20:42:60:52:48:11:77:3D:C7:
94:5A:DE:8E:4E:A8:89:BA:B5:00:6A:00:9F:BE:FF:F9:
10:52:1F:D6:DC:16:2D:7D:E4:79:6C:4D:87:CC:A0:E9
Extensions:
Identifier: Authority Key Identifier - 2.5.29.35
Critical: no
Key Identifier:
C4:08:DF:28:92:11:38:F4:AD:0D:7C:04:4F:3E:17:1F:
7D:39:0F:26
Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
Critical: no
Access Description:
Method #0: ocsp
Location #0: URIName:
http://pki.example.com:8080/ca/ocsp
Identifier: Key Usage: - 2.5.29.15
Critical: yes
Key Usage:
Digital Signature
Non Repudiation
Key Encipherment
Data Encipherment
Identifier: Extended Key Usage: - 2.5.29.37
Critical: no
Extended Key Usage:
1.3.6.1.5.5.7.3.2
1.3.6.1.5.5.7.3.4
Signature:
Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
Signature:
E0:6A:60:38:3F:D2:B3:C0:D0:D8:0F:01:80:B3:64:FC:
CE:0F:53:2B:42:21:26:03:CB:55:12:86:48:7D:FF:99:
C3:7E:BB:32:A2:46:2F:38:D4:E0:C7:FD:38:93:2C:07:
47:DA:72:AA:36:63:50:CF:8F:95:F3:B7:6C:95:8E:A5:
89:FB:70:69:8B:37:65:ED:F1:7F:65:5E:E7:89:5C:BF:
B9:2C:AB:10:77:D1:50:35:AC:88:CB:8B:E1:49:5C:CB:
E2:6F:0D:25:FD:8B:B5:FD:C5:80:B4:B2:A6:19:19:51:
CA:3B:9A:45:C2:EC:16:23:F1:94:5B:7B:2C:FC:64:56:
4E:ED:C8:D0:9A:54:3A:A7:EE:A1:80:18:56:EC:38:79:
5E:72:6E:7E:E9:40:7B:7F:9C:7C:E5:61:5A:93:B9:70:
8C:DA:8E:3A:A3:06:C4:04:15:6A:FF:0D:1D:25:D1:FF:
78:E4:18:AC:88:3F:0A:8F:11:C2:65:3F:BC:0F:B5:06:
CF:41:37:57:34:76:4B:85:9A:C2:DE:94:AA:E4:94:28:
CC:12:87:E4:FE:53:8F:DD:9E:2F:7F:6D:15:78:68:B5:
06:B9:A3:4A:67:CF:E5:CC:27:46:B0:FB:12:99:78:6C:
28:A9:63:7F:82:8E:01:2A:53:F5:35:6A:53:AF:B6:D0
FingerPrint
MD2:
EE:AD:F2:AD:6B:9B:0C:B1:79:EA:04:75:65:30:79:7D
MD5:
FE:8B:68:52:E6:D4:56:ED:BD:12:2F:76:04:09:31:D5
SHA-1:
DE:6D:08:9C:3D:FC:D1:21:9D:69:70:7E:0D:0D:9A:6E:
B2:DD:13:3F
SHA-256:
62:D8:A2:F6:D7:E5:80:76:AB:BE:09:2E:70:9E:E3:88:
26:3A:8D:60:E0:F2:75:E8:36:1B:15:27:08:56:3A:21
SHA-512:
86:E7:26:A3:DB:92:51:F2:85:FA:E9:A1:2C:D4:43:0D:
98:78:91:4C:53:AF:3D:0F:C3:9D:F3:98:9E:95:DE:CA:
6C:16:C8:0F:6F:A5:F6:97:11:6F:08:63:EC:35:38:AB:
CD:4B:9A:82:17:27:0D:5B:D2:8C:6D:05:D5:E1:BE:06
and an ECC admin cert for the ECC CA:
Certificate:
Data:
Version: v3
Serial Number: 0x6
Signature Algorithm: SHA256withEC - 1.2.840.10045.4.3.2
Issuer: CN=CA Signing Certificate,O=example.com
Security Domain
Validity:
Not Before: Tuesday, July 28, 2015 6:35:44 PM MDT
America/Denver
Not After: Monday, July 17, 2017 6:35:44 PM MDT
America/Denver
Subject: CN=PKI
Administrator,E=caadmin at example.com,O=example.com Security Domain
Subject Public Key Info:
* Algorithm: EC - 1.2.840.10045.2.1*
Public Key:
04:F6:A6:B3:82:E4:5A:04:75:BC:F0:8F:30:44:20:34:
CC:4C:2D:D2:3C:51:16:C6:C6:7B:F4:89:91:C8:BD:B6:
29:4B:B7:99:27:B9:D8:0C:F2:C9:4F:5A:C3:89:81:EC:
7A:EC:3E:83:07:5D:46:F3:23:AF:96:D7:E4:4F:89:C8:
FA
Extensions:
Identifier: Authority Key Identifier - 2.5.29.35
Critical: no
Key Identifier:
D7:D9:BD:50:7F:63:ED:D3:0B:DA:79:13:CC:6C:B0:B0:
21:71:CF:6C
Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
Critical: no
Access Description:
Method #0: ocsp
Location #0: URIName:
http://pki.example.com:8080/ca/ocsp
Identifier: Key Usage: - 2.5.29.15
Critical: yes
Key Usage:
Digital Signature
Non Repudiation
Key Encipherment
Data Encipherment
Identifier: Extended Key Usage: - 2.5.29.37
Critical: no
Extended Key Usage:
1.3.6.1.5.5.7.3.2
1.3.6.1.5.5.7.3.4
Signature:
Algorithm: SHA256withEC - 1.2.840.10045.4.3.2
Signature:
30:44:02:20:63:0B:65:D6:46:54:04:44:5F:6B:EE:96:
CA:39:5F:ED:1A:69:D3:95:02:73:E2:C4:28:E7:C6:8C:
B2:C5:55:3D:02:20:21:13:02:F8:10:B8:08:B9:1D:98:
FB:18:FC:B4:F5:34:80:D9:C4:89:E8:F9:6E:63:29:9E:
E9:67:D7:3E:AB:C2
FingerPrint
MD2:
34:F9:08:E4:4E:62:D8:45:2E:12:58:E1:77:2C:DA:0F
MD5:
6B:E8:3C:5C:67:E0:67:FE:6D:E3:D4:E1:F6:6C:35:5E
SHA-1:
2D:A5:92:BA:8A:F7:A2:41:54:46:C9:2C:C7:FB:C2:E0:
EC:06:E3:DC
SHA-256:
28:4F:EC:64:4B:67:44:1A:10:35:3F:DE:A8:AD:EF:B7:
C2:22:0C:FE:E7:94:EA:B4:6E:4A:32:45:AE:FC:CE:E1
SHA-512:
8F:3E:F9:8B:A5:AC:3E:9E:2A:94:ED:5B:EC:EB:3F:19:
2F:CE:62:E5:8D:72:6A:D8:B8:C0:81:9B:9E:60:CE:9F:
B7:8D:35:E5:F5:A2:8B:34:BD:EB:FD:B3:12:41:20:FB:
07:81:3D:42:52:9A:50:3F:8A:19:B3:5B:A1:EF:1D:15
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20150728/a8eaec91/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20150728-Add-certutil-options-for-ECC.patch
Type: text/x-patch
Size: 4822 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20150728/a8eaec91/attachment.bin>
More information about the Pki-devel
mailing list