From mharmsen at redhat.com Wed Mar 1 02:46:05 2017 From: mharmsen at redhat.com (Matthew Harmsen) Date: Tue, 28 Feb 2017 19:46:05 -0700 Subject: [Pki-users] Sunset of Fedorahosted.org Resources Message-ID: <2ee5e1e2-3104-886d-185c-16a511744d64@redhat.com> Everyone, February 28, 2017 marked the sunset of fedorahosted.org. As a consequence, many of the various ticketing, repositories, and Wikis were required to be moved. For the Dogtag PKI project and several of the closely associated projects have been relocated, and can be found at the following link: * RELOCATION OF PROJECT ISSUES, REPOSITORIES, AND WIKI INFORMATION -- Matt -------------- next part -------------- An HTML attachment was scrubbed... URL: From techpkiuser at gmail.com Tue Mar 7 06:43:12 2017 From: techpkiuser at gmail.com (Kaamel Periora) Date: Tue, 7 Mar 2017 12:13:12 +0530 Subject: [Pki-users] Padding Scheme used in Fedora Dogtag Message-ID: Dear All, It is required to identify the padding scheme used by the Fedora dogtag system. Appreciate of someone could shed some light on this requirement. Thanks Kaamel -------------- next part -------------- An HTML attachment was scrubbed... URL: From ftweedal at redhat.com Tue Mar 7 08:13:17 2017 From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 7 Mar 2017 18:13:17 +1000 Subject: [Pki-users] Padding Scheme used in Fedora Dogtag In-Reply-To: References: Message-ID: <20170307081317.GT6697@dhcp-40-8.bne.redhat.com> On Tue, Mar 07, 2017 at 12:13:12PM +0530, Kaamel Periora wrote: > Dear All, > > It is required to identify the padding scheme used by the Fedora dogtag > system. Appreciate of someone could shed some light on this requirement. > > Thanks > Kaamel Hi Kaamel, Padding scheme for what? Dogtag uses or supports various kinds of encryption and encodings with padding schemes. Please be more specific. Cheers, Fraser From techpkiuser at gmail.com Tue Mar 7 08:18:54 2017 From: techpkiuser at gmail.com (Kaamel Periora) Date: Tue, 7 Mar 2017 13:48:54 +0530 Subject: [Pki-users] Padding Scheme used in Fedora Dogtag In-Reply-To: <20170307081317.GT6697@dhcp-40-8.bne.redhat.com> References: <20170307081317.GT6697@dhcp-40-8.bne.redhat.com> Message-ID: Dear Fraser, It is for the encryption process related to RSA. Is there any literature to refer regarding this specific information regarding DogTag? Regards, Kaamel On Tue, Mar 7, 2017 at 1:43 PM, Fraser Tweedale wrote: > On Tue, Mar 07, 2017 at 12:13:12PM +0530, Kaamel Periora wrote: > > Dear All, > > > > It is required to identify the padding scheme used by the Fedora dogtag > > system. Appreciate of someone could shed some light on this requirement. > > > > Thanks > > Kaamel > > Hi Kaamel, > > Padding scheme for what? Dogtag uses or supports various kinds of > encryption and encodings with padding schemes. Please be more > specific. > > Cheers, > Fraser > -------------- next part -------------- An HTML attachment was scrubbed... URL: From cbarrabes at systemonenoc.com Mon Mar 13 15:20:18 2017 From: cbarrabes at systemonenoc.com (Carlos Barrabes) Date: Mon, 13 Mar 2017 16:20:18 +0100 Subject: [Pki-users] restore rootCA Message-ID: Hello, I have a dogtag 10.2.3 acting as a rootCA on a Fedora 21 machine that I want to restore on another machine as part of a disaster recovery procedure. I have read and followed the procedures on migration and recovery described in the following links: http://pki.fedoraproject.org/wiki/Recovery#Overview http://pki.fedoraproject.org/wiki/Migrating_a_CA_using_existing_CA_mechanism http://pki.fedoraproject.org/wiki/Migrating_a_CA_using_general_mechanism I might obviously have been doing something wrong at some point because I end up with a CA that cant issue new certificates or cannot reissue the old certificates from the imported database. Having a DS db dump and the system certificates and keys exported via PKCS12Export, do I need any other elements backed up in order to restore the a root CA? Could someone please point me in the right direction on how to perform the restoration? Thanks in avance. From ftweedal at redhat.com Mon Mar 13 23:54:41 2017 From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 14 Mar 2017 09:54:41 +1000 Subject: [Pki-users] Padding Scheme used in Fedora Dogtag In-Reply-To: References: <20170307081317.GT6697@dhcp-40-8.bne.redhat.com> Message-ID: <20170313235440.GG10261@dhcp-40-8.bne.redhat.com> On Tue, Mar 07, 2017 at 01:48:54PM +0530, Kaamel Periora wrote: > Dear Fraser, > > It is for the encryption process related to RSA. > I'm sorry, it is still not entirely clear what you are asking. Could you state from a user perspective the actions you are interested in, so I can identify exactly which operations are involved, and answer your question? Thanks, Fraser > Is there any literature to refer regarding this specific information > regarding DogTag? > > Regards, > Kaamel > > On Tue, Mar 7, 2017 at 1:43 PM, Fraser Tweedale wrote: > > > On Tue, Mar 07, 2017 at 12:13:12PM +0530, Kaamel Periora wrote: > > > Dear All, > > > > > > It is required to identify the padding scheme used by the Fedora dogtag > > > system. Appreciate of someone could shed some light on this requirement. > > > > > > Thanks > > > Kaamel > > > > Hi Kaamel, > > > > Padding scheme for what? Dogtag uses or supports various kinds of > > encryption and encodings with padding schemes. Please be more > > specific. > > > > Cheers, > > Fraser > > From msj at nthpermutation.com Tue Mar 14 00:45:49 2017 From: msj at nthpermutation.com (Michael StJohns) Date: Tue, 14 Mar 2017 00:45:49 +0000 Subject: [Pki-users] Padding Scheme used in Fedora Dogtag In-Reply-To: <20170313235440.GG10261@dhcp-40-8.bne.redhat.com> References: <20170307081317.GT6697@dhcp-40-8.bne.redhat.com> <20170313235440.GG10261@dhcp-40-8.bne.redhat.com> Message-ID: He's asking whether to use PKCS1v1.5 padding or OAEP padding for RSA signatures. The latter is more secure, the former is much more common and implemented. Mike On Mon, Mar 13, 2017 at 17:56 Fraser Tweedale wrote: > On Tue, Mar 07, 2017 at 01:48:54PM +0530, Kaamel Periora wrote: > > Dear Fraser, > > > > It is for the encryption process related to RSA. > > > I'm sorry, it is still not entirely clear what you are asking. > Could you state from a user perspective the actions you are > interested in, so I can identify exactly which operations are > involved, and answer your question? > > Thanks, > Fraser > > > Is there any literature to refer regarding this specific information > > regarding DogTag? > > > > Regards, > > Kaamel > > > > On Tue, Mar 7, 2017 at 1:43 PM, Fraser Tweedale > wrote: > > > > > On Tue, Mar 07, 2017 at 12:13:12PM +0530, Kaamel Periora wrote: > > > > Dear All, > > > > > > > > It is required to identify the padding scheme used by the Fedora > dogtag > > > > system. Appreciate of someone could shed some light on this > requirement. > > > > > > > > Thanks > > > > Kaamel > > > > > > Hi Kaamel, > > > > > > Padding scheme for what? Dogtag uses or supports various kinds of > > > encryption and encodings with padding schemes. Please be more > > > specific. > > > > > > Cheers, > > > Fraser > > > > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ftweedal at redhat.com Tue Mar 14 03:00:40 2017 From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 14 Mar 2017 13:00:40 +1000 Subject: [Pki-users] Padding Scheme used in Fedora Dogtag In-Reply-To: References: <20170307081317.GT6697@dhcp-40-8.bne.redhat.com> <20170313235440.GG10261@dhcp-40-8.bne.redhat.com> Message-ID: <20170314030040.GK10261@dhcp-40-8.bne.redhat.com> On Tue, Mar 14, 2017 at 12:45:49AM +0000, Michael StJohns wrote: > He's asking whether to use PKCS1v1.5 padding or OAEP padding for RSA > signatures. > > The latter is more secure, the former is much more common and implemented. > The default signature algorithm for RSA is sha256WithRSAEncryption (PKCS #1 v1.5 padding). I'd have to check if we support RSASSA-PSS. Cheers, Fraser > > Mike > > > On Mon, Mar 13, 2017 at 17:56 Fraser Tweedale wrote: > > > On Tue, Mar 07, 2017 at 01:48:54PM +0530, Kaamel Periora wrote: > > > Dear Fraser, > > > > > > It is for the encryption process related to RSA. > > > > > I'm sorry, it is still not entirely clear what you are asking. > > Could you state from a user perspective the actions you are > > interested in, so I can identify exactly which operations are > > involved, and answer your question? > > > > Thanks, > > Fraser > > > > > Is there any literature to refer regarding this specific information > > > regarding DogTag? > > > > > > Regards, > > > Kaamel > > > > > > On Tue, Mar 7, 2017 at 1:43 PM, Fraser Tweedale > > wrote: > > > > > > > On Tue, Mar 07, 2017 at 12:13:12PM +0530, Kaamel Periora wrote: > > > > > Dear All, > > > > > > > > > > It is required to identify the padding scheme used by the Fedora > > dogtag > > > > > system. Appreciate of someone could shed some light on this > > requirement. > > > > > > > > > > Thanks > > > > > Kaamel > > > > > > > > Hi Kaamel, > > > > > > > > Padding scheme for what? Dogtag uses or supports various kinds of > > > > encryption and encodings with padding schemes. Please be more > > > > specific. > > > > > > > > Cheers, > > > > Fraser > > > > > > > > _______________________________________________ > > Pki-users mailing list > > Pki-users at redhat.com > > https://www.redhat.com/mailman/listinfo/pki-users > > From msj at nthpermutation.com Tue Mar 14 03:35:49 2017 From: msj at nthpermutation.com (Michael StJohns) Date: Tue, 14 Mar 2017 03:35:49 +0000 Subject: [Pki-users] Padding Scheme used in Fedora Dogtag In-Reply-To: <20170314030040.GK10261@dhcp-40-8.bne.redhat.com> References: <20170307081317.GT6697@dhcp-40-8.bne.redhat.com> <20170313235440.GG10261@dhcp-40-8.bne.redhat.com> <20170314030040.GK10261@dhcp-40-8.bne.redhat.com> Message-ID: *beats head against wall*. PSS. Not OAEP. in my defense he did say encryption, but that's not what dogtag does. On Mon, Mar 13, 2017 at 20:00 Fraser Tweedale wrote: > On Tue, Mar 14, 2017 at 12:45:49AM +0000, Michael StJohns wrote: > > He's asking whether to use PKCS1v1.5 padding or OAEP padding for RSA > > signatures. > > > > The latter is more secure, the former is much more common and > implemented. > > > The default signature algorithm for RSA is sha256WithRSAEncryption > (PKCS #1 v1.5 padding). I'd have to check if we support RSASSA-PSS. > > Cheers, > Fraser > > > > > Mike > > > > > > On Mon, Mar 13, 2017 at 17:56 Fraser Tweedale > wrote: > > > > > On Tue, Mar 07, 2017 at 01:48:54PM +0530, Kaamel Periora wrote: > > > > Dear Fraser, > > > > > > > > It is for the encryption process related to RSA. > > > > > > > I'm sorry, it is still not entirely clear what you are asking. > > > Could you state from a user perspective the actions you are > > > interested in, so I can identify exactly which operations are > > > involved, and answer your question? > > > > > > Thanks, > > > Fraser > > > > > > > Is there any literature to refer regarding this specific information > > > > regarding DogTag? > > > > > > > > Regards, > > > > Kaamel > > > > > > > > On Tue, Mar 7, 2017 at 1:43 PM, Fraser Tweedale > > > > wrote: > > > > > > > > > On Tue, Mar 07, 2017 at 12:13:12PM +0530, Kaamel Periora wrote: > > > > > > Dear All, > > > > > > > > > > > > It is required to identify the padding scheme used by the Fedora > > > dogtag > > > > > > system. Appreciate of someone could shed some light on this > > > requirement. > > > > > > > > > > > > Thanks > > > > > > Kaamel > > > > > > > > > > Hi Kaamel, > > > > > > > > > > Padding scheme for what? Dogtag uses or supports various kinds of > > > > > encryption and encodings with padding schemes. Please be more > > > > > specific. > > > > > > > > > > Cheers, > > > > > Fraser > > > > > > > > > > > _______________________________________________ > > > Pki-users mailing list > > > Pki-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/pki-users > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ftweedal at redhat.com Tue Mar 14 04:03:20 2017 From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 14 Mar 2017 14:03:20 +1000 Subject: [Pki-users] Padding Scheme used in Fedora Dogtag In-Reply-To: References: <20170307081317.GT6697@dhcp-40-8.bne.redhat.com> <20170313235440.GG10261@dhcp-40-8.bne.redhat.com> <20170314030040.GK10261@dhcp-40-8.bne.redhat.com> Message-ID: <20170314040320.GL10261@dhcp-40-8.bne.redhat.com> On Tue, Mar 14, 2017 at 03:35:49AM +0000, Michael StJohns wrote: > *beats head against wall*. PSS. Not OAEP. in my defense he did say > encryption, but that's not what dogtag does. > No worries. I checked codebase; no mention of PSS or MGF so I conclude that we do support only PKCS #1 v1.5 padding with RSA signatures. Cheers, Fraser > > On Mon, Mar 13, 2017 at 20:00 Fraser Tweedale wrote: > > > On Tue, Mar 14, 2017 at 12:45:49AM +0000, Michael StJohns wrote: > > > He's asking whether to use PKCS1v1.5 padding or OAEP padding for RSA > > > signatures. > > > > > > The latter is more secure, the former is much more common and > > implemented. > > > > > The default signature algorithm for RSA is sha256WithRSAEncryption > > (PKCS #1 v1.5 padding). I'd have to check if we support RSASSA-PSS. > > > > Cheers, > > Fraser > > > > > > > > Mike > > > > > > > > > On Mon, Mar 13, 2017 at 17:56 Fraser Tweedale > > wrote: > > > > > > > On Tue, Mar 07, 2017 at 01:48:54PM +0530, Kaamel Periora wrote: > > > > > Dear Fraser, > > > > > > > > > > It is for the encryption process related to RSA. > > > > > > > > > I'm sorry, it is still not entirely clear what you are asking. > > > > Could you state from a user perspective the actions you are > > > > interested in, so I can identify exactly which operations are > > > > involved, and answer your question? > > > > > > > > Thanks, > > > > Fraser > > > > > > > > > Is there any literature to refer regarding this specific information > > > > > regarding DogTag? > > > > > > > > > > Regards, > > > > > Kaamel > > > > > > > > > > On Tue, Mar 7, 2017 at 1:43 PM, Fraser Tweedale > > > > > > wrote: > > > > > > > > > > > On Tue, Mar 07, 2017 at 12:13:12PM +0530, Kaamel Periora wrote: > > > > > > > Dear All, > > > > > > > > > > > > > > It is required to identify the padding scheme used by the Fedora > > > > dogtag > > > > > > > system. Appreciate of someone could shed some light on this > > > > requirement. > > > > > > > > > > > > > > Thanks > > > > > > > Kaamel > > > > > > > > > > > > Hi Kaamel, > > > > > > > > > > > > Padding scheme for what? Dogtag uses or supports various kinds of > > > > > > encryption and encodings with padding schemes. Please be more > > > > > > specific. > > > > > > > > > > > > Cheers, > > > > > > Fraser > > > > > > > > > > > > > > _______________________________________________ > > > > Pki-users mailing list > > > > Pki-users at redhat.com > > > > https://www.redhat.com/mailman/listinfo/pki-users > > > > > > From georgewash87 at gmail.com Tue Mar 14 21:31:39 2017 From: georgewash87 at gmail.com (George Wash) Date: Tue, 14 Mar 2017 17:31:39 -0400 Subject: [Pki-users] SubjectAltNameExt limited to 4 SANS? Message-ID: Using CS 9.1 I'm sending SAN nametypes and values in my HTTP requests to the CA inspired by Section A.1.14 below https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/9/html/Administration_Guide/CertProfileReference.html In general this is working, but I seem to be limited to 4 SANs maximum. The CA seems to only process $request_req_san_pattern_<0-3>$ Here's my setup and some logs #### SAN Profile Configuration - 10 SANs #### ... policyset.MySet.SAN.constraint.class_id=noConstraintImpl policyset.MySet.SAN.constraint.name=No Constraint policyset.MySet.SAN.default.class_id=subjectAltNameExtDefaultImpl policyset.MySet.SAN.default.name=Subject Alt Name Extension Default policyset.MySet.SAN.default.params.subjAltNameExtCritical=false policyset.MySet.SAN.default.params.subjAltNameNumGNs=10 policyset.MySet.SAN.default.params.subjAltExtGNEnable_0=true policyset.MySet.SAN.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$ policyset.MySet.SAN.default.params.subjAltExtType_0=$request.req_san_type_0$ policyset.MySet.SAN.default.params.subjAltExtGNEnable_1=true policyset.MySet.SAN.default.params.subjAltExtPattern_1=$request.req_san_pattern_1$ policyset.MySet.SAN.default.params.subjAltExtType_1=$request.req_san_type_1$ policyset.MySet.SAN.default.params.subjAltExtGNEnable_2=true policyset.MySet.SAN.default.params.subjAltExtPattern_2=$request.req_san_pattern_2$ policyset.MySet.SAN.default.params.subjAltExtType_2=$request.req_san_type_2$ policyset.MySet.SAN.default.params.subjAltExtGNEnable_3=true policyset.MySet.SAN.default.params.subjAltExtPattern_3=$request.req_san_pattern_3$ policyset.MySet.SAN.default.params.subjAltExtType_3=$request.req_san_type_3$ policyset.MySet.SAN.default.params.subjAltExtGNEnable_4=true policyset.MySet.SAN.default.params.subjAltExtPattern_4=$request.req_san_pattern_4$ policyset.MySet.SAN.default.params.subjAltExtType_4=$request.req_san_type_4$ policyset.MySet.SAN.default.params.subjAltExtGNEnable_5=true policyset.MySet.SAN.default.params.subjAltExtPattern_5=$request.req_san_pattern_5$ policyset.MySet.SAN.default.params.subjAltExtType_5=$request.req_san_type_5$ policyset.MySet.SAN.default.params.subjAltExtGNEnable_6=true policyset.MySet.SAN.default.params.subjAltExtPattern_6=$request.req_san_pattern_6$ policyset.MySet.SAN.default.params.subjAltExtType_6=$request.req_san_type_6$ policyset.MySet.SAN.default.params.subjAltExtGNEnable_7=true policyset.MySet.SAN.default.params.subjAltExtPattern_7=$request.req_san_pattern_7$ policyset.MySet.SAN.default.params.subjAltExtType_7=$request.req_san_type_7$ policyset.MySet.SAN.default.params.subjAltExtGNEnable_8=true policyset.MySet.SAN.default.params.subjAltExtPattern_8=$request.req_san_pattern_8$ policyset.MySet.SAN.default.params.subjAltExtType_8=$request.req_san_type_8$ policyset.MySet.SAN.default.params.subjAltExtGNEnable_9=true policyset.MySet.SAN.default.params.subjAltExtPattern_9=$request.req_san_pattern_9$ policyset.MySet.SAN.default.params.subjAltExtType_9=$request.req_san_type_9$ #### Parsing from HTTP Request - SAN0 to SAN4 are received at the CA from client ##### ... [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_type_0' value='DNSName' [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_pattern_0' value='myserver0.example.com' [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_type_1' value='DNSName' [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_pattern_1' value='myserver1.example.com' [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_type_2' value='DNSName' [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_pattern_2' value='myserver2.example.com' [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_type_3' value='DNSName' [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_pattern_3' value='myserver3.example.com' [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_type_4' value='DNSName' [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_pattern_4' value='myserver4.example.com' ### CAProcessor Has Dropped SAN4 #### [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:261:printParameterValues() CAProcessor: Input Parameters: .... [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_0: DNSName [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_3: DNSName [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_1: DNSName ... [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_2: DNSName [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_pattern_3: myserver3.example.com [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_pattern_1: myserver1.example.com [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_pattern_2: myserver2.example.com [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_pattern_0: myserver0.example.com [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - cert_request_type: pkcs10 ... ### SubjectAltNameExtDefault - no SAN4 - gname is empty as indicated previously in processing #### ... [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: EnrollDefault.java:220:populate() SubjectAltNameExtDefault: populate start [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=0 [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_0$ [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:492:createExtension() SubjectAltNameExtDefault: createExtension got gname=myserver0.example.com with type=DNSName [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:496:createExtension() adding gname: myserver0.example.com [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:498:createExtension() SubjectAlternativeNameExtension: n not null [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=1 [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_1$ [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:492:createExtension() SubjectAltNameExtDefault: createExtension got gname=myserver1.example.com with type=DNSName [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:496:createExtension() adding gname: myserver1.example.com [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:498:createExtension() SubjectAlternativeNameExtension: n not null [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=2 [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_2$ [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:492:createExtension() SubjectAltNameExtDefault: createExtension got gname=myserver2.example.com with type=DNSName [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:496:createExtension() adding gname: myserver2.example.com [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:498:createExtension() SubjectAlternativeNameExtension: n not null [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=3 [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_3$ [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:492:createExtension() SubjectAltNameExtDefault: createExtension got gname=myserver3.example.com with type=DNSName [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:496:createExtension() adding gname: myserver3.example.com [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:498:createExtension() SubjectAlternativeNameExtension: n not null [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=4 [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_4$ [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:489:createExtension() SubjectAltNameExtDefault: gname is empty,not added. [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=5 [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_5$ [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:489:createExtension() SubjectAltNameExtDefault: gname is empty,not added. [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=6 [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_6$ [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:489:createExtension() SubjectAltNameExtDefault: gname is empty,not added. [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=7 [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_7$ [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:489:createExtension() SubjectAltNameExtDefault: gname is empty,not added. [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=8 [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_8$ [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:489:createExtension() SubjectAltNameExtDefault: gname is empty,not added. [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=9 [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_9$ [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:489:createExtension() SubjectAltNameExtDefault: gname is empty,not added. What's interesting is the SubjectAltNameExtDefault can take several extra hardcoded nametypes and values from the profile and populate them in the enrolled certificate. Any thoughts? Thanks GW -------------- next part -------------- An HTML attachment was scrubbed... URL: From ftweedal at redhat.com Tue Mar 14 23:37:52 2017 From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 15 Mar 2017 09:37:52 +1000 Subject: [Pki-users] SubjectAltNameExt limited to 4 SANS? In-Reply-To: References: Message-ID: <20170314233752.GN10261@dhcp-40-8.bne.redhat.com> On Tue, Mar 14, 2017 at 05:31:39PM -0400, George Wash wrote: > Using CS 9.1 > I'm sending SAN nametypes and values in my HTTP requests to the CA inspired > by Section A.1.14 below > https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/9/html/Administration_Guide/CertProfileReference.html > > In general this is working, but I seem to be limited to 4 SANs maximum. The > CA seems to only process $request_req_san_pattern_<0-3>$ > > Here's my setup and some logs > > > #### SAN Profile Configuration - 10 SANs #### > ... > policyset.MySet.SAN.constraint.class_id=noConstraintImpl > policyset.MySet.SAN.constraint.name=No Constraint > policyset.MySet.SAN.default.class_id=subjectAltNameExtDefaultImpl > policyset.MySet.SAN.default.name=Subject Alt Name Extension Default > policyset.MySet.SAN.default.params.subjAltNameExtCritical=false > policyset.MySet.SAN.default.params.subjAltNameNumGNs=10 > policyset.MySet.SAN.default.params.subjAltExtGNEnable_0=true > policyset.MySet.SAN.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$ > policyset.MySet.SAN.default.params.subjAltExtType_0=$request.req_san_type_0$ > policyset.MySet.SAN.default.params.subjAltExtGNEnable_1=true > policyset.MySet.SAN.default.params.subjAltExtPattern_1=$request.req_san_pattern_1$ > policyset.MySet.SAN.default.params.subjAltExtType_1=$request.req_san_type_1$ > policyset.MySet.SAN.default.params.subjAltExtGNEnable_2=true > policyset.MySet.SAN.default.params.subjAltExtPattern_2=$request.req_san_pattern_2$ > policyset.MySet.SAN.default.params.subjAltExtType_2=$request.req_san_type_2$ > policyset.MySet.SAN.default.params.subjAltExtGNEnable_3=true > policyset.MySet.SAN.default.params.subjAltExtPattern_3=$request.req_san_pattern_3$ > policyset.MySet.SAN.default.params.subjAltExtType_3=$request.req_san_type_3$ > policyset.MySet.SAN.default.params.subjAltExtGNEnable_4=true > policyset.MySet.SAN.default.params.subjAltExtPattern_4=$request.req_san_pattern_4$ > policyset.MySet.SAN.default.params.subjAltExtType_4=$request.req_san_type_4$ > policyset.MySet.SAN.default.params.subjAltExtGNEnable_5=true > policyset.MySet.SAN.default.params.subjAltExtPattern_5=$request.req_san_pattern_5$ > policyset.MySet.SAN.default.params.subjAltExtType_5=$request.req_san_type_5$ > policyset.MySet.SAN.default.params.subjAltExtGNEnable_6=true > policyset.MySet.SAN.default.params.subjAltExtPattern_6=$request.req_san_pattern_6$ > policyset.MySet.SAN.default.params.subjAltExtType_6=$request.req_san_type_6$ > policyset.MySet.SAN.default.params.subjAltExtGNEnable_7=true > policyset.MySet.SAN.default.params.subjAltExtPattern_7=$request.req_san_pattern_7$ > policyset.MySet.SAN.default.params.subjAltExtType_7=$request.req_san_type_7$ > policyset.MySet.SAN.default.params.subjAltExtGNEnable_8=true > policyset.MySet.SAN.default.params.subjAltExtPattern_8=$request.req_san_pattern_8$ > policyset.MySet.SAN.default.params.subjAltExtType_8=$request.req_san_type_8$ > policyset.MySet.SAN.default.params.subjAltExtGNEnable_9=true > policyset.MySet.SAN.default.params.subjAltExtPattern_9=$request.req_san_pattern_9$ > policyset.MySet.SAN.default.params.subjAltExtType_9=$request.req_san_type_9$ > > > #### Parsing from HTTP Request - SAN0 to SAN4 are received at the CA from > client ##### > ... > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param > name='req_san_type_0' value='DNSName' > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param > name='req_san_pattern_0' value='myserver0.example.com' > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param > name='req_san_type_1' value='DNSName' > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param > name='req_san_pattern_1' value='myserver1.example.com' > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param > name='req_san_type_2' value='DNSName' > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param > name='req_san_pattern_2' value='myserver2.example.com' > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param > name='req_san_type_3' value='DNSName' > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param > name='req_san_pattern_3' value='myserver3.example.com' > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param > name='req_san_type_4' value='DNSName' > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param > name='req_san_pattern_4' value='myserver4.example.com' > > > ### CAProcessor Has Dropped SAN4 #### > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > CAProcessor.java:261:printParameterValues() CAProcessor: Input Parameters: > .... > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_0: > DNSName > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_3: > DNSName > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_1: > DNSName > ... > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_2: > DNSName > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > CAProcessor.java:286:printParameterValues() CAProcessor: - > req_san_pattern_3: myserver3.example.com > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > CAProcessor.java:286:printParameterValues() CAProcessor: - > req_san_pattern_1: myserver1.example.com > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > CAProcessor.java:286:printParameterValues() CAProcessor: - > req_san_pattern_2: myserver2.example.com > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > CAProcessor.java:286:printParameterValues() CAProcessor: - > req_san_pattern_0: myserver0.example.com > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > CAProcessor.java:286:printParameterValues() CAProcessor: - > cert_request_type: pkcs10 > ... > > > ### SubjectAltNameExtDefault - no SAN4 - gname is empty as indicated > previously in processing #### > ... > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > EnrollDefault.java:220:populate() SubjectAltNameExtDefault: populate start > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:443:createExtension() > SubjectAltNameExtDefault: createExtension i=0 > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:451:createExtension() > SubjectAltNameExtDefault: createExtension() > pattern=$request.req_san_pattern_0$ > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:492:createExtension() > SubjectAltNameExtDefault: createExtension got gname=myserver0.example.com > with type=DNSName > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:496:createExtension() adding gname: > myserver0.example.com > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:498:createExtension() > SubjectAlternativeNameExtension: n not null > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:443:createExtension() > SubjectAltNameExtDefault: createExtension i=1 > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:451:createExtension() > SubjectAltNameExtDefault: createExtension() > pattern=$request.req_san_pattern_1$ > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:492:createExtension() > SubjectAltNameExtDefault: createExtension got gname=myserver1.example.com > with type=DNSName > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:496:createExtension() adding gname: > myserver1.example.com > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:498:createExtension() > SubjectAlternativeNameExtension: n not null > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:443:createExtension() > SubjectAltNameExtDefault: createExtension i=2 > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:451:createExtension() > SubjectAltNameExtDefault: createExtension() > pattern=$request.req_san_pattern_2$ > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:492:createExtension() > SubjectAltNameExtDefault: createExtension got gname=myserver2.example.com > with type=DNSName > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:496:createExtension() adding gname: > myserver2.example.com > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:498:createExtension() > SubjectAlternativeNameExtension: n not null > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:443:createExtension() > SubjectAltNameExtDefault: createExtension i=3 > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:451:createExtension() > SubjectAltNameExtDefault: createExtension() > pattern=$request.req_san_pattern_3$ > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:492:createExtension() > SubjectAltNameExtDefault: createExtension got gname=myserver3.example.com > with type=DNSName > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:496:createExtension() adding gname: > myserver3.example.com > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:498:createExtension() > SubjectAlternativeNameExtension: n not null > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:443:createExtension() > SubjectAltNameExtDefault: createExtension i=4 > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:451:createExtension() > SubjectAltNameExtDefault: createExtension() > pattern=$request.req_san_pattern_4$ > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:489:createExtension() > SubjectAltNameExtDefault: gname is empty,not added. > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:443:createExtension() > SubjectAltNameExtDefault: createExtension i=5 > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:451:createExtension() > SubjectAltNameExtDefault: createExtension() > pattern=$request.req_san_pattern_5$ > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:489:createExtension() > SubjectAltNameExtDefault: gname is empty,not added. > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:443:createExtension() > SubjectAltNameExtDefault: createExtension i=6 > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:451:createExtension() > SubjectAltNameExtDefault: createExtension() > pattern=$request.req_san_pattern_6$ > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:489:createExtension() > SubjectAltNameExtDefault: gname is empty,not added. > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:443:createExtension() > SubjectAltNameExtDefault: createExtension i=7 > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:451:createExtension() > SubjectAltNameExtDefault: createExtension() > pattern=$request.req_san_pattern_7$ > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:489:createExtension() > SubjectAltNameExtDefault: gname is empty,not added. > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:443:createExtension() > SubjectAltNameExtDefault: createExtension i=8 > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:451:createExtension() > SubjectAltNameExtDefault: createExtension() > pattern=$request.req_san_pattern_8$ > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:489:createExtension() > SubjectAltNameExtDefault: gname is empty,not added. > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:443:createExtension() > SubjectAltNameExtDefault: createExtension i=9 > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:451:createExtension() > SubjectAltNameExtDefault: createExtension() > pattern=$request.req_san_pattern_9$ > [14/Mar/2017:16:49:21][http-bio-8443-exec-1]: > SubjectAltNameExtDefault.java:489:createExtension() > SubjectAltNameExtDefault: gname is empty,not added. > > > What's interesting is the SubjectAltNameExtDefault can take several extra > hardcoded nametypes and values from the profile and populate them in the > enrolled certificate. > > Any thoughts? > > Thanks > GW > Hi George, Looking at the code, while the SubjectAltNameExtDefault class can handle up to 100 altnames, the SubjectAltNameExtInput class, which stores user-submitted altname values into the request context, has a hardcoded limit of 4. If your use case requires handling more than 4 explicitly submitted altnames, please file a ticket at https://pagure.io/dogtagpki/new_issue. Thanks, Fraser From techpkiuser at gmail.com Wed Mar 15 07:31:10 2017 From: techpkiuser at gmail.com (Kaamel Periora) Date: Wed, 15 Mar 2017 13:01:10 +0530 Subject: [Pki-users] Padding Scheme used in Fedora Dogtag In-Reply-To: <20170314040320.GL10261@dhcp-40-8.bne.redhat.com> References: <20170307081317.GT6697@dhcp-40-8.bne.redhat.com> <20170313235440.GG10261@dhcp-40-8.bne.redhat.com> <20170314030040.GK10261@dhcp-40-8.bne.redhat.com> <20170314040320.GL10261@dhcp-40-8.bne.redhat.com> Message-ID: thanks all, So DogTag supports only PKCS #1 v1.5 padding. Is there a way to identify this setting via any admin interface? On Tue, Mar 14, 2017 at 9:33 AM, Fraser Tweedale wrote: > On Tue, Mar 14, 2017 at 03:35:49AM +0000, Michael StJohns wrote: > > *beats head against wall*. PSS. Not OAEP. in my defense he did say > > encryption, but that's not what dogtag does. > > > No worries. > > I checked codebase; no mention of PSS or MGF so I conclude that we > do support only PKCS #1 v1.5 padding with RSA signatures. > > Cheers, > Fraser > > > > > On Mon, Mar 13, 2017 at 20:00 Fraser Tweedale > wrote: > > > > > On Tue, Mar 14, 2017 at 12:45:49AM +0000, Michael StJohns wrote: > > > > He's asking whether to use PKCS1v1.5 padding or OAEP padding for RSA > > > > signatures. > > > > > > > > The latter is more secure, the former is much more common and > > > implemented. > > > > > > > The default signature algorithm for RSA is sha256WithRSAEncryption > > > (PKCS #1 v1.5 padding). I'd have to check if we support RSASSA-PSS. > > > > > > Cheers, > > > Fraser > > > > > > > > > > > Mike > > > > > > > > > > > > On Mon, Mar 13, 2017 at 17:56 Fraser Tweedale > > > wrote: > > > > > > > > > On Tue, Mar 07, 2017 at 01:48:54PM +0530, Kaamel Periora wrote: > > > > > > Dear Fraser, > > > > > > > > > > > > It is for the encryption process related to RSA. > > > > > > > > > > > I'm sorry, it is still not entirely clear what you are asking. > > > > > Could you state from a user perspective the actions you are > > > > > interested in, so I can identify exactly which operations are > > > > > involved, and answer your question? > > > > > > > > > > Thanks, > > > > > Fraser > > > > > > > > > > > Is there any literature to refer regarding this specific > information > > > > > > regarding DogTag? > > > > > > > > > > > > Regards, > > > > > > Kaamel > > > > > > > > > > > > On Tue, Mar 7, 2017 at 1:43 PM, Fraser Tweedale < > ftweedal at redhat.com > > > > > > > > > wrote: > > > > > > > > > > > > > On Tue, Mar 07, 2017 at 12:13:12PM +0530, Kaamel Periora wrote: > > > > > > > > Dear All, > > > > > > > > > > > > > > > > It is required to identify the padding scheme used by the > Fedora > > > > > dogtag > > > > > > > > system. Appreciate of someone could shed some light on this > > > > > requirement. > > > > > > > > > > > > > > > > Thanks > > > > > > > > Kaamel > > > > > > > > > > > > > > Hi Kaamel, > > > > > > > > > > > > > > Padding scheme for what? Dogtag uses or supports various > kinds of > > > > > > > encryption and encodings with padding schemes. Please be more > > > > > > > specific. > > > > > > > > > > > > > > Cheers, > > > > > > > Fraser > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > Pki-users mailing list > > > > > Pki-users at redhat.com > > > > > https://www.redhat.com/mailman/listinfo/pki-users > > > > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ftweedal at redhat.com Wed Mar 15 10:39:24 2017 From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 15 Mar 2017 20:39:24 +1000 Subject: [Pki-users] Padding Scheme used in Fedora Dogtag In-Reply-To: References: <20170307081317.GT6697@dhcp-40-8.bne.redhat.com> <20170313235440.GG10261@dhcp-40-8.bne.redhat.com> <20170314030040.GK10261@dhcp-40-8.bne.redhat.com> <20170314040320.GL10261@dhcp-40-8.bne.redhat.com> Message-ID: <20170315103924.GQ10261@dhcp-40-8.bne.redhat.com> On Wed, Mar 15, 2017 at 01:01:10PM +0530, Kaamel Periora wrote: > thanks all, > > So DogTag supports only PKCS #1 v1.5 padding. Is there a way to identify > this setting via any admin interface? > There is no setting to control this; it's just how the software is currently implemented. If you require support for PSS please file a ticket: https://pagure.io/dogtagpki/new_issue Cheers, Fraser > > > On Tue, Mar 14, 2017 at 9:33 AM, Fraser Tweedale > wrote: > > > On Tue, Mar 14, 2017 at 03:35:49AM +0000, Michael StJohns wrote: > > > *beats head against wall*. PSS. Not OAEP. in my defense he did say > > > encryption, but that's not what dogtag does. > > > > > No worries. > > > > I checked codebase; no mention of PSS or MGF so I conclude that we > > do support only PKCS #1 v1.5 padding with RSA signatures. > > > > Cheers, > > Fraser > > > > > > > > On Mon, Mar 13, 2017 at 20:00 Fraser Tweedale > > wrote: > > > > > > > On Tue, Mar 14, 2017 at 12:45:49AM +0000, Michael StJohns wrote: > > > > > He's asking whether to use PKCS1v1.5 padding or OAEP padding for RSA > > > > > signatures. > > > > > > > > > > The latter is more secure, the former is much more common and > > > > implemented. > > > > > > > > > The default signature algorithm for RSA is sha256WithRSAEncryption > > > > (PKCS #1 v1.5 padding). I'd have to check if we support RSASSA-PSS. > > > > > > > > Cheers, > > > > Fraser > > > > > > > > > > > > > > Mike > > > > > > > > > > > > > > > On Mon, Mar 13, 2017 at 17:56 Fraser Tweedale > > > > wrote: > > > > > > > > > > > On Tue, Mar 07, 2017 at 01:48:54PM +0530, Kaamel Periora wrote: > > > > > > > Dear Fraser, > > > > > > > > > > > > > > It is for the encryption process related to RSA. > > > > > > > > > > > > > I'm sorry, it is still not entirely clear what you are asking. > > > > > > Could you state from a user perspective the actions you are > > > > > > interested in, so I can identify exactly which operations are > > > > > > involved, and answer your question? > > > > > > > > > > > > Thanks, > > > > > > Fraser > > > > > > > > > > > > > Is there any literature to refer regarding this specific > > information > > > > > > > regarding DogTag? > > > > > > > > > > > > > > Regards, > > > > > > > Kaamel > > > > > > > > > > > > > > On Tue, Mar 7, 2017 at 1:43 PM, Fraser Tweedale < > > ftweedal at redhat.com > > > > > > > > > > > wrote: > > > > > > > > > > > > > > > On Tue, Mar 07, 2017 at 12:13:12PM +0530, Kaamel Periora wrote: > > > > > > > > > Dear All, > > > > > > > > > > > > > > > > > > It is required to identify the padding scheme used by the > > Fedora > > > > > > dogtag > > > > > > > > > system. Appreciate of someone could shed some light on this > > > > > > requirement. > > > > > > > > > > > > > > > > > > Thanks > > > > > > > > > Kaamel > > > > > > > > > > > > > > > > Hi Kaamel, > > > > > > > > > > > > > > > > Padding scheme for what? Dogtag uses or supports various > > kinds of > > > > > > > > encryption and encodings with padding schemes. Please be more > > > > > > > > specific. > > > > > > > > > > > > > > > > Cheers, > > > > > > > > Fraser > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > Pki-users mailing list > > > > > > Pki-users at redhat.com > > > > > > https://www.redhat.com/mailman/listinfo/pki-users > > > > > > > > > > > > From techpkiuser at gmail.com Wed Mar 15 11:37:58 2017 From: techpkiuser at gmail.com (Kaamel Periora) Date: Wed, 15 Mar 2017 17:07:58 +0530 Subject: [Pki-users] Padding Scheme used in Fedora Dogtag In-Reply-To: <20170315103924.GQ10261@dhcp-40-8.bne.redhat.com> References: <20170307081317.GT6697@dhcp-40-8.bne.redhat.com> <20170313235440.GG10261@dhcp-40-8.bne.redhat.com> <20170314030040.GK10261@dhcp-40-8.bne.redhat.com> <20170314040320.GL10261@dhcp-40-8.bne.redhat.com> <20170315103924.GQ10261@dhcp-40-8.bne.redhat.com> Message-ID: Thanks Fraser! appreciate your support! Thanks Michael for the clarifications! On Wed, Mar 15, 2017 at 4:09 PM, Fraser Tweedale wrote: > On Wed, Mar 15, 2017 at 01:01:10PM +0530, Kaamel Periora wrote: > > thanks all, > > > > So DogTag supports only PKCS #1 v1.5 padding. Is there a way to identify > > this setting via any admin interface? > > > There is no setting to control this; it's just how the software is > currently implemented. > > If you require support for PSS please file a ticket: > https://pagure.io/dogtagpki/new_issue > > Cheers, > Fraser > > > > > > > On Tue, Mar 14, 2017 at 9:33 AM, Fraser Tweedale > > wrote: > > > > > On Tue, Mar 14, 2017 at 03:35:49AM +0000, Michael StJohns wrote: > > > > *beats head against wall*. PSS. Not OAEP. in my defense he did say > > > > encryption, but that's not what dogtag does. > > > > > > > No worries. > > > > > > I checked codebase; no mention of PSS or MGF so I conclude that we > > > do support only PKCS #1 v1.5 padding with RSA signatures. > > > > > > Cheers, > > > Fraser > > > > > > > > > > > On Mon, Mar 13, 2017 at 20:00 Fraser Tweedale > > > wrote: > > > > > > > > > On Tue, Mar 14, 2017 at 12:45:49AM +0000, Michael StJohns wrote: > > > > > > He's asking whether to use PKCS1v1.5 padding or OAEP padding for > RSA > > > > > > signatures. > > > > > > > > > > > > The latter is more secure, the former is much more common and > > > > > implemented. > > > > > > > > > > > The default signature algorithm for RSA is sha256WithRSAEncryption > > > > > (PKCS #1 v1.5 padding). I'd have to check if we support > RSASSA-PSS. > > > > > > > > > > Cheers, > > > > > Fraser > > > > > > > > > > > > > > > > > Mike > > > > > > > > > > > > > > > > > > On Mon, Mar 13, 2017 at 17:56 Fraser Tweedale < > ftweedal at redhat.com> > > > > > wrote: > > > > > > > > > > > > > On Tue, Mar 07, 2017 at 01:48:54PM +0530, Kaamel Periora wrote: > > > > > > > > Dear Fraser, > > > > > > > > > > > > > > > > It is for the encryption process related to RSA. > > > > > > > > > > > > > > > I'm sorry, it is still not entirely clear what you are asking. > > > > > > > Could you state from a user perspective the actions you are > > > > > > > interested in, so I can identify exactly which operations are > > > > > > > involved, and answer your question? > > > > > > > > > > > > > > Thanks, > > > > > > > Fraser > > > > > > > > > > > > > > > Is there any literature to refer regarding this specific > > > information > > > > > > > > regarding DogTag? > > > > > > > > > > > > > > > > Regards, > > > > > > > > Kaamel > > > > > > > > > > > > > > > > On Tue, Mar 7, 2017 at 1:43 PM, Fraser Tweedale < > > > ftweedal at redhat.com > > > > > > > > > > > > > wrote: > > > > > > > > > > > > > > > > > On Tue, Mar 07, 2017 at 12:13:12PM +0530, Kaamel Periora > wrote: > > > > > > > > > > Dear All, > > > > > > > > > > > > > > > > > > > > It is required to identify the padding scheme used by the > > > Fedora > > > > > > > dogtag > > > > > > > > > > system. Appreciate of someone could shed some light on > this > > > > > > > requirement. > > > > > > > > > > > > > > > > > > > > Thanks > > > > > > > > > > Kaamel > > > > > > > > > > > > > > > > > > Hi Kaamel, > > > > > > > > > > > > > > > > > > Padding scheme for what? Dogtag uses or supports various > > > kinds of > > > > > > > > > encryption and encodings with padding schemes. Please be > more > > > > > > > > > specific. > > > > > > > > > > > > > > > > > > Cheers, > > > > > > > > > Fraser > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > Pki-users mailing list > > > > > > > Pki-users at redhat.com > > > > > > > https://www.redhat.com/mailman/listinfo/pki-users > > > > > > > > > > > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From turbo at bayour.com Mon Mar 27 10:32:33 2017 From: turbo at bayour.com (Turbo Fredriksson) Date: Mon, 27 Mar 2017 11:32:33 +0100 Subject: [Pki-users] Dogtag behind load balancer? In-Reply-To: <3FBF116A-63EA-46FA-9EF5-AA4460BDD11A@bayour.com> References: <3FBF116A-63EA-46FA-9EF5-AA4460BDD11A@bayour.com> Message-ID: <9A908C67-08EE-4E1D-BF72-399BEA63BFE6@bayour.com> I'm looking into setting up DogTag in my infrastructure, and I was wondering if it?s possible to scale it (for redundancy) behind a load balancer? I?m looking at implementing the CA and the RA. Possibly the OCSP and DRM as well, but I?m not sure I need them - loose the private key, create a new is the base I?m working from at the moment. About the OCSP it say ?which takes the load of CAs?, which seems roughly what I need, although the ?load? part isn?t really what I?m after. There will be very little load, but redundancy is a huge issue? I?m trying to understand the architecture of Dogtag, but I haven?t seen any architecture drawings or design document as of yet. From alee at redhat.com Tue Mar 28 14:46:48 2017 From: alee at redhat.com (Ade Lee) Date: Tue, 28 Mar 2017 10:46:48 -0400 Subject: [Pki-users] Dogtag behind load balancer? In-Reply-To: <9A908C67-08EE-4E1D-BF72-399BEA63BFE6@bayour.com> References: <3FBF116A-63EA-46FA-9EF5-AA4460BDD11A@bayour.com> <9A908C67-08EE-4E1D-BF72-399BEA63BFE6@bayour.com> Message-ID: <1490712408.4569.2.camel@redhat.com> On Mon, 2017-03-27 at 11:32 +0100, Turbo Fredriksson wrote: > I'm looking into setting up DogTag in my infrastructure, and I was > wondering if it?s > possible to scale it (for redundancy) behind a load balancer? > > > I?m looking at implementing the CA and the RA. Possibly the OCSP and > DRM > as well, but I?m not sure I need them - loose the private key, create > a new is > the base I?m working from at the moment. > > About the OCSP it say ?which takes the load of CAs?, which seems > roughly what > I need, although the ?load? part isn?t really what I?m after. There > will be very little > load, but redundancy is a huge issue? > > I?m trying to understand the architecture of Dogtag, but I haven?t > seen any architecture > drawings or design document as of yet. > A good place to start to answer these questions is by looking at thee ?Deployment Guide for Red Hat Certificate System. https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_Syste m/9/html/Planning_Installation_and_Deployment_Guide/index.html RHCS is essentially Dogtag plus a subscription for support. ?The main redundancy mechanism is cloning. Ade > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users