Red Hat Bugzilla – Attachment 910967 Details for
Bug 1024462
IPA admin cert is created with SHA1 signing algorithm, should be SHA256
[patch]
Patch to create admin cert with SHA256 (used in build)
pki-core-9.0.3-bz1024462.patch (text/plain), 8.10 KB, created by
Matthew Harmsen
on 2014-06-21 03:55:55 UTC
Description:
Patch to create admin cert with SHA256 (used in build)
Filename:
MIME Type:
Creator:
Matthew Harmsen
Created:
2014-06-21 03:55:55 UTC
Size:
8.10 KB
patch
obsolete
>diff -rupN pki-core-9.0.3.orig/base/ca/shared/conf/CS.cfg.in pki-core-9.0.3/base/ca/shared/conf/CS.cfg.in
>--- pki-core-9.0.3.orig/base/ca/shared/conf/CS.cfg.in 2014-06-20 18:36:22.000000000 -0700
>+++ pki-core-9.0.3/base/ca/shared/conf/CS.cfg.in 2014-06-20 18:53:27.000000000 -0700
>@@ -646,6 +646,7 @@ ca.notification.requestInQ.senderEmail=
> ca.ocsp_signing.cacertnickname=ocspSigningCert cert-[PKI_INSTANCE_ID]
> ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
> ca.ocsp_signing.tokenname=internal
>+ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC
> ca.publish.createOwnDNEntry=false
> ca.publish.queue.enable=true
> ca.publish.queue.maxNumberOfThreads=3
>diff -rupN pki-core-9.0.3.orig/base/ca/shared/profiles/ca/caAdminCert.cfg pki-core-9.0.3/base/ca/shared/profiles/ca/caAdminCert.cfg
>--- pki-core-9.0.3.orig/base/ca/shared/profiles/ca/caAdminCert.cfg 2011-02-04 08:56:25.000000000 -0800
>+++ pki-core-9.0.3/base/ca/shared/profiles/ca/caAdminCert.cfg 2014-06-20 18:55:31.000000000 -0700
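Review bot: The new global fallback `ca.profiles.defaultSigningAlgsAllowed` still lists MD5withRSA, MD2withRSA and SHA1withRSA, so a profile that names one of them in `default.params.signingAlg` passes the allowed-list check in CertUtil unchanged; only the position of SHA256withRSA at the head of the list makes the first-match selection pick SHA256. Since the bug is about not issuing SHA1-signed admin certs, consider dropping the MD2/MD5 entries from the fallback, e.g. `ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC,SHA1withDSA` (SHA1withDSA is the only DSA entry, so removing it would leave a DSA signing key with no valid algorithm). The reordered `policyset.adminCertSet.8.constraint.params.signingAlgsAllowed` line in the caAdminCert.cfg hunk carries the same MD2/MD5 entries and has the same order dependence.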
>@@ -81,7 +81,7 @@ policyset.adminCertSet.7.default.params.
> policyset.adminCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
> policyset.adminCertSet.8.constraint.class_id=signingAlgConstraintImpl
> policyset.adminCertSet.8.constraint.name=No Constraint
>-policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
>+policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC
> policyset.adminCertSet.8.default.class_id=signingAlgDefaultImpl
> policyset.adminCertSet.8.default.name=Signing Alg
> policyset.adminCertSet.8.default.params.signingAlg=-
>diff -rupN pki-core-9.0.3.orig/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java pki-core-9.0.3/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
>--- pki-core-9.0.3.orig/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java 2014-06-20 18:36:20.000000000 -0700
>+++ pki-core-9.0.3/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java 2014-06-20 19:02:49.000000000 -0700
>@@ -254,51 +254,85 @@ public class CertUtil {
> }
> }
> 
>-/**
>- * reads from the admin cert profile caAdminCert.profile and takes the first
>- * entry in the list of allowed algorithms. Users that wish a different algorithm
>- * can specify it in the profile using default.params.signingAlg
>- */
>-
>- public static String getAdminProfileAlgorithm(IConfigStore config) {
>- String algorithm = "SHA256withRSA";
>- try {
>- String caSigningKeyType = config.getString("preop.cert.signing.keytype","rsa");
>- String pfile = config.getString("profile.caAdminCert.config");
>- FileInputStream fis = new FileInputStream(pfile);
>- DataInputStream in = new DataInputStream(fis);
>- BufferedReader br = new BufferedReader(new InputStreamReader(in));
>-
>- String strLine;
>- while ((strLine = br.readLine()) != null) {
>- String marker2 = "default.params.signingAlg=";
>- int indx = strLine.indexOf(marker2);
>- if (indx != -1) {
>- String alg = strLine.substring(indx + marker2.length());
>- if ((alg.length() > 0) && (!alg.equals("-"))) {
>- algorithm = alg;
>- break;
>- };
>- };
>-
>- String marker = "signingAlgsAllowed=";
>- indx = strLine.indexOf(marker);
>- if (indx != -1) {
>- String[] algs = strLine.substring(indx + marker.length()).split(",");
>- for (int i=0; i<algs.length; i++) {
>- if ((caSigningKeyType.equals("rsa") && (algs[i].indexOf("RSA") != -1)) ||
>- (caSigningKeyType.equals("ecc") && (algs[i].indexOf("EC" ) != -1)) ) {
>- algorithm = algs[i];
>- break;
>- }
>- }
>- }
>- }
>- in.close();
>- } catch (Exception e) {
>- CMS.debug("getAdminProfleAlgorithm: exception: " + e);
>+ /**
>+ * reads from the admin cert profile caAdminCert.profile and determines the algorithm as follows:
>+ *
>+ * 1. First gets list of allowed algorithms from profile (constraint.params.signingAlgsAllowed)
>+ * If entry does not exist, uses entry "ca.profiles.defaultSigningAlgsAllowed" from CS.cfg
>+ * If that entry does not exist, uses basic default
>+ *
>+ * 2. Gets default.params.signingAlg from profile.
>+ * If entry does not exist or equals "-", selects first algorithm in allowed algorithm list
>+ * that matches CA signing key type
>+ * Otherwise returns entry if it matches signing CA key type.
>+ *
>+ * @throws EBaseException
>+ * @throws IOException
>+ * @throws FileNotFoundException
>+ */
>+
>+ public static String getAdminProfileAlgorithm(IConfigStore config) throws EBaseException, FileNotFoundException,
>+ IOException {
>+ String caSigningKeyType = config.getString("preop.cert.signing.keytype", "rsa");
>+ String pfile = config.getString("profile.caAdminCert.config");
>+ Properties props = new Properties();
>+ props.load(new FileInputStream(pfile));
>+
>+ Set<String> keys = props.stringPropertyNames();
>+ Iterator<String> iter = keys.iterator();
>+ String defaultAlg = null;
>+ String[] algsAllowed = null;
>+
>+ while (iter.hasNext()) {
>+ String key = iter.next();
>+ if (key.endsWith("default.params.signingAlg")) {
>+ defaultAlg = props.getProperty(key);
>+ }
>+ if (key.endsWith("constraint.params.signingAlgsAllowed")) {
>+ algsAllowed = props.getProperty(key).split(",");
>+ }
>+ }
>+
>+ if (algsAllowed == null) { //algsAllowed not defined in profile, use a global setting
>+ algsAllowed = config.getString("ca.profiles.defaultSigningAlgsAllowed",
>+ "SHA256withRSA,SHA256withEC,SHA1withDSA").split(",");
>+ }
>+
>+ if (algsAllowed.length == 0) {
>+ throw new EBaseException("No allowed signing algorithms defined.");
> }
>- return algorithm;
>+
>+ if ((defaultAlg != null) && ! defaultAlg.isEmpty() && !defaultAlg.equals("-")) {
>+ // check if the defined default algorithm is valid
>+ if (! isAlgorithmValid(caSigningKeyType, defaultAlg)) {
>+ throw new EBaseException("Administrator cert cannot be signed by specfied algorithm." +
>+ "Algorithm incompatible with signing key");
>+ }
>+
>+ for (String alg : algsAllowed) {
>+ if (defaultAlg.trim().equals(alg.trim())) {
>+ return defaultAlg;
>+ }
>+ }
>+ throw new EBaseException(
>+ "Administrator Certificate cannot be signed by the specified algorithm " +
>+ "as it is not one of the allowed signing algorithms. Check the admin cert profile.");
>+ }
>+
>+ // no algorithm specified. Pick the first allowed algorithm.
>+ for (String alg : algsAllowed) {
>+ if (isAlgorithmValid(caSigningKeyType, alg)) return alg;
>+ }
>+
>+ throw new EBaseException(
>+ "Admin certificate cannot be signed by any of the specified possible algorithms." +
>+ "Algorithm is incompatible with the CA signing key type" );
>+ }
>+
>+ private static boolean isAlgorithmValid(String signingKeyType, String algorithm) {
>+ return ((signingKeyType.equals("rsa") && algorithm.contains("RSA")) ||
>+ (signingKeyType.equals("ecc") && algorithm.contains("EC")) ||
>+ (signingKeyType.equals("dsa") && algorithm.contains("DSA")));
> }
> 
> public static X509CertImpl createLocalCert(IConfigStore config, X509Key x509key,
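Review bot: `props.load(new FileInputStream(pfile));` in the new getAdminProfileAlgorithm never closes the stream, so the profile file handle leaks on every call and on every exception path; the removed code at least called `in.close()`. If the codebase builds on Java 7 or later, use `try (FileInputStream fis = new FileInputStream(pfile)) { props.load(fis); }`, otherwise keep a local and close it in a `finally`. Separately, `isAlgorithmValid` only checks that the algorithm name matches the CA key type, not its strength, so the SHA256 outcome rests entirely on the ordering of the list read from `constraint.params.signingAlgsAllowed` or `ca.profiles.defaultSigningAlgsAllowed`; a comment on the first-match loop such as `// first key-type-compatible entry wins: the strongest algorithm must be listed first in signingAlgsAllowed` would make that contract visible to whoever edits the profiles. Minor: `FileNotFoundException` in the throws clause is already covered by `IOException`, the trailing `+` concatenations produce messages with no space before "Algorithm", and "specfied" is a typo.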