Bug 504061

Summary: ECC: unable to install subsystems (sub-CA, DRM, TKS, etc.) for an ECC CA
Product: [Retired] Dogtag Certificate System Reporter: Christina Fu <cfu>
Component: ECC Assignee: Christina Fu <cfu>
Status: CLOSED CURRENTRELEASE QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium Docs Contact:
Priority: high    
Version: unspecified CC: alee, awnuk, benl, dlackey, mharmsen, msauton, rrelyea, tao
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-04 19:55:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 445047    
Attachments: fix - phase 1 (flags: none)

Description Christina Fu 2009-06-04 01:34:40 UTC
When an ECC CA is set up (with the bug fix from https://bugzilla.redhat.com/show_bug.cgi?id=455305), no subsystems can be hooked onto the same security domain.

The reason is that all the certs on the same system share the same key type. So, during the installation of a CA, if you select "ECC" then all the system certs (CA signing, SSL server, OCSP signing, subsystem, etc.) are ECC certs.

With an ECC SSL server cert, only ECC-aware clients can establish a connection with it. So, in the case when one tries to install a subordinate CA, for example, the connection to the security domain (admin port) will fail because it tries to use SSL server auth.
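Added example (not from this bug or from Dogtag): a small Python check that reads a `certutil -L` dump like the ones in the verification comments and reports the key type and named curve by decoding the DER OID that certutil prints under "Args:", so an operator can confirm which system certs are EC (and on which curve) before trying to attach subsystems to the security domain. The function names and the curve table are this example's own.

```python
"""Report key type and named curve from a certutil -L certificate dump."""
import re

# Named-curve OIDs (SECG / ANSI X9.62 arcs) as shown by certutil under "Args:".
CURVES = {
    "1.2.840.10045.3.1.7": "prime256v1 (NIST P-256)",
    "1.3.132.0.34": "secp384r1 (NIST P-384)",
    "1.3.132.0.35": "secp521r1 (NIST P-521)",
    "1.3.132.0.38": "sect571k1 (NIST K-571)",
}

def decode_oid(der):
    """Decode a DER OBJECT IDENTIFIER (tag 0x06 + length + body) to dotted form."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("not a single DER-encoded OID")
    body = der[2:]
    first = body[0]                       # first byte packs the first two arcs
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in body[1:]:                    # base-128 arcs, high bit = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:                             # last byte still had its continue bit
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)

def key_info(dump):
    """Return (key_type, curve_or_None) parsed from certutil -L -n output."""
    alg = re.search(r"Public Key Algorithm:\s*(.+)", dump)
    if not alg:
        raise ValueError("no Subject Public Key Info in dump")
    if "elliptic curve" not in alg.group(1):
        return ("RSA" if "RSA" in alg.group(1) else "other", None)
    args = re.search(r"Args:\s+([0-9a-fA-F:]+)", dump)
    oid = decode_oid(bytes.fromhex(args.group(1).replace(":", "")))
    return ("EC", CURVES.get(oid, oid))   # unknown curves fall back to the OID

# Constructed sample: the relevant lines of the OCSP signing cert dump above.
SAMPLE = """\
        Subject Public Key Info:
            Public Key Algorithm: X9.62 elliptic curve public key
                Args:
                    06:05:2b:81:04:00:26
            EC Public Key:
                Curve: SECG elliptic curve sect571k1 (aka NIST K-571)
"""

if __name__ == "__main__":
    print(key_info(SAMPLE))               # ('EC', 'sect571k1 (NIST K-571)')
```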

Comment 28 Kashyap Chamarthy 2011-01-24 17:41:46 UTC
VERIFIED for other subsystems like OCSP, KRA successfully.

1/ successful ECC OCSP installation and OCSP signing cert in EC

#############################################
[root@beta ~]# certutil -L -d /var/lib/pki-ocsp-in1/alias/ -h nethsm2k -n "nethsm2k:ocspSigningCert cert-pki-ocsp-in1"
Enter Password or Pin for "nethsm2k":
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Signature Algorithm: X9.62 ECDSA signature with SHA256
        Issuer: "CN=Certificate Authority,OU=pki-ca-in1,O=DsdevSjcRedhat Doma
            in in1"
        Validity:
            Not Before: Mon Jan 24 13:26:46 2011
            Not After : Sun Jan 13 13:26:46 2013
        Subject: "CN=OCSP Signing Certificate,OU=pki-ocsp-in1,O=DsdevSjcRedha
            t Domain in1"
        Subject Public Key Info:
            Public Key Algorithm: X9.62 elliptic curve public key
                Args:
                    06:05:2b:81:04:00:26
            EC Public Key:
                PublicValue:
                    04:01:cd:69:4a:23:fc:b4:51:0b:0d:17:3d:ff:ef:fb:
                    6c:7d:3d:f1:20:58:04:98:e8:f6:18:ac:c5:9f:96:d2:
                    b4:62:c3:cb:66:57:f7:dc:9d:39:1c:98:bf:83:cc:3a:
                    f5:d1:9d:e9:c6:d7:a2:83:19:12:48:02:cc:9b:18:1e:
                    d5:53:c9:fb:a4:0f:ea:06:0a:05:1a:e3:35:15:b3:7c:
                    5b:14:77:b4:8c:cd:1e:52:22:49:34:ae:b9:cd:1e:5a:
                    cd:e8:c7:b0:09:20:30:85:9e:3e:ef:ba:48:e0:af:47:
                    0b:73:71:d0:b9:da:88:92:34:77:9c:87:4e:cf:a2:ba:
                    95:d1:47:34:43:39:62:56:d2:b0:bf:5b:57:7a:77:27:
                    07
                Curve: SECG elliptic curve sect571k1 (aka NIST K-571)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                ec:0c:f6:06:f0:58:5d:12:d3:60:94:c6:15:f6:d2:82:
                f4:9c:d8:6d

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://beta.dsdev.sjc.redhat.com:51380/ca/ocsp"

            Name: Extended Key Usage
                OCSP Responder Certificate

            Name: OCSP No Check Extension
            Data: NULL

    Signature Algorithm: X9.62 ECDSA signature with SHA256
    Signature:
        30:81:87:02:41:63:f6:64:86:5c:38:c4:2b:c8:34:f4:
        ab:5a:32:b9:1b:dc:e3:46:99:c1:ef:0c:6e:ad:0c:44:
        bf:ec:7c:3a:ea:0f:af:d4:3d:bb:6f:8d:d1:b1:3b:87:
        a4:cb:f1:f5:84:17:09:0a:cd:71:4d:60:46:2d:f6:59:
        3a:55:f7:29:5e:7a:02:42:01:76:14:14:17:c5:f7:26:
        b5:82:ec:48:f0:0a:fd:64:ce:e5:d7:d0:e8:4d:a5:a3:
        44:e6:71:7f:5c:8c:7d:18:88:83:80:4b:92:5e:ae:f7:
        02:37:94:0c:ce:71:da:38:49:52:a5:68:49:94:65:0e:
        61:4b:99:51:2f:0a:9e:31:cc:74
    Fingerprint (MD5):
        40:90:23:8A:BB:26:EF:82:82:15:C0:11:AF:61:F1:EC
    Fingerprint (SHA1):
        5C:AA:E6:CE:C7:FC:C8:62:6A:0C:8E:A5:C4:FF:49:51:3F:07:EE:B3

    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

#############################################

2/ Successful ECC DRM (storage cert)

#############################################
[root@beta alias]# certutil -L -d /var/lib/pki-kraink1/alias/ -h nethsm2k -n "nethsm2k:storageCert cert-pki-kraink1"
Enter Password or Pin for "nethsm2k":
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 16 (0x10)
        Signature Algorithm: X9.62 ECDSA signature with SHA256
        Issuer: "CN=Certificate Authority,OU=pki-ca-in1,O=DsdevSjcRedhat Doma
            in in1"
        Validity:
            Not Before: Mon Jan 24 15:45:23 2011
            Not After : Sun Jan 13 15:45:23 2013
        Subject: "CN=DRM Storage Certificate,OU=pki-kraink1,O=DsdevSjcRedhat 
            Domain in1"
        Subject Public Key Info:
            Public Key Algorithm: X9.62 elliptic curve public key
                Args:
                    06:05:2b:81:04:00:23
            EC Public Key:
                PublicValue:
                    04:01:1a:df:7d:2e:4b:54:ee:e2:0c:e4:11:72:73:a2:
                    1d:f6:0f:e3:8d:36:1d:60:5f:d0:80:f2:12:cb:8b:b7:
                    01:51:bc:94:38:eb:2e:03:fe:b7:38:0c:e9:60:72:52:
                    70:88:90:67:b0:65:03:42:79:c5:25:b8:79:67:59:bf:
                    44:2e:76:00:26:e1:4e:67:86:62:8e:9b:8a:e9:c9:b2:
                    5f:f1:c0:f5:f5:0e:ea:c9:48:a4:11:dd:19:00:fa:a1:
                    1c:d4:ee:59:5c:d4:fb:0a:56:7f:90:b7:4f:68:e0:7b:
                    44:c7:34:0e:1d:f3:9a:b1:3e:d8:5c:c8:f6:3b:f5:f6:
                    27:94:0d:81:71
                Curve: SECG elliptic curve secp521r1 (aka NIST P-521)

#####################################################