Description of problem: This is split off from the original bug to add these features to the installation wizard. Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
Created attachment 472892 [details] patch to fix This patch fixes this bug and the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=658641
Doc/ QE: It is now possible to specify key type, size (for RSA), curvename (ECC), signing algorithm (for selected CA, OSCP, KRA certs), key algorithm (what the CA cert is signed with) - as is available in the install wizard. Most folks will not specify all these things and so all these parameters are optional. For the purposes of documentation, the following parameters have been added/changed on the pkisilent invocation. CA: -key_type <string> Key type [RSA,ECC] (optional, default is RSA) -key_size <string> Key Size (optional, for RSA default is 2048) -key_curvename <string> Key Curve Name (optional, for ECC default is nistp256) -key_algorithm <string> Key algorithm of the CA certificate (optional, default is SHA256withRSA for RSA and SHA256withEC for ECC) -signing_algorithm <string> Signing algorithm (optional, default is key_algorithm) -signing_key_type <string> Key type [RSA,ECC] (optional, default is RSA) -signing_key_size <string> Key Size (optional, for RSA default is 2048) -signing_key_curvename <string> Key Curve Name (optional, for ECC default is nistp256) -signing_signingalgorithm <string> Algorithm used be CA cert to sign objects (optional, default is signing_algorithm) -ocsp_signing_key_type <string> Key type [RSA,ECC] (optional, default is RSA) -ocsp_signing_key_size <string> Key Size (optional, for RSA default is 2048) -ocsp_signing_key_curvename <string> Key Curve Name (optional, for ECC default is nisp) -ocsp_signing_signingalgorithm <string> Algorithm used by the OCSP signing cert to sign objects (optional, default is signing_algorithm) -audit_signing_key_type <string> Key type [RSA,ECC] (optional, default is RSA) -audit_signing_key_size <string> Key Size (optional, for RSA default is 2048) -audit_signing_key_curvename <string> Key Curve Name (optional, for ECC default is nistp256) -subsystem_key_type <string> Key type [RSA,ECC] (optional, default is RSA) -subsystem_key_size <string> Key Size (optional, for RSA default is 2048) -subsystem_key_curvename <string> Key Curve Name (optional, for ECC default is nistp256) -sslserver_key_type <string> Key type [RSA,ECC] (optional, default is RSA) -sslserver_key_size <string> Key Size (optional, for RSA default is 2048) -sslserver_key_curvename <string> Key Curve Name (optional, for ECC default is nistp256) Note that key_type and key_size are now optional. DRM: -key_type <string> Key type [RSA,ECC] (optional, default is RSA) -key_size <string> Key Size (optional, for RSA default is 2048) -key_curvename <string> Key Curve Name (optional, for ECC default is nistp256) -signing_algorithm <string> Signing algorithm (optional, default is SHA256withRSA for RSA and SHA256withEC for ECC) -transport_key_type <string> Key type [RSA,ECC] (optional, default is RSA) -transport_key_size <string> Key Size (optional, for RSA default is 2048) -transport_key_curvename <string> Key Curve Name (optional, for ECC default is nistp256) -transport_signingalgorithm <string> Algorithm used by the transport cert to sign objects (optional, default is signing_algorithm) -storage_key_type <string> Key type [RSA,ECC] (optional, default is RSA) -storage_key_size <string> Key Size (optional, for RSA default is 2048) -storage_key_curvename <string> Key Curve Name (optional, for ECC default is nisp) -audit_signing_key_type <string> Key type [RSA,ECC] (optional, default is RSA) -audit_signing_key_size <string> Key Size (optional, for RSA default is 2048) -audit_signing_key_curvename <string> Key Curve Name (optional, for ECC default is nistp256) -subsystem_key_type <string> Key type [RSA,ECC] (optional, default is RSA) -subsystem_key_size <string> Key Size (optional, for RSA default is 2048) -subsystem_key_curvename <string> Key Curve Name (optional, for ECC default is nistp256) -sslserver_key_type <string> Key type [RSA,ECC] (optional, default is RSA) -sslserver_key_size <string> Key Size (optional, for RSA default is 2048) -sslserver_key_curvename <string> Key Curve Name (optional, for ECC default is nistp256) TKS: -key_type <string> Key type [RSA,ECC] (optional, default is RSA) -key_size <string> Key Size (optional, for RSA default is 2048) -key_curvename <string> Key Curve Name (optional, for ECC default is nistp256) -audit_signing_key_type <string> Key type [RSA,ECC] (optional, default is RSA) -audit_signing_key_size <string> Key Size (optional, for RSA default is 2048) -audit_signing_key_curvename <string> Key Curve Name (optional, for ECC default is nistp256) -subsystem_key_type <string> Key type [RSA,ECC] (optional, default is RSA) -subsystem_key_size <string> Key Size (optional, for RSA default is 2048) -subsystem_key_curvename <string> Key Curve Name (optional, for ECC default is nistp256) -sslserver_key_type <string> Key type [RSA,ECC] (optional, default is RSA) -sslserver_key_size <string> Key Size (optional, for RSA default is 2048) -sslserver_key_curvename <string> Key Curve Name (optional, for ECC default is nistp256) OCSP: -key_type <string> Key type [RSA,ECC] (optional, default is RSA) -key_size <string> Key Size (optional, for RSA default is 2048) -key_curvename <string> Key Curve Name (optional, for ECC default is nistp256) -signing_algorithm <string> Signing algorithm (optional, default is SHA256withRSA for RSA and SHA256withEC for ECC) -signing_key_type <string> Key type [RSA,ECC] (optional, default is RSA) -signing_key_size <string> Key Size (optional, for RSA default is 2048) -signing_key_curvename <string> Key Curve Name (optional, for ECC default is nistp256) -signing_signingalgorithm <string> Algorithm used be ocsp signing cert to sign objects (optional, default is signing_algorithm) -audit_signing_key_type <string> Key type [RSA,ECC] (optional, default is RSA) -audit_signing_key_size <string> Key Size (optional, for RSA default is 2048) -audit_signing_key_curvename <string> Key Curve Name (optional, for ECC default is nistp256) -subsystem_key_type <string> Key type [RSA,ECC] (optional, default is RSA) -subsystem_key_size <string> Key Size (optional, for RSA default is 2048) -subsystem_key_curvename <string> Key Curve Name (optional, for ECC default is nistp256) -sslserver_key_type <string> Key type [RSA,ECC] (optional, default is RSA) -sslserver_key_size <string> Key Size (optional, for RSA default is 2048) -sslserver_key_curvename <string> Key Curve Name (optional, for ECC default is nistp256) subCA: -key_type <string> Key type [RSA,ECC] (optional, default is RSA) -key_size <string> Key Size (optional, for RSA default is 2048) -key_curvename <string> Key Curve Name (optional, for ECC default is nistp256) -key_algorithm <string> Key algorithm of the CA certificate (optional, default is SHA256withRSA for RSA and SHA256withEC for ECC) -signing_algorithm <string> Signing algorithm (optional, default is key_algorithm) -signing_key_type <string> Key type [RSA,ECC] (optional, default is RSA) -signing_key_size <string> Key Size (optional, for RSA default is 2048) -signing_key_curvename <string> Key Curve Name (optional, for ECC default is nistp256) -signing_signingalgorithm <string> Algorithm used be CA cert to sign objects (optional, default is signing_algorithm) -ocsp_signing_key_type <string> Key type [RSA,ECC] (optional, default is RSA) -ocsp_signing_key_size <string> Key Size (optional, for RSA default is 2048) -ocsp_signing_key_curvename <string> Key Curve Name (optional, for ECC default is nisp) -ocsp_signing_signingalgorithm <string> Algorithm used by the OCSP signing cert to sign objects (optional, default is signing_algorithm) -audit_signing_key_type <string> Key type [RSA,ECC] (optional, default is RSA) -audit_signing_key_size <string> Key Size (optional, for RSA default is 2048) -audit_signing_key_curvename <string> Key Curve Name (optional, for ECC default is nistp256) -subsystem_key_type <string> Key type [RSA,ECC] (optional, default is RSA) -subsystem_key_size <string> Key Size (optional, for RSA default is 2048) -subsystem_key_curvename <string> Key Curve Name (optional, for ECC default is nistp256) -sslserver_key_type <string> Key type [RSA,ECC] (optional, default is RSA) -sslserver_key_size <string> Key Size (optional, for RSA default is 2048) -sslserver_key_curvename <string> Key Curve Name (optional, for ECC default is nistp256)
8.1: -bash-3.2$ svn ci -m "Bugzilla BZ645895 and 658641: ECC curves and passwords with special chars" Sending silent/src/ca/ConfigureCA.java Sending silent/src/drm/ConfigureDRM.java Sending silent/src/ocsp/ConfigureOCSP.java Sending silent/src/ra/ConfigureRA.java Sending silent/src/subca/ConfigureSubCA.java Sending silent/src/tks/ConfigureTKS.java Sending silent/src/tps/ConfigureTPS.java Transmitting file data ....... Committed revision 1725. tip: [vakwetu@dhcp231-121 silent]$ svn ci -m "Bugzilla BZ645895 and 658641: ECC curves and passwords with special chars" Sending silent/src/ca/ConfigureCA.java Sending silent/src/drm/ConfigureDRM.java Sending silent/src/ocsp/ConfigureOCSP.java Sending silent/src/ra/ConfigureRA.java Sending silent/src/subca/ConfigureSubCA.java Sending silent/src/tks/ConfigureTKS.java Sending silent/src/tps/ConfigureTPS.java Transmitting file data ....... Committed revision 1726.
Note to docs/ QE: The defaults are slightly different than previously posted. I will post only CA below, but the same applies to the other subsystems. To get an up-to-date usage, do pkisilent ConfigureCA -help -key_type <string> Key type [RSA,ECC] (optional, default is RSA) -key_size <string> Key Size (optional, for RSA default is 2048) -key_curvename <string> Key Curve Name (optional, for ECC default is nistp256) -key_algorithm <string> Key algorithm of the CA certificate (optional, default is SHA256withRSA for RSA and SHA256withEC for ECC) -signing_algorithm <string> Signing algorithm (optional, default is key_algorithm) -signing_key_type <string> Key type [RSA,ECC] (optional, default is key_type) -signing_key_size <string> Key Size (optional, for RSA default is key_size) -signing_key_curvename <string> Key Curve Name (optional, for ECC default is key_curvename) -signing_signingalgorithm <string> Algorithm used be CA cert to sign objects (optional, default is signing_algorithm) -ocsp_signing_key_type <string> Key type [RSA,ECC] (optional, default is key_type) -ocsp_signing_key_size <string> Key Size (optional, for RSA default is key_size) -ocsp_signing_key_curvename <string> Key Curve Name (optional, for ECC default is key_curvename) -ocsp_signing_signingalgorithm <string> Algorithm used by the OCSP signing cert to sign objects (optional, default is signing_algorithm) -audit_signing_key_type <string> Key type [RSA,ECC] (optional, default is key_type) -audit_signing_key_size <string> Key Size (optional, for RSA default is key_size) -audit_signing_key_curvename <string> Key Curve Name (optional, for ECC default is key_curvename) -subsystem_key_type <string> Key type [RSA,ECC] (optional, default is key_type) -subsystem_key_size <string> Key Size (optional, for RSA default is key_size) -subsystem_key_curvename <string> Key Curve Name (optional, for ECC default is key_curvename) -sslserver_key_type <string> Key type [RSA,ECC] (optional, default is key_type) -sslserver_key_size <string> Key Size (optional, for RSA default is key_size) -sslserver_key_curvename <string> Key Curve Name (optional, for ECC default is key_curvename)
On an i386 machine, I notice a 'Bad version number in .class file' when I try to get pkisilent ConfigureCA -help Note: on x86_64, this works fine... -------------------------------------------------------- [root@neo kashyap]# arch i686 [root@neo kashyap]# -------------------------- [root@neo kashyap]# pkisilent ConfigureCA -help libpath=/usr/lib Exception in thread "main" java.lang.UnsupportedClassVersionError: Bad version number in .class file at java.lang.ClassLoader.defineClass1(Native Method) at java.lang.ClassLoader.defineClass(ClassLoader.java:620) at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:124) at java.net.URLClassLoader.defineClass(URLClassLoader.java:260) at java.net.URLClassLoader.access$100(URLClassLoader.java:56) at java.net.URLClassLoader$1.run(URLClassLoader.java:195) at java.security.AccessController.doPrivileged(Native Method) at java.net.URLClassLoader.findClass(URLClassLoader.java:188) at java.lang.ClassLoader.loadClass(ClassLoader.java:306) at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:268) at java.lang.ClassLoader.loadClass(ClassLoader.java:251) at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319) ####################################################################### ####################################################################### [root@neo kashyap]# cat /etc/redhat-release Red Hat Enterprise Linux Server release 5.6 Beta (Tikanga) [root@neo kashyap]# rpm -q pki-silent pki-silent-8.1.0-1.el5pki [root@neo kashyap]# rpm -qi pki-silent | head Name : pki-silent Relocations: (not relocatable) Version : 8.1.0 Vendor: Red Hat, Inc. Release : 1.el5pki Build Date: Wed 26 Jan 2011 02:50:54 AM PST Install Date: Thu 27 Jan 2011 01:03:39 AM PST Build Host: heath.dsdev.sjc.redhat.com Group : System Environment/Shells Source RPM: pki-silent-8.1.0-1.el5pki.src.rpm --------------------------------------------------------