authorChristina Fu <cfu@redhat.com>2012-08-16 11:54:50 -0700
committerChristina Fu <cfu@redhat.com>2012-08-16 11:54:50 -0700
commitbfa7788127c6eca54668556517981fe45528daaf (patch)
treeb5a706ad4080e23dc9e30cc6d5f8f890e69bd07b
parent7a5b5b06052a3432e1aec0aec8906cd5941f6fd9 (diff)
downloadpki-bfa7788127c6eca54668556517981fe45528daaf.tar.gz
pki-bfa7788127c6eca54668556517981fe45528daaf.tar.xz
pki-bfa7788127c6eca54668556517981fe45528daaf.zip
https://fedorahosted.org/pki/ticket/238
TPS installation wizard: SizePanel needs to support ECC curve selection
-rw-r--r--base/tps/doc/CS.cfg.in6
-rwxr-xr-xbase/tps/lib/perl/PKI/TPS/SizePanel.pm97
-rw-r--r--dogtag/tps-ui/shared/docroot/tps/admin/console/config/sizepanel.vm125
3 files changed, 177 insertions, 51 deletions
diff --git a/base/tps/doc/CS.cfg.in b/base/tps/doc/CS.cfg.in
index e712934c9..838b08fb0 100644
--- a/base/tps/doc/CS.cfg.in
+++ b/base/tps/doc/CS.cfg.in
@@ -377,7 +377,7 @@ preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA
preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[PKI_INSTANCE_ID]
preop.cert.sslserver.keysize.customsize=2048
preop.cert.sslserver.keysize.size=2048
-preop.cert.sslserver.keysize.select=custom
+preop.cert.sslserver.keysize.select=default
preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
preop.cert.sslserver.profile=caInternalAuthServerCert
preop.cert.sslserver.subsystem=tps
@@ -388,7 +388,7 @@ preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
preop.cert.subsystem.dn=CN=TPS Subsystem Certificate, OU=[PKI_INSTANCE_ID]
preop.cert.subsystem.keysize.customsize=2048
preop.cert.subsystem.keysize.size=2048
-preop.cert.subsystem.keysize.select=custom
+preop.cert.subsystem.keysize.select=default
preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
preop.cert.subsystem.profile=caInternalAuthSubsystemCert
preop.cert.subsystem.subsystem=tps
@@ -399,7 +399,7 @@ preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA
preop.cert.audit_signing.dn=CN=TPS Audit Signing Certificate, OU=[PKI_INSTANCE_ID]
preop.cert.audit_signing.keysize.customsize=2048
preop.cert.audit_signing.keysize.size=2048
-preop.cert.audit_signing.keysize.select=custom
+preop.cert.audit_signing.keysize.select=default
preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID]
preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert
preop.cert.audit_signing.subsystem=tps
diff --git a/base/tps/lib/perl/PKI/TPS/SizePanel.pm b/base/tps/lib/perl/PKI/TPS/SizePanel.pm
index 8ac49b68d..88d7fef79 100755
--- a/base/tps/lib/perl/PKI/TPS/SizePanel.pm
+++ b/base/tps/lib/perl/PKI/TPS/SizePanel.pm
@@ -91,13 +91,21 @@ sub update
my $select = $q->param($certtag.'_choice');
my $keytype = $q->param($certtag.'_keytype');
my $size = $q->param($certtag.'_custom_size');
+ my $defaultSize = getDefaultSize($keytype);
&PKI::TPS::Wizard::debug_log("SizePanel: update $certtag _choice=$select $certtag _keytype=$keytype customsize= $size");
$::config->put("preop.keysize.select", $select);
$::config->put("preop.cert.".$certtag.".keysize.select", $select);
- if (! isSupportedSize($keytype, $size)) {
+ # sizematch is for checking if it's supported
+ my $sizematch = "";
+ if ($select eq "default") {
+ $sizematch = "$defaultSize";
+ } else {
+ $sizematch = "$size";
+ }
+ if (! isSupportedSize($keytype, $sizematch)) {
&PKI::TPS::Wizard::debug_log("SizePanel: update size $size not supported");
return 0;
}
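Review bot: The rejection log line still reports `$size` although `$sizematch` is the value that was actually checked, so when the default strength is rejected the log shows the unrelated (possibly empty) custom field; change it to `&PKI::TPS::Wizard::debug_log("SizePanel: update size $sizematch not supported");`. `$select` is also persisted by the two put() calls before any validation, and every value other than `default` is treated as custom, so checking `$select` against the two expected values before the put() would keep CS.cfg consistent with what was validated. If getDefaultSize has no fallback branch for an unknown `$keytype` (its end lies outside the hunk at @@ -134), `"$defaultSize"` here becomes an empty string plus an uninitialized-value warning rather than a clear error. The enclosing `update` continues past this hunk.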
@@ -105,7 +113,6 @@ sub update
$::config->put("preop.cert.".$certtag.".keytype", $keytype);
if ($select eq "default") {
- my $defaultSize = getDefaultSize($keytype);
&PKI::TPS::Wizard::debug_log("SizePanel: update in default, defaultsize = $defaultSize");
$::config->put("preop.keysize.customsize", $defaultSize);
$::config->put("preop.keysize.size", $defaultSize);
@@ -134,7 +141,7 @@ sub getDefaultSize {
my $keytype = $_[0];
if ($keytype eq "ecc") {
- return 256;
+ return "nistp256";
} elsif ($keytype eq "rsa") {
return 2048;
}
@@ -147,26 +154,48 @@ sub isSupportedSize {
my $keytype = $_[0];
my $size = $_[1];
- if (($keytype eq "ecc") && ($size ne "256")) {
- &PKI::TPS::Wizard::debug_log("SizePanel: isSupportedSize ECC only supports size 256");
- $::symbol{errorString} = "Unsupported Size $size. ECC only supports size 256";
+ if ($keytype eq "ecc") {
+ my $keys_ecc_curve_list = $::config->get("keys.ecc.curve.list");
+ if ($keys_ecc_curve_list eq "") {
+ $keys_ecc_curve_list = "nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2";
+ }
+ my @curves = split(/,/, $keys_ecc_curve_list);
+ my $numcurves = @curves;
+ foreach my $curve (@curves) {
+ if ($size eq $curve) {
+ #found curve
+ return 1;
+ }
+ }
+ &PKI::TPS::Wizard::debug_log("SizePanel: isSupportedSize: curve $size unsupported");
+ $::symbol{errorString} = "Unsupported curve $size. ECC only supports the the curves listed in Details";
return 0;
- }
+ } else {
+ #RSA
+ my $keys_rsa_size_list = $::config->get("keys.rsa.size.list");
+ if ($keys_rsa_size_list eq "") {
+ $keys_rsa_size_list = "1024,2048,3072,4096";
+ }
+ my @strengths = split(/,/, $keys_rsa_size_list);
+ my $numstrengths = @strengths;
+ foreach my $strength (@strengths) {
+ if ($size eq $strength) {
+ #found strength
+ return 1;
+ }
+ }
- if (($size eq "256") || ($size eq "512") || ($size eq "1024") ||
- ($size eq "2048") || ($size eq "4096")) {
- return 1;
+ # wrong size
+ $::symbol{errorString} = "Unsupported Size $size. RSA only supports the sizes listed in Details";
+ return 0;
}
- # wrong size
- $::symbol{errorString} = "Unsupported Size $size. RSA only supports sizes 256, 512, 1024, 2048, and 4096";
- return 0;
}
sub display
{
my ($q) = @_;
- &PKI::TPS::Wizard::debug_log("SizePanel: display");
+ &PKI::TPS::Wizard::debug_log("SizePanel: display begins");
my $done = $::config->get("preop.SizePanel.done");
&PKI::TPS::Wizard::debug_log("SizePanel: display is panel done? $done");
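Review bot: Any key type other than `ecc` falls into the `else` branch, so an unexpected `_keytype` request value is validated against the RSA size list and then stored by update() as the certificate's key type; make the branch explicit with `} elsif ($keytype eq "rsa") {` and add a final `else` that sets `$::symbol{errorString}` and returns 0. `$numcurves` and `$numstrengths` are assigned and never used, and each search loop reduces to `return 1 if grep { $_ eq $size } @curves;`. The curve error string reads `the the curves`. Because `$size` is a request parameter echoed into `$::symbol{errorString}` and rendered inline by sizepanel.vm, confirm that the template output escapes it; if it does not, report only that the value was rejected rather than echoing it.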
@@ -217,26 +246,54 @@ sub display
&PKI::TPS::Wizard::debug_log("SizePanel: display keysize select= $select");
$::symbol{select} = $select;
}
+
my $default_size = $::config->get("preop.keysize.size");
if ($default_size eq "") {
$::symbol{default_keysize} = 2048;
} else {
$::symbol{default_keysize} = $default_size;
}
+
+ #keys.ecc.curve.default=nistp256
+ #keys.ecc.curve.display.list=nistp256 (secp256r1),nistp384 (secp384r1),nistp521 (secp521r1),nistk163 (sect163k1),sect163r1,nistb163 (sect163r2),sect193r1,sect193r2,nistk233 (sect233k1),nistb233 (sect233r1),sect239k1,nistk283 (sect283k1),nistb283 (sect283r1),nistk409 (sect409k1),nistb409 (sect409r1),nistk571 (sect571k1),nistb571 (sect571r1),secp160k1,secp160r1,secp160r2,secp192k1,nistp192 (secp192r1, prime192v1),secp224k1,nistp224 (secp224r1),secp256k1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
+ #keys.ecc.curve.list=nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
+ my $keys_ecc_curve_list = $::config->get("keys.ecc.curve.list");
+ if ($keys_ecc_curve_list eq "") {
+ $::symbol{keys_ecc_curve_list} = "nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2";
+ } else {
+ $::symbol{keys_ecc_curve_list} = $keys_ecc_curve_list;
+ }
+
+ my $keys_ecc_curve_display_list = $::config->get("keys.ecc.curve.display.list");
+ if ($keys_ecc_curve_display_list eq "") {
+ $::symbol{keys_ecc_curve_display_list} = "nistp256 (secp256r1),nistp384 (secp384r1),nistp521 (secp521r1),nistk163 (sect163k1),sect163r1,nistb163 (sect163r2),sect193r1,sect193r2,nistk233 (sect233k1),nistb233 (sect233r1),sect239k1,nistk283 (sect283k1),nistb283 (sect283r1),nistk409 (sect409k1),nistb409 (sect409r1),nistk571 (sect571k1),nistb571 (sect571r1),secp160k1,secp160r1,secp160r2,secp192k1,nistp192 (secp192r1, prime192v1),secp224k1,nistp224 (secp224r1),secp256k1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2"
+ } else {
+ $::symbol{keys_ecc_curve_display_list} = $keys_ecc_curve_display_list;
+ }
+
my $default_ecc_size = $::config->get("preop.keysize.ecc.size");
- if ($default_ecc_size eq "") {
- $::symbol{default_ecc_keysize} = 256;
+ if (($default_ecc_size eq "") || ($default_ecc_size eq "256")) {
+ $::symbol{default_ecc_curvename} = "nistp256";
} else {
- $::symbol{default_ecc_keysize} = $default_ecc_size;
+ $::symbol{default_ecc_curvename} = $default_ecc_size;
}
my $custom_size = $::config->get("preop.keysize.customsize");
- if ($custom_size eq "") {
- $::symbol{custom_size} = 2048;
+#just leave custom size blank if not set
+ if ($custom_size ne "") {
+ $::symbol{custom_size} = $custom_size;
+ } else {
+ $::symbol{custom_size} = "enter size for RSA or curve name for ECC";
+ }
+
+ my $keys_rsa_size_display_list = $::config->get("keys.rsa.size.list");
+ if ($keys_rsa_size_display_list eq "") {
+ $::symbol{keys_rsa_size_display_list} = "1024,2048,3072,4096";
} else {
- $::symbol{custom_size} = $default_size;
+ $::symbol{keys_rsa_size_display_list} = $keys_rsa_size_display_list;
}
+ &PKI::TPS::Wizard::debug_log("SizePanel: display ends");
return 1;
}
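Review bot: The default ECC curve list is now copied verbatim three times in this file (the fallback in isSupportedSize, the fallback here, and the commented-out `#keys.ecc.curve.list=` line above it) and the RSA list twice, so the allow-list used for validation and the list shown to the user can silently diverge; hoist each into one package-level value such as `my $DEFAULT_ECC_CURVE_LIST = "…";` and reference it from both subs. The three commented-out `#keys.ecc.curve.*` lines duplicate the fallbacks and should be dropped. The assignment in the display-list `if` branch is missing its trailing semicolon (legal before `}` but fragile under later edits). The display default also contains `nistp192 (secp192r1, prime192v1)`, a comma inside parentheses, which the template's comma split will cut in two.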
diff --git a/dogtag/tps-ui/shared/docroot/tps/admin/console/config/sizepanel.vm b/dogtag/tps-ui/shared/docroot/tps/admin/console/config/sizepanel.vm
index eeb62f6d8..72c095491 100644
--- a/dogtag/tps-ui/shared/docroot/tps/admin/console/config/sizepanel.vm
+++ b/dogtag/tps-ui/shared/docroot/tps/admin/console/config/sizepanel.vm
@@ -1,17 +1,18 @@
<!-- --- BEGIN COPYRIGHT BLOCK ---
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; version 2 of the License.
-
- This program is distributed in the hope that it will be useful,
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation.
+
+ This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License along
- with this program; if not, write to the Free Software Foundation, Inc.,
- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with this library; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ Boston, MA 02110-1301 USA
+
Copyright (C) 2007 Red Hat, Inc.
All rights reserved.
--- END COPYRIGHT BLOCK --- -->
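Review bot: The license header is rewritten from GPL version 2 to LGPL in a commit whose subject is ECC curve selection for SizePanel, and neither the subject nor ticket 238 mentions a relicensing. If the change is intended, it belongs in its own commit with the reasoning recorded; if it is a copy-paste from another file's header, it should be reverted here.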
@@ -29,6 +30,10 @@ div#simple
</style>
<SCRIPT type="text/JavaScript">
+var keys_ecc_curve_list="$keys_ecc_curve_list";
+var keys_ecc_curve_display_list = "$keys_ecc_curve_display_list";
+var keys_rsa_size_display_list = "$keys_rsa_size_display_list";
+
function myOnLoad() {
}
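Review bot: The three list values are interpolated straight into JavaScript string literals, so a `keys.ecc.curve.list` or `keys.rsa.size.list` value containing a double quote or backslash would terminate the literal and break every script on the panel. These come from CS.cfg rather than from the request, so the exposure is breakage rather than injection, but restricting the values in display() to the expected character set before placing them in `$::symbol` (or emitting them as a JSON-encoded value) would make the page robust. `keys_ecc_curve_list` is not referenced by any function in the hunks shown; only the display list and the RSA list are used by displayCurveList() and displayStrengthList().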
@@ -69,11 +74,14 @@ function toggleLayer1(whichLayer)
function keyTypeChange()
{
var form = document.forms[0];
+
var keyTypeSelect = document.forms[0].elements['keytype'];
for (var i = 0; i < form.length; i++) {
var name = form[i].name;
if (name.indexOf('_keytype') != -1) {
- form.elements[name].selectedIndex = keyTypeSelect.selectedIndex;
+ if (keyTypeSelect.value.indexOf('ecc') != -1) {
+ form.elements[name].selectedIndex = keyTypeSelect.selectedIndex;
+ }
}
}
}
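Review bot: The new guard propagates the simple-mode key type to the per-certificate selects only when ECC is chosen, so switching back to RSA leaves the per-certificate selects on ECC, and for the RSA-only audit_signing select (a single option, added in the hunk at @@ -189) assigning selectedIndex 1 yields no selection at all. If the intent is to skip selects that do not offer the chosen type, guard on the option count instead: `if (keyTypeSelect.selectedIndex < form.elements[name].options.length) {`. A comment stating why audit_signing is excluded would also help, since the restriction is otherwise only visible in the markup further down.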
@@ -120,8 +128,41 @@ function textChange()
}
}
+function displayCurveList()
+{
+ var list = keys_ecc_curve_display_list.split(",");
+ var linelen = 0;
+ for (var i=0; i < list.length -1 ; i++) {
+ document.write(list[i] + ",");
+ linelen = linelen + list[i].length;
+ if (linelen >= 60) {
+ document.write("<br/>");
+ linelen=0;
+ }
+ }
+ document.write(list[list.length -1]);
+}
+
+function displayStrengthList()
+{
+ var list = keys_rsa_size_display_list.split(",");
+ var linelen = 0;
+ for (var i=0; i < list.length -1 ; i++) {
+ document.write(list[i] + ",");
+ linelen = linelen + list[i].length;
+ if (linelen >= 60) {
+ document.write("<br/>");
+ linelen=0;
+ }
+ }
+ document.write(list[list.length -1]);
+}
+
</SCRIPT>
Select the key pair type(s) and associated key pair size(s) from the pulldown menus. <a href="javascript:toggle_details();">[Details]</a>
+<p>
+Note that only RSA is supported for the audit_signing certificate at this point
+<p>
<SCRIPT type="text/JavaScript">
function toggle_details()
{
@@ -132,13 +173,32 @@ function toggle_details()
d.style.display="block";
}
}
-</script>
+</SCRIPT>
<div id=details style="display: none;">
-<p>
-Each key pair is comprised of a <b><i>key type</i></b> and a <b><i>key size</i></b>. Based upon the key type selected from the first pulldown menu, associated key sizes (in bits) will be selectable from the second pulldown menu.
-<p>
-Within each key pair type (but not comparable between two different key pair types), the size of the key is a measure of how secure a given system is (i.e. - the longer the key pair size, the more secure the system). Unfortunately, longer key pair sizes increase the time required to perform operations such as signing certificates.
-<p>
+<p>
+Each certificate can have its own key pair generated with its own independent settings or common settings can be applied to all key pairs. At minimum, each key pair has to define what <i>type</i> it is by identifying a cipher family and then has to set a <i>strength</i> for that key.
+</p>
+<ul>
+<li>
+<b><i>Key Type</i></b>. Sets the cipher family to use to generate the key pair. RSA and ECC key types have slightly different strength options.
+</li>
+<li>
+<b><i>RSA strength: Key Size</i></b>. Sets the key length for the generated pair. The key length can be one of the lenghs listed below. Longer keys are stronger, which makes them more secure.
+However, longer key pair sizes also increase the time required to perform operations such as signing certificates, so long keys can affect performance.
+<br/><ul style="list-style:none"><li><i>
+<SCRIPT type="text/JavaScript">
+displayStrengthList();
+</SCRIPT></i></li></ul>
+</li>
+<li>
+<b><i>ECC strength: Curve Name</i></b>. Sets the curve algorithm to use, which can be any one of the curves listed below. The curves that are included in parenthesis are equivalent - and either name can be used. Note that not all curves may be supported by the token.
+<br/><ul style="list-style:none"><li><i>
+<SCRIPT type="text/JavaScript">
+displayCurveList();
+</SCRIPT></i></li></ul>
+</li>
+</ul>
+<br/>
</div>
#if ($errorString != "")
<img src="../img/icon_crit_update.gif">&nbsp;<font color="red">$errorString</font>
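Review bot: The new help text under RSA strength reads `one of the lenghs listed below`; it should be `lengths`. In the ECC paragraph, `in parenthesis` should be `in parentheses`, and the sentence stating that not all curves may be supported by the token is the one users will need most, so consider moving it to the start of that item.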
@@ -161,27 +221,30 @@ Within each key pair type (but not comparable between two different key pair typ
</tr>
</table>
<p>
+
+<p>
<input
#if ($select == "default")
checked
#end
- onChange="defaultChange()" type=radio name="choice" value="default"><b>Use the default key size ($default_keysize bits for RSA, $default_ecc_keysize bits for ECC)</b>.
+ onChange="defaultChange()" type=radio name="choice" value="default"><b>Use the default key size ($default_keysize bits for RSA; curve $default_ecc_curvename for ECC)</b>.
<p>
<input
#if ($select == "custom")
checked
#end
- onChange="customChange()" type=radio name="choice" value="custom"><b>Use the following custom key size:</b>
+ onChange="customChange()" type=radio name="choice" value="custom"><b>Use the following custom key strength:</b>
<p>
<table width=100% class="details">
<tr>
- <th>Key Size:</th>
- <td><input onChange="textChange()" type="text" size="20" name="custom_size" value="2048" /></td>
+ <th>Key Size or Curve (see Details above):</th>
+ <td><input onChange="textChange()" type="text" size="20" name="custom_size" value="" /></td>
</tr>
</table>
-</div>
<p>
+</div>
+
<div id="advance">
<p>
<table width=100%>
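Review bot: The simple-mode custom_size input now hard-codes `value=""`, which discards the `$custom_size` symbol that display() in SizePanel.pm still computes, so a previously saved custom size is no longer shown when the panel is revisited and the Perl-side placeholder text is never rendered. Use `value="$custom_size"` if the saved value should be restored, or drop the now-unused symbol on the Perl side so the two files agree. The same pattern appears in the per-certificate field in the hunk at @@ -203, where `$item.getCustomKeysize()` was removed.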
@@ -189,13 +252,18 @@ Within each key pair type (but not comparable between two different key pair typ
<td align=right><a href="javascript:toggleLayer1('simple');toggleLayer('advance');" title="Simple">[Simple]</a></td>
</tr>
</table>
+
#foreach ($item in $certs)
<H2>Key for $item.getUserFriendlyName()</H2>
<p>
<table width=100% class="details">
<tr>
<th width="30%">Key Type:</th>
+#if ($item.getCertTag() == "audit_signing")
+ <td><select name="$item.getCertTag()_keytype"><option value=rsa>RSA</option></select></td>
+#else
<td><select name="$item.getCertTag()_keytype"><option value=rsa>RSA</option><option value=ecc>ECC</option></select></td>
+#end
</tr>
</table>
<p>
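Review bot: The RSA-only restriction for audit_signing exists only in the rendered select; update() in SizePanel.pm (hunk at @@ -91) stores whatever `_keytype` value the request carries, so the restriction is not enforced where the configuration is written. Add the check server-side, e.g. in update() before the keytype put(): `if ($certtag eq "audit_signing" && $keytype ne "rsa") { $::symbol{errorString} = "audit_signing only supports RSA"; return 0; }`. The sentence above the Details link already tells users about the limitation, so the template and the Perl side would then agree.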
@@ -203,23 +271,24 @@ Within each key pair type (but not comparable between two different key pair typ
#if ($item.useDefaultKey())
checked
#end
- type=radio name=$item.getCertTag()_choice value="default"><b>Use the default key size ($default_keysize bits for RSA, $default_ecc_keysize bits for ECC).
+ type=radio name=$item.getCertTag()_choice value="default"><b>Use the default key size ($default_keysize bits for RSA, curve $default_ecc_curvename for ECC).
<p>
<input
#if (!$item.useDefaultKey())
checked
#end
- type=radio name=$item.getCertTag()_choice value="custom"><b>Use the following custom key size:</b>
+ type=radio name=$item.getCertTag()_choice value="custom"><b>Use the following custom key strength:</b>
<p>
<table width=100% class="details">
<tr>
- <th>Key Size:</th>
- <td><input type="text" size="20" name=$item.getCertTag()_custom_size value="$item.getCustomKeysize()" /></td>
+ <th>Key Size or Curve (see Details above):</th>
+ <td><input type="text" size="20" name=$item.getCertTag()_custom_size value="" /></td>
</tr>
</table>
#end
</div>
+
<br/>
<br/>
<br/>