[MAN] Apply 'generateCRMFRequest() removed from Firefox' workarounds to appropriate 'pki' man page

This fix will involve the following changes to the source tree.

1. Fixes to the CS.cfg to add two new cert profiles.
2. Make the caDualCert.cfg profile invisible since it has little chance of
working any more in Firefox.
3. Create caSigningUserCert.cfg and caSigningECUserCert.cfg to allow the CLI
to have convenient profiles from which to enroll signing ONLY certificates.

4 files changed, 178 insertions, 2 deletions

diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
index 288f0d519..68e79a48f 100644
--- a/base/ca/shared/conf/CS.cfg
+++ b/base/ca/shared/conf/CS.cfg
@@ -966,7 +966,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
 oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
 oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
 os.userid=nobody
-profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
+profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
 profile.caUUIDdeviceCert.class_id=caEnrollImpl
 profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg
 profile.caManualRenewal.class_id=caEnrollImpl
@@ -1037,6 +1037,10 @@ profile.caServerCert.class_id=caEnrollImpl
 profile.caServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caServerCert.cfg
 profile.caSignedLogCert.class_id=caEnrollImpl
 profile.caSignedLogCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSignedLogCert.cfg
+profile.caSigningECUserCert.class_id=caEnrollImpl
+profile.caSigningECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSigningECUserCert.cfg
+profile.caSigningUserCert.class_id=caEnrollImpl
+profile.caSigningUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSigningUserCert.cfg
 profile.caSimpleCMCUserCert.class_id=caEnrollImpl
 profile.caSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSimpleCMCUserCert.cfg
 profile.caSubsystemCert.class_id=caEnrollImpl
diff --git a/base/ca/shared/profiles/ca/caDualCert.cfg b/base/ca/shared/profiles/ca/caDualCert.cfg
index f90f78f6c..87036d194 100644
--- a/base/ca/shared/profiles/ca/caDualCert.cfg
+++ b/base/ca/shared/profiles/ca/caDualCert.cfg
@@ -1,5 +1,5 @@
 desc=This certificate profile is for enrolling dual user certificates. It works only with Netscape 7.0 or later.
-visible=true
+visible=false
 enable=true
 enableBy=admin
 name=Manual User Signing & Encryption Certificates Enrollment
diff --git a/base/ca/shared/profiles/ca/caSigningECUserCert.cfg b/base/ca/shared/profiles/ca/caSigningECUserCert.cfg
new file mode 100644
index 000000000..b410504a3
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caSigningECUserCert.cfg
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling user ECC signing certificates. It works only with the latest Firefox.
+visible=false
+enable=true
+enableBy=admin
+name=Manual User Signing ECC Certificate Enrollment
+auth.class_id=
+input.list=i1,i2,i3
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=subjectNameInputImpl
+input.i3.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=signingCertSet
+policyset.signingCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.signingCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.signingCertSet.1.constraint.name=Subject Name Constraint
+policyset.signingCertSet.1.constraint.params.pattern=CN=.*
+policyset.signingCertSet.1.constraint.params.accept=true
+policyset.signingCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.signingCertSet.1.default.name=Subject Name Default
+policyset.signingCertSet.1.default.params.name=
+policyset.signingCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.signingCertSet.2.constraint.name=Validity Constraint
+policyset.signingCertSet.2.constraint.params.range=365
+policyset.signingCertSet.2.constraint.params.notBeforeCheck=false
+policyset.signingCertSet.2.constraint.params.notAfterCheck=false
+policyset.signingCertSet.2.default.class_id=validityDefaultImpl
+policyset.signingCertSet.2.default.name=Validity Default
+policyset.signingCertSet.2.default.params.range=180
+policyset.signingCertSet.2.default.params.startTime=0
+policyset.signingCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.signingCertSet.3.constraint.name=Key Constraint
+policyset.signingCertSet.3.constraint.params.keyType=EC
+policyset.signingCertSet.3.constraint.params.keyParameters=nistp256,nistp521
+policyset.signingCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.signingCertSet.3.default.name=Key Default
+policyset.signingCertSet.4.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.4.constraint.name=No Constraint
+policyset.signingCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.signingCertSet.4.default.name=Authority Key Identifier Default
+policyset.signingCertSet.5.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.5.constraint.name=No Constraint
+policyset.signingCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.signingCertSet.5.default.name=AIA Extension Default
+policyset.signingCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.signingCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.signingCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.signingCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.signingCertSet.5.default.params.authInfoAccessCritical=false
+policyset.signingCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.signingCertSet.6.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.6.constraint.name=No Constraint
+policyset.signingCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.signingCertSet.6.default.name=Key Usage Default
+policyset.signingCertSet.6.default.params.keyUsageCritical=true
+policyset.signingCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.signingCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.signingCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.signingCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.signingCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.signingCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.signingCertSet.6.default.params.keyUsageCrlSign=false
+policyset.signingCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.signingCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.signingCertSet.7.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.7.constraint.name=No Constraint
+policyset.signingCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.signingCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.signingCertSet.7.default.params.exKeyUsageCritical=false
+policyset.signingCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.signingCertSet.8.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.8.constraint.name=No Constraint
+policyset.signingCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.signingCertSet.8.default.name=Subject Alt Name Constraint
+policyset.signingCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.signingCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.signingCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.signingCertSet.9.constraint.name=No Constraint
+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.signingCertSet.9.default.name=Signing Alg
+policyset.signingCertSet.9.default.params.signingAlg=-
+
diff --git a/base/ca/shared/profiles/ca/caSigningUserCert.cfg b/base/ca/shared/profiles/ca/caSigningUserCert.cfg
new file mode 100644
index 000000000..f197ffaa9
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caSigningUserCert.cfg
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling user signing certificates.
+visible=false
+enable=true
+enableBy=admin
+name=Manual User Signing Certificate Enrollment
+auth.class_id=
+input.list=i1,i2,i3
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=subjectNameInputImpl
+input.i3.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=signingCertSet
+policyset.signingCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.signingCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.signingCertSet.1.constraint.name=Subject Name Constraint
+policyset.signingCertSet.1.constraint.params.pattern=CN=.*
+policyset.signingCertSet.1.constraint.params.accept=true
+policyset.signingCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.signingCertSet.1.default.name=Subject Name Default
+policyset.signingCertSet.1.default.params.name=
+policyset.signingCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.signingCertSet.2.constraint.name=Validity Constraint
+policyset.signingCertSet.2.constraint.params.range=365
+policyset.signingCertSet.2.constraint.params.notBeforeCheck=false
+policyset.signingCertSet.2.constraint.params.notAfterCheck=false
+policyset.signingCertSet.2.default.class_id=validityDefaultImpl
+policyset.signingCertSet.2.default.name=Validity Default
+policyset.signingCertSet.2.default.params.range=180
+policyset.signingCertSet.2.default.params.startTime=0
+policyset.signingCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.signingCertSet.3.constraint.name=Key Constraint
+policyset.signingCertSet.3.constraint.params.keyType=RSA
+policyset.signingCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.signingCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.signingCertSet.3.default.name=Key Default
+policyset.signingCertSet.4.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.4.constraint.name=No Constraint
+policyset.signingCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.signingCertSet.4.default.name=Authority Key Identifier Default
+policyset.signingCertSet.5.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.5.constraint.name=No Constraint
+policyset.signingCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.signingCertSet.5.default.name=AIA Extension Default
+policyset.signingCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.signingCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.signingCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.signingCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.signingCertSet.5.default.params.authInfoAccessCritical=false
+policyset.signingCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.signingCertSet.6.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.6.constraint.name=No Constraint
+policyset.signingCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.signingCertSet.6.default.name=Key Usage Default
+policyset.signingCertSet.6.default.params.keyUsageCritical=true
+policyset.signingCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.signingCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.signingCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.signingCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.signingCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.signingCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.signingCertSet.6.default.params.keyUsageCrlSign=false
+policyset.signingCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.signingCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.signingCertSet.7.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.7.constraint.name=No Constraint
+policyset.signingCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.signingCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.signingCertSet.7.default.params.exKeyUsageCritical=false
+policyset.signingCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.signingCertSet.8.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.8.constraint.name=No Constraint
+policyset.signingCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.signingCertSet.8.default.name=Subject Alt Name Constraint
+policyset.signingCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.signingCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.signingCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.signingCertSet.9.constraint.name=No Constraint
+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.signingCertSet.9.default.name=Signing Alg
+policyset.signingCertSet.9.default.params.signingAlg=-
+