authorvakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-11-16 17:47:44 +0000
committervakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-11-16 17:47:44 +0000
commit16d2ce478d63a463c1f32ab3d84cc6146b5b609d (patch)
tree46081676c3b8b706adcbf9b5cc38514dc6edbfca /pki/base
parent79feb306610de68850e7821c677fd7f5e2075d87 (diff)
Bugzilla Bug 583754 - pki-silent needs an option to configure signing algorithm for CA certificates
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1507 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base')
-rw-r--r--pki/base/silent/src/ca/ConfigureCA.java43
-rw-r--r--pki/base/silent/src/subca/ConfigureSubCA.java41
-rwxr-xr-xpki/base/silent/templates/pki_silent.template18
-rwxr-xr-xpki/base/silent/templates/subca_silent.template13
4 files changed, 91 insertions, 24 deletions
diff --git a/pki/base/silent/src/ca/ConfigureCA.java b/pki/base/silent/src/ca/ConfigureCA.java
index e3a92dd88..616c2b5d8 100644
--- a/pki/base/silent/src/ca/ConfigureCA.java
+++ b/pki/base/silent/src/ca/ConfigureCA.java
@@ -96,6 +96,9 @@ public class ConfigureCA {
public static String key_size = null;
public static String key_type = null;
public static String key_algorithm = null;
+ public static String signing_algorithm = null;
+ public static String signing_signingalgorithm = null;
+ public static String ocsp_signing_signingalgorithm = null;
public static String token_name = null;
public static String token_pwd = null;
@@ -515,36 +518,33 @@ public class ConfigureCA {
+ "&sslserver_custom_size=" + key_size
+ "&sslserver_choice=custom"
+ "&sslserver_keytype=" + key_type
- + "&sslserver_keyalgorithm=" + key_algorithm
- + "&keyalgorithm=" + key_algorithm
+ "&choice=default" + "&keytype=" + key_type
- + "&custom_size=" + key_size + "";
+ + "&custom_size=" + key_size;
} else {
query_string = "p=10" + "&op=next" + "&xml=true"
+ "&subsystem_custom_size=" + key_size
+ "&subsystem_keytype=" + key_type
+ "&subsystem_choice=custom"
- + "&subsystem_keyalgorithm=" + key_algorithm
+ "&sslserver_custom_size=" + key_size
+ "&sslserver_keytype=" + key_type
+ "&sslserver_choice=custom"
- + "&sslserver_keyalgorithm=" + key_algorithm
+ "&signing_custom_size=" + key_size
+ "&signing_keytype=" + key_type
+ "&signing_choice=custom"
+ "&signing_keyalgorithm=" + key_algorithm
+ + "&signing_signingalgorithm=" + signing_signingalgorithm
+ "&ocsp_signing_custom_size=" + key_size
+ "&ocsp_signing_keytype=" + key_type
+ "&ocsp_signing_choice=custom"
- + "&ocsp_signing_keyalgorithm=" + key_algorithm
+ + "&ocsp_signing_signingalgorithm=" + ocsp_signing_signingalgorithm
+ "&audit_signing_custom_size=" + key_size
+ "&audit_signing_keytype=" + key_type
+ "&audit_signing_choice=custom"
- + "&audit_signing_keyalgorithm=" + key_algorithm
+ "&custom_size=" + key_size
+ "&keytype=" + key_type
+ "&choice=custom"
- + "&keyalgorithm=" + key_algorithm + "";
+ + "&signingalgorithm=" + signing_algorithm
+ + "&keyalgorithm=" + key_algorithm;
}
hr = hc.sslConnect(cs_hostname, cs_port, wizard_uri, query_string);
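Review bot: In the first branch of the query-string construction the old `&keyalgorithm=` parameter is removed but no `&signingalgorithm=` replacement is added, whereas the else branch sends `"&signingalgorithm=" + signing_algorithm` at the equivalent spot; on the first path the CA signing algorithm therefore stops being configurable and falls back to whatever the wizard defaults to. Unless that branch deliberately leaves the choice to the server (its condition is outside the hunk), add `+ "&signingalgorithm=" + signing_algorithm` just before `"&choice=default"`. The new values are also concatenated into the query string unencoded; since they come from the operator's own template this is a robustness rather than an injection concern, but wrapping them in `URLEncoder.encode(..., "UTF-8")` would make a stray `&` or `=` fail loudly instead of silently reshaping the request. The enclosing method begins and ends outside the hunk.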
@@ -1411,6 +1411,9 @@ public class ConfigureCA {
StringHolder x_key_size = new StringHolder();
StringHolder x_key_type = new StringHolder();
StringHolder x_key_algorithm = new StringHolder();
+ StringHolder x_signing_algorithm = new StringHolder();
+ StringHolder x_signing_signingalgorithm = new StringHolder();
+ StringHolder x_ocsp_signing_signingalgorithm = new StringHolder();
StringHolder x_token_name = new StringHolder();
StringHolder x_token_pwd = new StringHolder();
@@ -1488,7 +1491,10 @@ public class ConfigureCA {
parser.addOption("-key_size %s #Key Size", x_key_size);
parser.addOption("-key_type %s #Key type [RSA,ECC]", x_key_type);
- parser.addOption("-key_algorithm %s #Key algorithm", x_key_algorithm);
+ parser.addOption("-key_algorithm %s #Key algorithm of the CA certificate", x_key_algorithm);
+ parser.addOption("-signing_algorithm %s #Signing algorithm", x_signing_algorithm);
+ parser.addOption("-signing_signingalgorithm %s #Algorithm used be CA cert to sign objects (optional)", x_signing_signingalgorithm);
+ parser.addOption("-ocsp_signing_signingalgorithm %s #Algorithm used by the OCSP signing cert to sign objects (optional)", x_ocsp_signing_signingalgorithm);
parser.addOption("-token_name %s #HSM/Software Token name", x_token_name);
parser.addOption("-token_pwd %s #HSM/Software Token password (optional - only required for HSM)",
x_token_pwd);
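Review bot: The help text for `-signing_signingalgorithm` has a typo, "used be CA cert"; it should read `parser.addOption("-signing_signingalgorithm %s #Algorithm used by the CA signing cert to sign objects (optional)", x_signing_signingalgorithm);`. The `-key_algorithm` help now says "Key algorithm of the CA certificate", while the template comment added in the same commit describes it as the signature algorithm used to sign the CA certificate itself; the two should use the same wording so an operator can tell it apart from `-signing_algorithm`. None of the three new options says what it defaults to when omitted (per the parsing code further down, `-signing_algorithm` falls back to the `-key_algorithm` value and the two optional ones to `-signing_algorithm`); stating that in the help text would avoid guesswork.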
@@ -1578,6 +1584,25 @@ public class ConfigureCA {
} else {
key_algorithm = x_key_algorithm.value;
}
+
+ if ((x_signing_algorithm.value == null) || (x_signing_algorithm.equals(""))) {
+ signing_algorithm = key_algorithm;
+ } else {
+ signing_algorithm = x_signing_algorithm.value;
+ }
+
+ if ((x_ocsp_signing_signingalgorithm.value == null) || (x_ocsp_signing_signingalgorithm.equals(""))) {
+ ocsp_signing_signingalgorithm = signing_algorithm;
+ } else {
+ ocsp_signing_signingalgorithm = x_ocsp_signing_signingalgorithm.value;
+ }
+
+ if ((x_signing_signingalgorithm.value == null) || (x_signing_signingalgorithm.equals(""))) {
+ signing_signingalgorithm = signing_algorithm;
+ } else {
+ signing_signingalgorithm = x_signing_signingalgorithm.value;
+ }
+
token_name = x_token_name.value;
token_pwd = x_token_pwd.value;
save_p12 = x_save_p12.value;
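Review bot: The empty-string checks in the three new blocks compare the StringHolder object itself, `x_signing_algorithm.equals("")`, rather than its `.value`; unless StringHolder overrides equals (the jargs one does not) this is always false, so an explicitly empty value is forwarded as `""` instead of triggering the fallback. Change each test to `if ((x_signing_algorithm.value == null) || (x_signing_algorithm.value.equals("")))`, and likewise for `x_ocsp_signing_signingalgorithm` and `x_signing_signingalgorithm`; the pre-existing `x_key_algorithm` check just above has the same pattern and could be fixed in passing. Nothing validates that the supplied names are signature algorithms the wizard accepts or that they match `key_type`, so a typo in the template will only surface, if at all, as a server-side failure later in the run. The enclosing method continues outside the hunk.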
diff --git a/pki/base/silent/src/subca/ConfigureSubCA.java b/pki/base/silent/src/subca/ConfigureSubCA.java
index 38e39bf62..f10affc0c 100644
--- a/pki/base/silent/src/subca/ConfigureSubCA.java
+++ b/pki/base/silent/src/subca/ConfigureSubCA.java
@@ -98,7 +98,10 @@ public class ConfigureSubCA
public static String key_size = null;
public static String key_type = null;
- public static String key_algorithm = null;
+ public static String signing_algorithm = null;
+ public static String signing_signingalgorithm = null;
+ public static String ocsp_signing_signingalgorithm = null;
+
public static String token_name = null;
public static String token_pwd = null;
@@ -421,27 +424,24 @@ public class ConfigureSubCA
String query_string = "p=10" + "&op=next" + "&xml=true" +
"&keytype=" + key_type +
- "&keyalgorithm=" + key_algorithm +
+ "&signingalgorithm=" + signing_algorithm +
"&choice=default"+
"&custom_size=" + key_size +
"&signing_keytype=" + key_type +
- "&signing_keyalgorithm=" + key_algorithm +
+ "&signing_signingalgorithm=" + signing_signingalgorithm +
"&signing_choice=default"+
"&signing_custom_size=" + key_size +
"&ocsp_signing_keytype=" + key_type +
- "&ocsp_signing_keyalgorithm=" + key_algorithm +
+ "&ocsp_signing_signingalgorithm=" + ocsp_signing_signingalgorithm +
"&ocsp_signing_choice=default"+
"&ocsp_signing_custom_size=" + key_size +
"&sslserver_keytype=" + key_type +
- "&sslserver_keyalgorithm=" + key_algorithm +
"&sslserver_choice=default"+
"&sslserver_custom_size=" + key_size +
"&subsystem_keytype=" + key_type +
- "&subsystem_keyalgorithm=" + key_algorithm +
"&subsystem_choice=default"+
"&subsystem_custom_size=" + key_size +
"&audit_signing_keytype=" + key_type +
- "&audit_signing_keyalgorithm=" + key_algorithm +
"&audit_signing_choice=default" +
"&audit_signing_custom_size=" + key_size +
"";
@@ -990,7 +990,9 @@ public class ConfigureSubCA
// key size
StringHolder x_key_size = new StringHolder();
StringHolder x_key_type = new StringHolder();
- StringHolder x_key_algorithm = new StringHolder();
+ StringHolder x_signing_algorithm = new StringHolder();
+ StringHolder x_signing_signingalgorithm = new StringHolder();
+ StringHolder x_ocsp_signing_signingalgorithm = new StringHolder();
StringHolder x_token_name = new StringHolder();
StringHolder x_token_pwd = new StringHolder();
@@ -1073,8 +1075,10 @@ public class ConfigureSubCA
x_key_size);
parser.addOption ("-key_type %s #Key type [RSA,ECC]",
x_key_type);
- parser.addOption ("-key_algorithm %s #Key algorithm",
- x_key_algorithm);
+ parser.addOption("-signing_algorithm %s #Signing algorithm", x_signing_algorithm);
+ parser.addOption("-signing_signingalgorithm %s #Algorithm used be CA cert to sign objects (optional)", x_signing_signingalgorithm);
+ parser.addOption("-ocsp_signing_signingalgorithm %s #Algorithm used by the OCSP signing cert to sign objects (optional)", x_ocsp_signing_signingalgorithm);
+
parser.addOption ("-token_name %s #HSM/Software Token name",
x_token_name);
parser.addOption ("-token_pwd %s #HSM/Software Token password (optional - required for HSM)",
@@ -1154,10 +1158,21 @@ public class ConfigureSubCA
key_size = x_key_size.value;
key_type = x_key_type.value;
- if ((x_key_algorithm.value == null) || (x_key_algorithm.equals(""))) {
- key_algorithm = "SHA256withRSA";
+ if ((x_signing_algorithm.value == null) || (x_signing_algorithm.equals(""))) {
+ signing_algorithm = "SHA256withRSA";
+ } else {
+ signing_algorithm = x_signing_algorithm.value;
+ }
+ if ((x_ocsp_signing_signingalgorithm.value == null) || (x_ocsp_signing_signingalgorithm.equals(""))) {
+ ocsp_signing_signingalgorithm = signing_algorithm;
+ } else {
+ ocsp_signing_signingalgorithm = x_ocsp_signing_signingalgorithm.value;
+ }
+
+ if ((x_signing_signingalgorithm.value == null) || (x_signing_signingalgorithm.equals(""))) {
+ signing_signingalgorithm = signing_algorithm;
} else {
- key_algorithm = x_key_algorithm.value;
+ signing_signingalgorithm = x_signing_signingalgorithm.value;
}
token_name = x_token_name.value;
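Review bot: The three empty-string tests compare the StringHolder object, `x_signing_algorithm.equals("")`, instead of `x_signing_algorithm.value.equals("")`, so unless StringHolder overrides equals an explicitly empty option is forwarded as `""` rather than falling back; the removed `x_key_algorithm` line had the same defect, so this rewrite is the chance to fix it. Change each to `if ((x_signing_algorithm.value == null) || (x_signing_algorithm.value.equals("")))` with the matching holder name in the other two blocks. The hard-coded default `"SHA256withRSA"` is applied regardless of `key_type`, which is parsed two lines above; a template that sets `subca_key_type=ecc` and leaves `subca_signing_algorithm` empty would request an RSA signature algorithm for an EC key, so either derive the default from `key_type` or document that `-signing_algorithm` is mandatory for ECC. The enclosing method continues outside the hunk.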
diff --git a/pki/base/silent/templates/pki_silent.template b/pki/base/silent/templates/pki_silent.template
index 64d56823a..31b40ff9c 100755
--- a/pki/base/silent/templates/pki_silent.template
+++ b/pki/base/silent/templates/pki_silent.template
@@ -373,6 +373,12 @@ pki_silent_tps_log=/tmp/tps.log
## Subject Name: "cn=CA Audit Signing Certificate,"
## + "o=${pki_security_domain_name}"
##
+## NOTE: The parameters for the signing and key algorithms have the following meaning:
+## ca_key_algorithm - signature algorithm used to sign the CA certificate
+## ca_signing_algorithm - signature algorithm used by the CA and OCSP signing certs to sign objects.
+## ca_signing_signingalgorithm - optionally specify the algorithm used by the CA signing cert to sign objects
+## ca_ocsp_signing_signingalgorithm - optionally specify the algorithm used by the CA ocsp signing cert to sign objects
+##
ca_agent_name="CA\ Administrator\ of\ Instance\ ${ca_instance_name}\'s\ ${pki_security_domain_name}\ ID"
ca_agent_key_size=2048
@@ -383,6 +389,9 @@ ca_db_name="${pki_host}-${ca_instance_name}"
ca_key_size=2048
ca_key_type=rsa
ca_key_algorithm=SHA256withRSA
+ca_signing_algorithm=SHA256withRSA
+ca_signing_signingalgorithm=SHA256withRSA
+ca_ocsp_signing_signingalgorithm=SHA256withRSA
ca_save_p12=false
ca_sign_cert_subject_name="cn=Certificate\ Authority,o=${pki_security_domain_name}"
ca_subsystem_cert_subject_name="cn=CA\ Subsystem\ Certificate,o=${pki_security_domain_name}"
@@ -1079,6 +1088,9 @@ pkisilent ConfigureCA \
-key_size ${ca_key_size} \
-key_type ${ca_key_type} \
-key_algorithm ${ca_key_algorithm} \
+ -signing_algorithm ${ca_signing_algorithm} \
+ -signing_signingalgorithm ${ca_signing_signingalgorithm} \
+ -ocsp_signing_signingalgorithm ${ca_ocsp_signing_signingalgorithm} \
-save_p12 ${ca_save_p12} \
-subsystem_name ${ca_subsystem_name} \
-token_name ${ca_token_name} \
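Review bot: The two new optional arguments are passed unquoted, `-signing_signingalgorithm ${ca_signing_signingalgorithm} \`; if an operator blanks the variable to get the documented fallback, the shell drops the empty word and the option parser will presumably consume the next token, `-ocsp_signing_signingalgorithm`, as the value. Either quote them, `-signing_signingalgorithm "${ca_signing_signingalgorithm}" \`, or append the flag only when the variable is non-empty. With quoting, the Java side still has to treat an empty string as unset for the fallback to work. The pkisilent invocation continues outside the hunk.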
@@ -1205,6 +1217,9 @@ pkisilent ConfigureCA \
# -key_size ${ca_key_size} \
# -key_type ${ca_key_type} \
# -key_algorithm ${ca_key_algorithm} \
+# -signing_algorithm ${ca_signing_algorithm} \
+# -signing_signingalgorithm ${ca_signing_signingalgorithm} \
+# -ocsp_signing_signingalgorithm ${ca_ocsp_signing_signingalgorithm} \
# -save_p12 ${ca_save_p12} \
# -subsystem_name ${ca_subsystem_name} \
# -token_name ${ca_token_name} \
@@ -1272,6 +1287,9 @@ pkisilent ConfigureCA \
# -key_size ${ca_key_size} \
# -key_type ${ca_key_type} \
# -key_algorithm ${ca_key_algorithm} \
+# -signing_algorithm ${ca_signing_algorithm} \
+# -signing_signingalgorithm ${ca_signing_signingalgorithm} \
+# -ocsp_signing_signingalgorithm ${ca_ocsp_signing_signingalgorithm} \
# -save_p12 ${ca_save_p12} \
# -subsystem_name ${ca_subsystem_name} \
# -token_name ${ca_token_name} \
diff --git a/pki/base/silent/templates/subca_silent.template b/pki/base/silent/templates/subca_silent.template
index 5bb27e9b0..1475996d1 100755
--- a/pki/base/silent/templates/subca_silent.template
+++ b/pki/base/silent/templates/subca_silent.template
@@ -274,6 +274,11 @@ pki_silent_subca_log=/tmp/subca.log
## Subject Name: "cn=CA Subsystem Certificate 2,"
## + "o=${pki_security_domain_name}"
##
+## NOTE: The parameters for the signing algorithms have the following meaning:
+## subca_signing_algorithm - signature algorithm used by the CA and OCSP signing certs to sign objects.
+## subca_signing_signingalgorithm - optionally specify the algorithm used by the CA signing cert to sign objects
+## subca_ocsp_signing_signingalgorithm - optionally specify the algorithm used by the CA ocsp signing cert to sign objects
+##
subca_agent_name="CA\ Administrator\ of\ Instance\ ${subca_instance_name}\'s\ ${pki_security_domain_name}\ ID"
subca_agent_key_size=2048
@@ -283,7 +288,9 @@ subca_base_dn="dc=${pki_host}-${subca_instance_name}"
subca_db_name="${pki_host}-${subca_instance_name}"
subca_key_size=2048
subca_key_type=rsa
-subca_key_algorithm=SHA256withRSA
+subca_signing_algorithm=SHA256withRSA
+subca_signing_signingalgorithm=SHA256withRSA
+subca_ocsp_signing_signingalgorithm=SHA256withRSA
subca_sign_cert_subject_name="cn=Certificate\ Authority\ 2,o=${pki_security_domain_name}"
subca_subsystem_cert_subject_name="cn=CA\ Subsystem\ Certificate\ 2,o=${pki_security_domain_name}"
subca_ocsp_cert_subject_name="cn=OCSP\ Signing\ Certificate\ 2,o=${pki_security_domain_name}"
@@ -481,7 +488,9 @@ pkisilent ConfigureSubCA \
-db_name "${subca_db_name}" \
-key_size ${subca_key_size} \
-key_type ${subca_key_type} \
- -key_algorithm ${subca_key_algorithm} \
+ -signing_algorithm ${subca_signing_algorithm} \
+ -signing_signingalgorithm ${subca_signing_signingalgorithm} \
+ -ocsp_signing_signingalgorithm ${subca_ocsp_signing_signingalgorithm} \
-token_name ${subca_token_name} \
-token_pwd ${subca_token_password} \
-agent_key_size ${subca_agent_key_size} \
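Review bot: The three new arguments are unquoted while `-db_name "${subca_db_name}"` a few lines up is quoted; an operator who empties `subca_signing_signingalgorithm` to use the documented fallback would have the empty word dropped by the shell, and the parser would presumably take `-ocsp_signing_signingalgorithm` as its value. Quote them the same way, `-signing_signingalgorithm "${subca_signing_signingalgorithm}" \`, so an empty value reaches the program as an explicit empty string. The pkisilent invocation continues outside the hunk.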