author | vakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-11-04 19:13:26 +0000 |
---|---|---|
committer | vakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-11-04 19:13:26 +0000 |
commit | 3e3a6975a235a3f231ff062958fbf8a07439dca1 (patch) | |
tree | 8edd09b39f18251b5331e07f753e70291583f1d3 /pki/base | |
parent | d86e8148b6843d8056872a7fb663d849897a902f (diff) | |
Bugzilla Bug 638242 - Installation Wizard: at SizePanel, fix selection of signature algorithm; and for ECC curves
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1471 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base')
-rw-r--r-- | pki/base/ca/shared/conf/CS.cfg | 8 | ||||
-rw-r--r-- | pki/base/common/src/com/netscape/cms/servlet/csadmin/Cert.java | 18 | ||||
-rw-r--r-- | pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java | 9 | ||||
-rw-r--r-- | pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java | 259 | ||||
-rw-r--r-- | pki/base/kra/shared/conf/CS.cfg | 8 | ||||
-rw-r--r-- | pki/base/ocsp/shared/conf/CS.cfg | 7 | ||||
-rw-r--r-- | pki/base/tks/shared/conf/CS.cfg | 6 |
7 files changed, 217 insertions, 98 deletions
diff --git a/pki/base/ca/shared/conf/CS.cfg b/pki/base/ca/shared/conf/CS.cfg
index 9dd158ed4..57cfce820 100644
--- a/pki/base/ca/shared/conf/CS.cfg
+++ b/pki/base/ca/shared/conf/CS.cfg
@@ -58,6 +58,7 @@ preop.cert.signing.keysize.size=2048
 preop.cert.signing.keysize.custom_size=2048
 preop.cert.signing.nickname=caSigningCert cert-[PKI_INSTANCE_ID]
 preop.cert.signing.profile=caCert.profile
+preop.cert.signing.signing.required=true
 preop.cert.signing.subsystem=ca
 preop.cert.signing.type=selfsign
 preop.cert.signing.userfriendlyname=CA Signing Certificate
@@ -67,6 +68,7 @@ preop.cert.audit_signing.keysize.custom_size=2048
 preop.cert.audit_signing.keysize.size=2048
 preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID]
 preop.cert.audit_signing.profile=caAuditSigningCert.profile
+preop.cert.audit_signing.signing.required=false
 preop.cert.audit_signing.subsystem=ca
 preop.cert.audit_signing.type=local
 preop.cert.audit_signing.userfriendlyname=CA Audit Signing Certificate
@@ -77,6 +79,7 @@ preop.cert.ocsp_signing.keysize.custom_size=2048
 preop.cert.ocsp_signing.keysize.size=2048
 preop.cert.ocsp_signing.nickname=ocspSigningCert cert-[PKI_INSTANCE_ID]
 preop.cert.ocsp_signing.profile=caOCSPCert.profile
+preop.cert.ocsp_signing.signing.required=true
 preop.cert.ocsp_signing.subsystem=ca
 preop.cert.ocsp_signing.type=local
 preop.cert.ocsp_signing.userfriendlyname=OCSP Signing Certificate
@@ -87,6 +90,7 @@ preop.cert.sslserver.keysize.custom_size=2048
 preop.cert.sslserver.keysize.size=2048
 preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
 preop.cert.sslserver.profile=serverCert.profile
+preop.cert.sslserver.signing.required=false
 preop.cert.sslserver.subsystem=ca
 preop.cert.sslserver.type=local
 preop.cert.sslserver.userfriendlyname=SSL Server Certificate
@@ -97,6 +101,7 @@ preop.cert.subsystem.keysize.custom_size=2048
 preop.cert.subsystem.keysize.size=2048
 preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
 preop.cert.subsystem.profile=subsystemCert.profile
+preop.cert.subsystem.signing.required=false
 preop.cert.subsystem.subsystem=ca
 preop.cert.subsystem.type=local
 preop.cert.subsystem.userfriendlyname=Subsystem Certificate
@@ -764,6 +769,9 @@ debug.filename=[PKI_INSTANCE_PATH]/logs/debug
 debug.hashkeytypes=
 debug.level=0
 debug.showcaller=false
+keys.ecc.curve.list=nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
+keys.ecc.curve.default=nistp521
+keys.rsa.keysize.default=2048
 internaldb._000=##
 internaldb._001=## Internal Database
 internaldb._002=##
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/Cert.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/Cert.java
index 88b13453f..4aca6cec7 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/Cert.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/Cert.java
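Review bot: The `keys.ecc.curve.list` added in the @@ -764 hunk mixes the NIST P-256/384/521 curves with 112-, 128-, 131- and 160-bit ones (`secp112r1`, `secp128r1`, `sect131r1`, `secp160r1`, the `c2pnb163*` entries and similar), and the SizePanel change in this commit stores whatever is picked from that list as `preop.cert.<tag>.curvename.name` for every certificate tag whose key type is ecc, signing keys included. Those sizes are far below the `keys.rsa.keysize.default=2048` set in the same hunk, so the list should be trimmed to curves the deployment accepts for signing, or the panel should filter it; the cfg gives no hint which entries are meant as production choices. The same list is repeated verbatim in the kra, ocsp and tks CS.cfg hunks, so any pruning has to be applied four times.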
@@ -34,7 +34,9 @@ public class Cert { private String mUserFriendlyName = ""; private String mKeyOption = ""; private String mCustomKeysize = ""; + private String mCustomCurvename = ""; private boolean mEnable = true; + private boolean mSigningRequired = false; private String mSubsystem = ""; public Cert(String tokenName, String nickName, String certTag) { @@ -51,6 +53,14 @@ public class Cert { return mEnable; } + public void setSigningRequired(boolean required) { + mSigningRequired = required; + } + + public boolean isSigningRequired() { + return mSigningRequired; + } + public void setNickname(String s) { mNickname = s; } @@ -163,4 +173,12 @@ public class Cert { public void setCustomKeysize(String size) { mCustomKeysize = size; } + + public String getCustomCurvename() { + return mCustomCurvename; + } + + public void setCustomCurvename(String curve) { + mCustomCurvename = curve; + } } diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java index 21a91c167..43fa3e0d8 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java @@ -406,8 +406,13 @@ public class CertUtil { CMS.debug("key algorithm is " + keyAlgo); String caSigningKeyType = config.getString("preop.cert.signing.keytype","rsa"); - String caSigningKeyAlgo = - config.getString("preop.cert.signing.keyalgorithm","SHA256withRSA"); + String caSigningKeyAlgo = ""; + if (type.equals("selfsign")) { + caSigningKeyAlgo = config.getString("preop.cert.signing.keyalgorithm","SHA256withRSA"); + } else { + caSigningKeyAlgo = config.getString("preop.cert.signing.signingalgorithm","SHA256withRSA"); + } + CMS.debug("CA Signing Key type " + caSigningKeyType); CMS.debug("CA Signing Key algorithm " + caSigningKeyAlgo); 
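Review bot: In the CertUtil hunk `String caSigningKeyAlgo = "";` is overwritten by both branches, so the placeholder is dead; `String key = "selfsign".equals(type) ? "preop.cert.signing.keyalgorithm" : "preop.cert.signing.signingalgorithm";` followed by `String caSigningKeyAlgo = config.getString(key, "SHA256withRSA");` says the same in two lines. `type` is declared outside the hunk; if it can be null, the new `type.equals("selfsign")` throws where the old unconditional read did not, which the `"selfsign".equals(type)` form above avoids. The new `setSigningRequired`/`isSigningRequired` and `getCustomCurvename`/`setCustomCurvename` accessors in Cert.java carry no Javadoc; a line such as `/** True when this cert needs its own signing-algorithm choice; SizePanel uses it to set show_signing for the template. */` on `setSigningRequired` would explain what the flag controls.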
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java index 0f9ef3007..3a3f1b927 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java @@ -46,8 +46,10 @@ public class SizePanel extends WizardPanelBase { private Vector mCerts = null; private WizardServlet mServlet = null; - public static final String DEFAULT_ECC_KEY_SIZE = "256"; - public static final String DEFAULT_RSA_KEY_SIZE = "2048"; + private String default_ecc_curve_name; + private String default_rsa_key_size; + private boolean mShowSigning = false; + public SizePanel() {} /** @@ -111,7 +113,11 @@ public class SizePanel extends WizardPanelBase { HttpServletResponse response, Context context) { CMS.debug("SizePanel: display()"); - context.put("title", "Key Pairs"); + try { + initParams(request, context); + } catch (IOException e) { + } + context.put("firsttime", "false"); String errorString = ""; mCerts = new Vector(); 
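Review bot: The `try { initParams(request, context); } catch (IOException e) { }` in display() is an empty catch around a call that, as written in the @@ -549 hunk of this commit, catches `Exception` itself and only logs, so no IOException can reach this block; displayError() in the @@ -571 hunk has the same dead wrapper. Dropping the `throws IOException` clause from initParams and calling it directly, `initParams(request, context);`, removes both empty catches. If the clause is kept for a future throwing version, the catch should at least `CMS.debug(e);` so a failed panel initialisation shows up in the logs. display() continues past the hunk.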
@@ -123,41 +129,22 @@ public class SizePanel extends WizardPanelBase { context.put("firsttime", "true"); } - String select = ""; - try { - select = config.getString("preop.subsystem.select", ""); - } catch (Exception e) { - } - - context.put("select", select); - - String ecclist = ""; try { - ecclist = config.getString("preop.ecc.algorithm.list", "SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC"); + default_ecc_curve_name = config.getString("keys.ecc.curve.default", "nistp521"); } catch (Exception e) { } - context.put("ecclist", ecclist); - String rsalist = ""; try { - rsalist = config.getString("preop.rsa.algorithm.list", "SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA"); + default_rsa_key_size = config.getString("keys.rsa.keysize.default", "2048"); } catch (Exception e) { } - context.put("rsalist", rsalist); - - String subsystemType = ""; - try { - subsystemType = config.getString("pkicreate.subsystem_type"); - } catch (Exception e) { - } - context.put("subsystemtype", subsystemType); - try { // same token for now String token = config.getString(PRE_CONF_CA_TOKEN); String certTags = config.getString("preop.cert.list"); StringTokenizer st = new StringTokenizer(certTags, ","); + mShowSigning = false; while (st.hasMoreTokens()) { String certTag = st.nextToken(); @@ -177,8 +164,20 @@ public class SizePanel extends WizardPanelBase { s = config.getString( PCERT_PREFIX + certTag + ".keysize.custom_size", - DEFAULT_RSA_KEY_SIZE); + default_rsa_key_size); c.setCustomKeysize(s); + + s = config.getString( + PCERT_PREFIX + certTag + ".curvename.custom_name", + default_ecc_curve_name); + c.setCustomCurvename(s); + + boolean signingRequired = config.getBoolean( + PCERT_PREFIX + certTag + ".signing.required", + false); + c.setSigningRequired(signingRequired); + if (signingRequired) mShowSigning = true; + String userfriendlyname = config.getString( PCERT_PREFIX + certTag + ".userfriendlyname"); c.setUserFriendlyName(userfriendlyname); 
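Review bot: `default_ecc_curve_name` and `default_rsa_key_size` are instance fields that the @@ -123 hunk assigns only inside display(), while the @@ -177 hunk and the later update()/key-generation hunks read them; if update() runs on a panel instance whose display() has not executed (a resumed wizard after a restart, or a different instance — the hunk does not show how the panel is instantiated), they are still null and `config.putString(..., default_ecc_curve_name)` persists a null curve name. Reading the defaults where they are used, e.g. `String defaultCurve = config.getString("keys.ecc.curve.default", "nistp521");` at the top of update(), or initialising the fields at their declaration, removes the ordering dependency. The two `catch (Exception e) { }` blocks around `config.getString(..., default)` discard the failure without even a debug line. display() starts before the hunk and continues after it.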
@@ -191,10 +190,11 @@ public class SizePanel extends WizardPanelBase { } CMS.debug("SizePanel: display() 1"); + context.put("show_signing", mShowSigning ? "true" : "false"); context.put("certs", mCerts); context.put("errorString", errorString); - context.put("default_keysize", DEFAULT_RSA_KEY_SIZE); - context.put("default_ecc_keysize", DEFAULT_ECC_KEY_SIZE); + context.put("default_keysize", default_rsa_key_size); + context.put("default_ecc_curvename", default_ecc_curve_name); context.put("panel", "admin/console/config/sizepanel.vm"); } @@ -252,8 +252,8 @@ public class SizePanel extends WizardPanelBase { continue; String keytype = HttpInput.getKeyType(request, ct + "_keytype"); // rsa or ecc - String keyalgorithm = HttpInput.getString(request, ct + "_keyalgorithm"); + String keyalgorithm = HttpInput.getString(request, ct + "_keyalgorithm"); if (keyalgorithm == null) { if (keytype != null && keytype.equals("ecc")) { keyalgorithm = "SHA256withEC"; @@ -262,6 +262,11 @@ public class SizePanel extends WizardPanelBase { } } + String signingalgorithm = HttpInput.getString(request, ct + "_signingalgorithm"); + if (signingalgorithm == null) { + signingalgorithm = keyalgorithm; + } + String select = HttpInput.getID(request, ct + "_choice"); if (select == null) { 
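Review bot: `signingalgorithm` in the @@ -262 hunk comes straight from the request via `HttpInput.getString` and, in the later hunks of this commit, is written unchanged to `preop.cert.<tag>.signingalgorithm` and from there to `ca.signing.defaultSigningAlgorithm` and `ca.crl.MasterCRL.signingAlgorithm`; nothing checks it against the `preop.rsa.algorithm.list` / `preop.ecc.algorithm.list` choices that initParams hands to the template, nor that its suffix matches `keytype`. `keyalgorithm` already had this gap, but `keytype` on the line above it goes through `HttpInput.getKeyType`, so the validated/unvalidated split is visible within the same hunk. A membership check against the list for the chosen key type, e.g. `if (!("," + list + ",").contains("," + signingalgorithm + ",")) throw new IOException("invalid signing algorithm " + signingalgorithm);`, keeps a stale or mistyped form value out of the CA's signing configuration. update() continues outside the hunk.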
@@ -277,53 +282,74 @@ public class SizePanel extends WizardPanelBase { config.getString(PCERT_PREFIX + ct + ".keytype", ""); String oldkeyalgorithm = config.getString(PCERT_PREFIX + ct + ".keyalgorithm", ""); + String oldsigningalgorithm = + config.getString(PCERT_PREFIX + ct + ".signingalgorithm", ""); + String oldcurvename = + config.getString(PCERT_PREFIX + ct + ".curvename.name", ""); if (select.equals("default")) { // XXXrenaming these...keep for now just in case config.putString("preop.keysize.select", "default"); if (keytype != null && keytype.equals("ecc")) { - config.putString("preop.keysize.custom_size", - DEFAULT_ECC_KEY_SIZE); - config.putString("preop.keysize.size", DEFAULT_ECC_KEY_SIZE); + config.putString("preop.curvename.custom_name", + default_ecc_curve_name); + config.putString("preop.curvename.name", default_ecc_curve_name); } else { config.putString("preop.keysize.custom_size", - DEFAULT_RSA_KEY_SIZE); - config.putString("preop.keysize.size", DEFAULT_RSA_KEY_SIZE); + default_rsa_key_size); + config.putString("preop.keysize.size", default_rsa_key_size); } config.putString(PCERT_PREFIX + ct + ".keytype", keytype); config.putString(PCERT_PREFIX + ct + ".keyalgorithm", keyalgorithm); + config.putString(PCERT_PREFIX + ct + ".signingalgorithm", signingalgorithm); config.putString(PCERT_PREFIX + ct + ".keysize.select", "default"); if (keytype != null && keytype.equals("ecc")) { config.putString(PCERT_PREFIX + ct + - ".keysize.custom_size", - DEFAULT_ECC_KEY_SIZE); - config.putString(PCERT_PREFIX + ct + ".keysize.size", - DEFAULT_ECC_KEY_SIZE); + ".curvename.custom_name", + default_ecc_curve_name); + config.putString(PCERT_PREFIX + ct + ".curvename.name", + default_ecc_curve_name); } else { config.putString(PCERT_PREFIX + ct + ".keysize.custom_size", - DEFAULT_RSA_KEY_SIZE); + default_rsa_key_size); config.putString(PCERT_PREFIX + ct + ".keysize.size", - DEFAULT_RSA_KEY_SIZE); + default_rsa_key_size); } } else if (select.equals("custom")) { // 
XXXrenaming these...keep for now just in case config.putString("preop.keysize.select", "custom"); - config.putString("preop.keysize.size", + if (keytype != null && keytype.equals("ecc")) { + config.putString("preop.curvename.name", + HttpInput.getString(request, ct + "_custom_curvename")); + config.putString("preop.curvename.custom_name", + HttpInput.getString(request, ct + "_custom_curvename")); + } else { + config.putString("preop.keysize.size", HttpInput.getKeySize(request, ct + "_custom_size", keytype)); - config.putString("preop.keysize.custom_size", + config.putString("preop.keysize.custom_size", HttpInput.getKeySize(request, ct + "_custom_size", keytype)); + } config.putString(PCERT_PREFIX + ct + ".keytype", keytype); config.putString(PCERT_PREFIX + ct + ".keyalgorithm", keyalgorithm); + config.putString(PCERT_PREFIX + ct + ".signingalgorithm", signingalgorithm); config.putString(PCERT_PREFIX + ct + ".keysize.select", "custom"); - config.putString(PCERT_PREFIX + ct + ".keysize.custom_size", - HttpInput.getKeySize(request, ct + "_custom_size", keytype)); - config.putString(PCERT_PREFIX + ct + ".keysize.size", - HttpInput.getKeySize(request, ct + "_custom_size", keytype)); + + if (keytype != null && keytype.equals("ecc")) { + config.putString(PCERT_PREFIX + ct + ".curvename.custom_name", + HttpInput.getString(request, ct + "_custom_curvename")); + config.putString(PCERT_PREFIX + ct + ".curvename.name", + HttpInput.getString(request, ct + "_custom_curvename")); + } else { + config.putString(PCERT_PREFIX + ct + ".keysize.custom_size", + HttpInput.getKeySize(request, ct + "_custom_size")); + config.putString(PCERT_PREFIX + ct + ".keysize.size", + HttpInput.getKeySize(request, ct + "_custom_size")); + } } else { CMS.debug("SizePanel: invalid choice " + select); throw new IOException("invalid choice " + select); 
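Review bot: In the custom branch of the @@ -277 hunk the ECC curve is read twice with `HttpInput.getString(request, ct + "_custom_curvename")` and stored without being checked against `keys.ecc.curve.list`; a missing parameter yields null, which then goes into `preop.curvename.name` and `preop.cert.<tag>.curvename.name`. Reading it once, `String curve = HttpInput.getString(request, ct + "_custom_curvename");`, rejecting null or a value not in the configured list, and reusing the local in all four puts makes the validation explicit. The per-cert RSA puts now call `HttpInput.getKeySize(request, ct + "_custom_size")` without the `keytype` argument that the `preop.keysize.*` puts a few lines above still pass, so the same form value may be validated two different ways; if the two overloads differ, one of the calls is probably unintended. update() starts and ends outside the hunk.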
@@ -335,9 +361,16 @@ public class SizePanel extends WizardPanelBase { config.getString(PCERT_PREFIX + ct + ".keytype", ""); String newkeyalgorithm = config.getString(PCERT_PREFIX + ct + ".keyalgorithm", ""); + String newsigningalgorithm = + config.getString(PCERT_PREFIX + ct + ".signingalgorithm", ""); + String newcurvename = + config.getString(PCERT_PREFIX+ct+".curvename.name", ""); + if (!oldkeysize.equals(newkeysize) || !oldkeytype.equals(newkeytype) || - !oldkeyalgorithm.equals(newkeyalgorithm)) + !oldkeyalgorithm.equals(newkeyalgorithm) || + !oldsigningalgorithm.equals(newsigningalgorithm) || + !oldcurvename.equals(newcurvename)) hasChanged = true; }// while @@ -370,9 +403,11 @@ public class SizePanel extends WizardPanelBase { while (c.hasMoreElements()) { Cert cert = (Cert) c.nextElement(); String ct = cert.getCertTag(); + String friendlyName = ct; boolean enable = true; try { - enable = config.getBoolean(PCERT_PREFIX+ct+".enable", true); + enable = config.getBoolean(PCERT_PREFIX+ct+".enable", true); + friendlyName = config.getString(PCERT_PREFIX + ct + ".userfriendlyname", ct); } catch (Exception e) { } 
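Review bot: `config.getString(PCERT_PREFIX+ct+".curvename.name", "")` in the @@ -335 hunk drops the spaces around `+` that the surrounding concatenations use (`PCERT_PREFIX + ct + ".signingalgorithm"` two lines above); `config.getString(PCERT_PREFIX + ct + ".curvename.name", "")` keeps the block uniform. The change condition is now five `||` terms with no comment; `// any change to size, type, algorithm or curve means this cert's key pair must be regenerated` would state the intent, assuming that is what `hasChanged` drives after the hunk. In the @@ -370 hunk `friendlyName` falls back to `ct` both through its initialiser and through the `getString` default, so one of the two is redundant. Both hunks sit inside update(), which starts and ends outside them.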
@@ -382,20 +417,23 @@ public class SizePanel extends WizardPanelBase { try { String keytype = config.getString(PCERT_PREFIX + ct + ".keytype"); String keyalgorithm = config.getString(PCERT_PREFIX + ct + ".keyalgorithm"); - int keysize = config.getInteger( - PCERT_PREFIX + ct + ".keysize.size"); if (keytype.equals("rsa")) { + int keysize = config.getInteger( + PCERT_PREFIX + ct + ".keysize.size"); createRSAKeyPair(token, keysize, config, ct); } else { - createECCKeyPair(token, keysize, config, ct); + String curveName = config.getString( + PCERT_PREFIX + ct + ".curvename.name", default_ecc_curve_name); + createECCKeyPair(token, curveName, config, ct); } config.commit(false); } catch (Exception e) { CMS.debug(e); CMS.debug("SizePanel: key generation failure: " + e.toString()); - throw new IOException("key generation failure"); + throw new IOException("key generation failure for the certificate: " + friendlyName + + ". See the logs for details."); } } // while @@ -413,10 +451,10 @@ public class SizePanel extends WizardPanelBase { } - public void createECCKeyPair(String token, int keysize, IConfigStore config, String ct) + public void createECCKeyPair(String token, String curveName, IConfigStore config, String ct) throws NoSuchAlgorithmException, NoSuchTokenException, TokenException, CryptoManager.NotInitializedException { - CMS.debug("Generating ECC key pair with keysize="+ keysize + + CMS.debug("Generating ECC key pair with curvename="+ curveName + ", token="+token); KeyPair pair = null; /* 
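Review bot: The rewritten `throw new IOException("key generation failure for the certificate: " + friendlyName + ". See the logs for details.")` still discards the caught `e`, so the stack trace survives only in the preceding `CMS.debug(e)`; on JDK 6 or later `throw new IOException("key generation failure for the certificate: " + friendlyName, e);` carries the cause to whoever catches it. The `createECCKeyPair` signature in the @@ -413 hunk changes a public parameter from `int keysize` to `String curveName`, so any caller outside SizePanel must change too; the compiler will catch it, but the commit message does not mention it. The key-generation loop starts before the hunk.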
@@ -452,14 +490,14 @@ public class SizePanel extends WizardPanelBase { do { if (ct.equals("sslserver") && sslType.equalsIgnoreCase("ECDH")) { CMS.debug("SizePanel: createECCKeypair: sslserver cert for ECDH. Make sure server.xml is set properly with -TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"); - pair = CryptoUtil.generateECCKeyPair(token, keysize, + pair = CryptoUtil.generateECCKeyPair(token, curveName, null, ECDH_usages_mask); } else { if (ct.equals("sslserver")) { CMS.debug("SizePanel: createECCKeypair: sslserver cert for ECDHE. Make sure server.xml is set properly with +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"); } - pair = CryptoUtil.generateECCKeyPair(token, keysize, + pair = CryptoUtil.generateECCKeyPair(token, curveName, null, usages_mask); } 
@@ -485,39 +523,11 @@ public class SizePanel extends WizardPanelBase { String keyAlgo = ""; try { - keyAlgo = config.getString(PCERT_PREFIX + ct + ".keyalgorithm"); + keyAlgo = config.getString(PCERT_PREFIX + ct + ".signingalgorithm"); } catch (Exception e1) { } - // set default signing algorithm for CA - String systemType = ""; - try { - systemType = config.getString("preop.system.name"); - } catch (Exception e1) { - } - - if (systemType.equalsIgnoreCase("CA")) { - if (ct.equals("signing")) { - config.putString("ca.signing.defaultSigningAlgorithm", - keyAlgo); - config.putString("ca.crl.MasterCRL.signingAlgorithm", - keyAlgo); - } else if (ct.equals("ocsp_signing")) { - config.putString("ca.ocsp_signing.defaultSigningAlgorithm", - keyAlgo); - } - } else if (systemType.equalsIgnoreCase("OCSP")) { - if (ct.equals("signing")) { - config.putString("ocsp.signing.defaultSigningAlgorithm", - keyAlgo); - } - } else if (systemType.equalsIgnoreCase("KRA") || - systemType.equalsIgnoreCase("DRM")) { - if (ct.equals("transport")) { - config.putString("kra.transportUnit.signingAlgorithm", keyAlgo); - } - } - + setSigningAlgorithm(ct, keyAlgo, config); } public void createRSAKeyPair(String token, int keysize, IConfigStore config, String ct) 
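Review bot: With `keyAlgo = config.getString(PCERT_PREFIX + ct + ".signingalgorithm")` inside a `catch (Exception e1) { }`, a missing `.signingalgorithm` entry (an instance configured before this commit, or a cert tag update() did not reach) leaves `keyAlgo` as `""`, and the new `setSigningAlgorithm(ct, keyAlgo, config)` then persists the empty string as `ca.signing.defaultSigningAlgorithm` and `ca.crl.MasterCRL.signingAlgorithm`. Falling back to the key algorithm, `keyAlgo = config.getString(PCERT_PREFIX + ct + ".signingalgorithm", config.getString(PCERT_PREFIX + ct + ".keyalgorithm", ""));`, and skipping the write when the result is still empty keeps an unset value out of the CA's signing config. The RSA path in the @@ -549 hunk has the same read and the same gap. createECCKeyPair starts before the hunk.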
@@ -549,19 +559,70 @@ public class SizePanel extends WizardPanelBase { String keyAlgo = ""; try { - keyAlgo = config.getString(PCERT_PREFIX + ct + ".keyalgorithm"); + keyAlgo = config.getString(PCERT_PREFIX + ct + ".signingalgorithm"); } catch (Exception e1) { } - if (ct.equals("signing")) { - config.putString("ca.signing.defaultSigningAlgorithm", + setSigningAlgorithm(ct, keyAlgo, config); + } + + public void setSigningAlgorithm(String ct, String keyAlgo, IConfigStore config) { + String systemType = ""; + try { + systemType = config.getString("preop.system.name"); + } catch (Exception e1) { + } + if (systemType.equalsIgnoreCase("CA")) { + if (ct.equals("signing")) { + config.putString("ca.signing.defaultSigningAlgorithm", keyAlgo); - config.putString("ca.crl.MasterCRL.signingAlgorithm", + config.putString("ca.crl.MasterCRL.signingAlgorithm", keyAlgo); - } - if (ct.equals("ocsp_signing")) { - config.putString("ca.ocsp_signing.defaultSigningAlgorithm", + } else if (ct.equals("ocsp_signing")) { + config.putString("ca.ocsp_signing.defaultSigningAlgorithm", keyAlgo); + } + } else if (systemType.equalsIgnoreCase("OCSP")) { + if (ct.equals("signing")) { + config.putString("ocsp.signing.defaultSigningAlgorithm", + keyAlgo); + } + } else if (systemType.equalsIgnoreCase("KRA") || + systemType.equalsIgnoreCase("DRM")) { + if (ct.equals("transport")) { + config.putString("kra.transportUnit.signingAlgorithm", keyAlgo); + } + } + } + + public void initParams(HttpServletRequest request, Context context) + throws IOException + { + IConfigStore config = CMS.getConfigStore(); + String s = ""; + try { + context.put("title", "Key Pairs"); + + s = config.getString("preop.subsystem.select", ""); + context.put("select", s); + + s = config.getString("preop.hierarchy.select", "root"); + context.put("hselect", s); + + s = config.getString("preop.ecc.algorithm.list", "SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC"); + context.put("ecclist", s); + + s = 
config.getString("preop.rsa.algorithm.list", "SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA"); + context.put("rsalist", s); + + s = config.getString("keys.ecc.curve.list", "nistp521"); + context.put("curvelist", s); + + s = config.getString("pkicreate.subsystem_type"); + context.put("subsystemtype", s); + + } catch (Exception e) { + CMS.debug("SizePanel(): initParams: unable to set all initial parameters:" + e); } } @@ -571,10 +632,16 @@ public class SizePanel extends WizardPanelBase { public void displayError(HttpServletRequest request, HttpServletResponse response, Context context) { - context.put("title", "Key Pairs"); + try { + initParams(request, context); + } catch (IOException e) { + } + context.put("certs", mCerts); - context.put("default_keysize", DEFAULT_RSA_KEY_SIZE); - context.put("default_ecc_keysize", DEFAULT_ECC_KEY_SIZE); + context.put("show_signing", mShowSigning ? "true" : "false"); + context.put("default_keysize", default_rsa_key_size); + context.put("default_ecc_curvename", default_ecc_curve_name); + context.put("panel", "admin/console/config/sizepanel.vm"); } } diff --git a/pki/base/kra/shared/conf/CS.cfg b/pki/base/kra/shared/conf/CS.cfg index f7afdb41b..7f0ab3c38 100644 --- a/pki/base/kra/shared/conf/CS.cfg +++ b/pki/base/kra/shared/conf/CS.cfg @@ -47,6 +47,7 @@ preop.cert.audit_signing.keysize.custom_size=2048 preop.cert.audit_signing.keysize.size=2048 preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID] preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert +preop.cert.audit_signing.signing.required=false preop.cert.audit_signing.subsystem=kra preop.cert.audit_signing.type=remote preop.cert.audit_signing.userfriendlyname=DRM Audit Signing Certificate 
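Review bot: `initParams` never reads its `request` parameter, and `setSigningAlgorithm` is `public` although it is only called from the two key-pair helpers in this file; `private void setSigningAlgorithm(String ct, String keyAlgo, IConfigStore config)` limits the surface, and a Javadoc line such as `/** Records keyAlgo as the default signing algorithm for cert tag ct, choosing the config keys by preop.system.name. */` would document it. All seven `context.put` calls in initParams sit in one try, so if `config.getString` without a default throws on a missing key, as the old display() code's try/catch around `pkicreate.subsystem_type` suggests, any read added after that one would be skipped silently while the debug line reports only "unable to set all initial parameters". The @@ -549 hunk starts inside createRSAKeyPair, whose beginning is outside it.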
@@ -57,6 +58,7 @@ preop.cert.storage.keysize.custom_size=2048
 preop.cert.storage.keysize.size=2048
 preop.cert.storage.nickname=storageCert cert-[PKI_INSTANCE_ID]
 preop.cert.storage.profile=caInternalAuthDRMstorageCert
+preop.cert.storage.signing.required=false
 preop.cert.storage.subsystem=kra
 preop.cert.storage.type=remote
 preop.cert.storage.userfriendlyname=Storage Certificate
@@ -67,6 +69,7 @@ preop.cert.transport.keysize.custom_size=2048
 preop.cert.transport.keysize.size=2048
 preop.cert.transport.nickname=transportCert cert-[PKI_INSTANCE_ID]
 preop.cert.transport.profile=caInternalAuthTransportCert
+preop.cert.transport.signing.required=true
 preop.cert.transport.subsystem=kra
 preop.cert.transport.type=remote
 preop.cert.transport.userfriendlyname=Transport Certificate
@@ -77,6 +80,7 @@ preop.cert.sslserver.keysize.custom_size=2048
 preop.cert.sslserver.keysize.size=2048
 preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
 preop.cert.sslserver.profile=caInternalAuthServerCert
+preop.cert.sslserver.signing.required=false
 preop.cert.sslserver.subsystem=kra
 preop.cert.sslserver.type=remote
 preop.cert.sslserver.userfriendlyname=SSL Server Certificate
@@ -87,6 +91,7 @@ preop.cert.subsystem.keysize.custom_size=2048
 preop.cert.subsystem.keysize.size=2048
 preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
 preop.cert.subsystem.profile=caInternalAuthSubsystemCert
+preop.cert.subsystem.signing.required=false
 preop.cert.subsystem.subsystem=kra
 preop.cert.subsystem.type=remote
 preop.cert.subsystem.userfriendlyname=Subsystem Certificate
@@ -185,6 +190,9 @@ debug.filename=[PKI_INSTANCE_PATH]/logs/debug
 debug.hashkeytypes=
 debug.level=0
 debug.showcaller=false
+keys.ecc.curve.list=nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
+keys.ecc.curve.default=nistp521
+keys.rsa.keysize.default=2048
 internaldb._000=##
 internaldb._001=## Internal Database
 internaldb._002=##
diff --git a/pki/base/ocsp/shared/conf/CS.cfg b/pki/base/ocsp/shared/conf/CS.cfg
index f73e75b97..e1586a2ed 100644
--- a/pki/base/ocsp/shared/conf/CS.cfg
+++ b/pki/base/ocsp/shared/conf/CS.cfg
@@ -50,6 +50,7 @@ preop.cert.audit_signing.keysize.custom_size=2048
 preop.cert.audit_signing.keysize.size=2048
 preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID]
 preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert
+preop.cert.audit_signing.signing.required=false
 preop.cert.audit_signing.subsystem=ocsp
 preop.cert.audit_signing.type=remote
 preop.cert.audit_signing.userfriendlyname=OCSP Audit Signing Certificate
@@ -60,6 +61,7 @@ preop.cert.signing.keysize.custom_size=2048
 preop.cert.signing.keysize.size=2048
 preop.cert.signing.nickname=ocspSigningCert cert-[PKI_INSTANCE_ID]
 preop.cert.signing.profile=caInternalAuthOCSPCert
+preop.cert.signing.signing.required=true
 preop.cert.signing.subsystem=ocsp
 preop.cert.signing.type=remote
 preop.cert.signing.userfriendlyname=OCSP Signing Certificate
@@ -70,6 +72,7 @@ preop.cert.sslserver.keysize.custom_size=2048
 preop.cert.sslserver.keysize.size=2048
 preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
 preop.cert.sslserver.profile=caInternalAuthServerCert
+preop.cert.sslserver.signing.required=false
 preop.cert.sslserver.subsystem=ocsp
 preop.cert.sslserver.type=remote
 preop.cert.sslserver.userfriendlyname=SSL Server Certificate
@@ -80,6 +83,7 @@ preop.cert.subsystem.keysize.custom_size=2048
 preop.cert.subsystem.keysize.size=2048
 preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
 preop.cert.subsystem.profile=caInternalAuthSubsystemCert
+preop.cert.subsystem.signing.required=false
 preop.cert.subsystem.subsystem=ocsp
 preop.cert.subsystem.type=remote
 preop.cert.subsystem.userfriendlyname=Subsystem Certificate
@@ -154,6 +158,9 @@ debug.filename=[PKI_INSTANCE_PATH]/logs/debug
 debug.hashkeytypes=
 debug.level=0
 debug.showcaller=false
+keys.ecc.curve.list=nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
+keys.ecc.curve.default=nistp521
+keys.rsa.keysize.default=2048
 internaldb._000=##
 internaldb._001=## Internal Database
 internaldb._002=##
diff --git a/pki/base/tks/shared/conf/CS.cfg b/pki/base/tks/shared/conf/CS.cfg
index 5ecde135a..93bda8ad1 100644
--- a/pki/base/tks/shared/conf/CS.cfg
+++ b/pki/base/tks/shared/conf/CS.cfg
@@ -40,6 +40,7 @@ preop.cert.audit_signing.keysize.custom_size=2048
 preop.cert.audit_signing.keysize.size=2048
 preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID]
 preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert
+preop.cert.audit_signing.signing.required=false
 preop.cert.audit_signing.subsystem=tks
 preop.cert.audit_signing.type=remote
 preop.cert.audit_signing.userfriendlyname=TKS Audit Signing Certificate
@@ -50,6 +51,7 @@ preop.cert.sslserver.keysize.custom_size=2048
 preop.cert.sslserver.keysize.size=2048
 preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
 preop.cert.sslserver.profile=caInternalAuthServerCert
+preop.cert.sslserver.signing.required=false
 preop.cert.sslserver.subsystem=tks
 preop.cert.sslserver.type=remote
 preop.cert.sslserver.userfriendlyname=SSL Server Certificate
@@ -60,6 +62,7 @@ preop.cert.subsystem.keysize.custom_size=2048
 preop.cert.subsystem.keysize.size=2048
 preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
 preop.cert.subsystem.profile=caInternalAuthSubsystemCert
+preop.cert.subsystem.signing.required=false
 preop.cert.subsystem.subsystem=tks
 preop.cert.subsystem.type=remote
 preop.cert.subsystem.userfriendlyname=Subsystem Certificate
@@ -152,6 +155,9 @@ debug.filename=[PKI_INSTANCE_PATH]/logs/debug
 debug.hashkeytypes=
 debug.level=0
 debug.showcaller=false
+keys.ecc.curve.list=nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
+keys.ecc.curve.default=nistp521
+keys.rsa.keysize.default=2048
 internaldb._000=##
 internaldb._001=## Internal Database
 internaldb._002=## |