From f9102b8df60d50e00d2a45915d06837510cfd1aa Mon Sep 17 00:00:00 2001
From: Matthew Harmsen
Date: Tue, 28 Jul 2015 19:56:26 -0600
Subject: Add certutil options for ECC

- PKI TRAC Ticket #1524 - pkispawn: certutil options incorrect for creating ecc admin certificate
---
 base/server/etc/default.cfg | 1 +
 base/server/man/man5/pki_default.cfg.5 | 2 +-
 base/server/man/man8/pkispawn.8 | 4 ++-
 .../python/pki/server/deployment/pkihelper.py | 30 ++++++++++++++++++++-
 .../python/pki/server/deployment/pkimessages.py | 6 ++++-
 5 files changed, 38 insertions(+), 5 deletions(-)

diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index 58f338692..26ffd0d38 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -66,6 +66,7 @@ pki_admin_cert_file=%(pki_client_dir)s/ca_admin.cert
 pki_admin_cert_request_type=pkcs10
 pki_admin_dualkey=False
 pki_admin_keysize=2048
+pki_admin_key_type=rsa
 pki_admin_password=
 pki_audit_group=pkiaudit
 pki_audit_signing_key_algorithm=SHA256withRSA
diff --git a/base/server/man/man5/pki_default.cfg.5 b/base/server/man/man5/pki_default.cfg.5
index df4f94428..17130aecf 100644
--- a/base/server/man/man5/pki_default.cfg.5
+++ b/base/server/man/man5/pki_default.cfg.5
@@ -125,7 +125,7 @@ Password for the admin user. This password is used to log into the pki-console
 .IP
 Email address for the admin user.
 .TP
-.B pki_admin_dualkey, pki_admin_keysize, pki_admin_keytype
+.B pki_admin_dualkey, pki_admin_keysize, pki_admin_key_type
 .IP
 Settings for the administrator certificate and keys.
 .TP
diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8
index 8d8a4ff41..411d93f0e 100644
--- a/base/server/man/man8/pkispawn.8
+++ b/base/server/man/man8/pkispawn.8
@@ -265,6 +265,8 @@ where \fImyconfig.txt\fP contains the following text:
 .nf
 [DEFAULT]
 pki_admin_password=\fISecret123\fP
+pki_admin_keysize=nistp256
+pki_admin_key_type=ecc
 pki_client_pkcs12_password=\fISecret123\fP
 pki_ds_password=\fISecret123\fP
 pki_ssl_server_key_algorithm=SHA256withEC
@@ -286,7 +288,7 @@ pki_ocsp_signing_signing_algorithm=SHA256withEC
 .fi
 .PP
-In order to utilize ECC, the SSL Server and Subsystem key algorithm, key size, and key type should be changed from SHA256withRSA --> SHA256withEC, 2048 --> nistp256, and rsa --> ecc, respectively.
+In order to utilize ECC, the SSL Server and Subsystem key algorithm, key size, and key type should be changed from SHA256withRSA --> SHA256withEC, 2048 --> nistp256, and rsa --> ecc, respectively. To use an ECC admin key size and key type, the values should also be changed from 2048 --> nistp256, and rsa --> ecc.
 .PP
 Additionally, for a CA subsystem, both the CA and OCSP Signing key algorithm, key size, key type, and signing algorithm should be changed from SHA256withRSA --> SHA256withEC, 2048 --> nistp256, rsa --> ecc, and SHA256withRSA --> SHA256withEC,respectively.
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index b02333d54..93fa38494 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -2539,7 +2539,7 @@ class Certutil:
                 raise
         return
 
-    def generate_certificate_request(self, subject, key_size,
+    def generate_certificate_request(self, subject, key_type, key_size,
                                      password_file, noise_file,
                                      output_file=None, path=None,
                                      ascii_format=None, token=None,
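Review bot: `key_type` is inserted as a new positional parameter ahead of `key_size` in `generate_certificate_request`, so any caller this commit does not update that still passes `(subject, key_size, ...)` positionally will have its key size land in `key_type` and fail at runtime with the invalid-key-type error the next hunk adds. Only the ConfigClient call site is updated in this patch; whether other callers exist cannot be seen from here, but appending `key_type=None` at the end of the signature and passing it by keyword, `key_type=self.mdict['pki_admin_key_type']`, would keep existing positional callers working. A docstring line stating that `key_size` is interpreted as a curve name when `key_type` is `"ecc"` would also belong here, since that contract is otherwise only visible deep in the body. The signature continues past the end of this hunk.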
@@ -2562,8 +2562,33 @@ class Certutil:
                 extra=config.PKI_INDENTATION_LEVEL_2)
             raise Exception(log.PKIHELPER_CERTUTIL_MISSING_SUBJECT)
 
+        if key_type:
+            if key_type == "ecc":
+                command.extend(["-k", "ec"])
+                if not key_size:
+                    # supply a default curve for an 'ecc' key type
+                    command.extend(["-q", "nistp256"])
+            elif key_type == "rsa":
+                command.extend(["-k", str(key_type)])
+            else:
+                config.pki_log.error(
+                    log.PKIHELPER_CERTUTIL_INVALID_KEY_TYPE_1,
+                    key_type,
+                    extra=config.PKI_INDENTATION_LEVEL_2)
+                raise Exception(
+                    log.PKIHELPER_CERTUTIL_INVALID_KEY_TYPE_1 % key_type)
+        else:
+            config.pki_log.error(
+                log.PKIHELPER_CERTUTIL_MISSING_KEY_TYPE,
+                extra=config.PKI_INDENTATION_LEVEL_2)
+            raise Exception(log.PKIHELPER_CERTUTIL_MISSING_KEY_TYPE)
+
         if key_size:
-            command.extend(["-g", str(key_size)])
+            if key_type == "ecc":
+                # For ECC, the key_size will actually contain the key curve
+                command.extend(["-q", str(key_size)])
+            else:
+                command.extend(["-g", str(key_size)])
 
         if noise_file:
             command.extend(["-z", noise_file])
@@ -4369,6 +4394,7 @@ class ConfigClient:
         self.deployer.certutil.generate_certificate_request(
             self.mdict['pki_admin_subject_dn'],
+            self.mdict['pki_admin_key_type'],
             self.mdict['pki_admin_keysize'],
             self.mdict['pki_client_password_conf'],
             noise_file,
diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py
index ff3d3704a..cc9102161 100644
--- a/base/server/python/pki/server/deployment/pkimessages.py
+++ b/base/server/python/pki/server/deployment/pkimessages.py
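Review bot: The ECC curve handling is split across two places in the new code — the `-q nistp256` fallback inside the `key_type == "ecc"` branch and a second `key_type == "ecc"` test inside `if key_size:` — with the default curve as a bare literal; folding both into the ecc branch as `command.extend(["-k", "ec", "-q", str(key_size or "nistp256")])` and leaving the `-g` extend to the rsa path removes the duplicated comparison (certutil does not care about option order). The comparisons are exact-case, so `ECC` or `RSA` in a deployment config would reach the invalid-key-type error rather than being accepted; if that is not intended, `key_type = key_type.lower()` before the block is a one-line fix, and the `str(key_type)` in the rsa branch can simply be `"rsa"`. The inline comment explaining that `key_size` carries a curve name for ECC belongs at the top of the `if key_type:` block, where a reader first meets the `-q` option. The enclosing method starts before this hunk and continues after it.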
@@ -171,10 +171,14 @@ IMPORTANT:
 PKIHELPER_APPLY_SLOT_SUBSTITUTION_1 = \
     "applying in-place slot substitutions on '%s'"
 PKIHELPER_CERTUTIL_GENERATE_CSR_1 = "executing '%s'"
+PKIHELPER_CERTUTIL_INVALID_KEY_TYPE_1 = \
+    "certutil: Invalid key type '%s'; valid types are 'ecc' or 'rsa'!"
 PKIHELPER_CERTUTIL_MISSING_INPUT_FILE = \
-    "certutil: Missing '-i input-file' option!"
+    "certutil: Missing '-i input-file' option!"
 PKIHELPER_CERTUTIL_MISSING_ISSUER_NAME = \
     "certutil: Missing '-c issuer-name' option!"
+PKIHELPER_CERTUTIL_MISSING_KEY_TYPE = \
+    "certutil: Missing '-k key-type-or-id' option (must be 'ecc' or 'rsa')!"
 PKIHELPER_CERTUTIL_MISSING_NICKNAME = \
     "certutil: Missing '-n nickname' option!"
 PKIHELPER_CERTUTIL_MISSING_NOISE_FILE = \
-- 
cgit
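Review bot: `PKIHELPER_CERTUTIL_MISSING_KEY_TYPE` tells the operator that certutil's `-k key-type-or-id` option must be `'ecc'` or `'rsa'`, but `'ecc'` is the pkispawn-level value that pkihelper translates to `-k ec`; someone checking the message against certutil's own option list will not find `'ecc'`. Since the missing value is the `key_type` argument rather than a literal certutil option, wording such as `"certutil: Missing key type (must be 'ecc' or 'rsa')!"` describes the actual condition more accurately. The `-`/`+` pair for `PKIHELPER_CERTUTIL_MISSING_INPUT_FILE` shows no visible difference here, so it is presumably a whitespace-only change.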