From f9102b8df60d50e00d2a45915d06837510cfd1aa Mon Sep 17 00:00:00 2001
From: Matthew Harmsen
Date: Tue, 28 Jul 2015 19:56:26 -0600
Subject: Add certutil options for ECC

- PKI TRAC Ticket #1524
- pkispawn: certutil options incorrect for creating ecc admin certificate
---
 .../python/pki/server/deployment/pkihelper.py | 30 ++++++++++++++++++++--
 .../python/pki/server/deployment/pkimessages.py | 6 ++++-
 2 files changed, 33 insertions(+), 3 deletions(-)
(limited to 'base/server/python/pki/server')

diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index b02333d54..93fa38494 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -2539,7 +2539,7 @@ class Certutil:
             raise
         return
 
-    def generate_certificate_request(self, subject, key_size,
+    def generate_certificate_request(self, subject, key_type, key_size,
                                      password_file, noise_file,
                                      output_file=None, path=None,
                                      ascii_format=None, token=None,
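Review bot: The new `key_type` parameter is inserted positionally ahead of `key_size`, so any caller of generate_certificate_request that this patch does not touch would now pass its key size where the key type is expected; only the ConfigClient call site is updated here, and the patch does not show whether other callers exist. The signature also gives `key_size` a second meaning with no documentation: for `ecc` it carries a named curve rather than a bit length. I would add a docstring to the method stating the contract, e.g. `key_type: 'rsa' or 'ecc'. key_size: RSA modulus size in bits, or for 'ecc' the named curve handed to certutil -q.` The method's body continues outside this hunk.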
@@ -2562,8 +2562,33 @@ class Certutil:
                 extra=config.PKI_INDENTATION_LEVEL_2)
             raise Exception(log.PKIHELPER_CERTUTIL_MISSING_SUBJECT)
 
+        if key_type:
+            if key_type == "ecc":
+                command.extend(["-k", "ec"])
+                if not key_size:
+                    # supply a default curve for an 'ecc' key type
+                    command.extend(["-q", "nistp256"])
+            elif key_type == "rsa":
+                command.extend(["-k", str(key_type)])
+            else:
+                config.pki_log.error(
+                    log.PKIHELPER_CERTUTIL_INVALID_KEY_TYPE_1,
+                    key_type,
+                    extra=config.PKI_INDENTATION_LEVEL_2)
+                raise Exception(
+                    log.PKIHELPER_CERTUTIL_INVALID_KEY_TYPE_1 % key_type)
+        else:
+            config.pki_log.error(
+                log.PKIHELPER_CERTUTIL_MISSING_KEY_TYPE,
+                extra=config.PKI_INDENTATION_LEVEL_2)
+            raise Exception(log.PKIHELPER_CERTUTIL_MISSING_KEY_TYPE)
+
         if key_size:
-            command.extend(["-g", str(key_size)])
+            if key_type == "ecc":
+                # For ECC, the key_size will actually contain the key curve
+                command.extend(["-q", str(key_size)])
+            else:
+                command.extend(["-g", str(key_size)])
 
         if noise_file:
             command.extend(["-z", noise_file])
@@ -4369,6 +4394,7 @@ class ConfigClient:
             self.deployer.certutil.generate_certificate_request(
                 self.mdict['pki_admin_subject_dn'],
+                self.mdict['pki_admin_key_type'],
                 self.mdict['pki_admin_keysize'],
                 self.mdict['pki_client_password_conf'],
                 noise_file,
diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py
index ff3d3704a..cc9102161 100644
--- a/base/server/python/pki/server/deployment/pkimessages.py
+++ b/base/server/python/pki/server/deployment/pkimessages.py
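Review bot: The ECC curve selection is split across two places in this hunk — the `"-q", "nistp256"` default inside the key_type block and `"-q", str(key_size)` in the later key_size block — so a reader has to correlate both to know what certutil receives, and `str(key_type)` in the rsa branch is redundant since key_type was just compared equal to "rsa". I would emit the curve once inside the ecc branch, `command.extend(["-q", str(key_size) if key_size else "nistp256"])`, and reduce the later block to `if key_size and key_type != "ecc": command.extend(["-g", str(key_size)])`. Note also that only the key type is validated here: whatever string arrives in key_size (the `pki_admin_keysize` value passed by the ConfigClient hunk on this line) is forwarded to certutil unchecked, so a misspelled curve name surfaces only as a certutil failure at run time — an allow-list check, or at least a comment stating that certutil is the validator, would make that explicit. generate_certificate_request starts before and ends after this hunk.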
@@ -171,10 +171,14 @@ IMPORTANT:
 PKIHELPER_APPLY_SLOT_SUBSTITUTION_1 = \
     "applying in-place slot substitutions on '%s'"
 PKIHELPER_CERTUTIL_GENERATE_CSR_1 = "executing '%s'"
+PKIHELPER_CERTUTIL_INVALID_KEY_TYPE_1 = \
+    "certutil: Invalid key type '%s'; valid types are 'ecc' or 'rsa'!"
 PKIHELPER_CERTUTIL_MISSING_INPUT_FILE = \
-    "certutil: Missing '-i input-file' option!"
+    "certutil: Missing '-i input-file' option!"
 PKIHELPER_CERTUTIL_MISSING_ISSUER_NAME = \
     "certutil: Missing '-c issuer-name' option!"
+PKIHELPER_CERTUTIL_MISSING_KEY_TYPE = \
+    "certutil: Missing '-k key-type-or-id' option (must be 'ecc' or 'rsa')!"
 PKIHELPER_CERTUTIL_MISSING_NICKNAME = \
     "certutil: Missing '-n nickname' option!"
 PKIHELPER_CERTUTIL_MISSING_NOISE_FILE = \
-- cgit