From daa4b591dfed937a8384babbe6d39686b70f7efd Mon Sep 17 00:00:00 2001
From: Andrew Wnuk
Date: Wed, 29 Feb 2012 18:31:58 -0800
Subject: Option to change default algorithms

RSA should be default selection for transport, storage, and audit keys till ECC is fully implemented.
Bug #787806.
---
 pki/base/ca/shared/conf/CS.cfg.in | 1 +
 .../netscape/cms/servlet/csadmin/SizePanel.java | 2 +
 pki/base/kra/shared/conf/CS.cfg.in | 1 +
 pki/base/ocsp/shared/conf/CS.cfg.in | 1 +
 pki/base/tks/shared/conf/CS.cfg.in | 1 +
 .../shared/admin/console/config/sizepanel.vm | 44 ++++++++++++++++++----
 6 files changed, 43 insertions(+), 7 deletions(-)
(limited to 'pki')

diff --git a/pki/base/ca/shared/conf/CS.cfg.in b/pki/base/ca/shared/conf/CS.cfg.in
index 13278ae72..1ba0d2f40 100644
--- a/pki/base/ca/shared/conf/CS.cfg.in
+++ b/pki/base/ca/shared/conf/CS.cfg.in
@@ -59,6 +59,7 @@ ca.cert.sslserver.certusage=SSLServer
 ca.cert.subsystem.certusage=SSLClient
 ca.cert.audit_signing.certusage=ObjectSigner
 preop.cert.list=signing,ocsp_signing,sslserver,subsystem,audit_signing
+preop.cert.rsalist=audit_signing
 preop.cert.signing.enable=true
 preop.cert.ocsp_signing.enable=true
 preop.cert.sslserver.enable=true
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java
index 03f0e186d..678145a92 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java
@@ -153,6 +153,8 @@ public class SizePanel extends WizardPanelBase {
         // same token for now
         String token = config.getString(PRE_CONF_CA_TOKEN);
         String certTags = config.getString("preop.cert.list");
+        String rsaCertTags = config.getString("preop.cert.rsalist", "");
+        context.put("rsaTags", rsaCertTags);
         StringTokenizer st = new StringTokenizer(certTags, ",");
         mShowSigning = false;
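Review bot: `rsaCertTags` is put into the template context exactly as read from CS.cfg, and sizepanel.vm in this same patch embeds it in a JavaScript string literal as `var rsaTags = "${rsaTags}";`, so a value containing a double quote, backslash or line break breaks the page script. The value comes from the server's own configuration rather than from the request, so in the default deployment this is a robustness rather than an injection concern, but the servlet is the right place to pin the expected shape. I would restrict it to the characters a certificate tag can contain and fall back to the empty default otherwise, e.g. `if (!rsaCertTags.matches("[A-Za-z0-9_,]*")) rsaCertTags = "";`, with a log line so a rejected value is visible. Entries that do not also appear in `preop.cert.list` are silently ignored as well, which is worth a comment on the new line. The enclosing method continues outside the hunk.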
diff --git a/pki/base/kra/shared/conf/CS.cfg.in b/pki/base/kra/shared/conf/CS.cfg.in
index c99058b74..19570155c 100644
--- a/pki/base/kra/shared/conf/CS.cfg.in
+++ b/pki/base/kra/shared/conf/CS.cfg.in
@@ -49,6 +49,7 @@ kra.cert.sslserver.certusage=SSLServer
 kra.cert.subsystem.certusage=SSLClient
 kra.cert.audit_signing.certusage=ObjectSigner
 preop.cert.list=transport,storage,sslserver,subsystem,audit_signing
+preop.cert.rsalist=transport,storage,audit_signing
 preop.cert.transport.enable=true
 preop.cert.storage.enable=true
 preop.cert.sslserver.enable=true
diff --git a/pki/base/ocsp/shared/conf/CS.cfg.in b/pki/base/ocsp/shared/conf/CS.cfg.in
index c05c23fbb..4dbda23cb 100644
--- a/pki/base/ocsp/shared/conf/CS.cfg.in
+++ b/pki/base/ocsp/shared/conf/CS.cfg.in
@@ -43,6 +43,7 @@ preop.configModules.count=3
 preop.module.token=Internal Key Storage Token
 ocsp.cert.list=signing,sslserver,subsystem,audit_signing
 preop.cert.list=signing,sslserver,subsystem,audit_signing
+preop.cert.rsalist=audit_signing
 ocsp.cert.signing.certusage=StatusResponder
 ocsp.cert.sslserver.certusage=SSLServer
 ocsp.cert.subsystem.certusage=SSLClient
diff --git a/pki/base/tks/shared/conf/CS.cfg.in b/pki/base/tks/shared/conf/CS.cfg.in
index 213b7645f..bf195d234 100644
--- a/pki/base/tks/shared/conf/CS.cfg.in
+++ b/pki/base/tks/shared/conf/CS.cfg.in
@@ -34,6 +34,7 @@ tks.cert.sslserver.certusage=SSLServer
 tks.cert.subsystem.certusage=SSLClient
 tks.cert.audit_signing.certusage=ObjectSigner
 preop.cert.list=sslserver,subsystem,audit_signing
+preop.cert.rsalist=audit_signing
 preop.cert.sslserver.enable=true
 preop.cert.subsystem.enable=true
 preop.cert.audit_signing.enable=true
diff --git a/pki/dogtag/common-ui/shared/admin/console/config/sizepanel.vm b/pki/dogtag/common-ui/shared/admin/console/config/sizepanel.vm
index d8b3c3108..ef80ecf20 100644
--- a/pki/dogtag/common-ui/shared/admin/console/config/sizepanel.vm
+++ b/pki/dogtag/common-ui/shared/admin/console/config/sizepanel.vm
@@ -35,6 +35,13 @@ var rsalist="${rsalist}";
 var ecclist="${ecclist}";
 var curvelist="${curvelist}";
 var displaycurvelist = "${displaycurvelist}";
+var rsaTags = "${rsaTags}";
+var additionalMessage = "";
+if (rsaTags.length > 0) {
+    additionalMessage = (rsaTags.indexOf(",") != -1)?
+    "

IMPORTANT: Currently, the Audit Log Signing, Transport, and Storage functionality ONLY support RSA keys. Users that require ECC keys MUST first select the ECC key type and then verify on the Advanced tab that RSA keys are selected for the Audit Log Signing Certificate, Transport Certificate, and Storage Certificate. All other keys can be ECC.":
+    "

IMPORTANT: Currently, the Audit Log Signing functionality ONLY supports RSA keys. Users that require ECC keys MUST first select the ECC key type and then verify on the Advanced tab that an RSA key is selected for the Audit Log Signing Certificate. All other keys can be ECC.";
+}
 
 function myOnLoad() {
     var form = document.forms[0];
@@ -143,7 +150,7 @@ function setAlgOptions(keyType, certTag)
     } else {
         algSelect = document.forms[0].elements[certTag + '_keyalgorithm'];
     }
-    if (algSelect == undefined) {
+    if (typeof(algSelect) == "undefined") {
         return;
     }
     algSelect.options.length=0;
@@ -179,6 +186,9 @@ function setSigningAlgOptions(keyType, certTag)
     } else {
         algSelect = document.forms[0].elements[certTag + '_signingalgorithm'];
     }
+    if (typeof(algSelect) == "undefined") {
+        return;
+    }
     algSelect.options.length=0;
     if (keyType == "rsa") {
         list = rsalist.split(",");
@@ -229,6 +239,17 @@ function toggleAllKeyCurves(keyType)
     }
 }
 
+function indexOfTag(tag)
+{
+    var index = rsaTags.indexOf(tag);
+    if (index > 0) {
+        if (rsaTags.charAt(index-1) != ',') {
+            index = -1;
+        }
+    }
+    return index;
+}
+
 function keyTypeChange(certTag)
 {
     var form = document.forms[0];
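Review bot: The warning text in the `additionalMessage` ternary is chosen by whether `rsaTags` contains a comma, not by which tags it actually lists, so any multi-entry list gets the Transport/Storage wording and a single entry other than `audit_signing` still gets the Audit Log Signing wording. The tag list is already in scope at this point, so deriving the certificate names from it (a small tag-to-display-name lookup and a join) would keep the message in step with `preop.cert.rsalist` when a subsystem changes its defaults. The content of the two string literals appears to have lost its markup in this rendering, so the exact text should be checked against the file. `myOnLoad` and the rest of the script continue outside the hunk.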
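Review bot: `indexOfTag` is a substring search over `rsaTags` that checks only the character before a match, and skips even that when the match is at offset 0, so a tag that is a prefix of a configured entry (constructed example: `audit` against `audit_signing`) or that ends inside one is treated as RSA-only. Splitting on the comma and comparing whole entries removes both cases. `keyTypeChange` only tests the result against -1, so returning the array position keeps the caller unchanged.
```javascript
function indexOfTag(tag)
{
    var tags = rsaTags.split(",");
    for (var i = 0; i < tags.length; i++) {
        if (tags[i] == tag) {
            return i;
        }
    }
    return -1;
}
```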
@@ -237,13 +258,18 @@ function keyTypeChange(certTag)
         keyTypeSelect = document.forms[0].elements['keytype'];
         for (var i = 0; i < form.length; i++) {
             var name = form[i].name;
-            if (name.indexOf('_keytype') != -1) {
-                form.elements[name].selectedIndex = keyTypeSelect.selectedIndex;
+            var k = name.indexOf('_keytype');
+            if (k != -1) {
+                var tag = name.substring(0, k);
+                if ((keyTypeSelect.value.indexOf('ecc') != -1) &&
+                    (indexOfTag(tag) == -1)) {
+                    form.elements[name].selectedIndex = keyTypeSelect.selectedIndex;
+                    setAlgOptions(keyTypeSelect.value, tag);
+                    setSigningAlgOptions(keyTypeSelect.value, tag);
+                    toggleKeyCurve(keyTypeSelect.value, tag);
+                }
             }
         }
-        setAllAlgOptions(keyTypeSelect.value);
-        setAllSigningAlgOptions(keyTypeSelect.value);
-        toggleAllKeyCurves(keyTypeSelect.value);
     } else {
         keyTypeSelect = document.forms[0].elements[certTag + '_keytype'];
         toggleKeyCurve(keyTypeSelect.value, certTag);
@@ -337,7 +363,11 @@ function displayCurveList()
 }
-Select the key pair type(s), associated key pair size(s) or curve name(s), and signature algorithm(s) from the pulldown menus. Currently, the Audit Log Signing functionality only supports RSA keys. Users that require ECC keys must select the Advanced tab, and specify RSA keys for the Audit Log Signing Certificate. All other keys can be ECC. [Details]
+Select the key pair type(s), associated key pair size(s) or curve name(s), and signature algorithm(s) from the pulldown menus.
+
+ [Details]
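Review bot: The per-certificate update inside the loop now runs only when the global key type contains `ecc`, so selecting RSA in the global selector no longer propagates to the `*_keytype` selects or refreshes their algorithm and curve lists; the unconditional `setAllAlgOptions`/`setAllSigningAlgOptions`/`toggleAllKeyCurves` calls this hunk removes were what did that before. Unless leaving the per-certificate choices untouched on an RSA selection is intended (not clear from here), the guard should exclude only the RSA-only tags in the ECC case: `if ((keyTypeSelect.value.indexOf('ecc') == -1) || (indexOfTag(tag) == -1)) {`. With those three calls removed, the `setAll*` helpers may now have no callers in this file. `keyTypeChange` continues outside the hunk.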