authorjmagne <jmagne@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-12-15 22:21:26 +0000
committerjmagne <jmagne@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-12-15 22:21:26 +0000
commit717ddc7782211ce853d7b2d48859041e2b59559a (patch)
tree387a38db54b44e2da6267cd7f0e766e1d81542fe
parentb5a7e18271854491bacb02921c84806d87c399d2 (diff)
Fix Bugzilla Bug 661196 - ECC(with nethsm) subca configuration fails with Key Type RSA Not Matched despite using ECC key pairs for rootCA & subCA.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1639 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
-rw-r--r--pki/base/ca/shared/profiles/ca/caCMCUserCert.cfg2
-rw-r--r--pki/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg2
-rw-r--r--pki/base/ca/shared/profiles/ca/caInstallCACert.cfg2
-rw-r--r--pki/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg2
-rw-r--r--pki/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg2
-rw-r--r--pki/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg2
-rw-r--r--pki/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg2
-rw-r--r--pki/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg2
-rw-r--r--pki/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg2
-rw-r--r--pki/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg2
-rw-r--r--pki/base/common/src/com/netscape/cms/profile/constraint/KeyConstraint.java4
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java1
12 files changed, 13 insertions, 12 deletions
diff --git a/pki/base/ca/shared/profiles/ca/caCMCUserCert.cfg b/pki/base/ca/shared/profiles/ca/caCMCUserCert.cfg
index e80dfe23..8d402f77 100644
--- a/pki/base/ca/shared/profiles/ca/caCMCUserCert.cfg
+++ b/pki/base/ca/shared/profiles/ca/caCMCUserCert.cfg
@@ -30,7 +30,7 @@ policyset.cmcUserCertSet.2.default.params.range=180
policyset.cmcUserCertSet.2.default.params.startTime=0
policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
policyset.cmcUserCertSet.3.constraint.name=Key Constraint
-policyset.cmcUserCertSet.3.constraint.params.keyType=RSA
+policyset.cmcUserCertSet.3.constraint.params.keyType=-
policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
policyset.cmcUserCertSet.3.default.name=Key Default
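Review bot: With `constraint.params.keyType=-` the profile no longer restricts the key algorithm, yet the adjacent `keyParameters=1024,2048,3072,4096` still lists only RSA modulus sizes, so nothing here sets a strength floor for EC keys. The KeyConstraint.java hunk in this commit states that curve names are not evaluated, so an EC request would apparently satisfy this constraint with any curve. The same holds for the other nine profiles changed in this commit, including caInstallCACert.cfg, which by its name governs CA certificates. Consider keeping `keyType=RSA` in profiles that do not need EC, and documenting next to each relaxed profile that `keyParameters` constrains RSA sizes only until EC curve validation exists.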
diff --git a/pki/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg b/pki/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg
index 127a1332..c9507b56 100644
--- a/pki/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg
+++ b/pki/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg
@@ -30,7 +30,7 @@ policyset.cmcUserCertSet.2.default.params.startTime=0
policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
policyset.cmcUserCertSet.3.constraint.name=Key Constraint
policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
-policyset.cmcUserCertSet.3.constraint.params.keyType=RSA
+policyset.cmcUserCertSet.3.constraint.params.keyType=-
policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
policyset.cmcUserCertSet.3.default.name=Key Default
policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
diff --git a/pki/base/ca/shared/profiles/ca/caInstallCACert.cfg b/pki/base/ca/shared/profiles/ca/caInstallCACert.cfg
index 36721c1d..43588fe3 100644
--- a/pki/base/ca/shared/profiles/ca/caInstallCACert.cfg
+++ b/pki/base/ca/shared/profiles/ca/caInstallCACert.cfg
@@ -30,7 +30,7 @@ policyset.caCertSet.2.default.params.range=720
policyset.caCertSet.2.default.params.startTime=0
policyset.caCertSet.3.constraint.class_id=keyConstraintImpl
policyset.caCertSet.3.constraint.name=Key Constraint
-policyset.caCertSet.3.constraint.params.keyType=RSA
+policyset.caCertSet.3.constraint.params.keyType=-
policyset.caCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.caCertSet.3.default.class_id=userKeyDefaultImpl
policyset.caCertSet.3.default.name=Key Default
diff --git a/pki/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg b/pki/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
index 3d72b20f..11b8d78f 100644
--- a/pki/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
+++ b/pki/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
@@ -30,7 +30,7 @@ policyset.auditSigningCertSet.2.default.params.range=720
policyset.auditSigningCertSet.2.default.params.startTime=0
policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl
policyset.auditSigningCertSet.3.constraint.name=Key Constraint
-policyset.auditSigningCertSet.3.constraint.params.keyType=RSA
+policyset.auditSigningCertSet.3.constraint.params.keyType=-
policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl
policyset.auditSigningCertSet.3.default.name=Key Default
diff --git a/pki/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg b/pki/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
index 55185aa9..de226b63 100644
--- a/pki/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
+++ b/pki/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
@@ -30,7 +30,7 @@ policyset.ocspCertSet.2.default.params.range=720
policyset.ocspCertSet.2.default.params.startTime=0
policyset.ocspCertSet.3.constraint.class_id=keyConstraintImpl
policyset.ocspCertSet.3.constraint.name=Key Constraint
-policyset.ocspCertSet.3.constraint.params.keyType=RSA
+policyset.ocspCertSet.3.constraint.params.keyType=-
policyset.ocspCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.ocspCertSet.3.default.class_id=userKeyDefaultImpl
policyset.ocspCertSet.3.default.name=Key Default
diff --git a/pki/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg b/pki/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg
index 9d42b852..de07df56 100644
--- a/pki/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg
+++ b/pki/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg
@@ -30,7 +30,7 @@ policyset.ocspCertSet.2.default.params.range=720
policyset.ocspCertSet.2.default.params.startTime=0
policyset.ocspCertSet.3.constraint.class_id=keyConstraintImpl
policyset.ocspCertSet.3.constraint.name=Key Constraint
-policyset.ocspCertSet.3.constraint.params.keyType=RSA
+policyset.ocspCertSet.3.constraint.params.keyType=-
policyset.ocspCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.ocspCertSet.3.default.class_id=userKeyDefaultImpl
policyset.ocspCertSet.3.default.name=Key Default
diff --git a/pki/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg b/pki/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
index a343a384..f639d243 100644
--- a/pki/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
+++ b/pki/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
@@ -30,7 +30,7 @@ policyset.serverCertSet.2.default.params.range=720
policyset.serverCertSet.2.default.params.startTime=0
policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.3.constraint.name=Key Constraint
-policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyType=-
policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
policyset.serverCertSet.3.default.name=Key Default
diff --git a/pki/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg b/pki/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg
index c6cf2dd0..73f21948 100644
--- a/pki/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg
+++ b/pki/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg
@@ -32,7 +32,7 @@ policyset.serverCertSet.2.default.params.range=720
policyset.serverCertSet.2.default.params.startTime=0
policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.3.constraint.name=Key Constraint
-policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyType=-
policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
policyset.serverCertSet.3.default.name=Key Default
diff --git a/pki/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg b/pki/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
index ddbc37a5..1faa6100 100644
--- a/pki/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
+++ b/pki/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
@@ -30,7 +30,7 @@ policyset.transportCertSet.2.default.params.range=720
policyset.transportCertSet.2.default.params.startTime=0
policyset.transportCertSet.3.constraint.class_id=keyConstraintImpl
policyset.transportCertSet.3.constraint.name=Key Constraint
-policyset.transportCertSet.3.constraint.params.keyType=RSA
+policyset.transportCertSet.3.constraint.params.keyType=-
policyset.transportCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.transportCertSet.3.default.class_id=userKeyDefaultImpl
policyset.transportCertSet.3.default.name=Key Default
diff --git a/pki/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg b/pki/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
index ee0df883..a823bab1 100644
--- a/pki/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
+++ b/pki/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
@@ -29,7 +29,7 @@ policyset.cmcUserCertSet.2.default.params.startTime=0
policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
policyset.cmcUserCertSet.3.constraint.name=Key Constraint
policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
-policyset.cmcUserCertSet.3.constraint.params.keyType=RSA
+policyset.cmcUserCertSet.3.constraint.params.keyType=-
policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
policyset.cmcUserCertSet.3.default.name=Key Default
policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
diff --git a/pki/base/common/src/com/netscape/cms/profile/constraint/KeyConstraint.java b/pki/base/common/src/com/netscape/cms/profile/constraint/KeyConstraint.java
index 01fd7eb0..a94536e8 100644
--- a/pki/base/common/src/com/netscape/cms/profile/constraint/KeyConstraint.java
+++ b/pki/base/common/src/com/netscape/cms/profile/constraint/KeyConstraint.java
@@ -84,7 +84,7 @@ public class KeyConstraint extends EnrollConstraint {
public IDescriptor getConfigDescriptor(Locale locale, String name) {
if (name.equals(CONFIG_KEY_TYPE)) {
- return new Descriptor(IDescriptor.CHOICE, "RSA,EC",
+ return new Descriptor(IDescriptor.CHOICE, "-,RSA,EC",
"RSA",
CMS.getUserMessage(locale, "CMS_PROFILE_KEY_TYPE"));
} else if (name.equals(CONFIG_KEY_PARAMETERS)) {
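Review bot: The choice list gains `-`, but nothing in the descriptor tells an administrator what that value means, and the default on the next line stays `"RSA"` while the profiles shipped in this commit now use `-`. Judging by the `isOptional(keyType)` call in the next hunk, `-` means "no key-type restriction"; a comment above the return would make that explicit: `// "-" = any key type accepted (see isOptional); EC keys are then not curve-checked`. The CMS_PROFILE_KEY_TYPE message text is outside this page and may need the same explanation. getConfigDescriptor starts and continues outside the hunk.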
@@ -144,7 +144,7 @@ public class KeyConstraint extends EnrollConstraint {
if (alg.equals("EC")) {
//For now only check for legal EC key type.
//We don't have the required EC key class to evaluate curve names.
- if (!alg.equals(keyType)) {
+ if (!alg.equals(keyType) && !isOptional(keyType)) {
throw new ERejectException(
CMS.getUserMessage(
getLocale(request),
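Review bot: When `keyType` is `-`, the EC branch now performs no validation at all, because the type comparison was its only test and the comment above it says curve names cannot be evaluated. Any EC public key is therefore accepted by a profile configured with `-`, whatever its curve or strength. The gap should be marked at the condition, for example `// keyType "-" accepts any EC key; curve is NOT validated - TODO enforce an allowed-curve list`, and it would help to log when an EC key is accepted through the optional path. The non-EC path is outside the hunk; it is worth confirming that it applies the same `isOptional` guard so RSA requests are not rejected under `-`.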
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
index 43fa3e0d..dc8adaf9 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
@@ -58,6 +58,7 @@ public class CertUtil {
throws IOException {
HttpClient httpclient = new HttpClient();
String c = null;
+ CMS.debug("CertUtil createRemoteCert: content " + content);
try {
JssSSLSocketFactory factory = new JssSSLSocketFactory();
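Review bot: The added `CMS.debug("CertUtil createRemoteCert: content " + content)` writes the entire request body to the debug log before it is sent over the JSS SSL connection. `content` is built outside the hunk; if it carries credentials, a session identifier or the full certificate request, those values end up in a log file that is usually readable by more people than the TLS channel protects against. Log only non-sensitive facts instead, e.g. `CMS.debug("CertUtil createRemoteCert: content length " + (content == null ? 0 : content.length()));`, or redact known secret parameters before logging. The method starts and continues outside the hunk.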