authorAndrew Wnuk <awnuk@redhat.com>2012-02-29 18:31:58 -0800
committerAndrew Wnuk <awnuk@redhat.com>2012-02-29 18:31:58 -0800
commitdaa4b591dfed937a8384babbe6d39686b70f7efd (patch)
tree5e5ec111681ee54d289a33a873ba85cc42732504
parenta42cc41559436f94ba38b3d54b2d52b2126147b8 (diff)
Option to change default algorithms
RSA should be default selection for transport, storage, and audit keys till ECC is fully implemented. Bug #787806.
-rw-r--r--pki/base/ca/shared/conf/CS.cfg.in1
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java2
-rw-r--r--pki/base/kra/shared/conf/CS.cfg.in1
-rw-r--r--pki/base/ocsp/shared/conf/CS.cfg.in1
-rw-r--r--pki/base/tks/shared/conf/CS.cfg.in1
-rw-r--r--pki/dogtag/common-ui/shared/admin/console/config/sizepanel.vm44
6 files changed, 43 insertions, 7 deletions
diff --git a/pki/base/ca/shared/conf/CS.cfg.in b/pki/base/ca/shared/conf/CS.cfg.in
index 13278ae7..1ba0d2f4 100644
--- a/pki/base/ca/shared/conf/CS.cfg.in
+++ b/pki/base/ca/shared/conf/CS.cfg.in
@@ -59,6 +59,7 @@ ca.cert.sslserver.certusage=SSLServer
ca.cert.subsystem.certusage=SSLClient
ca.cert.audit_signing.certusage=ObjectSigner
preop.cert.list=signing,ocsp_signing,sslserver,subsystem,audit_signing
+preop.cert.rsalist=audit_signing
preop.cert.signing.enable=true
preop.cert.ocsp_signing.enable=true
preop.cert.sslserver.enable=true
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java
index 03f0e186..678145a9 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java
@@ -153,6 +153,8 @@ public class SizePanel extends WizardPanelBase {
// same token for now
String token = config.getString(PRE_CONF_CA_TOKEN);
String certTags = config.getString("preop.cert.list");
+ String rsaCertTags = config.getString("preop.cert.rsalist", "");
+ context.put("rsaTags", rsaCertTags);
StringTokenizer st = new StringTokenizer(certTags, ",");
mShowSigning = false;
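Review bot: The RSA-only list is only handed to the template here (`context.put("rsaTags", rsaCertTags);`); nothing in this hunk makes the server reject a non-RSA key type for those tags. The restriction then rests on page script and an advisory message, both of which the user can get past by choosing ECC for `audit_signing` on the Advanced tab. If the code that processes the submitted form (outside this hunk) does not already check each tag against `preop.cert.rsalist`, that check belongs there. A comment such as `// comma-separated cert tags that must keep RSA keys until ECC is supported for them` above the new lines would record the intent. The enclosing method starts and ends outside the hunk.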
diff --git a/pki/base/kra/shared/conf/CS.cfg.in b/pki/base/kra/shared/conf/CS.cfg.in
index c99058b7..19570155 100644
--- a/pki/base/kra/shared/conf/CS.cfg.in
+++ b/pki/base/kra/shared/conf/CS.cfg.in
@@ -49,6 +49,7 @@ kra.cert.sslserver.certusage=SSLServer
kra.cert.subsystem.certusage=SSLClient
kra.cert.audit_signing.certusage=ObjectSigner
preop.cert.list=transport,storage,sslserver,subsystem,audit_signing
+preop.cert.rsalist=transport,storage,audit_signing
preop.cert.transport.enable=true
preop.cert.storage.enable=true
preop.cert.sslserver.enable=true
diff --git a/pki/base/ocsp/shared/conf/CS.cfg.in b/pki/base/ocsp/shared/conf/CS.cfg.in
index c05c23fb..4dbda23c 100644
--- a/pki/base/ocsp/shared/conf/CS.cfg.in
+++ b/pki/base/ocsp/shared/conf/CS.cfg.in
@@ -43,6 +43,7 @@ preop.configModules.count=3
preop.module.token=Internal Key Storage Token
ocsp.cert.list=signing,sslserver,subsystem,audit_signing
preop.cert.list=signing,sslserver,subsystem,audit_signing
+preop.cert.rsalist=audit_signing
ocsp.cert.signing.certusage=StatusResponder
ocsp.cert.sslserver.certusage=SSLServer
ocsp.cert.subsystem.certusage=SSLClient
diff --git a/pki/base/tks/shared/conf/CS.cfg.in b/pki/base/tks/shared/conf/CS.cfg.in
index 213b7645..bf195d23 100644
--- a/pki/base/tks/shared/conf/CS.cfg.in
+++ b/pki/base/tks/shared/conf/CS.cfg.in
@@ -34,6 +34,7 @@ tks.cert.sslserver.certusage=SSLServer
tks.cert.subsystem.certusage=SSLClient
tks.cert.audit_signing.certusage=ObjectSigner
preop.cert.list=sslserver,subsystem,audit_signing
+preop.cert.rsalist=audit_signing
preop.cert.sslserver.enable=true
preop.cert.subsystem.enable=true
preop.cert.audit_signing.enable=true
diff --git a/pki/dogtag/common-ui/shared/admin/console/config/sizepanel.vm b/pki/dogtag/common-ui/shared/admin/console/config/sizepanel.vm
index d8b3c310..ef80ecf2 100644
--- a/pki/dogtag/common-ui/shared/admin/console/config/sizepanel.vm
+++ b/pki/dogtag/common-ui/shared/admin/console/config/sizepanel.vm
@@ -35,6 +35,13 @@ var rsalist="${rsalist}";
var ecclist="${ecclist}";
var curvelist="${curvelist}";
var displaycurvelist = "${displaycurvelist}";
+var rsaTags = "${rsaTags}";
+var additionalMessage = "";
+if (rsaTags.length > 0) {
+ additionalMessage = (rsaTags.indexOf(",") != -1)?
+ "<p><b>IMPORTANT:</b> <i>Currently, the Audit Log Signing, Transport, and Storage functionality <b>ONLY</b> support RSA keys. Users that require ECC keys <b>MUST</b> first select the ECC key type and then verify on the Advanced tab that RSA keys are selected for the Audit Log Signing Certificate, Transport Certificate, and Storage Certificate. All other keys can be ECC.</i>":
+ "<p><b>IMPORTANT:</b> <i>Currently, the Audit Log Signing functionality <b>ONLY</b> supports RSA keys. Users that require ECC keys <b>MUST</b> first select the ECC key type and then verify on the Advanced tab that an RSA key is selected for the Audit Log Signing Certificate. All other keys can be ECC.</i>";
+}
function myOnLoad() {
var form = document.forms[0];
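Review bot: The choice between the two warnings at `additionalMessage = (rsaTags.indexOf(",") != -1)?` depends only on whether the list contains a comma, not on which tags it names, so any multi-entry `preop.cert.rsalist` shows the Transport and Storage wording even on a subsystem that has neither. Testing for the tags themselves, e.g. `(rsaTags.indexOf("transport") != -1 || rsaTags.indexOf("storage") != -1)`, keeps the text in step with the configuration. Separately, `"${rsaTags}"` is placed in a string literal unescaped, as the neighbouring lines already do. The value comes from CS.cfg, so a quote or `</script>` in it would break or alter the page script; escaping it for a JavaScript string before it reaches the template would close that off. `myOnLoad` continues outside the hunk.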
@@ -143,7 +150,7 @@ function setAlgOptions(keyType, certTag)
} else {
algSelect = document.forms[0].elements[certTag + '_keyalgorithm'];
}
- if (algSelect == undefined) {
+ if (typeof(algSelect) == "undefined") {
return;
}
algSelect.options.length=0;
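Review bot: The new guard `if (typeof(algSelect) == "undefined")` is narrower than the line it replaces: `algSelect == undefined` also matched `null`, which the typeof form lets through to `algSelect.options.length=0`. The first branch of the assignment is outside the hunk, so whether it can yield `null` is not visible here; `if (algSelect == null) {` would cover both cases. The same applies to the identical guard added to setSigningAlgOptions in the next hunk. Both functions start and end outside their hunks.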
@@ -179,6 +186,9 @@ function setSigningAlgOptions(keyType, certTag)
} else {
algSelect = document.forms[0].elements[certTag + '_signingalgorithm'];
}
+ if (typeof(algSelect) == "undefined") {
+ return;
+ }
algSelect.options.length=0;
if (keyType == "rsa") {
list = rsalist.split(",");
@@ -229,6 +239,17 @@ function toggleAllKeyCurves(keyType)
}
}
+function indexOfTag(tag)
+{
+ var index = rsaTags.indexOf(tag);
+ if (index > 0) {
+ if (rsaTags.charAt(index-1) != ',') {
+ index = -1;
+ }
+ }
+ return index;
+}
+
function keyTypeChange(certTag)
{
var form = document.forms[0];
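Review bot: `indexOfTag` inspects only the first substring hit and only its left edge, so it can misreport membership in both directions. With a constructed list such as `ocsp_signing,signing`, the tag `signing` is first found inside `ocsp_signing`, fails the comma test and is reported absent; a tag that is a prefix of an entry (for example `audit` against `audit_signing`) is reported present. Comparing whole entries avoids both: `return ("," + rsaTags + ",").indexOf("," + tag + ",");`. In the next hunk the result decides which certificates are kept on RSA, so a wrong answer changes a key type without any visible error. `keyTypeChange` begins at the end of this hunk and continues outside it.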
@@ -237,13 +258,18 @@ function keyTypeChange(certTag)
keyTypeSelect = document.forms[0].elements['keytype'];
for (var i = 0; i < form.length; i++) {
var name = form[i].name;
- if (name.indexOf('_keytype') != -1) {
- form.elements[name].selectedIndex = keyTypeSelect.selectedIndex;
+ var k = name.indexOf('_keytype');
+ if (k != -1) {
+ var tag = name.substring(0, k);
+ if ((keyTypeSelect.value.indexOf('ecc') != -1) &&
+ (indexOfTag(tag) == -1)) {
+ form.elements[name].selectedIndex = keyTypeSelect.selectedIndex;
+ setAlgOptions(keyTypeSelect.value, tag);
+ setSigningAlgOptions(keyTypeSelect.value, tag);
+ toggleKeyCurve(keyTypeSelect.value, tag);
+ }
}
}
- setAllAlgOptions(keyTypeSelect.value);
- setAllSigningAlgOptions(keyTypeSelect.value);
- toggleAllKeyCurves(keyTypeSelect.value);
} else {
keyTypeSelect = document.forms[0].elements[certTag + '_keytype'];
toggleKeyCurve(keyTypeSelect.value, certTag);
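Review bot: The condition `(keyTypeSelect.value.indexOf('ecc') != -1) && (indexOfTag(tag) == -1)` is false for every tag when the master selector is not ECC, and the `setAllAlgOptions`, `setAllSigningAlgOptions` and `toggleAllKeyCurves` calls that used to run unconditionally are removed. As far as this hunk shows, switching the master selector back to RSA therefore no longer updates any per-certificate field, and certificates previously moved to ECC stay on ECC while the summary selector shows RSA. If the intent is to exempt only the RSA-only tags from an ECC selection, the test would read `if ((keyTypeSelect.value.indexOf('ecc') == -1) || (indexOfTag(tag) == -1)) {`. The function starts before this hunk and its `else` branch continues past it.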
@@ -337,7 +363,11 @@ function displayCurveList()
}
</SCRIPT>
-Select the key pair type(s), associated key pair size(s) or curve name(s), and signature algorithm(s) from the pulldown menus. <font color="red">Currently, the Audit Log Signing functionality only supports RSA keys. Users that require ECC keys must select the Advanced tab, and specify RSA keys for the Audit Log Signing Certificate. All other keys can be ECC. </font><a href="javascript:toggle_details();">[Details]</a>
+Select the key pair type(s), associated key pair size(s) or curve name(s), and signature algorithm(s) from the pulldown menus.
+<SCRIPT type="text/JavaScript">
+document.write(additionalMessage);
+</SCRIPT>
+ <a href="javascript:toggle_details();">[Details]</a>
<SCRIPT type="text/JavaScript">
function toggle_details()
{