Bug2253044-AKI-non-SHA1-support
This patch is to address the issue where the AKI would not match the SKI
in the case when SHA-1 is not selected for calculating the SKI of the root CA.
CA profiles have also been changed so that the SKI comes before the AKI,
so that the SKI can propagate to the AKI properly in the case of a root CA.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=2253044
ladycfu committed Dec 6, 2023
1 parent 6b1201e commit dcfa946
Showing 6 changed files with 26 additions and 6 deletions.
2 changes: 1 addition & 1 deletion base/ca/shared/conf/caCert.profile
Expand Up @@ -6,7 +6,7 @@ name=All Purpose CA Profile
description=This profile creates a CA certificate that is valid for all signing purposes.
profileIDMapping=caCACert
profileSetIDMapping=caCertSet
list=2,4,5,6,7
list=2,7,4,5,6
2.default.class=com.netscape.cms.profile.def.CAValidityDefault
2.default.name=CA Certificate Validity Default
2.default.params.range=7305
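Review bot: The new ordering `list=2,7,4,5,6` encodes a dependency that nothing in the profile records: the entry moved forward (presumably the SubjectKeyIdentifier default, 7 here and 8 in the four caCertSet profiles) must now run before the AuthorityKeyIdentifier default, because the AKI default copies the key identifier from an already-populated SKI extension and otherwise recomputes it with its own digest. A later edit that sorts the list back into numeric order would silently reintroduce the AKI/SKI mismatch from bug 2253044. Assuming `#` comments are honored in this profile format, a line above it such as `# SKI (7) must precede AKI so a root CA's AKI is copied from the SKI rather than recomputed` would let the constraint survive a future cleanup. The same applies to the `policyset.caCertSet.list` change in caCACert.cfg, caCMCcaCert.cfg, caCrossSignedCACert.cfg and caInstallCACert.cfg.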
2 changes: 1 addition & 1 deletion base/ca/shared/profiles/ca/caCACert.cfg
Expand Up @@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=caCertSet
policyset.caCertSet.list=1,2,3,4,5,6,8,9,10
policyset.caCertSet.list=1,2,3,8,4,5,6,9,10
policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.caCertSet.1.constraint.name=Subject Name Constraint
policyset.caCertSet.1.constraint.params.pattern=CN=.*
2 changes: 1 addition & 1 deletion base/ca/shared/profiles/ca/caCMCcaCert.cfg
Expand Up @@ -10,7 +10,7 @@ input.i1.class_id=cmcCertReqInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=caCertSet
policyset.caCertSet.list=1,2,3,4,5,6,8,9,10
policyset.caCertSet.list=1,2,3,8,4,5,6,9,10
policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.caCertSet.1.constraint.name=Subject Name Constraint
policyset.caCertSet.1.constraint.params.pattern=CN=.*
2 changes: 1 addition & 1 deletion base/ca/shared/profiles/ca/caCrossSignedCACert.cfg
Expand Up @@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=caCertSet
policyset.caCertSet.list=1,2,3,4,5,6,8,9,10
policyset.caCertSet.list=1,2,3,8,4,5,6,9,10
policyset.caCertSet.1.constraint.class_id=userSubjectNameConstraintImpl
policyset.caCertSet.1.constraint.name=User Subject Name Constraint
policyset.caCertSet.1.default.class_id=userSubjectNameDefaultImpl
2 changes: 1 addition & 1 deletion base/ca/shared/profiles/ca/caInstallCACert.cfg
Expand Up @@ -11,7 +11,7 @@ input.i2.class_id=submitterInfoInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=caCertSet
policyset.caCertSet.list=1,2,3,4,5,6,8,9,10
policyset.caCertSet.list=1,2,3,8,4,5,6,9,10
policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.caCertSet.1.constraint.name=Subject Name Constraint
policyset.caCertSet.1.constraint.params.pattern=CN=.*
Expand Up @@ -47,12 +47,26 @@ public CAEnrollDefault() {
}

public KeyIdentifier getKeyIdentifier(X509CertInfo info) {
return getKeyIdentifier(info, "SHA-1");
}
public KeyIdentifier getKeyIdentifier(X509CertInfo info, String messageDigest) {
String method = "CAEnrollDefault: getKeyIdentifier: ";
try {
/*
* The SKI must be placed before the AKI in the enrollment profile
* for this to work properly
*/
SubjectKeyIdentifierExtension ext = (SubjectKeyIdentifierExtension) getExtension(PKIXExtensions.SubjectKey_Id.toString(), info);
if (ext != null) {
logger.debug(method + "found SubjectKey_Id extension");
KeyIdentifier kid = (KeyIdentifier) ext.get(SubjectKeyIdentifierExtension.KEY_ID);
return kid;
}
// ski not found, calculate the ski
CertificateX509Key ckey = (CertificateX509Key)
info.get(X509CertInfo.KEY);
X509Key key = (X509Key) ckey.get(CertificateX509Key.KEY);
byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey());
byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey(), messageDigest);
if (hash == null) {
logger.warn(method + "CryptoUtil.generateKeyIdentifier returns null");
return null;
Expand Down Expand Up @@ -85,14 +99,20 @@ public KeyIdentifier getCAKeyIdentifier(ICertificateAuthority ca) throws EBaseEx
SubjectKeyIdentifierExtension.KEY_ID);
return keyId;
} catch (IOException e) {
logger.warn(method + e.toString());
return null;
}
}
logger.warn(method + "SubjectKeyIdentifierExtension not found in CA signing cert. Returning null");
return null;

/* SubjectKeyIdentifierExtension has to exist in a CA signing cert
byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey());
if (hash == null) {
logger.warn(method + "CryptoUtil.generateKeyIdentifier returns null");
return null;
}
return new KeyIdentifier(hash);
*/
}
}
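Review bot: In `getKeyIdentifier(X509CertInfo, String)` the fallback below `// ski not found, calculate the ski` is exactly the path that yields the AKI/SKI mismatch this commit fixes (no SKI extension in `info` yet because the profile ran the AKI default first), but it runs silently; a `logger.debug(method + "SubjectKey_Id extension not found, computing key identifier with " + messageDigest);` before the `CertificateX509Key` lookup would make a mis-ordered profile visible in the logs. The new overload also has no Javadoc; it should state that `messageDigest` is only consulted when no SubjectKeyIdentifier extension is present in `info`, and that the one-argument overload keeps SHA-1 for existing callers. The `try` opened in the first hunk continues past it, so whether `ext.get(SubjectKeyIdentifierExtension.KEY_ID)` is covered by an `IOException` handler, as the equivalent call in `getCAKeyIdentifier` is, cannot be confirmed from here. In the second hunk the `/* ... */` block preserving the old `CryptoUtil.generateKeyIdentifier(key.getKey())` recomputation in `getCAKeyIdentifier` would be better deleted than commented out, since re-enabling it would reintroduce the mismatch; a one-line comment such as `// No digest fallback: the CA signing cert's SKI is authoritative (bug 2253044)` says why.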
