From dcfa946e321b429a098a3b504eed61c2c93ea306 Mon Sep 17 00:00:00 2001
From: Christina Fu
Date: Tue, 5 Dec 2023 17:50:12 -0500
Subject: [PATCH] Bug2253044-AKI-non-SHA1-support
This patch is to address the issue where the AKI would not match the SKI in the case when SHA-1 is not selected for calculationg SKI for root ca. CA profiles have also been changed so that the SKI will come before AKI so that SKI could propagate to AKI properly in the case of a root CA.
fixes https://bugzilla.redhat.com/show_bug.cgi?id=2253044
---
base/ca/shared/conf/caCert.profile | 2 +-
base/ca/shared/profiles/ca/caCACert.cfg | 2 +-
base/ca/shared/profiles/ca/caCMCcaCert.cfg | 2 +-
.../profiles/ca/caCrossSignedCACert.cfg | 2 +-
.../ca/shared/profiles/ca/caInstallCACert.cfg | 2 +-
.../cms/profile/def/CAEnrollDefault.java | 22 ++++++++++++++++++-
6 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/base/ca/shared/conf/caCert.profile b/base/ca/shared/conf/caCert.profile
index b9d9eff7d63..c3b06d179b3 100644
--- a/base/ca/shared/conf/caCert.profile
+++ b/base/ca/shared/conf/caCert.profile
@@ -6,7 +6,7 @@ name=All Purpose CA Profile
 description=This profile creates a CA certificate that is valid for all signing purposes.
 profileIDMapping=caCACert
 profileSetIDMapping=caCertSet
-list=2,4,5,6,7
+list=2,7,4,5,6
 2.default.class=com.netscape.cms.profile.def.CAValidityDefault
 2.default.name=CA Certificate Validity Default
 2.default.params.range=7305
diff --git a/base/ca/shared/profiles/ca/caCACert.cfg b/base/ca/shared/profiles/ca/caCACert.cfg
index 8fd7d3361c8..2cab591c393 100644
--- a/base/ca/shared/profiles/ca/caCACert.cfg
+++ b/base/ca/shared/profiles/ca/caCACert.cfg
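Review bot: The reordered `list=2,7,4,5,6` is now load-bearing — per the commit message default 7 (the SKI) has to run before default 4 (the AKI, which the Java hunk below makes read the SKI out of the cert info) — but nothing in the file records that, so anyone who restores numeric order or clones this profile silently reintroduces the AKI/SKI mismatch the patch fixes. If the profile loader tolerates `#` comments, add one directly above the list: `# 7 (SKI) must precede 4 (AKI): the AKI default copies the SKI for a self-signed CA`. The same note applies to the four `policyset.caCertSet.list` reorders in the .cfg files, where 8 is moved ahead of 4.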
@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=caCertSet
-policyset.caCertSet.list=1,2,3,4,5,6,8,9,10
+policyset.caCertSet.list=1,2,3,8,4,5,6,9,10
 policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.caCertSet.1.constraint.name=Subject Name Constraint
 policyset.caCertSet.1.constraint.params.pattern=CN=.*
diff --git a/base/ca/shared/profiles/ca/caCMCcaCert.cfg b/base/ca/shared/profiles/ca/caCMCcaCert.cfg
index 8480a98b7cc..42feeb5b31b 100644
--- a/base/ca/shared/profiles/ca/caCMCcaCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCcaCert.cfg
@@ -10,7 +10,7 @@ input.i1.class_id=cmcCertReqInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=caCertSet
-policyset.caCertSet.list=1,2,3,4,5,6,8,9,10
+policyset.caCertSet.list=1,2,3,8,4,5,6,9,10
 policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.caCertSet.1.constraint.name=Subject Name Constraint
 policyset.caCertSet.1.constraint.params.pattern=CN=.*
diff --git a/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg b/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg
index 4324e3303d2..9d107bd4f0f 100644
--- a/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg
+++ b/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg
@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=caCertSet
-policyset.caCertSet.list=1,2,3,4,5,6,8,9,10
+policyset.caCertSet.list=1,2,3,8,4,5,6,9,10
 policyset.caCertSet.1.constraint.class_id=userSubjectNameConstraintImpl
 policyset.caCertSet.1.constraint.name=User Subject Name Constraint
 policyset.caCertSet.1.default.class_id=userSubjectNameDefaultImpl
diff --git a/base/ca/shared/profiles/ca/caInstallCACert.cfg b/base/ca/shared/profiles/ca/caInstallCACert.cfg
index 451c31e227f..8c3cf2a1209 100644
--- a/base/ca/shared/profiles/ca/caInstallCACert.cfg
+++ b/base/ca/shared/profiles/ca/caInstallCACert.cfg
@@ -11,7 +11,7 @@ input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=caCertSet
-policyset.caCertSet.list=1,2,3,4,5,6,8,9,10
+policyset.caCertSet.list=1,2,3,8,4,5,6,9,10
 policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.caCertSet.1.constraint.name=Subject Name Constraint
 policyset.caCertSet.1.constraint.params.pattern=CN=.*
diff --git a/base/ca/src/main/java/com/netscape/cms/profile/def/CAEnrollDefault.java b/base/ca/src/main/java/com/netscape/cms/profile/def/CAEnrollDefault.java
index ec02380bbf5..d70d4aabb9d 100644
--- a/base/ca/src/main/java/com/netscape/cms/profile/def/CAEnrollDefault.java
+++ b/base/ca/src/main/java/com/netscape/cms/profile/def/CAEnrollDefault.java
@@ -47,12 +47,26 @@ public CAEnrollDefault() {
 }
 public KeyIdentifier getKeyIdentifier(X509CertInfo info) {
+ return getKeyIdentifier(info, "SHA-1");
+ }
+ public KeyIdentifier getKeyIdentifier(X509CertInfo info, String messageDigest) {
 String method = "CAEnrollDefault: getKeyIdentifier: ";
 try {
+ /*
+ * The SKI must be placed before the AKI in the enrollment profile
+ * for this to work properly
+ */
+ SubjectKeyIdentifierExtension ext = (SubjectKeyIdentifierExtension) getExtension(PKIXExtensions.SubjectKey_Id.toString(), info);
+ if (ext != null) {
+ logger.debug(method + "found SubjectKey_Id extension");
+ KeyIdentifier kid = (KeyIdentifier) ext.get(SubjectKeyIdentifierExtension.KEY_ID);
+ return kid;
+ }
+ // ski not found, calculate the ski
 CertificateX509Key ckey = (CertificateX509Key) info.get(X509CertInfo.KEY);
 X509Key key = (X509Key) ckey.get(CertificateX509Key.KEY);
- byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey());
+ byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey(), messageDigest);
 if (hash == null) {
 logger.warn(method + "CryptoUtil.generateKeyIdentifier returns null");
 return null;
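Review bot: When the SKI extension is present but yields no KEY_ID, the new `if (ext != null)` branch returns the null `kid` instead of falling through to the computed identifier, so the AKI silently ends up empty or absent (how null is handled is in the caller, outside this hunk); gate the early return on the value, `if (kid != null) return kid;`, and log the fall-through. The one-argument overload hard-codes `"SHA-1"` as the fallback digest, so any caller not converted to the two-argument form, and any enrollment whose cert info carries no SKI yet, still gets a SHA-1 identifier — exactly the mismatch this bug is about whenever the SKI default is configured for a different digest; a named constant such as `private static final String DEFAULT_KEY_ID_DIGEST = "SHA-1";` with a comment saying the two-argument form should be preferred would at least make that visible. The `(SubjectKeyIdentifierExtension)` cast assumes `getExtension` hands back the typed object; if a request-supplied extension can land in `info` as a generic `Extension`, that is a ClassCastException path worth confirming. getKeyIdentifier's try/catch continues past the end of this hunk.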
@@ -85,14 +99,20 @@ public KeyIdentifier getCAKeyIdentifier(ICertificateAuthority ca) throws EBaseEx
 SubjectKeyIdentifierExtension.KEY_ID);
 return keyId;
 } catch (IOException e) {
+ logger.warn(method + e.toString());
+ return null;
 }
 }
+ logger.warn(method + "SubjectKeyIdentifierExtension not found in CA signing cert. Returning null");
+ return null;
+ /* SubjectKeyIdentifierExtension has to exist in a CA signing cert
 byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey());
 if (hash == null) {
 logger.warn(method + "CryptoUtil.generateKeyIdentifier returns null");
 return null;
 }
 return new KeyIdentifier(hash);
+ */
 }
 }
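Review bot: Replacing the computed fallback with `return null` when the CA signing certificate has no SKI (or its SKI cannot be decoded) turns a recoverable case into a silent no-AKI result; unless the caller, outside this hunk, treats null as a failure, such a CA would now issue certificates with no AKI at all, which RFC 5280 §4.2.1.1 requires in every certificate a conforming CA issues except self-signed ones — the method already declares `throws EBaseException` per the truncated hunk header, so a thrown exception naming the CA would be the safer outcome. The new `catch (IOException e)` also discards the stack trace; prefer `logger.warn(method + e.getMessage(), e);`. The disabled computation should be deleted rather than parked in a `/* … */` block, git keeps the history, and if the `key` local earlier in this method (outside the hunk) was only used by that code, it is now dead as well.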