From 5ea26b4a26f3d7f5e12ee74a0b08c19afea30059 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Tue, 28 Nov 2023 18:35:20 -0500 Subject: [PATCH] RHCS-4630 (part 2) Add SHA-2 support to Server-side Keygen I'm adding support of SHA-2 to Server-Side keygen. Since there was a recent ticket in similar area, it could sort of be considered relating to it. Adds SHA-2 support to https://bugzilla.redhat.com/show_bug.cgi?id=2246422 --- .../cms/profile/common/CAEnrollProfile.java | 40 ++++++++++++++++++- 1 file changed, 38 insertions(+), 2 deletions(-) diff --git a/base/ca/src/main/java/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/ca/src/main/java/com/netscape/cms/profile/common/CAEnrollProfile.java index ca6246a7c66..39fb01fd7db 100644 --- a/base/ca/src/main/java/com/netscape/cms/profile/common/CAEnrollProfile.java +++ b/base/ca/src/main/java/com/netscape/cms/profile/common/CAEnrollProfile.java @@ -329,13 +329,49 @@ public void execute(IRequest request) // fake key replaced; // need to compute/replace SKI as well if present - Extension ext = CertUtils.getExtension(PKIXExtensions.SubjectKey_Id.toString(), info); + SubjectKeyIdentifierExtension ext = (SubjectKeyIdentifierExtension) CertUtils.getExtension(PKIXExtensions.SubjectKey_Id.toString(), info); if (ext != null) { logger.debug(method + "found SubjectKey_Id extension"); + /* + * determine message digest algorithm: + * the "old_ski" was generated based on the profile + * from the "fake key", + * so we could use it's length to determine the size + * of the new hash. + * + * Message digest can be controlled by the messageDigest + * parameter in the subjectKeyIdentifier extension in a + * profile. e.g. + * policyset.caCertSet.8.default.params.messageDigest=SHA-256 + */ + String messageDigest = "SHA-1"; // default; len==20 + KeyIdentifier old_ski = null; + try { + old_ski = (KeyIdentifier) ext.get(SubjectKeyIdentifierExtension.KEY_ID); + } catch (IOException e) { + old_ski = null; + } + if (old_ski != null) { + byte[] old_ski_val = old_ski.getIdentifier(); + if (old_ski_val != null) { + int old_ski_len = old_ski_val.length; + + if (old_ski_len == 32) { + messageDigest = "SHA-256"; + } else if (old_ski_len == 48) { + messageDigest = "SHA-384"; + } else if (old_ski_len == 64) { + messageDigest = "SHA-512"; + } + } + } + logger.debug(method + "ServerSideKeygen message digest alg == " + messageDigest); // compute keyId X509Key realkey = (X509Key) certKey.get(CertificateX509Key.KEY); - byte[] hash = CryptoUtil.generateKeyIdentifier(realkey.getKey()); + byte[] hash = CryptoUtil.generateKeyIdentifier(realkey.getKey(), messageDigest); + int new_ski_len = hash.length; + logger.debug(method + "ServerSideKeygen hash len = " + new_ski_len); KeyIdentifier id = new KeyIdentifier(hash); SubjectKeyIdentifierExtension skiExt = new SubjectKeyIdentifierExtension(id.getIdentifier());