Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Fix Bug 2251981] Part 2: opsFlag parameter #4645

Merged
merged 1 commit into from
Dec 20, 2023
Merged

[Fix Bug 2251981] Part 2: opsFlag parameter #4645

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 17 additions & 0 deletions base/common/src/main/java/com/netscape/certsrv/system/SystemCertData.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,9 @@ public class SystemCertData {
@XmlElement
protected String subjectDN;

@XmlElement
protected String opsFlag;

@XmlElement
protected String opsFlagMask;

Expand Down Expand Up @@ -242,6 +245,20 @@ public void setDNSNames(String[] dnsNames) {
this.dnsNames = dnsNames;
}

/**
* @return the certificate operation flags
*/
public String getOpsFlag() {
return opsFlag;
}

/**
* @param The certificate operation flags. It is a comma separated list of usages including: encrypt, decrypt, sign, sign_recover, verify, verify_recover, wrap, unwrap and derive.
*/
public void setOpsFlag(String opsFlag) {
this.opsFlag = opsFlag;
}

/**
* @return the certificate operation mask
*/
Expand Down
8 changes: 8 additions & 0 deletions base/server/etc/default.cfg
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -86,6 +86,7 @@ pki_audit_signing_key_size=2048
pki_audit_signing_key_type=rsa
pki_audit_signing_signing_algorithm=SHA256withRSA
pki_audit_signing_token=
pki_audit_signing_opsFlag=
pki_audit_signing_opsFlagMask=

pki_backup_keys=False
Expand Down Expand Up @@ -157,6 +158,7 @@ pki_sslserver_key_type=%(pki_ssl_server_key_type)s
pki_sslserver_nickname=%(pki_ssl_server_nickname)s
pki_sslserver_subject_dn=%(pki_ssl_server_subject_dn)s
pki_sslserver_token=%(pki_ssl_server_token)s
pki_sslserver_opsFlag=
pki_sslserver_opsFlagMask=

pki_subsystem_key_algorithm=SHA256withRSA
Expand All @@ -166,6 +168,7 @@ pki_subsystem_key_type=rsa
pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s
pki_subsystem_subject_dn=cn=Subsystem Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_subsystem_token=
pki_subsystem_opsFlag=
pki_subsystem_opsFlagMask=

#Set this if we want to use PSS signing when RSA is specified
Expand Down Expand Up @@ -356,6 +359,7 @@ pki_ca_signing_serial_number=1
pki_ca_signing_signing_algorithm=SHA256withRSA
pki_ca_signing_subject_dn=cn=CA Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_ca_signing_token=
pki_ca_signing_opsFlag=
pki_ca_signing_opsFlagMask=

# DEPRECATED: Use 'pki_ca_signing_csr_path' instead.
Expand Down Expand Up @@ -392,6 +396,7 @@ pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s CA
pki_ocsp_signing_signing_algorithm=SHA256withRSA
pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_ocsp_signing_token=
pki_ocsp_signing_opsFlag=
pki_ocsp_signing_opsFlagMask=

pki_profiles_in_ldap=False
Expand Down Expand Up @@ -505,6 +510,7 @@ pki_storage_nickname=storageCert cert-%(pki_instance_name)s KRA
pki_storage_signing_algorithm=SHA256withRSA
pki_storage_subject_dn=cn=DRM Storage Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_storage_token=
pki_storage_opsFlag=
pki_storage_opsFlagMask=

pki_transport_key_algorithm=SHA256withRSA
Expand All @@ -514,6 +520,7 @@ pki_transport_nickname=transportCert cert-%(pki_instance_name)s KRA
pki_transport_signing_algorithm=SHA256withRSA
pki_transport_subject_dn=cn=DRM Transport Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_transport_token=
pki_transport_opsFlag=
pki_transport_opsFlagMask=

pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
Expand Down Expand Up @@ -588,6 +595,7 @@ pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s OCSP
pki_ocsp_signing_signing_algorithm=SHA256withRSA
pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_ocsp_signing_token=
pki_ocsp_signing_opsFlag=
pki_ocsp_signing_opsFlagMask=

pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
Expand Down
1 change: 1 addition & 0 deletions base/server/python/pki/server/deployment/pkihelper.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2890,6 +2890,7 @@ def create_system_cert(self, tag):
cert.nickname = self.mdict["pki_%s_nickname" % tag]
cert.subjectDN = self.mdict["pki_%s_subject_dn" % tag]
cert.token = self.mdict["pki_%s_token" % tag]
cert.opsFlag = self.mdict["pki_%s_opsFlag" % tag]
cert.opsFlagMask = self.mdict["pki_%s_opsFlagMask" % tag]
return cert

Expand Down
59 changes: 39 additions & 20 deletions base/server/src/main/java/com/netscape/cms/servlet/csadmin/Configurator.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@
import org.dogtag.util.cert.CertUtil;
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.crypto.CryptoToken;
import org.mozilla.jss.crypto.KeyPairGeneratorSpi;
import org.mozilla.jss.crypto.ObjectNotFoundException;
import org.mozilla.jss.crypto.X509Certificate;
import org.mozilla.jss.netscape.security.pkcs.PKCS10;
Expand Down Expand Up @@ -266,7 +267,7 @@ public KeyPair loadKeyPair(X509Certificate cert) throws Exception {
* -TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
* +TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
*/
public KeyPair createECCKeyPair(String tag, CryptoToken token, String curveName, String ecType, String usage)
public KeyPair createECCKeyPair(String tag, CryptoToken token, String curveName, String ecType, String usage, String usageMask)
throws Exception {

if (curveName == null) {
Expand All @@ -281,18 +282,23 @@ public KeyPair createECCKeyPair(String tag, CryptoToken token, String curveName,
logger.info("Configurator: - type: " + ecType);

do {
if (usage == null || usage.isEmpty()) {
KeyPairGeneratorSpi.Usage[] eccUsage = null;
KeyPairGeneratorSpi.Usage[] eccUsageMask = null;
if (usage != null && !usage.isEmpty()) {
eccUsage = CryptoUtil.generateUsage(usage);
}
if (usageMask != null && !usageMask.isEmpty()) {
eccUsageMask = CryptoUtil.generateUsage(usageMask);
} else {
if (tag.equals("sslserver") && ecType.equalsIgnoreCase("ECDH")) {
pair = CryptoUtil.generateECCKeyPair(token, curveName, null, CryptoUtil.ECDH_USAGES_MASK);

eccUsageMask = CryptoUtil.ECDH_USAGES_MASK;
} else {
pair = CryptoUtil.generateECCKeyPair(token, curveName, null, CryptoUtil.ECDHE_USAGES_MASK);
eccUsageMask = CryptoUtil.ECDHE_USAGES_MASK;
}
} else {
pair = CryptoUtil.generateECCKeyPair(token, curveName,
CryptoUtil.generateUsage(usage),
CryptoUtil.generateUsage(usage));
}
pair = CryptoUtil.generateECCKeyPair(token, curveName,
eccUsage,
eccUsageMask);

// XXX - store curve , w
byte id[] = ((org.mozilla.jss.crypto.PrivateKey) pair.getPrivate()).getUniqueID();
Expand All @@ -309,7 +315,7 @@ public KeyPair createECCKeyPair(String tag, CryptoToken token, String curveName,
return pair;
}

public KeyPair createRSAKeyPair(String tag, CryptoToken token, String keySize, String usage)
public KeyPair createRSAKeyPair(String tag, CryptoToken token, String keySize, String usage, String usageMask)
throws Exception {

logger.debug("Configurator.createRSAKeyPair(" + token + ")");
Expand All @@ -323,18 +329,28 @@ public KeyPair createRSAKeyPair(String tag, CryptoToken token, String keySize, S
logger.error("Configurator.createRSAKeyPair: tag " + tag);
KeyPair pair = null;
do {
if (usage == null || usage.isEmpty()) {
KeyPairGeneratorSpi.Usage[] rsaUsage = null;
KeyPairGeneratorSpi.Usage[] rsaUsageMask = null;
if (usage != null && !usage.isEmpty()) {
rsaUsage = CryptoUtil.generateUsage(usage);
} else {
if("transport".equals(tag) || "storage".equals(tag) || "subsystem".equals(tag)) {
pair = CryptoUtil.generateRSAKeyPair(token,size,
CryptoUtil.RSA_KEYPAIR_USAGES,
CryptoUtil.RSA_KEYPAIR_USAGES_MASK);
} else {
pair = CryptoUtil.generateRSAKeyPair(token, size);
rsaUsage = CryptoUtil.RSA_KEYPAIR_USAGES;
}
}
if (usageMask != null && !usageMask.isEmpty()) {
rsaUsageMask = CryptoUtil.generateUsage(usageMask);
} else {
if("transport".equals(tag) || "storage".equals(tag) || "subsystem".equals(tag)) {
rsaUsageMask = CryptoUtil.RSA_KEYPAIR_USAGES_MASK;
}
}

if (rsaUsage == null && rsaUsageMask == null) {
pair = CryptoUtil.generateRSAKeyPair(token, size);
} else {
pair = CryptoUtil.generateRSAKeyPair(token, size,
CryptoUtil.generateUsage(usage),
CryptoUtil.generateUsage(usage));
rsaUsage, rsaUsageMask);
}

byte[] id = ((org.mozilla.jss.crypto.PrivateKey) pair.getPrivate()).getUniqueID();
Expand Down Expand Up @@ -617,6 +633,9 @@ public Cert setupCert(CertificateSetupRequest request) throws Exception {
String certType = certData.getType();
logger.info("Configurator: - cert type: " + certType);

String usage = certData.getOpsFlag();
logger.info("Configurator: - cert usage: " + usage);

String usageMask = certData.getOpsFlagMask();
logger.info("Configurator: - cert usageMask: " + usageMask);

Expand Down Expand Up @@ -660,10 +679,10 @@ public Cert setupCert(CertificateSetupRequest request) throws Exception {
// Note: IE only supports "ECDHE", but "ECDH" is more efficient.
String ecType = preopConfig.getString("cert." + tag + ".ec.type", "ECDHE");

keyPair = createECCKeyPair(tag, token, keySize, ecType, usageMask);
keyPair = createECCKeyPair(tag, token, keySize, ecType, usage, usageMask);

} else {
keyPair = createRSAKeyPair(tag, token, keySize, usageMask);
keyPair = createRSAKeyPair(tag, token, keySize, usage, usageMask);
}
}

Expand Down
Loading