commit 5823d43d06c263076159d5606154776e24b4f111
Author: Matthew Harmsen <mharmsen@redhat.com>
Date:   Tue Jul 28 19:56:26 2015 -0600

    Add certutil options for ECC
    
    - PKI TRAC Ticket #1524 - pkispawn: certutil options incorrect for creating
      ecc admin certificate
    
    (cherry picked from commit f9102b8df60d50e00d2a45915d06837510cfd1aa)

diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index 58f3386..26ffd0d 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -66,6 +66,7 @@ pki_admin_cert_file=%(pki_client_dir)s/ca_admin.cert
 pki_admin_cert_request_type=pkcs10
 pki_admin_dualkey=False
 pki_admin_keysize=2048
+pki_admin_key_type=rsa
 pki_admin_password=
 pki_audit_group=pkiaudit
 pki_audit_signing_key_algorithm=SHA256withRSA
diff --git a/base/server/man/man5/pki_default.cfg.5 b/base/server/man/man5/pki_default.cfg.5
index df4f944..17130ae 100644
--- a/base/server/man/man5/pki_default.cfg.5
+++ b/base/server/man/man5/pki_default.cfg.5
@@ -125,7 +125,7 @@ Password for the admin user.  This password is used to log into the pki-console
 .IP
 Email address for the admin user.
 .TP
-.B pki_admin_dualkey, pki_admin_keysize, pki_admin_keytype
+.B pki_admin_dualkey, pki_admin_keysize, pki_admin_key_type
 .IP
 Settings for the administrator certificate and keys.
 .TP
diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8
index 8d8a4ff..411d93f 100644
--- a/base/server/man/man8/pkispawn.8
+++ b/base/server/man/man8/pkispawn.8
@@ -265,6 +265,8 @@ where \fImyconfig.txt\fP contains the following text:
 .nf
 [DEFAULT]
 pki_admin_password=\fISecret123\fP
+pki_admin_keysize=nistp256
+pki_admin_key_type=ecc
 pki_client_pkcs12_password=\fISecret123\fP
 pki_ds_password=\fISecret123\fP
 pki_ssl_server_key_algorithm=SHA256withEC
@@ -286,7 +288,7 @@ pki_ocsp_signing_signing_algorithm=SHA256withEC
 .fi
 
 .PP
-In order to utilize ECC, the SSL Server and Subsystem key algorithm, key size, and key type should be changed from SHA256withRSA --> SHA256withEC, 2048 --> nistp256, and rsa --> ecc, respectively.
+In order to utilize ECC, the SSL Server and Subsystem key algorithm, key size, and key type should be changed from SHA256withRSA --> SHA256withEC, 2048 --> nistp256, and rsa --> ecc, respectively.  To use an ECC admin key size and key type, the values should also be changed from 2048 --> nistp256, and rsa --> ecc.
 
 .PP
 Additionally, for a CA subsystem, both the CA and OCSP Signing key algorithm, key size, key type, and signing algorithm should be changed from SHA256withRSA --> SHA256withEC, 2048 --> nistp256, rsa --> ecc, and SHA256withRSA --> SHA256withEC,respectively.
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index b02333d..93fa384 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -2539,7 +2539,7 @@ class Certutil:
                 raise
         return
 
-    def generate_certificate_request(self, subject, key_size,
+    def generate_certificate_request(self, subject, key_type, key_size,
                                      password_file, noise_file,
                                      output_file=None, path=None,
                                      ascii_format=None, token=None,
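Review bot: `key_type` is inserted as a new positional parameter ahead of `key_size`, so any caller still passing arguments positionally will have its key size received as the key type and be rejected by the new invalid-key-type path instead of failing at the call. The ConfigClient call site in a later hunk is updated, but other callers, if any exist, are not visible in this diff. If the parameter must be required, either a keyword-only parameter or appending it after the existing parameters as `key_type=None` (the body already raises when it is empty) would keep existing positional calls from silently shifting. generate_certificate_request's body continues outside the hunk.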
@@ -2562,8 +2562,33 @@ class Certutil:
                     extra=config.PKI_INDENTATION_LEVEL_2)
                 raise Exception(log.PKIHELPER_CERTUTIL_MISSING_SUBJECT)
 
+            if key_type:
+                if key_type == "ecc":
+                    command.extend(["-k", "ec"])
+                    if not key_size:
+                        # supply a default curve for an 'ecc' key type
+                        command.extend(["-q", "nistp256"])
+                elif key_type == "rsa":
+                    command.extend(["-k", str(key_type)])
+                else:
+                    config.pki_log.error(
+                        log.PKIHELPER_CERTUTIL_INVALID_KEY_TYPE_1,
+                        key_type,
+                        extra=config.PKI_INDENTATION_LEVEL_2)
+                    raise Exception(
+                        log.PKIHELPER_CERTUTIL_INVALID_KEY_TYPE_1 % key_type)
+            else:
+                config.pki_log.error(
+                    log.PKIHELPER_CERTUTIL_MISSING_KEY_TYPE,
+                    extra=config.PKI_INDENTATION_LEVEL_2)
+                raise Exception(log.PKIHELPER_CERTUTIL_MISSING_KEY_TYPE)
+
             if key_size:
-                command.extend(["-g", str(key_size)])
+                if key_type == "ecc":
+                    # For ECC, the key_size will actually contain the key curve
+                    command.extend(["-q", str(key_size)])
+                else:
+                    command.extend(["-g", str(key_size)])
 
             if noise_file:
                 command.extend(["-z", noise_file])
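Review bot: When key_type is "ecc" but key_size still holds a numeric RSA size (default.cfg ships `pki_admin_keysize=2048`, which a user who changes only `pki_admin_key_type` keeps), the second block passes `-q 2048` to certutil and the failure surfaces as a certutil error rather than a pkispawn message. A check ahead of the `-q` branch, following the hunk's own log-and-raise pattern, e.g. `if str(key_size).isdigit(): raise Exception(log.<NEW_ECC_KEY_SIZE_MESSAGE_CONSTANT> % key_size)`, would report it directly. The `ecc`/`rsa` comparisons are also case-sensitive, so `ECC` from a config file takes the invalid-key-type path; normalising once with `key_type = key_type.lower()` at the top of the block, or stating the lower-case requirement in pki_default.cfg.5, would avoid that. generate_certificate_request starts before this hunk and continues after it.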
@@ -4369,6 +4394,7 @@ class ConfigClient:
 
                 self.deployer.certutil.generate_certificate_request(
                     self.mdict['pki_admin_subject_dn'],
+                    self.mdict['pki_admin_key_type'],
                     self.mdict['pki_admin_keysize'],
                     self.mdict['pki_client_password_conf'],
                     noise_file,
diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py
index ff3d370..cc91021 100644
--- a/base/server/python/pki/server/deployment/pkimessages.py
+++ b/base/server/python/pki/server/deployment/pkimessages.py
@@ -171,10 +171,14 @@ IMPORTANT:
 PKIHELPER_APPLY_SLOT_SUBSTITUTION_1 = \
     "applying in-place slot substitutions on '%s'"
 PKIHELPER_CERTUTIL_GENERATE_CSR_1 = "executing '%s'"
+PKIHELPER_CERTUTIL_INVALID_KEY_TYPE_1 = \
+    "certutil:  Invalid key type '%s'; valid types are 'ecc' or 'rsa'!"
 PKIHELPER_CERTUTIL_MISSING_INPUT_FILE = \
-    "certutil: Missing '-i input-file' option!"
+    "certutil:  Missing '-i input-file' option!"
 PKIHELPER_CERTUTIL_MISSING_ISSUER_NAME = \
     "certutil:  Missing '-c issuer-name' option!"
+PKIHELPER_CERTUTIL_MISSING_KEY_TYPE = \
+    "certutil:  Missing '-k key-type-or-id' option (must be 'ecc' or 'rsa')!"
 PKIHELPER_CERTUTIL_MISSING_NICKNAME = \
     "certutil:  Missing '-n nickname' option!"
 PKIHELPER_CERTUTIL_MISSING_NOISE_FILE = \