#2552 pkispawn does not change default ecc key size from nistp256 when nistp384 is specified in spawn config
Closed: Fixed None Opened 7 years ago by dsirrine.

When creating ECC CA, pkispawn does not change default key size from nistp256.

This causes certificates created with the SHA384withEC algorithm but creates it
with the nistp256 key size.

Steps to Reproduce:

1. Create CA instance with the attached pkispawn config
2. Check certs using certutil -L -d /var/lib/pki/pki-tomcat/alias -n <certname>

Actual results:

A certificate similar to:
~~~~~~~~~~~~~~~~~~~~~~
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: X9.62 ECDSA signature with SHA384
        Issuer: "CN=CA Signing Certificate,OU=pki-tomcat,O=example.com Securi
            ty Domain"
        Validity:
            Not Before: Mon Nov 21 20:45:29 2016
            Not After : Fri Nov 21 20:45:29 2036
        Subject: "CN=CA Signing Certificate,OU=pki-tomcat,O=example.com Secur
            ity Domain"
        Subject Public Key Info:
            Public Key Algorithm: X9.62 elliptic curve public key
                Args:
                    06:08:2a:86:48:ce:3d:03:01:07
            EC Public Key:
                PublicValue:
                    04:ad:58:85:70:7e:84:a6:59:a1:d9:fe:a4:96:8e:20:
                    25:00:38:4a:62:c7:c3:6a:9c:35:30:47:0e:08:e8:56:
                    fb:e2:fa:f6:06:4a:15:ab:82:21:22:9f:39:eb:7a:7d:
                    85:4e:5b:a5:80:af:ec:2c:13:39:6c:56:ea:f7:64:d3:
                    c3
                Curve: ANSI X9.62 elliptic curve prime256v1 (aka secp256r1,
NIST P-256)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                c9:ae:4f:a5:6e:89:af:c5:a3:b2:d6:7e:17:ec:65:1d:
                20:f2:f6:96

            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with no maximum path length.

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation
                    Certificate Signing
                    CRL Signing

            Name: Certificate Subject Key ID
            Data:
                c9:ae:4f:a5:6e:89:af:c5:a3:b2:d6:7e:17:ec:65:1d:
                20:f2:f6:96

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location:
                URI: "http://cs9-test.example.com:8080/ca/ocsp"

    Signature Algorithm: X9.62 ECDSA signature with SHA384
    Signature:
        30:45:02:20:41:b7:78:9d:ef:fa:02:d0:5d:31:4f:61:
        3a:bf:63:a3:63:ca:38:66:5c:bb:4d:93:86:0e:a0:41:
        2b:d3:84:3f:02:21:00:f0:47:47:cb:36:95:f6:52:8d:
        4d:8b:36:a4:7f:5a:72:a2:fb:09:c7:fa:1c:42:32:11:
        b4:65:5b:a1:e4:aa:f9
    Fingerprint (SHA-256):
        FF:45:CC:BE:CA:28:B2:10:2C:C0:66:BB:B4:17:F9:BC:B6:90:A9:0A:CC:56:B7:35
:85:AF:CF:C6:4E:FB:CB:15
    Fingerprint (SHA1):
        42:F1:E7:8F:72:F0:53:9E:3F:99:8B:DF:4C:77:F9:12:E5:6B:38:CE

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
            Trusted Client CA
        Email Flags:
            Valid CA
            Trusted CA
            User
        Object Signing Flags:
            Valid CA
            Trusted CA
            User
~~~~~~~~~~~~~~~~

Note the "Curve: ANSI X9.62 elliptic curve prime256v1 (aka secp256r1, NIST
P-256)"

Expected results:

Curve to match the algorithm.

Per PKI Bug Council of 11/29/2016: 10.3 - blocker

Per Offline Triage of 11/30/2016-12/01/2016: 10.3 - critical (downgraded from blocker)

Checking in fix:

commit ae350a3d4e0ae9b82fa44ebdfa37654f0083b4c1
Author: Jack Magne jmagne@dhcp-16-206.sjc.redhat.com
Date: Thu Dec 8 16:35:20 2016 -0800

Resolve: pkispawn does not change default ecc key size from nistp256 when nistp384 is specified in spawn config

Ticket #2552.

This fix turned out simple. The client was correctly setting the required data, but it was putting the curveName in the
"keySize" field of the SystemCertData object sent to the back end. The configuration routine was trying to find the name in the "curveName" field when its really in the "keySize" field. This issue is restricted to the ECC case. It is fine to simply fix this in the server, since the "keySize" is a string anyway and it makes decent sense.

Replying to [comment:5 jmagne]:

Checking in fix:

commit ae350a3d4e0ae9b82fa44ebdfa37654f0083b4c1
Author: Jack Magne jmagne@dhcp-16-206.sjc.redhat.com
Date: Thu Dec 8 16:35:20 2016 -0800

Resolve: pkispawn does not change default ecc key size from nistp256 when nistp384 is specified in spawn config

Ticket #2552.

This fix turned out simple. The client was correctly setting the required data, but it was putting the curveName in the
"keySize" field of the SystemCertData object sent to the back end. The configuration routine was trying to find the name in the "curveName" field when its really in the "keySize" field. This issue is restricted to the ECC case. It is fine to simply fix this in the server, since the "keySize" is a string anyway and it makes decent sense.

Cherry-picked into Dogtag_10_3_BRANCH:

  • ad986509b8446d8fbe02d68f4ff62cb3d39c3fdd

Metadata Update from @dsirrine:
- Issue assigned to jmagne
- Issue set to the milestone: 10.3.9

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2672

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Login to comment on this ticket.

Metadata