When creating ECC CA, pkispawn does not change default key size from nistp256.
This causes certificates created with the SHA384withEC algorithm but creates it with the nistp256 key size.
Steps to Reproduce:
1. Create CA instance with the attached pkispawn config 2. Check certs using certutil -L -d /var/lib/pki/pki-tomcat/alias -n <certname>
Actual results:
A certificate similar to: ~~~~~~~~~~~~~~~~~~~~~~ Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: X9.62 ECDSA signature with SHA384 Issuer: "CN=CA Signing Certificate,OU=pki-tomcat,O=example.com Securi ty Domain" Validity: Not Before: Mon Nov 21 20:45:29 2016 Not After : Fri Nov 21 20:45:29 2036 Subject: "CN=CA Signing Certificate,OU=pki-tomcat,O=example.com Secur ity Domain" Subject Public Key Info: Public Key Algorithm: X9.62 elliptic curve public key Args: 06:08:2a:86:48:ce:3d:03:01:07 EC Public Key: PublicValue: 04:ad:58:85:70:7e:84:a6:59:a1:d9:fe:a4:96:8e:20: 25:00:38:4a:62:c7:c3:6a:9c:35:30:47:0e:08:e8:56: fb:e2:fa:f6:06:4a:15:ab:82:21:22:9f:39:eb:7a:7d: 85:4e:5b:a5:80:af:ec:2c:13:39:6c:56:ea:f7:64:d3: c3 Curve: ANSI X9.62 elliptic curve prime256v1 (aka secp256r1, NIST P-256) Signed Extensions: Name: Certificate Authority Key Identifier Key ID: c9:ae:4f:a5:6e:89:af:c5:a3:b2:d6:7e:17:ec:65:1d: 20:f2:f6:96 Name: Certificate Basic Constraints Critical: True Data: Is a CA with no maximum path length. Name: Certificate Key Usage Critical: True Usages: Digital Signature Non-Repudiation Certificate Signing CRL Signing Name: Certificate Subject Key ID Data: c9:ae:4f:a5:6e:89:af:c5:a3:b2:d6:7e:17:ec:65:1d: 20:f2:f6:96 Name: Authority Information Access Method: PKIX Online Certificate Status Protocol Location: URI: "http://cs9-test.example.com:8080/ca/ocsp" Signature Algorithm: X9.62 ECDSA signature with SHA384 Signature: 30:45:02:20:41:b7:78:9d:ef:fa:02:d0:5d:31:4f:61: 3a:bf:63:a3:63:ca:38:66:5c:bb:4d:93:86:0e:a0:41: 2b:d3:84:3f:02:21:00:f0:47:47:cb:36:95:f6:52:8d: 4d:8b:36:a4:7f:5a:72:a2:fb:09:c7:fa:1c:42:32:11: b4:65:5b:a1:e4:aa:f9 Fingerprint (SHA-256): FF:45:CC:BE:CA:28:B2:10:2C:C0:66:BB:B4:17:F9:BC:B6:90:A9:0A:CC:56:B7:35 :85:AF:CF:C6:4E:FB:CB:15 Fingerprint (SHA1): 42:F1:E7:8F:72:F0:53:9E:3F:99:8B:DF:4C:77:F9:12:E5:6B:38:CE Certificate Trust Flags: SSL Flags: Valid CA Trusted CA User Trusted Client CA Email Flags: Valid CA Trusted CA User Object Signing Flags: Valid CA Trusted CA User ~~~~~~~~~~~~~~~~ Note the "Curve: ANSI X9.62 elliptic curve prime256v1 (aka secp256r1, NIST P-256)"
Expected results:
Curve to match the algorithm.
Per PKI Bug Council of 11/29/2016: 10.3 - blocker
Per Offline Triage of 11/30/2016-12/01/2016: 10.3 - critical (downgraded from blocker)
Checking in fix:
commit ae350a3d4e0ae9b82fa44ebdfa37654f0083b4c1 Author: Jack Magne jmagne@dhcp-16-206.sjc.redhat.com Date: Thu Dec 8 16:35:20 2016 -0800
Resolve: pkispawn does not change default ecc key size from nistp256 when nistp384 is specified in spawn config Ticket #2552. This fix turned out simple. The client was correctly setting the required data, but it was putting the curveName in the "keySize" field of the SystemCertData object sent to the back end. The configuration routine was trying to find the name in the "curveName" field when its really in the "keySize" field. This issue is restricted to the ECC case. It is fine to simply fix this in the server, since the "keySize" is a string anyway and it makes decent sense.
Replying to [comment:5 jmagne]:
Checking in fix: commit ae350a3d4e0ae9b82fa44ebdfa37654f0083b4c1 Author: Jack Magne jmagne@dhcp-16-206.sjc.redhat.com Date: Thu Dec 8 16:35:20 2016 -0800 Resolve: pkispawn does not change default ecc key size from nistp256 when nistp384 is specified in spawn config Ticket #2552. This fix turned out simple. The client was correctly setting the required data, but it was putting the curveName in the "keySize" field of the SystemCertData object sent to the back end. The configuration routine was trying to find the name in the "curveName" field when its really in the "keySize" field. This issue is restricted to the ECC case. It is fine to simply fix this in the server, since the "keySize" is a string anyway and it makes decent sense.
Cherry-picked into Dogtag_10_3_BRANCH:
Metadata Update from @dsirrine: - Issue assigned to jmagne - Issue set to the milestone: 10.3.9
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2672
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Login to comment on this ticket.