#781 IPA admin cert is created with SHA1 signing algorithm, should be SHA256
Closed: Fixed None Opened 10 years ago by vakwetu.

Description of problem:
IPA admin cert is created with SHA1 signing algorithm, should be SHA256.

Version-Release number of selected component (if applicable):
pki-ca-10.0.5-1.el7.noarch

How reproducible:

Steps to Reproduce:
1. CS.cfg after the CA install has this:
ca.signing.defaultSigningAlgorithm=SHA256withRSA

  1. CA's debug log has this:
    [28/Oct/2013:18:10:44]http-bio-8443-exec-3: Creating local certificate... dn=cn=ipa-ca-agent,O=TESTRELM.COM
    [28/Oct/2013:18:10:44]http-bio-8443-exec-3: Cert Template: [
    Version: V3
    Subject: CN=ipa-ca-agent,O=TESTRELM.COM
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key: algorithm = RSA, unparsed keybits =
30 82 01 0A 02 82 01 01 00 EC FF FE 3A D3 01 E9 66 68 81 1A
7E D6 7B E1 24 83 50 37 ED 87 AF EA C2 2C 49 B4 69 83 ED 90
AE 83 0D 02 B3 F7 9A 1C 9D 59 61 36 BA D0 AF 19 60 1D F2 22
57 87 1E 4F FC B3 CF 43 B9 C0 09 B8 4E AD 36 9A AB 18 46 8F
72 4B 7D 15 5F 55 22 B5 C5 EF 07 32 6F C2 4F 0B 1F EC DD 44
9A 5A 59 59 2C 27 D4 8A 26 FC 45 A4 14 1F F9 89 33 2C D4 ED
BB D1 AF 86 E1 CD F3 73 1A 58 E3 FF 30 DF B8 D2 98 58 20 C7
D0 56 97 93 51 15 23 6C BE A4 AA 48 4F A6 33 85 F4 4E 7B 19
E1 92 B1 F8 59 63 BA BC F5 91 D2 0F 71 14 3C F2 AA 0B 2E 25
18 A0 E5 42 84 B2 8C 4B 6C EF D8 13 02 A0 84 98 07 38 CA 21
B5 B3 65 58 0A D6 CE AC 2E 0D F5 6B 6D 15 14 51 61 17 AD 57
50 2D CA 0E 6F 73 5A E3 4D 0E E2 AA EB 25 4C 18 70 E3 08 45
C7 79 1B 6F 4D 64 1F E5 CB C6 1B 4C 8C 1D 2F BB 06 E9 DA 0D
15 89 84 30 07 02 03 01 00 01

Validity: [From: Mon Oct 28 18:10:44 EDT 2013,
To: Mon Oct 28 18:10:44 EDT 2013]
Issuer: CN=Certificate Authority,O=TESTRELM.COM
SerialNumber: [ 06]

]

Actual results:
Admin/agent cert created with SHA1 algorithm

Expected results:
Admin/agent cert should be created with SHA256 signing algorithm.

Additional info:


10.0: 3cdb23de2802cf12a1d5981e8b94b1d1bc0f8e8a
master: 2e54c85990e7969f7e36c324052b67f62debe4c2

Please correct the typo in 'vase/ca/shared/conf/CS.cfg.in' from:

ca.profiles.defaultSigningAlgsAllowed==SHA256withRSA,SHA1withRSA,SHA512withRSA,M
D5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withEC,SHA512with
EC

to:

ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA1withRSA,SHA512withRSA,M
D5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withEC,SHA512with
EC

Basically, the double '==' should be replaced by a single '=', as this may be viewed as a part of the value string ('=SHA256withRSA' rather than 'SHA256withRSA').

Fixed in master, 10.0 and 10.1 branches.

To ssh://vakwetu@git.fedorahosted.org/git/pki.git
ffcf024..cfd98df DOGTAG_10_1_BRANCH -> DOGTAG_10_1_BRANCH

Metadata Update from @vakwetu:
- Issue assigned to vakwetu
- Issue set to the milestone: 10.2 - 06/14 (June)

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1348

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Login to comment on this ticket.

Metadata