From 6adb8dd366e3ca2d4ba0405e6d586b3b2b1f5282 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Tue, 28 Nov 2023 18:35:20 -0500 Subject: [PATCH] RHCS-4630 (part 2) Add SHA-2 support to Server-side Keygen I'm adding support of SHA-2 to Server-Side keygen. Since there was a recent ticket in similar area, it could sort of be considered relating to it. Adds SHA-2 support to https://bugzilla.redhat.com/show_bug.cgi?id=2246422 --- .../cms/profile/common/CAEnrollProfile.java | 40 ++++++++++++++++++- 1 file changed, 38 insertions(+), 2 deletions(-) diff --git a/base/ca/src/main/java/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/ca/src/main/java/com/netscape/cms/profile/common/CAEnrollProfile.java index 010f584b945..92b93b5cf1f 100644 --- a/base/ca/src/main/java/com/netscape/cms/profile/common/CAEnrollProfile.java +++ b/base/ca/src/main/java/com/netscape/cms/profile/common/CAEnrollProfile.java @@ -320,13 +320,49 @@ public void execute(Request request) throws EProfileException, ERejectException // fake key replaced; // need to compute/replace SKI as well if present - Extension ext = CertUtils.getExtension(PKIXExtensions.SubjectKey_Id.toString(), info); + SubjectKeyIdentifierExtension ext = (SubjectKeyIdentifierExtension) CertUtils.getExtension(PKIXExtensions.SubjectKey_Id.toString(), info); if (ext != null) { logger.debug(method + "found SubjectKey_Id extension"); + /* + * determine message digest algorithm: + * the "old_ski" was generated based on the profile + * from the "fake key", + * so we could use it's length to determine the size + * of the new hash. + * + * Message digest can be controlled by the messageDigest + * parameter in the subjectKeyIdentifier extension in a + * profile. e.g. + * policyset.caCertSet.8.default.params.messageDigest=SHA-256 + */ + String messageDigest = "SHA-1"; // default; len==20 + KeyIdentifier old_ski = null; + try { + old_ski = (KeyIdentifier) ext.get(SubjectKeyIdentifierExtension.KEY_ID); + } catch (IOException e) { + old_ski = null; + } + if (old_ski != null) { + byte[] old_ski_val = old_ski.getIdentifier(); + if (old_ski_val != null) { + int old_ski_len = old_ski_val.length; + + if (old_ski_len == 32) { + messageDigest = "SHA-256"; + } else if (old_ski_len == 48) { + messageDigest = "SHA-384"; + } else if (old_ski_len == 64) { + messageDigest = "SHA-512"; + } + } + } + logger.debug(method + "ServerSideKeygen message digest alg == " + messageDigest); // compute keyId X509Key realkey = (X509Key) certKey.get(CertificateX509Key.KEY); - byte[] hash = CryptoUtil.generateKeyIdentifier(realkey.getKey()); + byte[] hash = CryptoUtil.generateKeyIdentifier(realkey.getKey(), messageDigest); + int new_ski_len = hash.length; + logger.debug(method + "ServerSideKeygen hash len = " + new_ski_len); KeyIdentifier id = new KeyIdentifier(hash); SubjectKeyIdentifierExtension skiExt = new SubjectKeyIdentifierExtension(id.getIdentifier());