Bug2253044-AKI-non-SHA1-support

This patch is to address the issue where the AKI would not match the SKI in the case when SHA-1 is not selected for calculationg SKI for root ca. CA profiles have also been changed so that the SKI will come before AKI so that SKI could propagate to AKI properly in the case of a root CA. fixes https://bugzilla.redhat.com/show_bug.cgi?id=2253044
dogtagpki · Dec 6, 2023 · cc95f31 · cc95f31
1 parent f340c06
commit cc95f31
Show file tree

Hide file tree

Showing 6 changed files with 26 additions and 6 deletions.
diff --git a/base/ca/shared/conf/caCert.profile b/base/ca/shared/conf/caCert.profile
@@ -6,7 +6,7 @@ name=All Purpose CA Profile
 description=This profile creates a CA certificate that is valid for all signing purposes.
 profileIDMapping=caCACert
 profileSetIDMapping=caCertSet
-list=2,4,5,6,7
+list=2,7,4,5,6
 2.default.class=com.netscape.cms.profile.def.CAValidityDefault
 2.default.name=CA Certificate Validity Default
 2.default.params.range=7305

diff --git a/base/ca/shared/profiles/ca/caCACert.cfg b/base/ca/shared/profiles/ca/caCACert.cfg
@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=caCertSet
-policyset.caCertSet.list=1,2,3,4,5,6,8,9,10
+policyset.caCertSet.list=1,2,3,8,4,5,6,9,10
 policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.caCertSet.1.constraint.name=Subject Name Constraint
 policyset.caCertSet.1.constraint.params.pattern=CN=.*

diff --git a/base/ca/shared/profiles/ca/caCMCcaCert.cfg b/base/ca/shared/profiles/ca/caCMCcaCert.cfg
@@ -10,7 +10,7 @@ input.i1.class_id=cmcCertReqInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=caCertSet
-policyset.caCertSet.list=1,2,3,4,5,6,8,9,10
+policyset.caCertSet.list=1,2,3,8,4,5,6,9,10
 policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.caCertSet.1.constraint.name=Subject Name Constraint
 policyset.caCertSet.1.constraint.params.pattern=CN=.*

diff --git a/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg b/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg
@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=caCertSet
-policyset.caCertSet.list=1,2,3,4,5,6,8,9,10
+policyset.caCertSet.list=1,2,3,8,4,5,6,9,10
 policyset.caCertSet.1.constraint.class_id=userSubjectNameConstraintImpl
 policyset.caCertSet.1.constraint.name=User Subject Name Constraint
 policyset.caCertSet.1.default.class_id=userSubjectNameDefaultImpl

diff --git a/base/ca/shared/profiles/ca/caInstallCACert.cfg b/base/ca/shared/profiles/ca/caInstallCACert.cfg
@@ -11,7 +11,7 @@ input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=caCertSet
-policyset.caCertSet.list=1,2,3,4,5,6,8,9,10
+policyset.caCertSet.list=1,2,3,8,4,5,6,9,10
 policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.caCertSet.1.constraint.name=Subject Name Constraint
 policyset.caCertSet.1.constraint.params.pattern=CN=.*

diff --git a/base/ca/src/main/java/com/netscape/cms/profile/def/CAEnrollDefault.java b/base/ca/src/main/java/com/netscape/cms/profile/def/CAEnrollDefault.java
@@ -46,12 +46,26 @@ public CAEnrollDefault() {
     }
 
     public KeyIdentifier getKeyIdentifier(X509CertInfo info) {
+        return getKeyIdentifier(info, "SHA-1");
+    }
+    public KeyIdentifier getKeyIdentifier(X509CertInfo info, String messageDigest) {
         String method = "CAEnrollDefault: getKeyIdentifier: ";
         try {
+            /*
+             * The SKI must be placed before the AKI in the enrollment profile
+             * for this to work properly
+             */
+            SubjectKeyIdentifierExtension ext = (SubjectKeyIdentifierExtension) getExtension(PKIXExtensions.SubjectKey_Id.toString(), info);
+            if (ext != null) {
+                logger.debug(method + "found SubjectKey_Id extension");
+                KeyIdentifier kid = (KeyIdentifier) ext.get(SubjectKeyIdentifierExtension.KEY_ID);
+                return kid;
+            }
+            // ski not found, calculate the ski
             CertificateX509Key ckey = (CertificateX509Key)
                     info.get(X509CertInfo.KEY);
             X509Key key = (X509Key) ckey.get(CertificateX509Key.KEY);
-            byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey());
+            byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey(), messageDigest);
             if (hash == null) {
                 logger.warn(method + "CryptoUtil.generateKeyIdentifier returns null");
                 return null;
@@ -83,14 +97,20 @@ public KeyIdentifier getCAKeyIdentifier(X509CertImpl caCert) throws EBaseExcepti
                         SubjectKeyIdentifierExtension.KEY_ID);
                 return keyId;
             } catch (IOException e) {
+                logger.warn(method + e.toString());
+                return null;
             }
         }
+        logger.warn(method + "SubjectKeyIdentifierExtension not found in CA signing cert. Returning null");
+            return null;
 
+        /* SubjectKeyIdentifierExtension has to exist in a CA signing cert
         byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey());
         if (hash == null) {
             logger.warn(method + "CryptoUtil.generateKeyIdentifier returns null");
             return null;
         }
         return new KeyIdentifier(hash);
+        */
     }
 }