URL: https://github.com/freeipa/freeipa/pull/5868 Author: rcritten Title: #5868: Add SHA384withRSA as a certificate signing algorithm Action: opened
PR body:
"""
It required support in dogtag which was added in 10.5.0.

This is only easily configurable during installation because it will set ca.signing.defaultSigningAlgorithm to the selected algorithm in CS.cfg.

The certificate profiles will generally by default set default.params.signingAlg=- which means use the CA default. So while an existing installation will technically allow SHA384withRSA it will require profile changes and/or changing the defaultSigningAlgorithm in CS.cfg and restarting (completely untested). And that won't affect already-issued certificates.

https://pagure.io/freeipa/issue/8906

Signed-off-by: Rob Crittenden <[email protected]>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5868/head:pr5868
git checkout pr5868
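The PR body's point is that a profile's `default.params.signingAlg=-` defers to `ca.signing.defaultSigningAlgorithm` in CS.cfg, while the profile's own `signingAlgsAllowed` constraint decides whether that inherited value is acceptable. The following is an added example (not code from this PR, FreeIPA or Dogtag) that models exactly that resolution over constructed CS.cfg and profile fragments, and also flags the list-hygiene problems a reviewer looks for in `signingAlgsAllowed` (duplicate entries, stray whitespace). Its key=value reader handles only the flat `policyset.<set>.<n>.<kind>.params.<name>=<value>` lines seen in the patch; it is an assumption that this subset is enough for the check and it is not Dogtag's real profile loader. The function and fixture names are the example's own.

```python
"""Resolve a Dogtag profile's effective certificate signing algorithm.

Added example, not FreeIPA or Dogtag code. A profile whose
signingAlgDefaultImpl parameter signingAlg is '-' inherits
ca.signing.defaultSigningAlgorithm from CS.cfg; the result must appear in
that profile's signingAlgConstraintImpl signingAlgsAllowed list.
Assumption: the flat key=value subset parsed here is all that matters.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed CS.cfg fragment for the example; not taken from a real server.
CS_CFG = """\
ca.signing.defaultSigningAlgorithm=SHA384withRSA
ca.crl.MasterCRL.signingAlgorithm=SHA256withRSA
"""

# Constructed profile fragment shaped like the pre-patch caIPAserviceCert.cfg:
# the CA default is inherited ('-') but SHA384withRSA is not in the allowed list.
PROFILE_CFG = """\
profileId=caIPAserviceCert
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.serverCertSet.8.constraint.name=No Constraint
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.name=Signing Alg
policyset.serverCertSet.8.default.params.signingAlg=-
"""

_POLICY_RE = re.compile(r"^policyset\.([^.]+)\.(\d+)\.(constraint|default)\.(.+)$")


def parse_cfg(text: str) -> dict[str, str]:
    """Parse 'key=value' lines; blank lines and '#' comments are skipped."""
    cfg: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value  # value kept verbatim so stray spaces stay visible
    return cfg


@dataclass
class SigningPolicy:
    policy_set: str
    index: str
    default_alg: str  # raw signingAlg value; '-' means "use the CA default"
    allowed_raw: list[str] = field(default_factory=list)  # entries as written

    @property
    def allowed(self) -> set[str]:
        return {a.strip() for a in self.allowed_raw}


def find_signing_policy(profile: dict[str, str]) -> SigningPolicy:
    """Locate the policy slot whose default plugin is signingAlgDefaultImpl."""
    for key, value in profile.items():
        m = _POLICY_RE.match(key)
        if not m or m.group(3) != "default" or m.group(4) != "class_id":
            continue
        if value != "signingAlgDefaultImpl":
            continue
        pset, idx = m.group(1), m.group(2)
        prefix = f"policyset.{pset}.{idx}."
        default_alg = profile.get(prefix + "default.params.signingAlg", "-")
        allowed_value = profile.get(prefix + "constraint.params.signingAlgsAllowed", "")
        allowed_raw = allowed_value.split(",") if allowed_value else []
        return SigningPolicy(pset, idx, default_alg, allowed_raw)
    raise ValueError("profile has no signingAlgDefaultImpl policy")


def effective_signing_alg(profile: dict[str, str], cs_cfg: dict[str, str]) -> str:
    """'-' defers to ca.signing.defaultSigningAlgorithm in CS.cfg."""
    policy = find_signing_policy(profile)
    if policy.default_alg == "-":
        return cs_cfg["ca.signing.defaultSigningAlgorithm"]
    return policy.default_alg


def check_profile(profile: dict[str, str], cs_cfg: dict[str, str]) -> list[str]:
    """Return findings a reviewer would want; an empty list means consistent."""
    findings: list[str] = []
    policy = find_signing_policy(profile)
    alg = effective_signing_alg(profile, cs_cfg)
    if alg not in policy.allowed:
        findings.append(f"effective algorithm {alg} is not in signingAlgsAllowed")
    seen: set[str] = set()
    for entry in policy.allowed_raw:
        if entry != entry.strip():
            findings.append(f"whitespace around allowed entry {entry!r}")
        if entry.strip() in seen:
            findings.append(f"duplicate allowed entry {entry.strip()}")
        seen.add(entry.strip())
    return findings


def with_allowed(profile: dict[str, str], extra: str) -> dict[str, str]:
    """Copy of the profile with `extra` appended to its signingAlgsAllowed list."""
    policy = find_signing_policy(profile)
    key = f"policyset.{policy.policy_set}.{policy.index}.constraint.params.signingAlgsAllowed"
    updated = dict(profile)
    updated[key] = ",".join(policy.allowed_raw + [extra])
    return updated


if __name__ == "__main__":
    profile, cs = parse_cfg(PROFILE_CFG), parse_cfg(CS_CFG)
    print(effective_signing_alg(profile, cs), check_profile(profile, cs))
    print(check_profile(with_allowed(profile, "SHA384withRSA"), cs))
```

Run against the constructed input, the first line of output shows the situation the PR body warns about: the CA default is SHA384withRSA, but the pre-patch profile does not allow it, so issuance through that profile would be refused by the constraint until the allowed list is extended, which is what the patch does for the shipped profiles. Membership is tested on stripped entries, so a stray space is reported rather than treated as a hard failure; whether Dogtag itself tolerates the space is not something this example decides.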
From 42bfab441f881d2e8256a4c715c680af308b8e1d Mon Sep 17 00:00:00 2001
From: Rob Crittenden <[email protected]>
Date: Wed, 30 Jun 2021 13:15:45 -0400
Subject: [PATCH] Add SHA384withRSA as a certificate signing algorithm

It required support in dogtag which was added in 10.5.0.

This is only easily configurable during installation because it will set ca.signing.defaultSigningAlgorithm to the selected algorithm in CS.cfg.

The certificate profiles will generally by default set default.params.signingAlg=- which means use the CA default. So while an existing installation will technically allow SHA384withRSA it will require profile changes and/or changing the defaultSigningAlgorithm in CS.cfg and restarting (completely untested). And that won't affect already-issued certificates.

https://pagure.io/freeipa/issue/8906

Signed-off-by: Rob Crittenden <[email protected]>
---
 install/share/profiles/IECUserRoles.cfg                 | 2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg            | 2 +-
 install/share/profiles/acmeIPAServerCert.cfg            | 2 +-
 install/share/profiles/caIPAserviceCert.UPGRADE.cfg     | 2 +-
 install/share/profiles/caIPAserviceCert.cfg             | 2 +-
 install/tools/ipa-ca-install.in                         | 2 +-
 install/tools/man/ipa-ca-install.1                      | 2 +-
 install/tools/man/ipa-server-install.1                  | 2 +-
 ipaserver/install/ca.py                                 | 1 +
 ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl     | 8 ++++----
 ipatests/test_xmlrpc/data/caIPAserviceCert_mal.cfg.tmpl | 2 +-
 ipatests/test_xmlrpc/data/caIPAserviceCert_mod.cfg.tmpl | 2 +-
 .../test_xmlrpc/data/caIPAserviceCert_mod_mal.cfg.tmpl  | 2 +-
 ipatests/test_xmlrpc/data/smime-mod.cfg.tmpl            | 2 +-
 ipatests/test_xmlrpc/data/smime.cfg.tmpl                | 2 +-
 15 files changed, 18 insertions(+), 17 deletions(-)

diff --git a/install/share/profiles/IECUserRoles.cfg b/install/share/profiles/IECUserRoles.cfg
index 9d2b4bb7932..0ce69017eba 100644
--- a/install/share/profiles/IECUserRoles.cfg
+++ b/install/share/profiles/IECUserRoles.cfg
@@ -81,7 +81,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl policyset.serverCertSet.8.constraint.name=No Constraint -policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC +policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl policyset.serverCertSet.8.default.name=Signing Alg policyset.serverCertSet.8.default.params.signingAlg=- diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg index 5993520cb43..a980c97c502 100644 --- a/install/share/profiles/KDCs_PKINIT_Certs.cfg +++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg @@ -81,7 +81,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.2.3.5 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl policyset.serverCertSet.8.constraint.name=No Constraint -policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC +policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl policyset.serverCertSet.8.default.name=Signing Alg policyset.serverCertSet.8.default.params.signingAlg=- 
diff --git a/install/share/profiles/acmeIPAServerCert.cfg b/install/share/profiles/acmeIPAServerCert.cfg index 2487056e149..1607f59b18a 100644 --- a/install/share/profiles/acmeIPAServerCert.cfg +++ b/install/share/profiles/acmeIPAServerCert.cfg @@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.range=90 policyset.serverCertSet.7.default.params.startTime=0 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl policyset.serverCertSet.8.constraint.name=No Constraint -policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC +policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl policyset.serverCertSet.8.default.name=Signing Alg policyset.serverCertSet.8.default.params.signingAlg=- diff --git a/install/share/profiles/caIPAserviceCert.UPGRADE.cfg b/install/share/profiles/caIPAserviceCert.UPGRADE.cfg index 1efd2066b9f..572a64fe69d 100644 --- a/install/share/profiles/caIPAserviceCert.UPGRADE.cfg +++ b/install/share/profiles/caIPAserviceCert.UPGRADE.cfg 
@@ -81,7 +81,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl policyset.serverCertSet.8.constraint.name=No Constraint -policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC +policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl policyset.serverCertSet.8.default.name=Signing Alg policyset.serverCertSet.8.default.params.signingAlg=- diff --git a/install/share/profiles/caIPAserviceCert.cfg b/install/share/profiles/caIPAserviceCert.cfg index dd06df521b5..cffd8cd02a7 100644 --- a/install/share/profiles/caIPAserviceCert.cfg +++ b/install/share/profiles/caIPAserviceCert.cfg @@ -81,7 +81,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl policyset.serverCertSet.8.constraint.name=No Constraint -policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC +policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl policyset.serverCertSet.8.default.name=Signing Alg policyset.serverCertSet.8.default.params.signingAlg=- 
diff --git a/install/tools/ipa-ca-install.in b/install/tools/ipa-ca-install.in index 18c23035d0d..d35d9ba957c 100644 --- a/install/tools/ipa-ca-install.in +++ b/install/tools/ipa-ca-install.in @@ -81,7 +81,7 @@ def parse_options(): parser.add_option("--external-cert-file", dest="external_cert_files", action="append", metavar="FILE", help="File containing the IPA CA certificate and the external CA certificate chain") - ca_algos = ('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA') + ca_algos = ('SHA1withRSA', 'SHA256withRSA', 'SHA384withRSA', 'SHA512withRSA') parser.add_option("--ca-signing-algorithm", dest="ca_signing_algorithm", type="choice", choices=ca_algos, metavar="{{{0}}}".format(",".join(ca_algos)), diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1 index 8e57c009257..7284ba55082 100644 --- a/install/tools/man/ipa-ca-install.1 +++ b/install/tools/man/ipa-ca-install.1 @@ -77,7 +77,7 @@ The subject base for certificates issued by IPA (default O=REALM.NAME). RDNs ar File containing overrides for CA installation. .TP \fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR -Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm. +Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm. .TP \fB\-\-no\-host\-dns\fR Do not use DNS for hostname lookup during installation diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 index fdb0f4cb370..2e89cfc3745 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 
@@ -162,7 +162,7 @@ The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME). R The subject base for certificates issued by IPA (default O=REALM.NAME). RDNs are in LDAP order (most specific RDN first). .TP \fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR -Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm. +Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm. .SS "SECRET MANAGEMENT OPTIONS" .TP diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py index 8fb5e3ec91e..e0ca7f4b966 100644 --- a/ipaserver/install/ca.py +++ b/ipaserver/install/ca.py @@ -435,6 +435,7 @@ def uninstall(): class CASigningAlgorithm(enum.Enum): SHA1_WITH_RSA = 'SHA1withRSA' SHA_256_WITH_RSA = 'SHA256withRSA' + SHA_384_WITH_RSA = 'SHA384withRSA' SHA_512_WITH_RSA = 'SHA512withRSA' diff --git a/ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl b/ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl index 99548192346..38f7619e630 100644 --- a/ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl +++ b/ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl @@ -505,7 +505,7 @@ <policyAttribute name="signingAlg"> <Descriptor> <Syntax>choice</Syntax> - <Constraint>SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA</Constraint> + <Constraint>SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA</Constraint> <Description>Signing Algorithm</Description> </Descriptor> </policyAttribute> 
@@ -514,15 +514,15 @@ </params> </def> <constraint id="No Constraint"> - <description>This constraint accepts only the Signing Algorithms of SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC</description> + <description>This constraint accepts only the Signing Algorithms of SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC</description> <classId>signingAlgConstraintImpl</classId> <constraint id="signingAlgsAllowed"> <descriptor> <Syntax>string</Syntax> <Description>Allowed Signing Algorithms</Description> - <DefaultValue>SHA1withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC</DefaultValue> + <DefaultValue>SHA1withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC</DefaultValue> </descriptor> - <value>SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC</value> + <value>SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC</value> </constraint> </constraint> </value> diff --git a/ipatests/test_xmlrpc/data/caIPAserviceCert_mal.cfg.tmpl b/ipatests/test_xmlrpc/data/caIPAserviceCert_mal.cfg.tmpl index 7fc2281ee14..61a48371fa3 100644 --- a/ipatests/test_xmlrpc/data/caIPAserviceCert_mal.cfg.tmpl +++ b/ipatests/test_xmlrpc/data/caIPAserviceCert_mal.cfg.tmpl 
@@ -90,7 +90,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl policyset.serverCertSet.8.constraint.name=No Constraint -policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC +policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA, SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl policyset.serverCertSet.8.default.name=Signing Alg policyset.serverCertSet.8.default.params.signingAlg=- diff --git a/ipatests/test_xmlrpc/data/caIPAserviceCert_mod.cfg.tmpl b/ipatests/test_xmlrpc/data/caIPAserviceCert_mod.cfg.tmpl index f9e8ce441df..72b5d10f264 100644 --- a/ipatests/test_xmlrpc/data/caIPAserviceCert_mod.cfg.tmpl +++ b/ipatests/test_xmlrpc/data/caIPAserviceCert_mod.cfg.tmpl 
@@ -89,7 +89,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl policyset.serverCertSet.8.constraint.name=No Constraint -policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC +policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl policyset.serverCertSet.8.default.name=Signing Alg policyset.serverCertSet.8.default.params.signingAlg=- diff --git a/ipatests/test_xmlrpc/data/caIPAserviceCert_mod_mal.cfg.tmpl b/ipatests/test_xmlrpc/data/caIPAserviceCert_mod_mal.cfg.tmpl index 3fa2970b0ad..67637cf8b94 100644 --- a/ipatests/test_xmlrpc/data/caIPAserviceCert_mod_mal.cfg.tmpl +++ b/ipatests/test_xmlrpc/data/caIPAserviceCert_mod_mal.cfg.tmpl 
@@ -90,7 +90,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl policyset.serverCertSet.8.constraint.name=No Constraint -policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC +policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl policyset.serverCertSet.8.default.name=Signing Alg policyset.serverCertSet.8.default.params.signingAlg=- diff --git a/ipatests/test_xmlrpc/data/smime-mod.cfg.tmpl b/ipatests/test_xmlrpc/data/smime-mod.cfg.tmpl index da94c25e574..2e593f648e3 100644 --- a/ipatests/test_xmlrpc/data/smime-mod.cfg.tmpl +++ b/ipatests/test_xmlrpc/data/smime-mod.cfg.tmpl @@ -78,7 +78,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl policyset.serverCertSet.8.constraint.name=No Constraint -policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC +policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl policyset.serverCertSet.8.default.name=Signing Alg policyset.serverCertSet.8.default.params.signingAlg=- 
diff --git a/ipatests/test_xmlrpc/data/smime.cfg.tmpl b/ipatests/test_xmlrpc/data/smime.cfg.tmpl index 3baf03f0bf1..cbcc7a150ac 100644 --- a/ipatests/test_xmlrpc/data/smime.cfg.tmpl +++ b/ipatests/test_xmlrpc/data/smime.cfg.tmpl @@ -88,7 +88,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl policyset.serverCertSet.8.constraint.name=No Constraint -policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC +policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl policyset.serverCertSet.8.default.name=Signing Alg policyset.serverCertSet.8.default.params.signingAlg=-
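Review bot: the acmeIPAServerCert.cfg hunk ends up listing SHA384withRSA twice. The removed line already contained it (after SHA256withEC), and the added line inserts a second copy after SHA256withRSA, giving `SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC`. Since this profile already allowed the algorithm, either drop the hunk or make it a pure reorder so the entry appears once: `policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC`.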
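Review bot: the caIPAserviceCert_mal.cfg.tmpl hunk is the only one that adds a space after the comma (`SHA384withRSA, SHA512withRSA`); every other signingAlgsAllowed line in the patch is written without it. If the stray space is accidental it should match the other fixtures, since a test that imports this profile will otherwise depend on how Dogtag trims the list; if it is intended as part of the malformed fixture, the commit message should say so.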
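Review bot: the ipa-ca-install.in hunk keeps a hand-maintained `ca_algos` tuple that duplicates the CASigningAlgorithm enum extended in ipaserver/install/ca.py in the same patch; the two were already out of step by one value before this change and will drift again. Assuming the tool can import ipaserver.install.ca, deriving the choices from the enum (`ca_algos = tuple(a.value for a in ca.CASigningAlgorithm)`) keeps --ca-signing-algorithm in ipa-ca-install and ipa-server-install in lockstep.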
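Review bot: the caIPAserviceCert.cfg, caIPAserviceCert.UPGRADE.cfg, IECUserRoles.cfg and smime hunks still permit MD2withRSA, MD5withRSA and SHA1withRSA in signingAlgsAllowed after this change. That is pre-existing and not for this PR, but since the constraint is the only thing preventing a profile edit from selecting one of them, a follow-up ticket to drop the MD2/MD5/SHA1 entries from the shipped profiles would be worth opening alongside this one.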
_______________________________________________
FreeIPA-devel mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
