Dne 6.8.2014 v 18:17 Jan Cholasta napsal(a):
Dne 6.8.2014 v 14:43 Rob Crittenden napsal(a):
Jan Cholasta wrote:
Hi,
the attached patch fixes <https://fedorahosted.org/freeipa/ticket/4447>.
+ cert_group.add_option("--ca-key-algorithm", dest="ca_key_algorithm",
+ help="Key algorithm of the IPA CA certificate
(default SHA256withRSA)")
Why not set the default here rather than later?
CA-related defaults should be internalized in CA-related code IMHO.
Should the list of options be added to the man page as well?
Sure, why not.
Do we want to support the MD*-based signing algorithms? I'd think not.
Since the reason this patch exists is to support old and/or broken
external CAs, I would think yes, but I don't have a strong opinion on this.
Turns out Dogtag does not like them, so I removed them.
Seeing the context makes me wonder if we should eventually add options
for CA key size and signing alg as well.
rob
Updated patch attached.
--
Jan Cholasta
>From 528587b8024055a8cd783cc9ebd493684b6dcc62 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 6 Aug 2014 09:43:19 +0200
Subject: [PATCH] Allow specifying key algorithm of the IPA CA cert in
ipa-server-install.
This is especially useful for external CA install, as the algorithm is also
used for the CSR signature.
https://fedorahosted.org/freeipa/ticket/4447
---
install/tools/ipa-server-install | 13 ++++++++++---
install/tools/man/ipa-server-install.1 | 3 +++
ipaserver/install/cainstance.py | 12 ++++++++++--
3 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 207dabd..e0cc165 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -226,6 +226,10 @@ def parse_options():
cert_group.add_option("--subject", action="callback", callback=subject_callback,
type="string",
help="The certificate subject base (default O=<realm-name>)")
+ cert_group.add_option("--ca-key-algorithm", dest="ca_key_algorithm",
+ type="choice",
+ choices=('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'),
+ help="Key algorithm of the IPA CA certificate")
parser.add_option_group(cert_group)
dns_group = OptionGroup(parser, "DNS options")
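Review bot: The help string on the new --ca-key-algorithm option no longer states the default, so `ipa-server-install --help` and the man page hunk (which says SHA256withRSA) disagree on what an omitted option means. Since the thread's rationale for keeping SHA1withRSA is compatibility with old external CAs, the help text should say so rather than present the three choices as equivalent, e.g. `help="Key algorithm of the IPA CA certificate (default SHA256withRSA; SHA1withRSA only for compatibility with legacy external CAs)"`. parse_options continues outside the hunk.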
@@ -1082,7 +1086,8 @@ def main():
dogtag_constants=dogtag.install_constants)
if external == 0:
ca.configure_instance(host_name, domain_name, dm_password,
- dm_password, subject_base=options.subject)
+ dm_password, subject_base=options.subject,
+ ca_key_algorithm=options.ca_key_algorithm)
elif external == 1:
# stage 1 of external CA installation
options.realm_name = realm_name
@@ -1097,14 +1102,16 @@ def main():
write_cache(vars(options))
ca.configure_instance(host_name, domain_name, dm_password,
dm_password, csr_file=paths.ROOT_IPA_CSR,
- subject_base=options.subject)
+ subject_base=options.subject,
+ ca_key_algorithm=options.ca_key_algorithm)
else:
# stage 2 of external CA installation
ca.configure_instance(host_name, domain_name, dm_password,
dm_password,
cert_file=options.external_cert_file,
cert_chain_file=options.external_ca_file,
- subject_base=options.subject)
+ subject_base=options.subject,
+ ca_key_algorithm=options.ca_key_algorithm)
# Now put the CA cert where other instances exepct it
ca.publish_ca_cert(CACERT)
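Review bot: In the stage-2 branch, ca_key_algorithm is taken from the current command line, yet the CA key pair and CSR were produced in stage 1 with whatever value was passed then, so a different value in stage 2 makes the two stages disagree. Stage 1 calls `write_cache(vars(options))`, so presumably stage 2 restores options from that cache; if so, a one-line comment above the stage-2 call saying that ca_key_algorithm comes from the stage-1 cache would make that explicit, and if not, the stage-1 value should be read back from the cache rather than re-taken from the command line. The same pass-through appears in the stage-0 hunk above; main() continues outside the hunk.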
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 8cc2ffa..957bd6d 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -123,6 +123,9 @@ PEM file containing the CA certificate of the CA which issued the Directory Serv
.TP
\fB\-\-subject\fR=\fISUBJECT\fR
The certificate subject base (default O=REALM.NAME)
+.TP
+\fB\-\-ca\-key\-algorithm\fR=\fIALGORITHM\fR
+Key algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA.
.SS "DNS OPTIONS"
.TP
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 8c1b139..6534010 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -410,7 +410,7 @@ class CAInstance(service.Service):
pkcs12_info=None, master_host=None, csr_file=None,
cert_file=None, cert_chain_file=None,
master_replication_port=None,
- subject_base=None):
+ subject_base=None, ca_key_algorithm=None):
"""Create a CA instance.
For Dogtag 9, this may involve creating the pki-ca instance.
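Review bot: The new ca_key_algorithm parameter is not described in the docstring that starts at `"""Create a CA instance.` and continues past the hunk; it should get a line such as `ca_key_algorithm: key algorithm of the CA signing certificate, one of SHA1withRSA, SHA256withRSA or SHA512withRSA; None selects SHA256withRSA`. The rest of the docstring and of configure_instance lies outside the hunk.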
@@ -436,6 +436,10 @@ class CAInstance(service.Service):
self.subject_base = DN(('O', self.realm))
else:
self.subject_base = subject_base
+ if ca_key_algorithm is None:
+ self.ca_key_algorithm = 'SHA256withRSA'
+ else:
+ self.ca_key_algorithm = ca_key_algorithm
# Determine if we are installing as an externally-signed CA and
# what stage we're in.
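Review bot: The else branch stores whatever string the caller passes without checking it against the three values the installer accepts, so a caller other than ipa-server-install (configure_instance is a method on CAInstance; other callers are not visible here) could pass an unsupported value that is only rejected later by Dogtag. The supported tuple and the default literal 'SHA256withRSA' would be better as module-level constants shared by the option parser and this method, and the else branch could validate with `if ca_key_algorithm not in <supported-tuple-constant>: raise ValueError("unsupported CA key algorithm: %s" % ca_key_algorithm)`. The enclosing method starts and ends outside the hunk.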
@@ -563,6 +567,9 @@ class CAInstance(service.Service):
config.set("CA", "pki_audit_signing_nickname", "auditSigningCert cert-pki-ca")
config.set("CA", "pki_ca_signing_nickname", "caSigningCert cert-pki-ca")
+ # CA key algorithm
+ config.set("CA", "pki_ca_signing_key_algorithm", self.ca_key_algorithm)
+
if (self.clone):
cafile = self.pkcs12_info[0]
shutil.copy(cafile, paths.TMP_CA_P12)
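Review bot: The comment `# CA key algorithm` only restates the config key; what a reader needs is why this value is distinct from the algorithm Dogtag uses to sign issued certificates, which this hunk does not set. Something like `# Algorithm for the CA signing cert's own signature (and for the CSR in external-CA mode); certificates issued by the CA are governed by a separate signing-algorithm setting` would make the scope of the option clear. The enclosing method starts and ends outside the hunk.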
@@ -726,7 +733,8 @@ class CAInstance(service.Service):
"-db_name", "ipaca",
"-key_size", "2048",
"-key_type", "rsa",
- "-key_algorithm", "SHA256withRSA",
+ "-key_algorithm", self.ca_key_algorithm,
+ "-signing_algorithm", "SHA256withRSA",
"-save_p12", "true",
"-backup_pwd", self.admin_password,
"-subsystem_name", self.service_name,
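Review bot: `-key_algorithm` now varies with the option while the newly added `-signing_algorithm` stays pinned to "SHA256withRSA", and nothing explains the split; a reader could reasonably expect the option to affect both. A one-line comment above the pair, e.g. `# -key_algorithm: signature on the CA cert/CSR (user-selectable); -signing_algorithm: signatures on issued certs (fixed)`, would prevent the option being misread as changing how end-entity certificates are signed. If the intent is that SHA1withRSA only ever reaches the CA certificate and CSR, that matches the thread's rationale and is worth stating. The argument list continues outside the hunk.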
--
1.9.3