On 29.9.2014 at 12:20, Martin Kosek wrote:
On 09/29/2014 11:11 AM, Jan Cholasta wrote:
On 29.9.2014 at 05:16, Fraser Tweedale wrote:
On Fri, Sep 26, 2014 at 10:44:16AM -0400, Simo Sorce wrote:
On Fri, 26 Sep 2014 13:54:34 +0200
Martin Kosek <mko...@redhat.com> wrote:

I tested the patch (it works fine with Dogtag 10), but I got very
confused.

What CA option are we setting? Signing algorithm or Key Algorithm?
I thought we are only setting Signing algorithm, but in that
case:

We are setting key algorithm for the CA signing key.

That did not make me any less confused... If I check, for example, the
fields in the certificate details in my browser, I see 2 algorithm
names:

* Public Key Algorithm (RSA, ECC, ...)
* Certificate Signature Algorithm (SHA-1 with RSA, SHA-256 with RSA,
something with ECC)

In that world, "key algorithm" should really refer to the key PKI
algorithm, i.e. RSA, ECC, ... Signature algorithms are where hashes
come into play.

- --ca-key-algorithm option should rather read
--ca-signing-key-algorithm

If you want to emphasize that it is actually the algorithm used to
sign the CA certificate, the option should read
--ca-certificate-signature-algorithm, but I would rather stick to
Dogtag terminology and keep the string "key algorithm" in the
name.

I still think for most people "key algorithm" refers to Public Key
algorithm. Rob or Simo, what is your take on this?

If we are defining the signing algorithm the "signing" string should be
somewhere in the option.
Having just --key-algorithm is indeed confusing.

Simo.


My take is that the terminology should be chosen in line with
standards.  The X.509 field is called `signatureAlgorithm' so
`--ca-certificate-signature-algorithm' makes sense to me.
Consistency with Dogtag terminology is a secondary consideration
considering FreeIPA users are unlikely to interact directly with
Dogtag much (especially during installation).

Fraser


I think it actually sets both the key algorithm and the signature algorithm
(you can't do an RSA signature with an EC key, etc.); that's probably why it is
called "key algorithm" in Dogtag.

Hm, you are right that the key algorithm is implied during signature algorithm
selection. But still, values SHA256withRSA and friends really denote just a
signature algorithm and the option should be named accordingly.

Martin


Updated patch attached.

--
Jan Cholasta
From 631edd794fd1418db785e780054ecc7ae1b03d8f Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 6 Aug 2014 09:43:19 +0200
Subject: [PATCH] Allow specifying signing algorithm of the IPA CA cert in
 ipa-server-install.

This is especially useful for external CA install, as the algorithm is also
used for the CSR signature.

https://fedorahosted.org/freeipa/ticket/4447
---
 install/tools/ipa-server-install       | 13 ++++++++++---
 install/tools/man/ipa-server-install.1 |  3 +++
 ipaserver/install/cainstance.py        | 12 ++++++++++--
 3 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 7d60d27..4ec430e 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -226,6 +226,10 @@ def parse_options():
     cert_group.add_option("--subject", action="callback", callback=subject_callback,
                       type="string",
                       help="The certificate subject base (default O=<realm-name>)")
+    cert_group.add_option("--ca-signing-algorithm", dest="ca_signing_algorithm",
+                      type="choice",
+                      choices=('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'),
+                      help="Signing algorithm of the IPA CA certificate")
     parser.add_option_group(cert_group)
 
     dns_group = OptionGroup(parser, "DNS options")
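Review bot: the choices tuple admits SHA1withRSA but the help string gives neither the default nor any hint that SHA-1 is there only for external CAs that cannot sign with SHA-256, so a user reading `ipa-server-install --help` has no reason to prefer SHA256withRSA; the man page hunk in this same patch does state the default and the --external-ca use case, and the two texts should match. Suggest `help="Signing algorithm of the IPA CA certificate (default SHA256withRSA)"` and leaving the SHA-1 caveat to the man page, or stating it in both.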
@@ -1075,7 +1079,8 @@ def main():
             dogtag_constants=dogtag.install_constants)
         if external == 0:
             ca.configure_instance(host_name, domain_name, dm_password,
-                                  dm_password, subject_base=options.subject)
+                                  dm_password, subject_base=options.subject,
+                                  ca_signing_algorithm=options.ca_signing_algorithm)
         elif external == 1:
             # stage 1 of external CA installation
             options.realm_name = realm_name
@@ -1090,14 +1095,16 @@ def main():
             write_cache(vars(options))
             ca.configure_instance(host_name, domain_name, dm_password,
                                   dm_password, csr_file=paths.ROOT_IPA_CSR,
-                                  subject_base=options.subject)
+                                  subject_base=options.subject,
+                                  ca_signing_algorithm=options.ca_signing_algorithm)
         else:
             # stage 2 of external CA installation
             ca.configure_instance(host_name, domain_name, dm_password,
                                   dm_password,
                                   cert_file=options.external_cert_file,
                                   cert_chain_file=options.external_ca_file,
-                                  subject_base=options.subject)
+                                  subject_base=options.subject,
+                                  ca_signing_algorithm=options.ca_signing_algorithm)
 
         # Now put the CA cert where other instances exepct it
         ca.publish_ca_cert(CACERT)
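Review bot: stage 2 of the external CA install passes options.ca_signing_algorithm, but that value only matches the CSR from stage 1 if the options cache written by `write_cache(vars(options))` in the stage 1 branch is restored into `options` before this point; if it is not, stage 2 silently falls back to the SHA256withRSA default in CAInstance.configure_instance while the CSR was signed with whatever the user chose in stage 1. Worth confirming the cache round-trip carries the new key, or adding an explicit check that the stage 2 value agrees with the cached one.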
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 8cc2ffa..ecea26d 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -123,6 +123,9 @@ PEM file containing the CA certificate of the CA which issued the Directory Serv
 .TP
 \fB\-\-subject\fR=\fISUBJECT\fR
 The certificate subject base (default O=REALM.NAME)
+.TP
+\fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
+Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
 
 .SS "DNS OPTIONS"
 .TP
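Review bot: the commit message says the algorithm is also used for the CSR signature, which is the whole reason the option matters with --external-ca, yet the man page entry never mentions the CSR; add a sentence such as "In an external CA install the same algorithm is used to sign the CSR." Also note the three accepted values here are the only ones the parser's `choices` tuple accepts, so the wording "Possible values are" is correct, but the entry should say SHA1withRSA is for legacy external CAs only, since SHA-1 is deprecated for certificate signatures.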
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 04968d4..06087fa 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -420,7 +420,7 @@ class CAInstance(service.Service):
                            pkcs12_info=None, master_host=None, csr_file=None,
                            cert_file=None, cert_chain_file=None,
                            master_replication_port=None,
-                           subject_base=None):
+                           subject_base=None, ca_signing_algorithm=None):
         """Create a CA instance.
 
            For Dogtag 9, this may involve creating the pki-ca instance.
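Review bot: the new ca_signing_algorithm keyword is added to the signature but the docstring that follows is not updated; document the parameter (accepted values SHA1withRSA, SHA256withRSA, SHA512withRSA, default SHA256withRSA when None, and that it also determines the CSR signature algorithm in the external CA case) so callers other than ipa-server-install know what to pass.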
@@ -446,6 +446,10 @@ class CAInstance(service.Service):
             self.subject_base = DN(('O', self.realm))
         else:
             self.subject_base = subject_base
+        if ca_signing_algorithm is None:
+            self.ca_signing_algorithm = 'SHA256withRSA'
+        else:
+            self.ca_signing_algorithm = ca_signing_algorithm
 
         # Determine if we are installing as an externally-signed CA and
         # what stage we're in.
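Review bot: the literal 'SHA256withRSA' default set here is repeated in the man page hunk and again as the hard-coded -signing_algorithm value in the pkicreate hunk; hoist it into one module-level constant (e.g. `DEFAULT_CA_SIGNING_ALGORITHM = 'SHA256withRSA'`) so the three places cannot drift apart. Validation of the value lives only in the option parser's `choices`, so a direct caller of configure_instance can pass anything through to Dogtag; a `ValueError` here for unknown values would fail earlier and more clearly.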
@@ -573,6 +577,9 @@ class CAInstance(service.Service):
         config.set("CA", "pki_audit_signing_nickname", "auditSigningCert cert-pki-ca")
         config.set("CA", "pki_ca_signing_nickname", "caSigningCert cert-pki-ca")
 
+        # CA key algorithm
+        config.set("CA", "pki_ca_signing_key_algorithm", self.ca_signing_algorithm)
+
         if (self.clone):
             cafile = self.pkcs12_info[0]
             shutil.copy(cafile, paths.TMP_CA_P12)
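Review bot: the comment `# CA key algorithm` above `pki_ca_signing_key_algorithm` repeats the Dogtag naming that this thread just agreed is misleading; say `# Signing algorithm of the CA certificate (Dogtag calls it the key algorithm)` so the next reader does not take this for an RSA-versus-EC setting. Also, since SHA256withRSA was previously the implicit pkispawn default, it would help to note that this line changes nothing for installs that do not pass the option.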
@@ -720,7 +727,8 @@ class CAInstance(service.Service):
                     "-db_name", "ipaca",
                     "-key_size", "2048",
                     "-key_type", "rsa",
-                    "-key_algorithm", "SHA256withRSA",
+                    "-key_algorithm", self.ca_signing_algorithm,
+                    "-signing_algorithm", "SHA256withRSA",
                     "-save_p12", "true",
                     "-backup_pwd", self.admin_password,
                     "-subsystem_name", self.service_name,
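Review bot: in the Dogtag 9 pkicreate path, -key_algorithm now follows the option while the newly added -signing_algorithm is hard-coded to SHA256withRSA, so a user who chose SHA1withRSA for an external CA gets a SHA-1 CSR and CA certificate but SHA-256 signatures on the certificates that CA issues; if that split is intended (the option is about the CA certificate only), say so in a comment, and if -signing_algorithm was added only to preserve the old behaviour now that -key_algorithm varies, say that instead. Martin reports above that he tested with Dogtag 10 only, so this Dogtag 9 branch is unverified and should be run once before merging.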
-- 
1.9.3

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
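Added example (not part of the thread, and not FreeIPA or Dogtag code): the distinction Martin draws above between a certificate's Public Key Algorithm and its Certificate Signature Algorithm, and Jan's point that the signature algorithm implies the key type, worked through in Python. The script DER-encodes a constructed, unsigned certificate skeleton (zero-filled key and signature bits), parses it back, reports the algorithm OID found in tbsCertificate.signature, in subjectPublicKeyInfo and in the outer signatureAlgorithm separately, and flags a SHA256withRSA signature paired with an EC key. The name-to-OID table is written by hand for this example; "SHA256withEC" is included only for the EC counter-example and is not one of the values the patch accepts.

```python
"""Two algorithm fields in an X.509 certificate: signatureAlgorithm vs. the key algorithm.
Added example, not FreeIPA or Dogtag code. Builds a constructed, unsigned certificate
skeleton in DER, parses it back, and reports the two algorithms separately."""

# Dogtag-style name -> (signature algorithm OID, key algorithm OID it requires). Hand-written
# for this example; "SHA256withEC" is a counter-example only, not a value the patch accepts.
SIG_ALGS = {
    "SHA1withRSA":   ("1.2.840.113549.1.1.5",  "1.2.840.113549.1.1.1"),
    "SHA256withRSA": ("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.1"),
    "SHA512withRSA": ("1.2.840.113549.1.1.13", "1.2.840.113549.1.1.1"),
    "SHA256withEC":  ("1.2.840.10045.4.3.2",   "1.2.840.10045.2.1"),
}
KEY_ALGS = {"RSA": "1.2.840.113549.1.1.1", "EC": "1.2.840.10045.2.1"}  # rsaEncryption, ecPublicKey
SIG_OID_TO_NAME = {sig: name for name, (sig, _) in SIG_ALGS.items()}
KEY_OID_TO_NAME = {oid: name for name, oid in KEY_ALGS.items()}

def der_len(n):
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return body if n < 0x80 else bytes([0x80 | len(body)]) + body      # short or long form

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))      # base-128, high bit set on all bytes but the last
    return tlv(0x06, bytes(out))

def alg_id(oid, params=b"\x05\x00"):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    return tlv(0x30, encode_oid(oid) + params)

def build_cert(sig_name, key_name):
    """Constructed v3 certificate skeleton: empty names, zero-filled key and signature bits."""
    sig_oid, _ = SIG_ALGS[sig_name]
    sig_params = b"\x05\x00" if sig_oid.startswith("1.2.840.113549.") else b""  # RSA: NULL, ECDSA: absent
    if key_name == "RSA":
        spki_alg = alg_id(KEY_ALGS["RSA"])
    else:
        spki_alg = alg_id(KEY_ALGS["EC"], encode_oid("1.2.840.10045.3.1.7"))   # namedCurve prime256v1
    version = tlv(0xA0, tlv(0x02, b"\x02"))                                       # [0] EXPLICIT INTEGER 2 = v3
    serial = tlv(0x02, b"\x01")
    empty_name = tlv(0x30, b"")
    validity = tlv(0x30, tlv(0x17, b"140806094319Z") * 2)
    spki = tlv(0x30, spki_alg + tlv(0x03, b"\x00" * 9))
    tbs = tlv(0x30, version + serial + alg_id(sig_oid, sig_params)
              + empty_name + validity + empty_name + spki)
    return tlv(0x30, tbs + alg_id(sig_oid, sig_params) + tlv(0x03, b"\x00" * 9))

def children(body):
    """Split a DER SEQUENCE body into (tag, body) pairs, handling long-form lengths."""
    out, pos = [], 0
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:                                  # next (length & 0x7F) bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        out.append((tag, body[pos:pos + length]))
        pos += length
    return out

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def inspect_cert(der):
    """The three places an AlgorithmIdentifier appears in a Certificate."""
    tbs, outer_sig_alg, _sig_value = children(children(der)[0][1])
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:                               # version [0] EXPLICIT is optional
        fields = fields[1:]
    _serial, inner_sig_alg, _issuer, _validity, _subject, spki = fields[:6]
    spki_alg = children(spki[1])[0]
    return {
        "tbs_signature": decode_oid(children(inner_sig_alg[1])[0][1]),
        "signature_algorithm": decode_oid(children(outer_sig_alg[1])[0][1]),
        "public_key_algorithm": decode_oid(children(spki_alg[1])[0][1]),
    }

def check_self_signed(info):
    """RFC 5280 4.1.1.2: outer signatureAlgorithm must equal tbsCertificate.signature; in a
    self-signed cert the signing key is the SPKI key, so the signature scheme must fit it."""
    problems = []
    if info["signature_algorithm"] != info["tbs_signature"]:
        problems.append("signatureAlgorithm differs from tbsCertificate.signature")
    sig_name = SIG_OID_TO_NAME.get(info["signature_algorithm"])
    if sig_name is None:
        problems.append("unknown signature algorithm " + info["signature_algorithm"])
    elif SIG_ALGS[sig_name][1] != info["public_key_algorithm"]:
        key_name = KEY_OID_TO_NAME.get(info["public_key_algorithm"], "unknown")
        problems.append("signature scheme %s does not match key type %s" % (sig_name, key_name))
    return problems
```

Pass the bytes of a real DER certificate to inspect_cert() to see the same three OIDs on a live certificate. The consistency check is meant for self-signed CA certificates such as the IPA CA's own: for an externally signed certificate the signature is made with the issuer's key, not the one in the subject's SPKI, so a mismatch there is expected rather than an error.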
