On Fri, May 18, 2007 at 11:18:13AM -0700, Chris wrote:
> Hi, I'm new to this forum. I'm having an issue when generating keys using
> ikecert

You're also asking a question about a released version of Solaris, not about
OpenSolaris. Also, even if you were running OpenSolaris, you're talking about
bits that aren't open-sourced. Next time, please contact your Sun service rep.

I'll give you this one for free, though. :)

> ikecert certlocal -ks -m 512 -t rsa-sha1 -D "C=US, O=SUN" -A IP=1.2.3.4

That actually does what it says.

> Finishes successfully but when I display the certificate I see its type is
> actually rsa-md5 (as below). I expected a keytype of rsa-sha1, any ideas?
>
> ikecert certdb -lv | grep Type

Here's how I know you're not on OpenSolaris:

PSARC 2004/647 ikecert keytype correction
5019445 ikecert certdb -l lies about certificate signature types

These were integrated into S10!!!

> Certificate Slot Name: 5 Type: rsa-md5

That should now read "rsa". If you use a BER dumper, the cert's signature is
indeed coded with the appropriate hash. Observe:

# ikecert certlocal -ks -m 512 -t rsa-sha1 -D "C=US, CN=Test"
Creating private key.
Certificate added to database.
-----BEGIN X509 CERTIFICATE-----
MIIBPjCB6aADAgECAgUA3igrQjANBgkqhkiG9w0BAQUFADAcMQswCQYDVQQGEwJV
UzENMAsGA1UEAxMEVGVzdDAeFw0wNzA1MTgxODIyNDNaFw0xMTA1MTgxODIyNDNa
MBwxCzAJBgNVBAYTAlVTMQ0wCwYDVQQDEwRUZXN0MFwwDQYJKoZIhvcNAQEBBQAD
SwAwSAJBAKAA/mxp8IafP90cLwzJ4k2m0Xb4QKtCNBYcMb0PcByKp2nFKul41kEX
MCGqM3ZuqRmZj697zTz3o1xfIH4/W3ECAwEAAaMSMBAwDgYDVR0PAQH/BAQDAgWg
MA0GCSqGSIb3DQEBBQUAA0EAFBom+90vpCs7S3/TIWHTFE5ddU8eLHcI7J8LHnHL
ntmym/7eY1ku6xC88s4AExStKjnhfa3+Xe1wnMo9PZuTyQ==
-----END X509 CERTIFICATE-----
# /usr/sfw/bin/openssl asn1parse -inform DER < /etc/inet/ike/publickeys/0
    0:d=0  hl=4 l= 318 cons: SEQUENCE
    4:d=1  hl=3 l= 233 cons: SEQUENCE
    7:d=2  hl=2 l=   3 cons: cont [ 0 ]
    9:d=3  hl=2 l=   1 prim: INTEGER           :02
   12:d=2  hl=2 l=   5 prim: INTEGER           :DE282B42
   19:d=2  hl=2 l=  13 cons: SEQUENCE
   21:d=3  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
   32:d=3  hl=2 l=   0 prim: NULL
   34:d=2  hl=2 l=  28 cons: SEQUENCE
   36:d=3  hl=2 l=  11 cons: SET
   38:d=4  hl=2 l=   9 cons: SEQUENCE
   40:d=5  hl=2 l=   3 prim: OBJECT            :countryName
   45:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :US
   49:d=3  hl=2 l=  13 cons: SET
   51:d=4  hl=2 l=  11 cons: SEQUENCE
   53:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   58:d=5  hl=2 l=   4 prim: PRINTABLESTRING   :Test
   64:d=2  hl=2 l=  30 cons: SEQUENCE
   66:d=3  hl=2 l=  13 prim: UTCTIME           :070518182243Z
   81:d=3  hl=2 l=  13 prim: UTCTIME           :110518182243Z
   96:d=2  hl=2 l=  28 cons: SEQUENCE
   98:d=3  hl=2 l=  11 cons: SET
  100:d=4  hl=2 l=   9 cons: SEQUENCE
  102:d=5  hl=2 l=   3 prim: OBJECT            :countryName
  107:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :US
  111:d=3  hl=2 l=  13 cons: SET
  113:d=4  hl=2 l=  11 cons: SEQUENCE
  115:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  120:d=5  hl=2 l=   4 prim: PRINTABLESTRING   :Test
  126:d=2  hl=2 l=  92 cons: SEQUENCE
  128:d=3  hl=2 l=  13 cons: SEQUENCE
  130:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  141:d=4  hl=2 l=   0 prim: NULL
  143:d=3  hl=2 l=  75 prim: BIT STRING
  220:d=2  hl=2 l=  18 cons: cont [ 3 ]
  222:d=3  hl=2 l=  16 cons: SEQUENCE
  224:d=4  hl=2 l=  14 cons: SEQUENCE
  226:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
  231:d=5  hl=2 l=   1 prim: BOOLEAN           :255
  234:d=5  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:030205A0
  240:d=1  hl=2 l=  13 cons: SEQUENCE
  242:d=2  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
  253:d=2  hl=2 l=   0 prim: NULL
  255:d=1  hl=2 l=  65 prim: BIT STRING
#

In other words, no worries! The right thing is actually done!

Dan
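Dan's check reads the two AlgorithmIdentifier OIDs out of the DER with openssl asn1parse. The script below is an added example for this thread, not code from the post or from Solaris: it repeats that check in Python over the certificate printed above, then goes one step further than the post by undoing the self-signature with the certificate's own public key and reading the hash OID out of the PKCS#1 v1.5 DigestInfo. That second step shows which hash the signer actually used, not merely which one the certificate is labelled with, so it would also catch the opposite bug (a sha1 label over an md5 signature). The certificate bytes are the ones from the post; the OID tables and all function names (split_certificate, recover_signature_hash and so on) are mine, and the script assumes only the Python 3 standard library.

```python
"""Check, independently of what ikecert displays, which hash an RSA-signed
X.509 certificate really uses: read both signature AlgorithmIdentifiers from
the DER, then undo the self-signature and inspect the embedded DigestInfo."""
import base64
import hashlib

# The self-signed certificate printed by `ikecert certlocal` in the post above.
CERT_PEM = """-----BEGIN X509 CERTIFICATE-----
MIIBPjCB6aADAgECAgUA3igrQjANBgkqhkiG9w0BAQUFADAcMQswCQYDVQQGEwJV
UzENMAsGA1UEAxMEVGVzdDAeFw0wNzA1MTgxODIyNDNaFw0xMTA1MTgxODIyNDNa
MBwxCzAJBgNVBAYTAlVTMQ0wCwYDVQQDEwRUZXN0MFwwDQYJKoZIhvcNAQEBBQAD
SwAwSAJBAKAA/mxp8IafP90cLwzJ4k2m0Xb4QKtCNBYcMb0PcByKp2nFKul41kEX
MCGqM3ZuqRmZj697zTz3o1xfIH4/W3ECAwEAAaMSMBAwDgYDVR0PAQH/BAQDAgWg
MA0GCSqGSIb3DQEBBQUAA0EAFBom+90vpCs7S3/TIWHTFE5ddU8eLHcI7J8LHnHL
ntmym/7eY1ku6xC88s4AExStKjnhfa3+Xe1wnMo9PZuTyQ==
-----END X509 CERTIFICATE-----"""

# Names for the OIDs this script knows about (my own tables, RFC 3279/4055 values).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
DIGEST_OIDS = {
    "1.2.840.113549.2.5": "md5",
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
}


def pem_to_der(pem):
    body = "".join(ln.strip() for ln in pem.splitlines() if not ln.startswith("-----"))
    return base64.b64decode(body)


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the contents of a constructed element into a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Dotted form of an OBJECT IDENTIFIER's content octets (base-128 arcs)."""
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def alg_oid(alg_identifier):
    """Dotted OID from the contents of an AlgorithmIdentifier SEQUENCE."""
    tag, oid = children(alg_identifier)[0]
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def split_certificate(der):
    """Pieces of Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    _, cert, _ = read_tlv(der, 0)
    hdr = len(der) - len(cert)             # size of the outer tag + length octets
    _, tbs, tbs_end = read_tlv(der, hdr)
    _, sig_alg, pos = read_tlv(der, tbs_end)
    _, sig_bits, _ = read_tlv(der, pos)
    fields = children(tbs)
    if fields[0][0] == 0xA0:               # explicit [0] version, absent in v1 certs
        fields = fields[1:]
    return {
        "tbs_der": der[hdr:tbs_end],       # exactly the bytes the signature covers
        "tbs_alg": alg_oid(fields[1][1]),  # TBSCertificate.signature
        "outer_alg": alg_oid(sig_alg),     # Certificate.signatureAlgorithm
        "spki": fields[5][1],
        "signature": sig_bits[1:],         # drop the BIT STRING unused-bits octet
    }


def rsa_public_key(spki):
    """(n, e) from a SubjectPublicKeyInfo carrying a PKCS#1 RSAPublicKey."""
    _, bitstr = children(spki)[1]
    _, rsakey, _ = read_tlv(bitstr, 1)     # skip the unused-bits octet
    (_, n_raw), (_, e_raw) = children(rsakey)
    return int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")


def parse_digest_info(buf):
    """(hash name or None, digest bytes) from a PKCS#1 DigestInfo."""
    _, di, _ = read_tlv(buf, 0)
    (_, alg), (_, digest) = children(di)
    return DIGEST_OIDS.get(alg_oid(alg)), digest


def recover_signature_hash(der):
    """Undo a self-signed RSA PKCS#1 v1.5 signature and name the hash it embeds.
    Returns the name only if the padding is well formed and the embedded digest
    equals a fresh digest of the TBSCertificate; otherwise None."""
    c = split_certificate(der)
    n, e = rsa_public_key(c["spki"])
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(c["signature"], "big"), e, n).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)              # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo
    if em[:2] != b"\x00\x01" or sep < 10 or any(b != 0xFF for b in em[2:sep]):
        return None
    try:
        name, digest = parse_digest_info(em[sep + 1:])
    except (IndexError, ValueError):
        return None
    if name is None or hashlib.new(name, c["tbs_der"]).digest() != digest:
        return None
    return name


if __name__ == "__main__":
    der = pem_to_der(CERT_PEM)
    cert = split_certificate(der)
    for label in ("tbs_alg", "outer_alg"):
        print(f"{label:10s}: {SIG_ALG_OIDS.get(cert[label], cert[label])}")
    print("hash recovered from the self-signature:", recover_signature_hash(der))
```

Both OIDs come back as sha1WithRSAEncryption, which is the same fact asn1parse shows at offsets 21 and 242; the DigestInfo step is the one that would distinguish a mislabelled-but-correct certificate (the case in the post) from a correctly-labelled one signed with the wrong hash, and `certdb -l` cannot tell those apart. RFC 5280 requires the two AlgorithmIdentifiers to be equal, so a mismatch between them is itself worth rejecting. The 512-bit modulus from the post keeps the modular exponentiation instant for a demo, but is a test-only key size.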