Issue #1300: SCEP enrollment not picking up the given signing algorithm - dogtagpki

dogtagpki

#1300 SCEP enrollment not picking up the given signing algorithm

Closed: migrated 3 years ago by dmoluguw. Opened 9 years ago by mharmsen.

SCEP enrollment not picking up the given signing algorithm. Provided sha256 as
the algorithm, certificate is created with sha512.

Steps to Reproduce:

Used sscep client and configured to enable use of SHA2 hashes as described in
http://pki.fedoraproject.org/wiki/SCEP_in_Dogtag#SSCEP_Updates

1. Create request with sha256 digest
# /usr/bin/mkrequest -ip xx.xx.xx.xx netscape sha256
DIGEST=-sha256
Generating RSA private key, 1024 bit long modulus
............++++++
....++++++
e is 65537 (0x10001)

# ls
local.key local.csr

2. get CA certificate
# /usr/bin/sscep getca -c /tmp/newtest/ca.crt -u
http://host.example.com:30044/ca/cgi-bin/pkiclient.exe/usr/bin/sscep:
requesting CA certificate
/usr/bin/sscep: valid response from server
/usr/bin/sscep: MD5 fingerprint:
B3:3E:4C:43:3B:AB:DB:70:C8:E1:BB:D8:6F:16:85:D3
/usr/bin/sscep: CA certificate written as /tmp/newtest/ca.crt

# ls
local.key local.csr ca.crt

Verified the request local.csr using asn.1 decoder, it is created with sha256.

3. Configure sscep.conf with
FingerPrint sha256
SigAlgorithm sha256

4. Perform scep enroll
# /usr/bin/sscep enroll -f /tmp/newtest/sscep.conf  -c /tmp/newtest/ca.crt -k
/tmp/newtest/local.key  -r /tmp/newtest/local.csr   -E 3des -S sha256 -l
/tmp/newtest/cert.crt -u http://host.example.com:30044/ca/cgi-bin/pkiclient.exe
/usr/bin/sscep: sending certificate request
/usr/bin/sscep: valid response from server
/usr/bin/sscep: pkistatus: SUCCESS
/usr/bin/sscep: certificate written as /tmp/newtest/cert.crt

Actual results:

Certificate approved with sha512 signing algorithm.
[06/Mar/2015:19:42:15][http-bio-30044-exec-2]: EnrollProfile certInfo : [
  Version: V3
  Subject: CN=10.16.4.26
  Signature Algorithm: SHA512withRSA, OID = 1.2.840.113549.1.1.13

  Key:  algorithm = RSA, unparsed keybits =
30 81 89 02 81 81 00 AD F5 FF 6B 4C 1C 7E 43 A6 05 09 D4 B9
51 94 A9 9E 7C 24 62 FF 18 4A 46 50 59 9D 94 4F 59 6C C1 50
AC A7 ED 6E 0C 10 04 6B F3 F0 68 FC AB 5F B3 BB 78 D5 EB BF
4D C3 A0 BB 93 5C 9C F5 F7 F5 D2 5F 7A BD A6 FB CD 12 65 D2
4A E9 AB A3 E8 3B 5A AE 56 EF E8 42 E5 7E E2 05 42 AF 4A 42
56 06 F8 65 76 A8 7C 03 73 1E 6E D9 48 F7 2C 7A 1E 58 5D 79
60 DC F8 80 91 82 B7 72 D6 B7 1A 4B FF 48 33 02 03 01 00 01

  Validity: [From: Fri Mar 06 19:42:15 EST 2015,
               To: Thu Feb 23 19:42:15 EST 2017]
  Issuer: CN=PKI ROOTCA Signing Cert,O=redhat
  SerialNumber: [    00]
  Extension[0] = ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
69 B3 CD 01 C9 A5 CE FF 27 73 F3 24 A8 3B 7A E2 7B 2F 2E E1
]
]
  Extension[1] = ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthInfoAccess [
(0) 1.3.6.1.5.5.7.48.1 URIName: http://host.example.com:30044/ca/ocsp]
  Extension[2] = ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
]
  Extension[3] = oid=2.5.29.37  val=48 20 6 8 43 6 1 5 5 7 3 2 6 8 43 6 1 5 5 7
3 4
]

Expected results:

Certificate should be created with sha256 signing algorithm.

mharmsen commented 9 years ago

Per CS/DS Meeting of 03/09/2015: 10.3

mharmsen commented 7 years ago

Per Bug Triage of 05/03/2016: 10.4

Metadata Update from @mharmsen:
- Issue set to the milestone: UNTRIAGED

7 years ago

Metadata Update from @mharmsen:
- Custom field feature adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field version adjusted to None
- Issue close_status updated to: None
- Issue set to the milestone: FUTURE (was: UNTRIAGED)

6 years ago

Metadata Update from @mharmsen:
- Issue assigned to cfu
- Issue set to the milestone: 10.6 (was: FUTURE)

6 years ago

mharmsen commented 6 years ago

Per 10.5.x/10.6 Triage: 10.6

Upgrading SCEP is being proposed for 10.6

dmoluguw commented 3 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1862

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)

3 years ago

Metadata

Assignee

cfu

Tags

None

Blocking

None

Depending on

None

Priority

major

Milestone

10.6

lowhangingfruit

None

reporter

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1199692

type

defect

version

None

keywords

None

estimate

None

feature

None

origin

proposedpriority

None

fixedinversion

None

platforms

None

blockedby

None

blocking

None

reviewer

None

component

SCEP

proposedmilestone

None

dogtagpki

Source Code

#1300 SCEP enrollment not picking up the given signing algorithm Closed: migrated 3 years ago by dmoluguw. Opened 9 years ago by mharmsen.

Metadata

#1300 SCEP enrollment not picking up the given signing algorithm

Closed: migrated 3 years ago by dmoluguw. Opened 9 years ago by mharmsen.