Currently many of the enrollment profiles are shared between RSA and ECC certificates. As such the keyUsage extension is not conforming.
This task is to add needed ECC-specific enrollment profiles and make needed adjustments to existing ones for standard conformance.
Metadata Update from @cfu: - Custom field component adjusted to None - Custom field feature adjusted to None - Custom field origin adjusted to None - Custom field proposedmilestone adjusted to None - Custom field proposedpriority adjusted to None - Custom field reviewer adjusted to None - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1550739 - Custom field type adjusted to None - Custom field version adjusted to None
Metadata Update from @mharmsen: - Issue set to the milestone: 10.5 (was: 10.6)
Metadata Update from @mharmsen: - Issue assigned to cfu
commit 27cf99efe1e52249f226db24ef28b0990a654dd5
Author: Christina Fu <cfu@redhat.com>
Date: Wed Mar 7 14:56:44 2018 -0800

Ticket #2950 Need ECC-specific Enrollment Profiles for standard conformance

This patch adds ECC-specific enrollment profiles where the Key Usage Extension bits for SSL server and client certificates are notably different per RFC 6960:
new file: base/ca/shared/conf/ECadminCert.profile
new file: base/ca/shared/conf/ECserverCert.profile
new file: base/ca/shared/conf/ECsubsystemCert.profile
new file: base/ca/shared/profiles/ca/ECAdminCert.cfg
new file: base/ca/shared/profiles/ca/caCMCECUserCert.cfg
new file: base/ca/shared/profiles/ca/caCMCECserverCert.cfg
new file: base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg
new file: base/ca/shared/profiles/ca/caECAdminCert.cfg
new file: base/ca/shared/profiles/ca/caECAgentServerCert.cfg
new file: base/ca/shared/profiles/ca/caECDirPinUserCert.cfg
new file: base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
new file: base/ca/shared/profiles/ca/caECInternalAuthSubsystemCert.cfg
new file: base/ca/shared/profiles/ca/caECServerCert.cfg
new file: base/ca/shared/profiles/ca/caECSubsystemCert.cfg
new file: base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
new file: base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
new file: base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
new file: base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg

In addition, some existing enrollment profiles are adjusted. And while in there, signing algorithms with SHA1, MD2, and MD5 are removed.

No attempt has been made for TPS enrollment profiles in this round.
No attempt has been made for adding ECDH-appropriate profile.

This patch addresses: https://pagure.io/dogtagpki/issue/2950

Change-Id: I26e7f9888372acbab4fbd185883427ef030d5e8d
Metadata Update from @cfu: - Issue close_status updated to: fixed - Issue set to the milestone: 10.5.7 (was: 10.5) - Issue status updated to: Closed (was: Open)
just for the record: https://review.gerrithub.io/#/c/403217/
Metadata Update from @mharmsen: - Issue priority set to: critical
commit 995682153e10393dc46f16090c26f28ca1b6cfc6
Author: Christina Fu <cfu@redhat.com>
Date: Thu Mar 29 09:59:02 2018 -0700

quick fix on wrong keyType in profile

Change-Id: I0fa90ebb559e0fb8af123191f7bc7cdedbc55d87
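The two commits above touch three things an auditor can check mechanically in a profile: the keyType constraint, the key usage bits, and the allowed signing algorithms. The following is an added example, not code from this ticket or from the Dogtag project; the property-name suffixes, the meaning of "-" as "any key type", and both sample profiles are assumptions constructed for illustration, and the EC rule applied is that keyEncipherment and dataEncipherment must not be asserted for EC keys (RFC 5480 as updated by RFC 8813).

```python
import re

# Property-name suffixes are assumed to follow the Dogtag profile layout; not from the page.
EC_FORBIDDEN = ("keyUsageKeyEncipherment", "keyUsageDataEncipherment")
WEAK_HASH = re.compile(r"^(SHA1|MD2|MD5)with", re.IGNORECASE)

def parse_profile(text):
    """Parse key=value profile lines into a dict, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def lint_profile(text, expected_key_type):
    """Return sorted findings for one profile, given the key type it is meant for."""
    findings = []
    for key, value in parse_profile(text).items():
        name = key.rsplit(".", 1)[-1]
        # "-" is assumed to mean "any key type" in a keyType constraint.
        if name == "keyType" and value not in ("-", expected_key_type):
            findings.append(f"keyType={value}, expected {expected_key_type}")
        if expected_key_type == "EC" and name in EC_FORBIDDEN and value.lower() == "true":
            findings.append(f"{name} asserted on an EC profile")
        if name in ("signingAlgsAllowed", "signingAlg"):
            for alg in (a.strip() for a in value.split(",")):
                if WEAK_HASH.match(alg):
                    findings.append(f"weak signing algorithm {alg} in {name}")
    return sorted(set(findings))

# Constructed sample: an RSA server profile reused for EC without adjustment.
SAMPLE_BAD = """\
policyset.serverCertSet.3.constraint.params.keyType=RSA
policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withEC,SHA256withEC,MD5withRSA
"""

# Constructed sample: the same profile after adjustment.
SAMPLE_GOOD = """\
policyset.serverCertSet.3.constraint.params.keyType=EC
policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=false
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withEC,SHA384withEC,SHA512withEC
"""

if __name__ == "__main__":
    print("\n".join(lint_profile(SAMPLE_BAD, "EC")))
```

Run against a directory of profiles, pass "EC" for the EC-specific files and "RSA" for the rest; the key usage check only applies when the expected type is EC, while the weak-hash check applies to both.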
Metadata Update from @mharmsen: - Custom field fixedinversion adjusted to pki-core-10.5.7-2.fc27
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/3068
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.