Do we need/Is it time to change the message digest used in the SKI from the hardcoded SHA-1 to something else? Should it be configurable?
Although we seem to follow the recommendations from RFC 2459 / 4.2.1.1 Authority Key Identifier and RFC 5280 / 4.2.1.2 Subject Key Identifier, I wanted to make sure this request is evaluated. It seems a little bit stretched to modify a key identifier as a cert is signed with a stronger message digest, but there may be some reasons.
Steps to Reproduce:
1. any cert enrollment
2. SKI message digest is created using SHA-1
Actual results:
Expected results:
Additional info:
./pki-common/pki-common-8.1.3/src/com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java

    ...
    public class SubjectKeyIdentifierExtDefault extends EnrollExtDefault {
        ...
        public KeyIdentifier getKeyIdentifier(X509CertInfo info) {
            try {
                CertificateX509Key infokey = (CertificateX509Key) info.get(X509CertInfo.KEY);
                X509Key key = (X509Key) infokey.get(CertificateX509Key.KEY);
                MessageDigest md = MessageDigest.getInstance("SHA-1");
                ...
Metadata Update from @nkinder: - Issue set to the milestone: UNTRIAGED
We should add this configuration feature and remove the hard-coded SHA-1 reference for the SKI hash. I provided a test patch in 2013 in RH bz 1024558 that allowed SHA-256; this may need to be reviewed.
Added gerrit review request for https://review.gerrithub.io/#/c/356980/
The patch may need changes, but it has been providing the wanted feature for some time.
Metadata Update from @mharmsen: - Custom field feature adjusted to '' - Custom field proposedmilestone adjusted to '' - Custom field proposedpriority adjusted to '' - Custom field reviewer adjusted to '' - Custom field version adjusted to '' - Issue close_status updated to: None - Issue priority set to: critical (was: major) - Issue set to the milestone: 10.4 (was: UNTRIAGED)
Per PKI Bug Council of May 25, 2017: move to 10.5
Metadata Update from @mharmsen: - Issue set to the milestone: 10.5 (was: 10.4)
I think this will require some serious testing; there may be software out there that assumes it to be the 20-byte SHA-1 digest of the public key BIT STRING.
Also, I do not see any particular urgency to change. It is valid to change it to any other random/pseudorandom identifier but there is no defined way of indicating what alg has been used, AFAIA.
Metadata Update from @mharmsen: - Issue priority set to: major (was: critical)
[20171025] - Offline Triage ==> 10.6
Metadata Update from @mharmsen: - Issue set to the milestone: 10.6 (was: 10.5)
Jack Magne 2017-10-25 20:21:27 EDT
Checkin:
Author: Jack Magne jmagne@redhat.com
Date: Wed Oct 18 19:04:47 2017 -0700

Fix: #792 Support SHA256 for SKI

Provide simple support for this feature. Simple mod to the profile default for KeyIdentificationExtDefault to allow the user of the console to select a desired hash algorithm for the key info value calculated. Right now you can choose SHA-1, SHA-256, SHA-384, and SHA-512.

The code defaults to SHA-1 in case of profiles that have not had the hash alg explicitly set in the profile for this given extension. The decision should be one made by the user on purpose with full knowledge.

Here is a sample setting that will get set in a given profile for this extension:

    policyset.userCertSet.11.constraint.class_id=noConstraintImpl
    policyset.userCertSet.11.constraint.name=No Constraint
    policyset.userCertSet.11.default.class_id=subjectKeyIdentifierExtDefaultImpl
    policyset.userCertSet.11.default.name=Subject Key Identifier Default
    policyset.userCertSet.11.default.params.messageDigest=SHA-256

Making this configurable per every profile that may use this extension provides flexibility.

Change-Id: Iebb8f8fb9e8f3be7e2753e92fa73ea61c7fa58b7
Metadata Update from @mharmsen: - Issue close_status updated to: fixed - Issue priority set to: critical (was: major) - Issue set to the milestone: 10.5.1 (was: 10.6) - Issue status updated to: Closed (was: Open)
Metadata Update from @mharmsen: - Custom field fixedinversion adjusted to pki-core-10.5.1-1.fc27
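An added example (not code from Dogtag PKI or from this ticket) of an audit check for the compatibility concern raised above: it recomputes the SKI over the subjectPublicKey BIT STRING contents, as RFC 5280 4.2.1.2 method (1) describes, using each digest the commit lets a profile select, and reports which one reproduces a certificate's SKI. The function names and the sample key are constructed for illustration; the input is assumed to be a DER-encoded SubjectPublicKeyInfo.

```python
import hashlib

# Digest names the profile parameter messageDigest accepts per the commit
# message above, mapped to hashlib algorithm names.
DIGESTS = {"SHA-1": "sha1", "SHA-256": "sha256",
           "SHA-384": "sha384", "SHA-512": "sha512"}

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: next n octets hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def public_key_bits(spki_der):
    """Return the subjectPublicKey BIT STRING contents without tag, length
    and unused-bits octet: the input RFC 5280 4.2.1.2 method (1) hashes."""
    tag, start, end = _tlv(spki_der, 0)               # SubjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, _, alg_end = _tlv(spki_der, start)           # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, bs_start, bs_end = _tlv(spki_der, alg_end)   # subjectPublicKey
    if tag != 0x03 or bs_end > end or bs_end == bs_start:
        raise ValueError("expected BIT STRING")
    return spki_der[bs_start + 1:bs_end]

def compute_ski(spki_der, digest="SHA-1"):
    """Key identifier for the given digest name (SHA-1 yields 20 bytes)."""
    return hashlib.new(DIGESTS[digest], public_key_bits(spki_der)).digest()

def identify_digest(spki_der, ski):
    """Name the digest that reproduces ski, or None when it is not a
    full-length hash of the key (truncated, random or otherwise assigned)."""
    for name in DIGESTS:
        if compute_ski(spki_der, name) == ski:
            return name
    return None

# Constructed sample: Ed25519 SubjectPublicKeyInfo with a made-up 32-byte key.
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))
```

A consumer that hard-codes a 20-byte key identifier will only accept the `SHA-1` result; running `identify_digest` over issued certificates shows which profiles have moved to a longer digest.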
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1359
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.