#792 Support SHA256 for SKI
Closed: fixed 6 years ago Opened 10 years ago by nkinder.

Do we need/Is it time to change the message digest used in the SKI from the
hardcoded SHA-1 to something else?
Should it be configurable?

Although we seem to follow the recommendations from
RFC 2459 / 4.2.1.1 Authority Key Identifier
RFC 5280 / 4.2.1.2. Subject Key Identifier
I wanted to make sure this request is evaluated. It seems a little bit stretched to
modify a key identifier as a cert is signed with stronger message digest, but
there may be some reasons.

Steps to Reproduce:
1. any cert enrollment
2. SKI message digest is created using SHA-1

Actual results:

Expected results:

Additional info:

./pki-common/pki-common-8.1.3/src/com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java
...
public class SubjectKeyIdentifierExtDefault extends EnrollExtDefault {
    ...
    public KeyIdentifier getKeyIdentifier(X509CertInfo info) {
        try {
            CertificateX509Key infokey = (CertificateX509Key) info.get(X509CertInfo.KEY);
            X509Key key = (X509Key) infokey.get(CertificateX509Key.KEY);
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            ...


Metadata Update from @nkinder:
- Issue set to the milestone: UNTRIAGED

7 years ago

We should add this configuration feature and remove the hard-coded SHA-1 reference for the SKI hash.
I provided a test patch in 2013 in RH bz 1024558 that allowed SHA-256; this may need to be reviewed.

Added gerrit review request for
https://review.gerrithub.io/#/c/356980/
The patch may need changes, but it has been providing the wanted feature for some time.

Metadata Update from @mharmsen:
- Custom field feature adjusted to ''
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field version adjusted to ''
- Issue close_status updated to: None
- Issue priority set to: critical (was: major)
- Issue set to the milestone: 10.4 (was: UNTRIAGED)

6 years ago

Per PKI Bug Council of May 25, 2017: move to 10.5

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5 (was: 10.4)

6 years ago

I think this will require some serious testing; there may be software out there
that assumes it to be the 20-byte SHA-1 digest of public key BIT STRING.

Also, I do not see any particular urgency to change. It is valid to change it to
any other random/pseudorandom identifier but there is no defined way of
indicating what alg has been used, AFAIA.

Metadata Update from @mharmsen:
- Issue priority set to: major (was: critical)

6 years ago

[20171025] - Offline Triage ==> 10.6

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.6 (was: 10.5)

6 years ago

Jack Magne 2017-10-25 20:21:27 EDT

Checkin:

Author: Jack Magne jmagne@redhat.com
Date: Wed Oct 18 19:04:47 2017 -0700

Fix: #792 Support SHA256 for SKI

Provide simple support for this feature.
Simple mod to the profile default for KeyIdentificationExtDefault to allow
the user of the console to select a desired hash algorithm for the key info value calculated.

Right now you can choose SHA-1, SHA-256, SHA-384, and SHA-512.

The code defaults to SHA-1 in case of profiles that have not had the hash alg explicitly set in the profile for this given extension. The decision should be one made by the user on purpose with full knowledge.

Here is a sample setting that will get set in a given profile for this extension:

policyset.userCertSet.11.constraint.class_id=noConstraintImpl
policyset.userCertSet.11.constraint.name=No Constraint
policyset.userCertSet.11.default.class_id=subjectKeyIdentifierExtDefaultImpl
policyset.userCertSet.11.default.name=Subject Key Identifier Default

policyset.userCertSet.11.default.params.messageDigest=SHA-256

Making this configurable per every profile that may use this extension provides flexibility.

Change-Id: Iebb8f8fb9e8f3be7e2753e92fa73ea61c7fa58b7
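
The following is an added example, not code from this ticket or from Dogtag PKI: it computes a key identifier as in RFC 5280 section 4.2.1.2 method (1), with the digest selectable among the four algorithms named in the check-in comment. The class name, helper names and sample key bytes are constructed for illustration, and it assumes the hashed input is the subjectPublicKey BIT STRING value, which the excerpt quoted in the ticket does not show.

```java
import java.security.MessageDigest;
import java.util.Arrays;

public class SkiDigestDemo {
    // Constructed sample: Ed25519 SubjectPublicKeyInfo header plus a dummy 32-byte key (0x00..0x1f).
    static byte[] sampleSpki() {
        byte[] header = {0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00};
        byte[] spki = Arrays.copyOf(header, header.length + 32);
        for (int i = 0; i < 32; i++) spki[header.length + i] = (byte) i;
        return spki;
    }

    // Parses the DER TLV at off, checks its tag, and returns {contentStart, contentLength}.
    static int[] tlv(byte[] d, int off, int tag) {
        if (off + 2 > d.length || (d[off] & 0xff) != tag)
            throw new IllegalArgumentException("unexpected or missing tag at offset " + off);
        int len = d[off + 1] & 0xff, start = off + 2;
        if (len >= 0x80) {                      // long form: low 7 bits count the length octets
            int n = len & 0x7f;
            if (n == 0 || n > 3 || start + n > d.length)
                throw new IllegalArgumentException("unsupported DER length");
            for (len = 0; n > 0; n--) len = (len << 8) | (d[start++] & 0xff);
        }
        if (start + len > d.length) throw new IllegalArgumentException("truncated DER");
        return new int[] {start, len};
    }

    // RFC 5280 4.2.1.2 method (1) input: BIT STRING value without tag, length, unused-bits octet.
    static byte[] publicKeyBits(byte[] spki) {
        int[] outer = tlv(spki, 0, 0x30);               // SubjectPublicKeyInfo SEQUENCE
        int[] alg = tlv(spki, outer[0], 0x30);          // AlgorithmIdentifier SEQUENCE
        int[] bits = tlv(spki, alg[0] + alg[1], 0x03);  // subjectPublicKey BIT STRING
        if (bits[1] < 1 || spki[bits[0]] != 0)
            throw new IllegalArgumentException("expected zero unused bits");
        return Arrays.copyOfRange(spki, bits[0] + 1, bits[0] + bits[1]);
    }

    // Key identifier with a selectable digest; the algorithm name is the only thing that varies.
    static byte[] ski(byte[] spki, String digestAlg) throws java.security.NoSuchAlgorithmException {
        return MessageDigest.getInstance(digestAlg).digest(publicKeyBits(spki));
    }

    public static void main(String[] args) throws Exception {
        for (String alg : new String[] {"SHA-1", "SHA-256", "SHA-384", "SHA-512"}) {
            byte[] id = ski(sampleSpki(), alg);
            System.out.printf("%-8s %2d bytes  %0" + (2 * id.length) + "x%n", alg, id.length, new java.math.BigInteger(1, id));
        }
    }
}
```

For a real key, `PublicKey.getEncoded()` supplies the SubjectPublicKeyInfo bytes. The identifier is 20 bytes only for SHA-1; the other three digests yield 32, 48 and 64 bytes, which is the length assumption raised earlier in the ticket.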

Metadata Update from @mharmsen:
- Issue close_status updated to: fixed
- Issue priority set to: critical (was: major)
- Issue set to the milestone: 10.5.1 (was: 10.6)
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata Update from @mharmsen:
- Custom field fixedinversion adjusted to pki-core-10.5.1-1.fc27

6 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1359

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
