From ca8c7010e8aa0f87bde11c36947fefd549bae8fd Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Jul 12 2021 07:01:59 +0000
Subject: Add SHA384withRSA as a certificate signing algorithm
It required support in dogtag which was added in 10.5.0. This is only easily configurable during installation because it will set ca.signing.defaultSigningAlgorithm to the selected algorithm in CS.cfg
The certificate profiles will generally by default set default.params.signingAlg=- which means use the CA default. So while an existing installation will technically allow SHA384withRSA it will require profile changes and/or changing the defaultSigningAlgorithm in CS.cfg and restarting (completely untested). And that won't affect already issued-certificates.
https://pagure.io/freeipa/issue/8906
Signed-off-by: Rob Crittenden
Reviewed-By: Florence Blanc-Renaud
---
diff --git a/install/share/profiles/IECUserRoles.cfg b/install/share/profiles/IECUserRoles.cfg
index 9d2b4bb..0ce6901 100644
--- a/install/share/profiles/IECUserRoles.cfg
+++ b/install/share/profiles/IECUserRoles.cfg
@@ -81,7 +81,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
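Review bot: The rewritten `signingAlgsAllowed` line in IECUserRoles.cfg still accepts `SHA1withRSA`, `MD5withRSA` and `MD2withRSA`; the constraint is what bounds an explicitly requested algorithm, so as far as I can tell these legacy digests remain selectable regardless of the `signingAlg=-` default described in the commit message. The same list is carried forward in caIPAserviceCert.UPGRADE.cfg, caIPAserviceCert.cfg and the ipatests profile templates, while KDCs_PKINIT_Certs.cfg omits MD5/MD2 and acmeIPAServerCert.cfg omits SHA1 as well, so the shipped profiles are now inconsistent about which digests a request may name. Since the line is being touched anyway, consider trimming it to the acme set, `policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC`, or recording in the commit why the legacy digests must stay accepted for compatibility.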
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
index 5993520..a980c97 100644
--- a/install/share/profiles/KDCs_PKINIT_Certs.cfg
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -81,7 +81,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.2.3.5
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/install/share/profiles/acmeIPAServerCert.cfg b/install/share/profiles/acmeIPAServerCert.cfg
index 2487056..1607f59 100644
--- a/install/share/profiles/acmeIPAServerCert.cfg
+++ b/install/share/profiles/acmeIPAServerCert.cfg
@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.range=90
 policyset.serverCertSet.7.default.params.startTime=0
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/install/share/profiles/caIPAserviceCert.UPGRADE.cfg b/install/share/profiles/caIPAserviceCert.UPGRADE.cfg
index 1efd206..572a64f 100644
--- a/install/share/profiles/caIPAserviceCert.UPGRADE.cfg
+++ b/install/share/profiles/caIPAserviceCert.UPGRADE.cfg
@@ -81,7 +81,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/install/share/profiles/caIPAserviceCert.cfg b/install/share/profiles/caIPAserviceCert.cfg
index dd06df5..cffd8cd 100644
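Review bot: The new `signingAlgsAllowed` value for acmeIPAServerCert.cfg lists `SHA384withRSA` twice: the removed line already contained it after `SHA256withEC`, so this hunk adds a duplicate token rather than a new algorithm. The second occurrence should go, leaving `policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC`. Whether dogtag's signingAlgConstraintImpl tolerates a repeated entry is not visible here; removing it avoids having to find out.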
--- a/install/share/profiles/caIPAserviceCert.cfg
+++ b/install/share/profiles/caIPAserviceCert.cfg
@@ -81,7 +81,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/install/tools/ipa-ca-install.in b/install/tools/ipa-ca-install.in
index 18c2303..d35d9ba 100644
--- a/install/tools/ipa-ca-install.in
+++ b/install/tools/ipa-ca-install.in
@@ -81,7 +81,7 @@ def parse_options():
 parser.add_option("--external-cert-file", dest="external_cert_files", action="append", metavar="FILE", help="File containing the IPA CA certificate and the external CA certificate chain")
- ca_algos = ('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA')
+ ca_algos = ('SHA1withRSA', 'SHA256withRSA', 'SHA384withRSA', 'SHA512withRSA')
 parser.add_option("--ca-signing-algorithm", dest="ca_signing_algorithm", type="choice", choices=ca_algos, metavar="{{{0}}}".format(",".join(ca_algos)),
diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1
index 8e57c00..7284ba5 100644
--- a/install/tools/man/ipa-ca-install.1
+++ b/install/tools/man/ipa-ca-install.1
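Review bot: `ca_algos` in ipa-ca-install.in now repeats the same four values that `CASigningAlgorithm` in ipaserver/install/ca.py gains later in this commit, and the two man pages repeat them a third and fourth time, so the next algorithm addition has to touch every copy or they drift. If ipa-ca-install.in can import from ipaserver.install.ca (not visible in this hunk), deriving the tuple keeps the CLI and the installer in step: `ca_algos = tuple(alg.value for alg in CASigningAlgorithm)`. The enclosing `parse_options()` begins before and continues after this hunk.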
@@ -77,7 +77,7 @@ The subject base for certificates issued by IPA (default O=REALM.NAME). RDNs ar
 File containing overrides for CA installation.
 .TP
 \fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
-Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
+Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
 .TP
 \fB\-\-no\-host\-dns\fR
 Do not use DNS for hostname lookup during installation
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index fdb0f4c..2e89cfc 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -162,7 +162,7 @@ The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME). R
 The subject base for certificates issued by IPA (default O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).
 .TP
 \fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
-Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
+Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
 .SS "SECRET MANAGEMENT OPTIONS"
 .TP
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 8fb5e3e..e0ca7f4 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -435,6 +435,7 @@ def uninstall():
 class CASigningAlgorithm(enum.Enum):
 SHA1_WITH_RSA = 'SHA1withRSA'
 SHA_256_WITH_RSA = 'SHA256withRSA'
+ SHA_384_WITH_RSA = 'SHA384withRSA'
 SHA_512_WITH_RSA = 'SHA512withRSA'
diff --git a/ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl b/ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl
index 9954819..38f7619 100644
--- a/ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl
+++ b/ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl
@@ -505,7 +505,7 @@ choice
- SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA
+ SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA
 Signing Algorithm
@@ -514,15 +514,15 @@
- This constraint accepts only the Signing Algorithms of SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+ This constraint accepts only the Signing Algorithms of SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
 signingAlgConstraintImpl string Allowed Signing Algorithms
- SHA1withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+ SHA1withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
- SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+ SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
diff --git a/ipatests/test_xmlrpc/data/caIPAserviceCert_mal.cfg.tmpl b/ipatests/test_xmlrpc/data/caIPAserviceCert_mal.cfg.tmpl
index 7fc2281..61a4837 100644
--- a/ipatests/test_xmlrpc/data/caIPAserviceCert_mal.cfg.tmpl
+++ b/ipatests/test_xmlrpc/data/caIPAserviceCert_mal.cfg.tmpl
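Review bot: `CASigningAlgorithm` gains a member whose usability depends on the dogtag version, and neither the hunk nor the enum records that; the commit message is the only place stating that SHA384withRSA needs dogtag 10.5.0 and that the chosen value is written to `ca.signing.defaultSigningAlgorithm` in CS.cfg. A class docstring would carry that into the code: `"""Signing algorithms selectable for the IPA CA certificate; the installer writes the chosen value to ca.signing.defaultSigningAlgorithm in CS.cfg. SHA384withRSA requires dogtag >= 10.5.0."""`. Whether the installer rejects SHA384withRSA against an older dogtag is not visible here; if it does not, a version check where the option is validated would turn a late CA-configuration failure into an early, clear error.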
@@ -90,7 +90,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA, SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/ipatests/test_xmlrpc/data/caIPAserviceCert_mod.cfg.tmpl b/ipatests/test_xmlrpc/data/caIPAserviceCert_mod.cfg.tmpl
index f9e8ce4..72b5d10 100644
--- a/ipatests/test_xmlrpc/data/caIPAserviceCert_mod.cfg.tmpl
+++ b/ipatests/test_xmlrpc/data/caIPAserviceCert_mod.cfg.tmpl
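Review bot: The new line in caIPAserviceCert_mal.cfg.tmpl reads `SHA384withRSA, SHA512withRSA` with a space after the comma, unlike every other `signingAlgsAllowed` line in this commit. If the `_mal` fixture is deliberately malformed in some other respect, this stray space silently adds a second deviation and may change what the test exercises; if it is a typo, the line should match the others: `...SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,...`. Whether dogtag trims tokens when parsing this list is not visible here, which is one more reason not to rely on it in a fixture.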
@@ -89,7 +89,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/ipatests/test_xmlrpc/data/caIPAserviceCert_mod_mal.cfg.tmpl b/ipatests/test_xmlrpc/data/caIPAserviceCert_mod_mal.cfg.tmpl
index 3fa2970..67637cf 100644
--- a/ipatests/test_xmlrpc/data/caIPAserviceCert_mod_mal.cfg.tmpl
+++ b/ipatests/test_xmlrpc/data/caIPAserviceCert_mod_mal.cfg.tmpl
@@ -90,7 +90,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/ipatests/test_xmlrpc/data/smime-mod.cfg.tmpl b/ipatests/test_xmlrpc/data/smime-mod.cfg.tmpl
index da94c25..2e593f6 100644
--- a/ipatests/test_xmlrpc/data/smime-mod.cfg.tmpl
+++ b/ipatests/test_xmlrpc/data/smime-mod.cfg.tmpl
@@ -78,7 +78,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/ipatests/test_xmlrpc/data/smime.cfg.tmpl b/ipatests/test_xmlrpc/data/smime.cfg.tmpl
index 3baf03f..cbcc7a1 100644
--- a/ipatests/test_xmlrpc/data/smime.cfg.tmpl
+++ b/ipatests/test_xmlrpc/data/smime.cfg.tmpl
@@ -88,7 +88,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-