dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

SCEP enrollment not picking up the given signing algorithm #1862

Open pki-bot opened 4 years ago

pki-bot commented 4 years ago

This issue was migrated from Pagure Issue #1300. Originally filed by mharmsen (@mharmsen) on 2015-03-09 18:28:14:


SCEP enrollment is not picking up the given signing algorithm. Provided sha256 as the algorithm; the certificate is created with sha512.

Steps to Reproduce:

Used the sscep client, configured to enable the use of SHA2 hashes as described in
http://pki.fedoraproject.org/wiki/SCEP_in_Dogtag#SSCEP_Updates

1. Create request with sha256 digest
# /usr/bin/mkrequest -ip xx.xx.xx.xx netscape sha256
DIGEST=-sha256
Generating RSA private key, 1024 bit long modulus
............++++++
....++++++
e is 65537 (0x10001)

# ls
local.key local.csr

2. get CA certificate
# /usr/bin/sscep getca -c /tmp/newtest/ca.crt -u http://host.example.com:30044/ca/cgi-bin/pkiclient.exe
/usr/bin/sscep: requesting CA certificate
/usr/bin/sscep: valid response from server
/usr/bin/sscep: MD5 fingerprint: B3:3E:4C:43:3B:AB:DB:70:C8:E1:BB:D8:6F:16:85:D3
/usr/bin/sscep: CA certificate written as /tmp/newtest/ca.crt

# ls
local.key local.csr ca.crt

Verified the request local.csr using the cryptomilk.1 decoder; it is created with sha256.

3. Configure sscep.conf with
FingerPrint sha256
SigAlgorithm sha256

4. Perform scep enroll
# /usr/bin/sscep enroll -f /tmp/newtest/sscep.conf -c /tmp/newtest/ca.crt \
    -k /tmp/newtest/local.key -r /tmp/newtest/local.csr -E 3des -S sha256 \
    -l /tmp/newtest/cert.crt -u http://host.example.com:30044/ca/cgi-bin/pkiclient.exe
/usr/bin/sscep: sending certificate request
/usr/bin/sscep: valid response from server
/usr/bin/sscep: pkistatus: SUCCESS
/usr/bin/sscep: certificate written as /tmp/newtest/cert.crt

Actual results:

Certificate approved with sha512 signing algorithm.
[06/Mar/2015:19:42:15][http-bio-30044-exec-2]: EnrollProfile certInfo : [
  Version: V3
  Subject: CN=10.16.4.26
  Signature Algorithm: SHA512withRSA, OID = 1.2.840.113549.1.1.13

  Key:  algorithm = RSA, unparsed keybits =
30 81 89 02 81 81 00 AD F5 FF 6B 4C 1C 7E 43 A6 05 09 D4 B9
51 94 A9 9E 7C 24 62 FF 18 4A 46 50 59 9D 94 4F 59 6C C1 50
AC A7 ED 6E 0C 10 04 6B F3 F0 68 FC AB 5F B3 BB 78 D5 EB BF
4D C3 A0 BB 93 5C 9C F5 F7 F5 D2 5F 7A BD A6 FB CD 12 65 D2
4A E9 AB A3 E8 3B 5A AE 56 EF E8 42 E5 7E E2 05 42 AF 4A 42
56 06 F8 65 76 A8 7C 03 73 1E 6E D9 48 F7 2C 7A 1E 58 5D 79
60 DC F8 80 91 82 B7 72 D6 B7 1A 4B FF 48 33 02 03 01 00 01

  Validity: [From: Fri Mar 06 19:42:15 EST 2015,
               To: Thu Feb 23 19:42:15 EST 2017]
  Issuer: CN=PKI ROOTCA Signing Cert,O=redhat
  SerialNumber: [    00]
  Extension[0] = ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
69 B3 CD 01 C9 A5 CE FF 27 73 F3 24 A8 3B 7A E2 7B 2F 2E E1
]
]
  Extension[1] = ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthInfoAccess [
(0) 1.3.6.1.5.5.7.48.1 URIName: http://host.example.com:30044/ca/ocsp]
  Extension[2] = ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
]
  Extension[3] = oid=2.5.29.37  val=48 20 6 8 43 6 1 5 5 7 3 2 6 8 43 6 1 5 5 7 3 4
]

Expected results:

Certificate should be created with sha256 signing algorithm.
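A scripted version of the check the reporter did by hand (decoding local.csr and cert.crt to see which hash each was signed with), as an added example that is not part of the Dogtag or sscep code: it walks the DER of a PKCS#10 request and an X.509 certificate using only the Python standard library, reads the signatureAlgorithm OID off each, and also confirms that the certificate's tbsCertificate.signature matches its outer signatureAlgorithm, as RFC 5280 section 4.1.2.3 requires (the `OID = 1.2.840.113549.1.1.13` in the log above is sha512WithRSAEncryption; sha256WithRSAEncryption is `1.2.840.113549.1.1.11`). The request is signed by the client with the digest chosen at request time, while the issued certificate is signed by the CA with whatever algorithm the CA selects, so comparing the two is the direct test of what this issue reports. All function names are the example's own; the `make_dummy_*` builders and `to_pem` produce constructed, unsigned placeholder objects so the block runs offline, and on a real system the parsers are fed the PEM files from the steps above instead.

```python
"""Added example (not Dogtag or sscep code): read the signature algorithm off a
PKCS#10 request and an X.509 certificate with a minimal stdlib DER walker."""
import base64
import re

SIG_ALG_NAMES = {                      # PKCS#1 v1.5 RSA signature OIDs (RFC 8017)
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}

def _read_tlv(buf, pos):
    """(tag, value, next_pos) of the DER element at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):                   # contents of a constructed element as (tag, value) pairs
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value))
    return out

def _decode_oid(value):                # first two arcs packed as 40*a+b; rest are base-128 groups
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def _pem_to_der(data):                 # accepts PEM (str or bytes) or raw DER
    data = data.encode() if isinstance(data, str) else data
    m = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data

def _alg_oid(alg_id):                  # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    return _decode_oid(_children(alg_id)[0][1])

def signature_algorithm(data):
    """Outer signatureAlgorithm of a certificate or PKCS#10 request (both are
    SEQUENCE { body, AlgorithmIdentifier, BIT STRING }); dotted OID if unknown."""
    _, body, _ = _read_tlv(_pem_to_der(data), 0)
    oid = _alg_oid(_children(body)[1][1])
    return SIG_ALG_NAMES.get(oid, oid)

def certificate_signature_algorithms(data):
    """(tbsCertificate.signature OID, outer signatureAlgorithm OID); RFC 5280 says equal."""
    _, body, _ = _read_tlv(_pem_to_der(data), 0)
    tbs, outer_alg = _children(body)[:2]
    fields = _children(tbs[1])
    skip = 1 if fields[0][0] == 0xA0 else 0   # optional [0] EXPLICIT version comes first
    return _alg_oid(fields[skip + 1][1]), _alg_oid(outer_alg[1])   # serialNumber, then signature

def compare_request_and_certificate(csr_data, cert_data):
    """(request alg, certificate alg, honoured?); False is the condition this issue reports."""
    csr_alg = signature_algorithm(csr_data)
    tbs_oid, outer_oid = certificate_signature_algorithms(cert_data)
    cert_alg = SIG_ALG_NAMES.get(outer_oid, outer_oid)
    return csr_alg, cert_alg, tbs_oid == outer_oid and csr_alg == cert_alg

# The DER encoder below exists only to build constructed, unsigned sample input.
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = bytes([a & 0x7F]), a >> 7
        while a:
            chunk, a = bytes([0x80 | (a & 0x7F)]) + chunk, a >> 7
        body += chunk
    return _tlv(0x06, body)

def _alg_id(oid):
    return _tlv(0x30, _encode_oid(oid) + b"\x05\x00")   # { OID, NULL }

def make_dummy_certificate(sig_oid, serial=1):
    """Placeholder Certificate: TBS holds only version, serial and the signature
    AlgorithmIdentifier; the BIT STRING is zeros, not a real signature."""
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, bytes([serial])) + _alg_id(sig_oid))
    return _tlv(0x30, tbs + _alg_id(sig_oid) + _tlv(0x03, b"\x00" * 9))

def make_dummy_request(sig_oid):
    """Placeholder PKCS#10 CertificationRequest with a version-only info block."""
    return _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x00")) + _alg_id(sig_oid) + _tlv(0x03, b"\x00" * 9))

def to_pem(der, label="CERTIFICATE"):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)), label)
```

Against the files from the reproduction, `compare_request_and_certificate(open("/tmp/newtest/local.csr", "rb").read(), open("/tmp/newtest/cert.crt", "rb").read())` returns `("sha256WithRSAEncryption", "sha512WithRSAEncryption", False)` for the behaviour described here; `openssl x509 -in /tmp/newtest/cert.crt -noout -text` shows the same algorithm in its Signature Algorithm lines if OpenSSL is at hand. The walker reads only the three top-level fields and the first few TBS fields, so it does not depend on the rest of the certificate being well formed, which is also why it is not a substitute for full validation.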

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2015-03-10 01:19:59

Per CS/DS Meeting of 03/09/2015: 10.3

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2016-05-04 20:11:15

Per Bug Triage of 05/03/2016: 10.4

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2017-02-27 14:04:21

Metadata Update from @mharmsen:

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2017-08-31 13:44:18

Metadata Update from @mharmsen:

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2018-04-13 15:01:05

Metadata Update from @mharmsen:

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2018-04-13 16:53:20

Per 10.5.x/10.6 Triage: 10.6

Upgrading SCEP is being proposed for 10.6