search

dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0
368 stars 136 forks source link

RFE: CMC ECC #933

Closed pki-bot closed 4 years ago

pki-bot commented 4 years ago

This issue was migrated from Pagure Issue #362. Originally filed by cfu (@cfu) on 2012-10-08 21:14:02:

Currently, all the CMC tools as well as the CA CMC enrollment do not support ECC. This task encompass all necessary changes to allow the CMC tools and the server CMC-handing to work with ECC.

pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2012-12-19 05:31:48

also added support for CMC revocation in CMCRequest as well as op flags in ECC key gen CMC-ECC-forReview1.diff2

pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2012-12-19 05:33:40

also added support for CMC revocation in CMCRequest as well as op flags in ECC key gen CMC-ECC-forReview1.diff

pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2012-12-19 06:02:41

The usages and examples for how to test each tool modified to work with CMC/ECC are to follow.

=============

PKCS10Client new usage:

Usage: PKCS10Client -d -h -p -a <algorithm: 'rsa' or 'ec'> -l -c -o -n 

Optionally, for ECC key generation per definition in JSS pkcs11.PK11KeyPairGenerator:

-t <1 for temporary(session); 0 for permanent(token); default is 0>

-s <1 for sensitive; 0 for non-sensitive; -1 temporaryPairMode dependent; default is -1>

-e <1 for extractable; 0 for non-extractable; -1 token dependent; default is -1>

Also optional for ECC key generation:

-x <ture for SSL cert that does ECDH ECDSA; false otherwise; default false>

available ECC curve names (if provided by the crypto module): nistp256 (secp256r1),nistp384 (secp384r1),nistp521 (secp521r1),nistk163 (sect163k1),sect163r1,nistb163 (sect163r2),sect193r1,sect193r2,nistk233 (sect233k1),nistb233 (sect233r1),sect239k1,nistk283 (sect283k1),nistb283 (sect283r1),nistk409 (sect409k1),nistb409 (sect409r1),nistk571 (sect571k1),nistb571 (sect571r1),secp160k1,secp160r1,secp160r2,secp192k1,nistp192 (secp192r1, prime192v1),secp224k1,nistp224 (secp224r1),secp256k1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2

Example 1 shows how to generate an EC PKCS10 request then turn into a CMC request then submit to CA for issuance in different ways:

alternative, instead of HttpClient, you can copy the CMC request and paste it into EE page CMC profile: Signed CMC-Authenticated User Certificate Enrollment

pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2012-12-19 06:08:08

CMCRequest config file example for CMC EC PKCS10 request Demo_cmc_ECpkcs10.cfg

pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2012-12-19 06:09:44

HttpClient config file example to submit the CMC EC PKCS10 request from previous PKCS10Client and CMCRequest example DemoHttpClient.cfg

pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2012-12-19 06:23:10

CRMFPopClient new usage:

CRMF Proof Of Possession Utility....

Usage: CRMFPopClient -d -p -h -o -n -a <algorithm: 'rsa' or 'ec'> -l -c -m -f <profile name; rsa default caEncUserCert; ec default caEncECUserCert> -u -r -q <POP_NONE, POP_SUCCESS, or POP_FAIL; default POP_SUCCESS> 

Optionally, for ECC key generation per definition in JSS pkcs11.PK11KeyPairGenerator:

-t <1 for temporary(session); 0 for permanent(token); default is true>

-s <1 for sensitive; 0 for non-sensitive; -1 temporaryPairMode dependent; default is -1>

-e <1 for extractable; 0 for non-extractable; -1 token dependent; default is -1>

Also optional for ECC key generation:

-x <ture for SSL cert that does ECDH ECDSA; false otherwise; default false>

note: '-x true' can only be used with POP_NONE available ECC curve names (if provided by the crypto module): nistp256 (secp256r1),nistp384 (secp384r1),nistp521 (secp521r1),nistk163 (sect163k1),sect163r1,nistb163 (sect163r2),sect193r1,sect193r2,nistk233 (sect233k1),nistb233 (sect233r1),sect239k1,nistk283 (sect283k1),nistb283 (sect283r1),nistk409 (sect409k1),nistb409 (sect409r1),nistk571 (sect571k1),nistb571 (sect571r1),secp160k1,secp160r1,secp160r2,secp192k1,nistp192 (secp192r1, prime192v1),secp224k1,nistp224 (secp224r1),secp256k1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2

IMPORTANT: The file "transport.txt" needs to be created to contain the transport certificate in its base64 encoded format. This file should consist of one line containing a single certificate in base64 encoded format with the header and footer removed.

Example on how to run CRMFPopClient to generate an EC CRMF request and use CMCRequest to turn it into a CMC CRMF EC request:

(NOTE: due to certicom private key issue, key archival can only work with conforming tokens such as nethsm; The example provided and in my own developer's test environment, I use nethsm)

Alternative, instead of HttpClient, you can also paste the CMC request into EE page CMC enrollment profile: Signed CMC-Authenticated User Certificate Enrollment

pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2012-12-19 06:25:29

CMCRequest config file example for CMC EC CRMF request Demo_cmc_ECCRMF.cfg

pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2012-12-19 06:26:09

HttpClient config file example to submit the CMC EC CRMF request from previous CRMFPopClient and CMCRequest example DemoHttpClient_CRMF.cfg

pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2012-12-19 06:28:36

CMCRevoke's new usage:

Usage: CMCRevoke -d<dir to cert8.db, key3.db> -n -i -s -m -p -h -c

Example: CMCRevoke -d. -n"cfu pkcs10nfast admin pki-ca-ecc-08202012 2" -i"CN=Certificate Authority,OU=pki-ca-ecc-08202012,O=DsdevSjcRedhat Domain ecc 08202012" -s130 -m2 -pxxxxx -hNHSM6000-OCS -ctestcomment

pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2012-12-19 06:32:38

Example on how to use CMCRequest's support for CMC revocation (though CMCRevoke tool as shown above provides similar support):

CMCRequest Demo_cmc_ECpkcs10Revoke.cfg

see the following attachment: Demo_cmc_ECpkcs10Revoke.cfg

pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2012-12-19 06:33:16

CMCRequest config file example for CMC revocation request Demo_cmc_ECpkcs10Revoke.cfg

pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2013-01-09 20:33:59

for 2nd review CMC-ECC-forReview2.diff

pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2013-01-10 04:57:59

checked into PKI_8_1_ERRATA_BRANCH: Author: cfu Date: 2013-01-10 02:39:49 +0000 (Thu, 10 Jan 2013) New Revision: 2512

Modified: branches/PKI_8_1_ERRATA_BRANCH/pki/base/ca/shared/profiles/ca/caCMCUserCert.cfg branches/PKI_8_1_ERRATA_BRANCH/pki/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg branches/PKI_8_1_ERRATA_BRANCH/pki/base/ca/shared/profiles/ca/caOtherCert.cfg branches/PKI_8_1_ERRATA_BRANCH/pki/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg branches/PKI_8_1_ERRATA_BRANCH/pki/base/common/src/com/netscape/cms/authentication/CMCAuth.java branches/PKI_8_1_ERRATA_BRANCH/pki/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java branches/PKI_8_1_ERRATA_BRANCH/pki/base/common/src/com/netscape/cms/profile/input/CMCCertReqInput.java branches/PKI_8_1_ERRATA_BRANCH/pki/base/java-tools/src/com/netscape/cmstools/CMCRequest.java branches/PKI_8_1_ERRATA_BRANCH/pki/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java branches/PKI_8_1_ERRATA_BRANCH/pki/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java branches/PKI_8_1_ERRATA_BRANCH/pki/base/java-tools/src/com/netscape/cmstools/HttpClient.java branches/PKI_8_1_ERRATA_BRANCH/pki/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java branches/PKI_8_1_ERRATA_BRANCH/pki/base/util/src/netscape/security/pkcs/PKCS10.java branches/PKI_8_1_ERRATA_BRANCH/pki/base/util/src/netscape/security/x509/X509CRLImpl.java

pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2013-01-10 04:58:41

checked into PKI_8_BRANCH: Author: cfu Date: 2013-01-10 02:53:00 +0000 (Thu, 10 Jan 2013) New Revision: 2513

Modified: branches/PKI_8_BRANCH/pki/base/ca/shared/profiles/ca/caCMCUserCert.cfg branches/PKI_8_BRANCH/pki/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg branches/PKI_8_BRANCH/pki/base/ca/shared/profiles/ca/caOtherCert.cfg branches/PKI_8_BRANCH/pki/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg branches/PKI_8_BRANCH/pki/base/common/src/com/netscape/cms/authentication/CMCAuth.java branches/PKI_8_BRANCH/pki/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java branches/PKI_8_BRANCH/pki/base/common/src/com/netscape/cms/profile/input/CMCCertReqInput.java branches/PKI_8_BRANCH/pki/base/java-tools/src/com/netscape/cmstools/CMCRequest.java branches/PKI_8_BRANCH/pki/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java branches/PKI_8_BRANCH/pki/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java branches/PKI_8_BRANCH/pki/base/java-tools/src/com/netscape/cmstools/HttpClient.java branches/PKI_8_BRANCH/pki/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java branches/PKI_8_BRANCH/pki/base/util/src/netscape/security/pkcs/PKCS10.java branches/PKI_8_BRANCH/pki/base/util/src/netscape/security/x509/X509CRLImpl.java

pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2013-01-10 21:00:50

checked into DOGTAG_9_BRANCH:

pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2013-01-16 02:07:51

checked into master

pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2013-01-25 02:31:29

Here is one example steps on how to put cert/keys info HSM to be used as an agent cert for the tools above when needed:

  1. generate csr:

    PKCS10Client -p redhat123 -d . -o pkcs10nfast3.csr -n "CN=Christina Fu nfast 3" -a ec -c nistp256 -t false -h "NHSM6000-OCS"

PKCS10Client: token NHSM6000-OCS logged in... CryptoUtil: generateECCKeyPair: curve = nistp256 CryptoUtil: generateECCKeyPair: after KeyPairGenerator initialize with:nistp256 PKCS10Client: key pair generated. PKCS10Client: pair.getPublic() called. PKCS10Client: CertificationRequestInfo() created. PKCS10Client: token is: NHSM6000-OCS PKCS10Client: calling CryptoUtil.createCertificationRequest PKCS10Client: created cert request PKCS10Client: cert request not null -----BEGIN NEW CERTIFICATE REQUEST----- MIHcMIGBAgEAMB8xHTAbBgNVBAMTFENocmlzdGluYSBGdSBuZmFzdCAzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvnUnL0tKylr/fGlYeaFofhUCcl/R2+kKMnFJym7Tp79J789mv8MlBEaNZ5bTdh+3eQ/U5PXvUAqmjCpQN8cbzqAAMAwGCCqGSM49BAMCBQADSAAwRQIhALcVh0PsWfOWJ8sUZU0RHAaX77vjFCj7hJO2GJIInOBWAiBBnXoGKwv3yFpZLgmcfVn8K/vErgdZSsRTXgBjtW8+pQ== -----END NEW CERTIFICATE REQUEST----- PKCS10Client: done. Request written to file: pkcs10nfast3.csr

  1. go to ca ee , use "other" profile
  2. go to agent to approve
  3. copy the b64 cert into a file.. in my example for below: pkcs10nfast3.cert.txt
  4. import it: certutil -d . -h NHSM6000-OCS -A -t "u,u,u" -n "cfu pkcs10nfast3" -a -i pkcs10nfast3.cert.txt

  5. see it: certutil -d . -h NHSM6000-OCS -n "NHSM6000-OCS:cfu pkcs10nfast3" -L Enter Password or Pin for "NHSM6000-OCS": Certificate: Data: Version: 3 (0x2) Serial Number: 196 (0xc4) Signature Algorithm: X9.62 ECDSA signature with SHA256 Issuer: "CN=Certificate Authority,OU=pki-ca-ecc-08202012,O=DsdevSjcRe dhat Domain ecc 08202012" Validity: Not Before: Fri Jan 25 00:08:03 2013 Not After : Thu Jan 15 00:08:03 2015 Subject: "CN=Christina Fu nfast 3" Subject Public Key Info: Public Key Algorithm: X9.62 elliptic curve public key Args: 06:08:2a:86:48:ce:3d:03:01:07 EC Public Key: PublicValue: 04:be:75:27:2f:4b:4a:ca:5a:ff:7c:69:58:79:a1:68: 7e:15:02:72:5f:d1:db:e9:0a:32:71:49:ca:6e:d3:a7: bf:49:ef:cf:66:bf:c3:25:04:46:8d:67:96:d3:76:1f: b7:79:0f:d4:e4:f5:ef:50:0a:a6:8c:2a:50:37:c7:1b: ce Curve: ANSI X9.62 elliptic curve prime256v1 (aka secp256r1, NIST P-256) Signed Extensions: Name: Certificate Authority Key Identifier Key ID: f7:b4:1a:ff:02:f1:56:8a:5a:41:a7:22:c0:24:e9:de: b0:f3:8e:fe

        Name: Authority Information Access
    Method: PKIX Online Certificate Status Protocol
    Location:
        URI: "http://glyph.dsdev.sjc.redhat.com:9180/ca/ocsp"

    Name: Certificate Key Usage
    Critical: True
    Usages: Digital Signature
            Non-Repudiation
            Key Encipherment
            Data Encipherment

    Name: Extended Key Usage
        TLS Web Server Authentication Certificate
        TLS Web Client Authentication Certificate

    Signature Algorithm: X9.62 ECDSA signature with SHA256 Signature: 30:44:02:20:49:f8:8d:7e:bd:48:3d:72:0f:b2:60:14: 47:24:f9:3b:9c:ba:a3:9f:8a:dc:66:b9:40:77:14:80: 7b:99:44:b8:02:20:1e:23:dc:86:df:49:96:55:a5:a4: a5:13:75:c7:66:0f:75:5b:df:d1:29:86:df:2c:7c:fe: d4:30:13:9c:86:5b Fingerprint (MD5): BF:A9:FC:6F:FA:07:9A:1A:8F:EA:7C:2B:46:A7:68:C2 Fingerprint (SHA1): 8A:E7:89:C2:2D:6F:1C:1A:5A:B7:B1:EA:40:C2:EA:5E:32:69:58:D7

    Certificate Trust Flags: SSL Flags: User Email Flags: User Object Signing Flags: User

  6. now you can just add the b64 to the new admin user via pkiconsole
pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2017-02-27 14:12:11

Metadata Update from @cfu: