Fix incorrect default signing algorithm
The PKIDeployer.update_system_cert() was incorrectly setting
the default signing algorithm param in CS.cfg for all certs
using the key algorithm param in pkispawn which could cause
a problem if the key algorithm and signing algorithm are not
the same.

The code has been modified to set the param properly using
the signing algorithm param in pkispawn for CA/OCSP/audit
signing certs only. This param is not used by other certs so
it does not need to be set for those certs.

The pki-server ca-config-show CLI has been updated to return
a non-zero code if the param being requested doesn't exist.

The tests have been updated to use different key and signing
algorithms.

#4518
edewata committed Aug 8, 2023
1 parent a69b35d commit 66cc88f
Showing 6 changed files with 102 additions and 89 deletions.
36 changes: 19 additions & 17 deletions .github/workflows/ca-ecc-test.yml
@@ -50,7 +50,7 @@ jobs:
- name: Connect PKI container to network
run: docker network connect example pki --alias pki.example.com

- name: Install CA with SHA512withEC
- name: Install CA
run: |
docker exec pki pkispawn \
-f /usr/share/pki/server/examples/installation/ca-ecc.cfg \
@@ -88,17 +88,17 @@ jobs:
# inspect cert with certutil
docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n ca_signing | tee output
# signing algorithm should be "X9.62 ECDSA signature with SHA512"
echo "X9.62 ECDSA signature with SHA512" > expected
# signing algorithm should be "X9.62 ECDSA signature with SHA384"
echo "X9.62 ECDSA signature with SHA384" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# inspect cert with openssl
docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
docker exec pki openssl x509 -text -noout -in ca_signing.crt | tee output
# signing algorithm should be "ecdsa-with-SHA512"
echo "ecdsa-with-SHA512" > expected
# signing algorithm should be "ecdsa-with-SHA384"
echo "ecdsa-with-SHA384" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
@@ -126,8 +126,8 @@ jobs:
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# default signing algorithm should be "SHA512withEC"
echo "SHA512withEC" > expected
# default signing algorithm should be "SHA384withEC"
echo "SHA384withEC" > expected
docker exec pki pki-server ca-config-show ca.ocsp_signing.defaultSigningAlgorithm | tee actual
diff expected actual
@@ -150,8 +150,8 @@ jobs:
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# default signing algorithm should be "SHA512withEC"
echo "SHA512withEC" > expected
# default signing algorithm should be "SHA384withEC"
echo "SHA384withEC" > expected
docker exec pki pki-server ca-config-show ca.audit_signing.defaultSigningAlgorithm | tee actual
diff expected actual
@@ -174,10 +174,11 @@ jobs:
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# default signing algorithm should be "SHA512withEC"
echo "SHA512withEC" > expected
docker exec pki pki-server ca-config-show ca.subsystem.defaultSigningAlgorithm | tee actual
diff expected actual
# default signing algorithm should not exist
echo "ERROR: No such parameter: ca.subsystem.defaultSigningAlgorithm" > expected
docker exec pki pki-server ca-config-show ca.subsystem.defaultSigningAlgorithm \
> >(tee stdout) 2> >(tee stderr >&2) || true
diff expected stderr
- name: Check SSL server cert
run: |
@@ -198,10 +199,11 @@ jobs:
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# default signing algorithm should be "SHA512withEC"
echo "SHA512withEC" > expected
docker exec pki pki-server ca-config-show ca.sslserver.defaultSigningAlgorithm | tee actual
diff expected actual
# default signing algorithm should not exist
echo "ERROR: No such parameter: ca.sslserver.defaultSigningAlgorithm" > expected
docker exec pki pki-server ca-config-show ca.sslserver.defaultSigningAlgorithm \
> >(tee stdout) 2> >(tee stderr >&2) || true
diff expected stderr
- name: Run PKI healthcheck
run: docker exec pki pki-healthcheck --failures-only
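Review bot: The new negative checks in the subsystem and SSL server cert steps end in `|| true`, so the non-zero exit code that this commit adds to `pki-server ca-config-show` is never asserted; only the stderr text is compared. `diff expected stderr` also reads a file written by the asynchronous `>(tee stderr >&2)` process substitution, which bash does not wait for, so the comparison can race with the write. Redirecting to files and testing the status covers both: `if docker exec pki pki-server ca-config-show ca.subsystem.defaultSigningAlgorithm > stdout 2> stderr; then exit 1; fi`, then `cat stderr >&2` before the existing `diff expected stderr`. The same pattern appears in the corresponding steps of ca-rsa-pss-test.yml and ca-rsa-test.yml.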
46 changes: 23 additions & 23 deletions .github/workflows/ca-rsa-pss-test.yml
@@ -50,24 +50,22 @@ jobs:
- name: Connect PKI container to network
run: docker network connect example pki --alias pki.example.com

- name: Install CA with SHA512withRSA/PSS
- name: Install CA
run: |
docker exec pki pkispawn \
-f /usr/share/pki/server/examples/installation/ca.cfg \
-s CA \
-D pki_ds_url=ldap://ds.example.com:3389 \
-D pki_use_pss_rsa_signing_algorithm=True \
-D pki_ca_signing_key_algorithm=SHA512withRSA/PSS \
-D pki_ca_signing_key_algorithm=SHA384withRSA/PSS \
-D pki_ca_signing_signing_algorithm=SHA512withRSA/PSS \
-D pki_ocsp_signing_key_algorithm=SHA512withRSA/PSS \
-D pki_ocsp_signing_signing_algorithm=SHA512withRSA/PSS \
-D pki_audit_signing_key_algorithm=SHA512withRSA/PSS \
-D pki_audit_signing_signing_algorithm=SHA512withRSA/PSS \
-D pki_subsystem_key_algorithm=SHA512withRSA/PSS \
-D pki_subsystem_signing_algorithm=SHA512withRSA/PSS \
-D pki_sslserver_key_algorithm=SHA512withRSA/PSS \
-D pki_sslserver_signing_algorithm=SHA512withRSA/PSS \
-D pki_admin_key_algorithm=SHA512withRSA/PSS \
-D pki_ocsp_signing_key_algorithm=SHA384withRSA/PSS \
-D pki_ocsp_signing_signing_algorithm=SHA384withRSA/PSS \
-D pki_audit_signing_key_algorithm=SHA384withRSA/PSS \
-D pki_audit_signing_signing_algorithm=SHA384withRSA/PSS \
-D pki_subsystem_key_algorithm=SHA384withRSA/PSS \
-D pki_sslserver_key_algorithm=SHA384withRSA/PSS \
-D pki_admin_key_algorithm=SHA384withRSA/PSS \
-D pki_cert_id_generator=random \
-D pki_request_id_generator=random \
-v
@@ -137,8 +135,8 @@ jobs:
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# default signing algorithm should be "SHA512withRSA/PSS"
echo "SHA512withRSA/PSS" > expected
# default signing algorithm should be "SHA384withRSA/PSS"
echo "SHA384withRSA/PSS" > expected
docker exec pki pki-server ca-config-show ca.ocsp_signing.defaultSigningAlgorithm | tee actual
diff expected actual
@@ -161,8 +159,8 @@ jobs:
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# default signing algorithm should be "SHA512withRSA/PSS"
echo "SHA512withRSA/PSS" > expected
# default signing algorithm should be "SHA384withRSA/PSS"
echo "SHA384withRSA/PSS" > expected
docker exec pki pki-server ca-config-show ca.audit_signing.defaultSigningAlgorithm | tee actual
diff expected actual
@@ -185,10 +183,11 @@ jobs:
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# default signing algorithm should be "SHA512withRSA/PSS"
echo "SHA512withRSA/PSS" > expected
docker exec pki pki-server ca-config-show ca.subsystem.defaultSigningAlgorithm | tee actual
diff expected actual
# default signing algorithm should not exist
echo "ERROR: No such parameter: ca.subsystem.defaultSigningAlgorithm" > expected
docker exec pki pki-server ca-config-show ca.subsystem.defaultSigningAlgorithm \
> >(tee stdout) 2> >(tee stderr >&2) || true
diff expected stderr
- name: Check SSL server cert
run: |
@@ -209,10 +208,11 @@ jobs:
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# default signing algorithm should be "SHA512withRSA/PSS"
echo "SHA512withRSA/PSS" > expected
docker exec pki pki-server ca-config-show ca.sslserver.defaultSigningAlgorithm | tee actual
diff expected actual
# default signing algorithm should not exist
echo "ERROR: No such parameter: ca.sslserver.defaultSigningAlgorithm" > expected
docker exec pki pki-server ca-config-show ca.sslserver.defaultSigningAlgorithm \
> >(tee stdout) 2> >(tee stderr >&2) || true
diff expected stderr
- name: Run PKI healthcheck
run: docker exec pki pki-healthcheck --failures-only
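Review bot: The OCSP and audit signing certs appear to keep identical key and signing algorithm values in the `Install CA` step (both read `SHA384withRSA/PSS` on the new side as rendered here), so the `ca.ocsp_signing.defaultSigningAlgorithm` and `ca.audit_signing.defaultSigningAlgorithm` checks would still pass if the deployer went back to copying the key algorithm. Only the CA signing cert is installed with two different values, yet the commit message says the param is now set for CA, OCSP and audit signing certs. Giving those two certs a signing algorithm that differs from their key algorithm, for example `-D pki_ocsp_signing_signing_algorithm=SHA512withRSA/PSS \` with the matching `echo "SHA512withRSA/PSS" > expected`, would make the test cover the regression being fixed. ca-rsa-test.yml has the same gap, with `SHA384withRSA` on both params for the OCSP and audit signing certs.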
76 changes: 38 additions & 38 deletions .github/workflows/ca-rsa-test.yml
@@ -49,22 +49,20 @@ jobs:
- name: Connect PKI container to network
run: docker network connect example pki --alias pki.example.com

- name: Install CA with SHA384withRSA
- name: Install CA
run: |
docker exec pki pkispawn \
-f /usr/share/pki/server/examples/installation/ca.cfg \
-s CA \
-D pki_ds_url=ldap://ds.example.com:3389 \
-D pki_ca_signing_key_algorithm=SHA384withRSA \
-D pki_ca_signing_signing_algorithm=SHA384withRSA \
-D pki_ca_signing_signing_algorithm=SHA512withRSA \
-D pki_ocsp_signing_key_algorithm=SHA384withRSA \
-D pki_ocsp_signing_signing_algorithm=SHA384withRSA \
-D pki_audit_signing_key_algorithm=SHA384withRSA \
-D pki_audit_signing_signing_algorithm=SHA384withRSA \
-D pki_subsystem_key_algorithm=SHA384withRSA \
-D pki_subsystem_signing_algorithm=SHA384withRSA \
-D pki_sslserver_key_algorithm=SHA384withRSA \
-D pki_sslserver_signing_algorithm=SHA384withRSA \
-D pki_admin_key_algorithm=SHA384withRSA \
-D pki_cert_id_generator=random \
-D pki_request_id_generator=random \
@@ -112,8 +110,8 @@ jobs:
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# default signing algorithm should be "SHA384withRSA"
echo "SHA384withRSA" > expected
# default signing algorithm should be "SHA512withRSA"
echo "SHA512withRSA" > expected
docker exec pki pki-server ca-config-show ca.signing.defaultSigningAlgorithm | tee actual
diff expected actual
@@ -122,17 +120,17 @@ jobs:
# inspect cert with certutil
docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n ca_ocsp_signing | tee output
# signing algorithm should be "PKCS #1 SHA-384 With RSA Encryption"
echo "PKCS #1 SHA-384 With RSA Encryption" > expected
# signing algorithm should be "PKCS #1 SHA-512 With RSA Encryption"
echo "PKCS #1 SHA-512 With RSA Encryption" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# inspect cert with openssl
docker exec pki pki-server cert-export ca_ocsp_signing --cert-file ca_ocsp_signing.crt
docker exec pki openssl x509 -text -noout -in ca_ocsp_signing.crt | tee output
# signing algorithm should be "sha384WithRSAEncryption"
echo "sha384WithRSAEncryption" > expected
# signing algorithm should be "sha512WithRSAEncryption"
echo "sha512WithRSAEncryption" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
@@ -146,17 +144,17 @@ jobs:
# inspect cert with certutil
docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n ca_audit_signing | tee output
# signing algorithm should be "PKCS #1 SHA-384 With RSA Encryption"
echo "PKCS #1 SHA-384 With RSA Encryption" > expected
# signing algorithm should be "PKCS #1 SHA-512 With RSA Encryption"
echo "PKCS #1 SHA-512 With RSA Encryption" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# inspect cert with openssl
docker exec pki pki-server cert-export ca_audit_signing --cert-file ca_audit_signing.crt
docker exec pki openssl x509 -text -noout -in ca_audit_signing.crt | tee output
# signing algorithm should be "sha384WithRSAEncryption"
echo "sha384WithRSAEncryption" > expected
# signing algorithm should be "sha512WithRSAEncryption"
echo "sha512WithRSAEncryption" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
@@ -170,48 +168,50 @@ jobs:
# inspect cert with certutil
docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n subsystem | tee output
# signing algorithm should be "PKCS #1 SHA-384 With RSA Encryption"
echo "PKCS #1 SHA-384 With RSA Encryption" > expected
# signing algorithm should be "PKCS #1 SHA-512 With RSA Encryption"
echo "PKCS #1 SHA-512 With RSA Encryption" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# inspect cert with openssl
docker exec pki pki-server cert-export subsystem --cert-file subsystem.crt
docker exec pki openssl x509 -text -noout -in subsystem.crt | tee output
# signing algorithm should be "sha384WithRSAEncryption"
echo "sha384WithRSAEncryption" > expected
# signing algorithm should be "sha512WithRSAEncryption"
echo "sha512WithRSAEncryption" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# default signing algorithm should be "SHA384withRSA"
echo "SHA384withRSA" > expected
docker exec pki pki-server ca-config-show ca.subsystem.defaultSigningAlgorithm | tee actual
diff expected actual
# default signing algorithm should not exist
echo "ERROR: No such parameter: ca.subsystem.defaultSigningAlgorithm" > expected
docker exec pki pki-server ca-config-show ca.subsystem.defaultSigningAlgorithm \
> >(tee stdout) 2> >(tee stderr >&2) || true
diff expected stderr
- name: Check SSL server cert
run: |
# inspect cert with certutil
docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n sslserver | tee output
# signing algorithm should be "PKCS #1 SHA-384 With RSA Encryption"
echo "PKCS #1 SHA-384 With RSA Encryption" > expected
# signing algorithm should be "PKCS #1 SHA-512 With RSA Encryption"
echo "PKCS #1 SHA-512 With RSA Encryption" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# inspect cert with openssl
docker exec pki pki-server cert-export sslserver --cert-file sslserver.crt
docker exec pki openssl x509 -text -noout -in sslserver.crt | tee output
# signing algorithm should be "sha384WithRSAEncryption"
echo "sha384WithRSAEncryption" > expected
# signing algorithm should be "sha512WithRSAEncryption"
echo "sha512WithRSAEncryption" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# default signing algorithm should be "SHA384withRSA"
echo "SHA384withRSA" > expected
docker exec pki pki-server ca-config-show ca.sslserver.defaultSigningAlgorithm | tee actual
diff expected actual
# default signing algorithm should not exist
echo "ERROR: No such parameter: ca.sslserver.defaultSigningAlgorithm" > expected
docker exec pki pki-server ca-config-show ca.sslserver.defaultSigningAlgorithm \
> >(tee stdout) 2> >(tee stderr >&2) || true
diff expected stderr
- name: Run PKI healthcheck
run: docker exec pki pki-healthcheck --failures-only
@@ -230,16 +230,16 @@ jobs:
# inspect cert with certutil
docker exec pki certutil -L -d /root/.dogtag/nssdb -n caadmin | tee output
# signing algorithm should be "PKCS #1 SHA-384 With RSA Encryption"
echo "PKCS #1 SHA-384 With RSA Encryption" > expected
# signing algorithm should be "PKCS #1 SHA-512 With RSA Encryption"
echo "PKCS #1 SHA-512 With RSA Encryption" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# inspect cert with openssl
docker exec pki openssl x509 -text -noout -in /root/.dogtag/pki-tomcat/ca_admin.cert | tee output
# signing algorithm should be "sha384WithRSAEncryption"
echo "sha384WithRSAEncryption" > expected
# signing algorithm should be "sha512WithRSAEncryption"
echo "sha512WithRSAEncryption" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
@@ -251,16 +251,16 @@ jobs:
# inspect cert with certutil
docker exec pki certutil -L -d /root/.dogtag/nssdb -n sslserver | tee output
# signing algorithm should be "PKCS #1 SHA-384 With RSA Encryption"
echo "PKCS #1 SHA-384 With RSA Encryption" > expected
# signing algorithm should be "PKCS #1 SHA-512 With RSA Encryption"
echo "PKCS #1 SHA-512 With RSA Encryption" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# inspect cert with openssl
docker exec pki openssl x509 -text -noout -in sslserver.crt | tee output
# signing algorithm should be "sha384WithRSAEncryption"
echo "sha384WithRSAEncryption" > expected
# signing algorithm should be "sha512WithRSAEncryption"
echo "sha512WithRSAEncryption" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual