Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Need ECC-specific Enrollment Profiles for standard conformance #3068

Closed
pki-bot opened this issue Oct 3, 2020 · 9 comments
Closed

Need ECC-specific Enrollment Profiles for standard conformance #3068

pki-bot opened this issue Oct 3, 2020 · 9 comments
Labels
Closed: Fixed
Milestone
10.5.7

Comments

@pki-bot
Copy link

pki-bot commented Oct 3, 2020

This issue was migrated from Pagure Issue #2950. Originally filed by cfu (@cfu) on 2018-03-01 18:13:46:

Currently many of the enrollment profiles are shared between RSA and ECC certificates. As such the keyUsage extension is not conforming.

This task is to add needed ECC-specific enrollment profiles and make needed adjustments to existing ones for standard conformance.
@pki-bot pki-bot added this to the 10.5.7 milestone Oct 3, 2020
@pki-bot
Copy link
Author

pki-bot commented Oct 3, 2020

Comment from cfu (@cfu) at 2018-03-01 18:16:49

Metadata Update from @cfu:

  • Custom field component adjusted to None
  • Custom field feature adjusted to None
  • Custom field origin adjusted to None
  • Custom field proposedmilestone adjusted to None
  • Custom field proposedpriority adjusted to None
  • Custom field reviewer adjusted to None
  • Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1550739
  • Custom field type adjusted to None
  • Custom field version adjusted to None

@pki-bot pki-bot closed this as completed Oct 3, 2020
@pki-bot
Copy link
Author

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2018-03-01 19:04:15

Metadata Update from @mharmsen:

  • Issue set to the milestone: 10.5 (was: 10.6)

@pki-bot
Copy link
Author

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2018-03-06 14:35:16

Metadata Update from @mharmsen:

  • Issue assigned to cfu

@pki-bot
Copy link
Author

pki-bot commented Oct 3, 2020

Comment from cfu (@cfu) at 2018-03-12 18:04:25

commit 27cf99e
Author: Christina Fu cfu@redhat.com
Date: Wed Mar 7 14:56:44 2018 -0800

Ticket 2950 Need ECC-specific Enrollment Profiles for standard conformance

This patch adds ECC-specific enrollment profiles where the Key Usage Extension
bits for SSL server and client certificates are notably different per RFC 6960:

       new file:   base/ca/shared/conf/ECadminCert.profile
       new file:   base/ca/shared/conf/ECserverCert.profile
       new file:   base/ca/shared/conf/ECsubsystemCert.profile
       new file:   base/ca/shared/profiles/ca/ECAdminCert.cfg
       new file:   base/ca/shared/profiles/ca/caCMCECUserCert.cfg
       new file:   base/ca/shared/profiles/ca/caCMCECserverCert.cfg
       new file:   base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg
       new file:   base/ca/shared/profiles/ca/caECAdminCert.cfg
       new file:   base/ca/shared/profiles/ca/caECAgentServerCert.cfg
       new file:   base/ca/shared/profiles/ca/caECDirPinUserCert.cfg
       new file:   base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
       new file:   base/ca/shared/profiles/ca/caECInternalAuthSubsystemCert.cfg
       new file:   base/ca/shared/profiles/ca/caECServerCert.cfg
       new file:   base/ca/shared/profiles/ca/caECSubsystemCert.cfg
       new file:   base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
       new file:   base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
       new file:   base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
       new file:   base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg

In addition, some existing enrollment profiles are adjusted.
And while in there, signing algorithms with SHA1, MD2, and MD5 are removed

No attempt has been made for TPS enrollment profiles in this round.
No attempt has been made for adding ECDH-appropriate profile.

This patch addresses: https://pagure.io/dogtagpki/issue/2950

Change-Id: I26e7f9888372acbab4fbd185883427ef030d5e8d

@pki-bot
Copy link
Author

pki-bot commented Oct 3, 2020

Comment from cfu (@cfu) at 2018-03-12 18:04:26

Metadata Update from @cfu:

  • Issue close_status updated to: fixed
  • Issue set to the milestone: 10.5.7 (was: 10.5)
  • Issue status updated to: Closed (was: Open)

@pki-bot
Copy link
Author

pki-bot commented Oct 3, 2020

Comment from cfu (@cfu) at 2018-03-12 18:06:06

just for the record:
https://review.gerrithub.io/#/c/403217/

@pki-bot
Copy link
Author

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2018-03-28 21:24:41

Metadata Update from @mharmsen:

  • Issue priority set to: critical

@pki-bot
Copy link
Author

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2018-04-05 18:02:44

commit 9956821
Author: Christina Fu cfu@redhat.com
Date: Thu Mar 29 09:59:02 2018 -0700

quick fix on wrong keyType in profile

Change-Id: I0fa90ebb559e0fb8af123191f7bc7cdedbc55d87

@pki-bot
Copy link
Author

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2018-04-10 20:57:46

Metadata Update from @mharmsen:

  • Custom field fixedinversion adjusted to pki-core-10.5.7-2.fc27

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Closed: Fixed
Projects
None yet
Milestone
10.5.7
Development

No branches or pull requests
1 participant
@pki-bot