RFE: CMC ECC

[pki-bot]

This issue was migrated from Pagure Issue #362. Originally filed by cfu (@cfu) on 2012-10-08 21:14:02:

• Closed as Fixed
• Assigned to cfu (@cfu)

---

Currently, all the CMC tools as well as the CA CMC enrollment do not support ECC.
This task encompass all necessary changes to allow the CMC tools and the server CMC-handing to work with ECC.

[pki-bot]

Comment from cfu (@cfu) at 2012-12-19 05:31:48

also added support for CMC revocation in CMCRequest as well as op flags in ECC key gen
CMC-ECC-forReview1.diff2

[pki-bot]

Comment from cfu (@cfu) at 2012-12-19 05:33:40

also added support for CMC revocation in CMCRequest as well as op flags in ECC key gen
CMC-ECC-forReview1.diff

[pki-bot]

Comment from cfu (@cfu) at 2012-12-19 06:02:41

The usages and examples for how to test each tool modified to work with CMC/ECC are to follow.

=============

PKCS10Client new usage:

Usage: PKCS10Client -d -h -p -a <algorithm: 'rsa' or 'ec'> -l -c -o -n

Optionally, for ECC key generation per definition in JSS pkcs11.PK11KeyPairGenerator:

-t <1 for temporary(session); 0 for permanent(token); default is 0>

-s <1 for sensitive; 0 for non-sensitive; -1 temporaryPairMode dependent; default is -1>

-e <1 for extractable; 0 for non-extractable; -1 token dependent; default is -1>

Also optional for ECC key generation:

-x <ture for SSL cert that does ECDH ECDSA; false otherwise; default false>

available ECC curve names (if provided by the crypto module): nistp256 (secp256r1),nistp384 (secp384r1),nistp521 (secp521r1),nistk163 (sect163k1),sect163r1,nistb163 (sect163r2),sect193r1,sect193r2,nistk233 (sect233k1),nistb233 (sect233r1),sect239k1,nistk283 (sect283k1),nistb283 (sect283r1),nistk409 (sect409k1),nistb409 (sect409r1),nistk571 (sect571k1),nistb571 (sect571r1),secp160k1,secp160r1,secp160r2,secp192k1,nistp192 (secp192r1, prime192v1),secp224k1,nistp224 (secp224r1),secp256k1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2

Example 1 shows how to generate an EC PKCS10 request then turn into a CMC request then submit to CA for issuance in different ways:

• generate a EC PKCS10 request:
• set up certicom token
• PKCS10Client -p mypasswd -d . -o DemoECpkcs10.b64 -n "CN=cfu DemoECpkcs10" -a ec -c nistp256 -t true -h "Certicom FIPS Cert/Key Services"
• create a CMC request config file (see next attachment: Demo_cmc_ECpkcs10.cfg)
• CMCRequest Demo_cmc_ECpkcs10.cfg
• careate a HttpClient config file (see next attchment: DemoHttpClient.cfg)
• set environment variable to do SSL with ECC certs:
  export NSS_USE_DECODED_CKA_EC_POINT=1
• submit request:
  HttpClient DemoHttpClient.cfg
• see CMC response:
  CMCResponse DemoECpkcs10.cmc.response

alternative, instead of HttpClient, you can copy the CMC request and paste it into EE page CMC profile:
Signed CMC-Authenticated User Certificate Enrollment

[pki-bot]

Comment from cfu (@cfu) at 2012-12-19 06:08:08

CMCRequest config file example for CMC EC PKCS10 request
Demo_cmc_ECpkcs10.cfg

[pki-bot]

Comment from cfu (@cfu) at 2012-12-19 06:09:44

HttpClient config file example to submit the CMC EC PKCS10 request from previous PKCS10Client and CMCRequest example
DemoHttpClient.cfg

[pki-bot]

Comment from cfu (@cfu) at 2012-12-19 06:23:10

CRMFPopClient new usage:

CRMF Proof Of Possession Utility....

Usage: CRMFPopClient -d -p -h -o -n -a <algorithm: 'rsa' or 'ec'> -l -c -m hostname:port -f <profile name; rsa default caEncUserCert; ec default caEncECUserCert> -u -r -q <POP_NONE, POP_SUCCESS, or POP_FAIL; default POP_SUCCESS>

Optionally, for ECC key generation per definition in JSS pkcs11.PK11KeyPairGenerator:

-t <1 for temporary(session); 0 for permanent(token); default is true>

-s <1 for sensitive; 0 for non-sensitive; -1 temporaryPairMode dependent; default is -1>

-e <1 for extractable; 0 for non-extractable; -1 token dependent; default is -1>

Also optional for ECC key generation:

-x <ture for SSL cert that does ECDH ECDSA; false otherwise; default false>

note: '-x true' can only be used with POP_NONE
available ECC curve names (if provided by the crypto module): nistp256 (secp256r1),nistp384 (secp384r1),nistp521 (secp521r1),nistk163 (sect163k1),sect163r1,nistb163 (sect163r2),sect193r1,sect193r2,nistk233 (sect233k1),nistb233 (sect233r1),sect239k1,nistk283 (sect283k1),nistb283 (sect283r1),nistk409 (sect409k1),nistb409 (sect409r1),nistk571 (sect571k1),nistb571 (sect571r1),secp160k1,secp160r1,secp160r2,secp192k1,nistp192 (secp192r1, prime192v1),secp224k1,nistp224 (secp224r1),secp256k1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2

IMPORTANT: The file "transport.txt" needs to be created to contain the
transport certificate in its base64 encoded format. This
file should consist of one line containing a single certificate
in base64 encoded format with the header and footer removed.

Example on how to run CRMFPopClient to generate an EC CRMF request and use CMCRequest to turn it into a CMC CRMF EC request:

• import a CA agent's pkcs12 into the ECC-capable token (I forgot to mention this in example 1)
• CRMFPopClient -d . -p myTokenPassword -h NHSM6000-OCS -o DemoECCRMF.b64 -n "cn=cfu DemoECCRMF" -a ec -c nistp256 -m myhost.example.com:9180 -u cfu -r cfu -t true -s -1 -e -1 -x false -q POP_SUCCESS

(NOTE: due to certicom private key issue, key archival can only work with conforming tokens such as nethsm; The example provided and in my own developer's test environment, I use nethsm)

• create a CMCRequest config file (see attachment: Demo_cmc_ECCRMF.cfg)
• CMCRequest Demo_cmc_ECCRMF.cfg
• create a HttpClient config file (see attachment: DemoHttpClient_CRMF.cfg)
• before running HttpClient, attach certicom token to allow SSL with ECC keys
• HttpClient DemoHttpClient_CRMF.cfg
• go to CA and see that the cert has been issued
• or use CMCResponse to check the response:
  CMCResponse DemoECCRMF.cmc
• become a DRM agent and see that the key has been archived;

Alternative, instead of HttpClient, you can also paste the CMC request into EE page CMC enrollment profile:
Signed CMC-Authenticated User Certificate Enrollment

[pki-bot]

Comment from cfu (@cfu) at 2012-12-19 06:25:29

CMCRequest config file example for CMC EC CRMF request
Demo_cmc_ECCRMF.cfg

[pki-bot]

Comment from cfu (@cfu) at 2012-12-19 06:26:09

HttpClient config file example to submit the CMC EC CRMF request from previous CRMFPopClient and CMCRequest example
DemoHttpClient_CRMF.cfg

[pki-bot]

Comment from cfu (@cfu) at 2012-12-19 06:28:36

CMCRevoke's new usage:

Usage: CMCRevoke -d<dir to cert8.db, key3.db> -n -i -s -m -p -h -c

Example:
CMCRevoke -d. -n"cfu pkcs10nfast admin pki-ca-ecc-08202012 2" -i"CN=Certificate Authority,OU=pki-ca-ecc-08202012,O=DsdevSjcRedhat Domain ecc 08202012" -s130 -m2 -pxxxxx -hNHSM6000-OCS -ctestcomment

[pki-bot]

Comment from cfu (@cfu) at 2012-12-19 06:32:38

Example on how to use CMCRequest's support for CMC revocation (though CMCRevoke tool as shown above provides similar support):

CMCRequest Demo_cmc_ECpkcs10Revoke.cfg

see the following attachment: Demo_cmc_ECpkcs10Revoke.cfg

[pki-bot]

Comment from cfu (@cfu) at 2012-12-19 06:33:16

CMCRequest config file example for CMC revocation request
Demo_cmc_ECpkcs10Revoke.cfg

[pki-bot]

Comment from cfu (@cfu) at 2013-01-09 20:33:59

for 2nd review
CMC-ECC-forReview2.diff

[pki-bot]

Comment from cfu (@cfu) at 2013-01-10 04:57:59

checked into PKI_8_1_ERRATA_BRANCH:
Author: cfu
Date: 2013-01-10 02:39:49 +0000 (Thu, 10 Jan 2013)
New Revision: 2512

Modified:
branches/PKI_8_1_ERRATA_BRANCH/pki/base/ca/shared/profiles/ca/caCMCUserCert.cfg
branches/PKI_8_1_ERRATA_BRANCH/pki/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg
branches/PKI_8_1_ERRATA_BRANCH/pki/base/ca/shared/profiles/ca/caOtherCert.cfg
branches/PKI_8_1_ERRATA_BRANCH/pki/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
branches/PKI_8_1_ERRATA_BRANCH/pki/base/common/src/com/netscape/cms/authentication/CMCAuth.java
branches/PKI_8_1_ERRATA_BRANCH/pki/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java
branches/PKI_8_1_ERRATA_BRANCH/pki/base/common/src/com/netscape/cms/profile/input/CMCCertReqInput.java
branches/PKI_8_1_ERRATA_BRANCH/pki/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
branches/PKI_8_1_ERRATA_BRANCH/pki/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java
branches/PKI_8_1_ERRATA_BRANCH/pki/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
branches/PKI_8_1_ERRATA_BRANCH/pki/base/java-tools/src/com/netscape/cmstools/HttpClient.java
branches/PKI_8_1_ERRATA_BRANCH/pki/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java
branches/PKI_8_1_ERRATA_BRANCH/pki/base/util/src/netscape/security/pkcs/PKCS10.java
branches/PKI_8_1_ERRATA_BRANCH/pki/base/util/src/netscape/security/x509/X509CRLImpl.java

[pki-bot]

Comment from cfu (@cfu) at 2013-01-10 04:58:41

checked into PKI_8_BRANCH:
Author: cfu
Date: 2013-01-10 02:53:00 +0000 (Thu, 10 Jan 2013)
New Revision: 2513

Modified:
branches/PKI_8_BRANCH/pki/base/ca/shared/profiles/ca/caCMCUserCert.cfg
branches/PKI_8_BRANCH/pki/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg
branches/PKI_8_BRANCH/pki/base/ca/shared/profiles/ca/caOtherCert.cfg
branches/PKI_8_BRANCH/pki/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
branches/PKI_8_BRANCH/pki/base/common/src/com/netscape/cms/authentication/CMCAuth.java
branches/PKI_8_BRANCH/pki/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java
branches/PKI_8_BRANCH/pki/base/common/src/com/netscape/cms/profile/input/CMCCertReqInput.java
branches/PKI_8_BRANCH/pki/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
branches/PKI_8_BRANCH/pki/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java
branches/PKI_8_BRANCH/pki/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
branches/PKI_8_BRANCH/pki/base/java-tools/src/com/netscape/cmstools/HttpClient.java
branches/PKI_8_BRANCH/pki/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java
branches/PKI_8_BRANCH/pki/base/util/src/netscape/security/pkcs/PKCS10.java
branches/PKI_8_BRANCH/pki/base/util/src/netscape/security/x509/X509CRLImpl.java

[pki-bot]

Comment from cfu (@cfu) at 2013-01-10 21:00:50

checked into DOGTAG_9_BRANCH:

• 93e6bfc

[pki-bot]

Comment from cfu (@cfu) at 2013-01-16 02:07:51

checked into master

• 98037df

[pki-bot]

Comment from cfu (@cfu) at 2013-01-25 02:31:29

Here is one example steps on how to put cert/keys info HSM to be used as an agent cert for the tools above when needed:

1. generate csr:

PKCS10Client -p redhat123 -d . -o pkcs10nfast3.csr -n "CN=Christina Fu nfast 3" -a ec -c nistp256 -t false -h "NHSM6000-OCS"

PKCS10Client: token NHSM6000-OCS logged in...
CryptoUtil: generateECCKeyPair: curve = nistp256
CryptoUtil: generateECCKeyPair: after KeyPairGenerator initialize with:nistp256
PKCS10Client: key pair generated.
PKCS10Client: pair.getPublic() called.
PKCS10Client: CertificationRequestInfo() created.
PKCS10Client: token is: NHSM6000-OCS
PKCS10Client: calling CryptoUtil.createCertificationRequest
PKCS10Client: created cert request
PKCS10Client: cert request not null
-----BEGIN NEW CERTIFICATE REQUEST-----
MIHcMIGBAgEAMB8xHTAbBgNVBAMTFENocmlzdGluYSBGdSBuZmFzdCAzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvnUnL0tKylr/fGlYeaFofhUCcl/R2+kKMnFJym7Tp79J789mv8MlBEaNZ5bTdh+3eQ/U5PXvUAqmjCpQN8cbzqAAMAwGCCqGSM49BAMCBQADSAAwRQIhALcVh0PsWfOWJ8sUZU0RHAaX77vjFCj7hJO2GJIInOBWAiBBnXoGKwv3yFpZLgmcfVn8K/vErgdZSsRTXgBjtW8+pQ==
-----END NEW CERTIFICATE REQUEST-----
PKCS10Client: done. Request written to file: pkcs10nfast3.csr
2. go to ca ee , use "other" profile
3. go to agent to approve
4. copy the b64 cert into a file.. in my example for below: pkcs10nfast3.cert.txt
5. import it:
certutil -d . -h NHSM6000-OCS -A -t "u,u,u" -n "cfu pkcs10nfast3" -a -i pkcs10nfast3.cert.txt
6. see it:
certutil -d . -h NHSM6000-OCS -n "NHSM6000-OCS:cfu pkcs10nfast3" -L
Enter Password or Pin for "NHSM6000-OCS":
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 196 (0xc4)
Signature Algorithm: X9.62 ECDSA signature with SHA256
Issuer: "CN=Certificate Authority,OU=pki-ca-ecc-08202012,O=DsdevSjcRe
dhat Domain ecc 08202012"
Validity:
Not Before: Fri Jan 25 00:08:03 2013
Not After : Thu Jan 15 00:08:03 2015
Subject: "CN=Christina Fu nfast 3"
Subject Public Key Info:
Public Key Algorithm: X9.62 elliptic curve public key
Args:
06:08:2a:86:48:ce:3d:03:01:07
EC Public Key:
PublicValue:
04:be:75:27:2f:4b:4a:ca:5a:ff:7c:69:58:79:a1:68:
7e:15:02:72:5f:d1:db:e9:0a:32:71:49:ca:6e:d3:a7:
bf:49:ef:cf:66:bf:c3:25:04:46:8d:67:96:d3:76:1f:
b7:79:0f:d4:e4:f5:ef:50:0a:a6:8c:2a:50:37:c7:1b:
ce
Curve: ANSI X9.62 elliptic curve prime256v1 (aka secp256r1, NIST P-256)
Signed Extensions:
Name: Certificate Authority Key Identifier
Key ID:
f7:b4:1a:ff:02:f1:56:8a:5a:41:a7:22:c0:24:e9:de:
b0:f3:8e:fe

        Name: Authority Information Access
        Method: PKIX Online Certificate Status Protocol
        Location:
            URI: "http://glyph.dsdev.sjc.redhat.com:9180/ca/ocsp"

        Name: Certificate Key Usage
        Critical: True
        Usages: Digital Signature
                Non-Repudiation
                Key Encipherment
                Data Encipherment

        Name: Extended Key Usage
            TLS Web Server Authentication Certificate
            TLS Web Client Authentication Certificate

Signature Algorithm: X9.62 ECDSA signature with SHA256
Signature:
    30:44:02:20:49:f8:8d:7e:bd:48:3d:72:0f:b2:60:14:
    47:24:f9:3b:9c:ba:a3:9f:8a:dc:66:b9:40:77:14:80:
    7b:99:44:b8:02:20:1e:23:dc:86:df:49:96:55:a5:a4:
    a5:13:75:c7:66:0f:75:5b:df:d1:29:86:df:2c:7c:fe:
    d4:30:13:9c:86:5b
Fingerprint (MD5):
    BF:A9:FC:6F:FA:07:9A:1A:8F:EA:7C:2B:46:A7:68:C2
Fingerprint (SHA1):
    8A:E7:89:C2:2D:6F:1C:1A:5A:B7:B1:EA:40:C2:EA:5E:32:69:58:D7

Certificate Trust Flags:
    SSL Flags:
        User
    Email Flags:
        User
    Object Signing Flags:
        User

7. now you can just add the b64 to the new admin user via pkiconsole

[pki-bot]

Comment from cfu (@cfu) at 2017-02-27 14:12:11

Metadata Update from @cfu:

• Issue assigned to cfu
• Issue set to the milestone: ECC Effort