From 5ea26b4a26f3d7f5e12ee74a0b08c19afea30059 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@ladycfu.redhat.com>
Date: Tue, 28 Nov 2023 18:35:20 -0500
Subject: [PATCH] RHCS-4630 (part 2) Add SHA-2 support to Server-side Keygen

I'm adding support of SHA-2 to Server-Side keygen.
Since there was a recent ticket in similar area,
it could sort of be considered relating to it.

Adds SHA-2 support to https://bugzilla.redhat.com/show_bug.cgi?id=2246422
---
 .../cms/profile/common/CAEnrollProfile.java   | 40 ++++++++++++++++++-
 1 file changed, 38 insertions(+), 2 deletions(-)

diff --git a/base/ca/src/main/java/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/ca/src/main/java/com/netscape/cms/profile/common/CAEnrollProfile.java
index ca6246a7c66..39fb01fd7db 100644
--- a/base/ca/src/main/java/com/netscape/cms/profile/common/CAEnrollProfile.java
+++ b/base/ca/src/main/java/com/netscape/cms/profile/common/CAEnrollProfile.java
@@ -329,13 +329,49 @@ public void execute(IRequest request)
                 // fake key replaced;
                 // need to compute/replace SKI as well if present
 
-                Extension ext = CertUtils.getExtension(PKIXExtensions.SubjectKey_Id.toString(), info);
+                SubjectKeyIdentifierExtension ext = (SubjectKeyIdentifierExtension) CertUtils.getExtension(PKIXExtensions.SubjectKey_Id.toString(), info);
                 if (ext != null) {
                     logger.debug(method + "found SubjectKey_Id extension");
+                    /*
+                     * determine message digest algorithm:
+                     * the "old_ski" was generated based on the profile
+                     * from the "fake key",
+                     * so we could use it's length to determine the size
+                     * of the new hash.
+                     *
+                     * Message digest can be controlled by the messageDigest
+                     * parameter in the subjectKeyIdentifier extension in a
+                     * profile. e.g.
+                     * policyset.caCertSet.8.default.params.messageDigest=SHA-256
+                     */
+                    String messageDigest = "SHA-1"; // default; len==20
+                    KeyIdentifier old_ski = null;
+                    try {
+                        old_ski = (KeyIdentifier) ext.get(SubjectKeyIdentifierExtension.KEY_ID);
+                    } catch (IOException e) {
+                        old_ski = null;
+                    }
+                    if (old_ski != null) { 
+                        byte[] old_ski_val = old_ski.getIdentifier();
+                        if (old_ski_val != null) {
+                            int old_ski_len = old_ski_val.length;
+
+                            if (old_ski_len == 32) {
+                                messageDigest = "SHA-256";
+                            } else if (old_ski_len == 48) {
+                                messageDigest = "SHA-384";
+                            } else if (old_ski_len == 64) {
+                                messageDigest = "SHA-512";
+                            }
+                        }
+                    }
+                    logger.debug(method + "ServerSideKeygen message digest alg == " + messageDigest);
                     // compute keyId
                     X509Key realkey = (X509Key)
                             certKey.get(CertificateX509Key.KEY);
-                    byte[] hash = CryptoUtil.generateKeyIdentifier(realkey.getKey());
+                    byte[] hash = CryptoUtil.generateKeyIdentifier(realkey.getKey(), messageDigest);
+                    int new_ski_len = hash.length;
+                    logger.debug(method + "ServerSideKeygen hash len = " + new_ski_len);
                     KeyIdentifier id = new KeyIdentifier(hash);
                     SubjectKeyIdentifierExtension skiExt =
                             new SubjectKeyIdentifierExtension(id.getIdentifier());