RHCS-4630 (part 2) Add SHA-2 support to Server-side Keygen

I'm adding support of SHA-2 to Server-Side keygen. Since there was a recent ticket in similar area, it could sort of be considered relating to it. Adds SHA-2 support to https://bugzilla.redhat.com/show_bug.cgi?id=2246422
ladycfu · Nov 28, 2023 · c4e38ab · c4e38ab
1 parent 22a1d0f
commit c4e38ab
Showing 1 changed file with 21 additions and 2 deletions.
diff --git a/base/ca/src/main/java/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/ca/src/main/java/com/netscape/cms/profile/common/CAEnrollProfile.java
@@ -329,13 +329,32 @@ public void execute(IRequest request)
                 // fake key replaced;
                 // need to compute/replace SKI as well if present
 
-                Extension ext = CertUtils.getExtension(PKIXExtensions.SubjectKey_Id.toString(), info);
+                 SubjectKeyIdentifierExtension ext = (SubjectKeyIdentifierExtension) CertUtils.getExtension(PKIXExtensions.SubjectKey_Id.toString(), info);
                 if (ext != null) {
                     logger.debug(method + "found SubjectKey_Id extension");
+                    KeyIdentifier old_ski = (KeyIdentifier) ext.get(SubjectKeyIdentifierExtension.KEY_ID);
+                    byte[] old_ski_val = old_ski.getIdentifier();
+                    int old_ski_len = old_ski_val.length;
+
+                    // determine message digest algorithm:
+                    // the "old_ski" was generated based on the profile
+                    // so we could use it's length to determine the size
+                    // of the new hash
+                    String messageDigest = "SHA-1"; // default; len==20
+                    if (old_ski_len == 32) {
+                        messageDigest = "SHA-256";
+                    } else if (old_ski_len == 48) {
+                        messageDigest = "SHA-384";
+                    } else if (old_ski_len == 64) {
+                        messageDigest = "SHA-512";
+                    }
+                    logger.debug(method + "ServerSideKeygen message digest alg == " + messageDigest);
                     // compute keyId
                     X509Key realkey = (X509Key)
                             certKey.get(CertificateX509Key.KEY);
-                    byte[] hash = CryptoUtil.generateKeyIdentifier(realkey.getKey());
+                    byte[] hash = CryptoUtil.generateKeyIdentifier(realkey.getKey(), messageDigest);
+                    int new_ski_len = hash.length;
+                    logger.debug(method + "ServerSideKeygen hash len = " + new_ski_len);
                     KeyIdentifier id = new KeyIdentifier(hash);
                     SubjectKeyIdentifierExtension skiExt =
                             new SubjectKeyIdentifierExtension(id.getIdentifier());