- Support PKCS11 EC client certs in PKINIT Resolves: RHEL-74373 - kdb5_util: fix DB entry flags on modification Resolves: RHEL-56058 - Add ECDH support for PKINIT (RFC5349) Resolves: RHEL-71881 Signed-off-by: Julien Rische <jrische@redhat.com>
From dd015d2336fac235cb46943180949926ac91956c Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Wed, 21 Jun 2023 18:27:11 +0200
Subject: [PATCH] Add ecdsa-with-sha512/256 to supportedCMSTypes
Elliptic curve certificates are already supported for PKINIT
pre-authentication, but their associated signature types aren't
advertized. Add ecdsa-with-sha512 and ecdsa-with-sha256 OIDs to the
supportedCMSTypes list sent by the client.
[ghudson@mit.edu: edited commit message]
ticket: 9100 (new)
(cherry picked from commit 9913e5c92c4e5cb76d6ae58386f744766d2e6454)
---
src/plugins/preauth/pkinit/pkinit_constants.c | 38 +++++++++++++++++++
1 file changed, 38 insertions(+)
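diff --git a/src/plugins/preauth/pkinit/pkinit_constants.c b/src/plugins/preauth/pkinit/pkinit_constants.c
index 10f8688ec2..905e90d29c 100644
--- a/src/plugins/preauth/pkinit/pkinit_constants.c
+++ b/src/plugins/preauth/pkinit/pkinit_constants.c
@@ -64,14 +64,52 @@ static char sha512WithRSAEncr_oid[9] = {
     0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0d
 };
 
+/* RFC 3279 ecdsa-with-SHA1: iso(1) member-body(2) us(840) ansi-X9-62(10045)
+ * signatures(4) 1 */
+static char ecdsaWithSha1_oid[] = {
+    0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x01
+};
+
+/* RFC 5758 ecdsa-with-SHA256: iso(1) member-body(2) us(840) ansi-X9-62(10045)
+ * signatures(4) ecdsa-with-SHA2(3) 2 */
+static char ecdsaWithSha256_oid[] = {
+    0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02
+};
+
+/* RFC 5758 ecdsa-with-SHA384: iso(1) member-body(2) us(840) ansi-X9-62(10045)
+ * signatures(4) ecdsa-with-SHA2(3) 3 */
+static char ecdsaWithSha384_oid[] = {
+    0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x03
+};
+
+/* RFC 5758 ecdsa-with-SHA512: iso(1) member-body(2) us(840) ansi-X9-62(10045)
+ * signatures(4) ecdsa-with-SHA2(3) 4 */
+static char ecdsaWithSha512_oid[] = {
+    0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04
+};
+
 const krb5_data sha256WithRSAEncr_id = {
     KV5M_DATA, sizeof(sha256WithRSAEncr_oid), sha256WithRSAEncr_oid
 };
 const krb5_data sha512WithRSAEncr_id = {
     KV5M_DATA, sizeof(sha512WithRSAEncr_oid), sha512WithRSAEncr_oid
 };
+const krb5_data ecdsaWithSha1_id = {
+    KV5M_DATA, sizeof(ecdsaWithSha1_oid), ecdsaWithSha1_oid
+};
+const krb5_data ecdsaWithSha256_id = {
+    KV5M_DATA, sizeof(ecdsaWithSha256_oid), ecdsaWithSha256_oid
+};
+const krb5_data ecdsaWithSha384_id = {
+    KV5M_DATA, sizeof(ecdsaWithSha384_oid), ecdsaWithSha384_oid
+};
+const krb5_data ecdsaWithSha512_id = {
+    KV5M_DATA, sizeof(ecdsaWithSha512_oid), ecdsaWithSha512_oid
+};
 
 krb5_data const * const supported_cms_algs[] = {
+    &ecdsaWithSha512_id,
+    &ecdsaWithSha256_id,
     &sha512WithRSAEncr_id,
     &sha256WithRSAEncr_id,
     NULL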
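Review bot: `ecdsaWithSha1_id` and `ecdsaWithSha384_id` are defined and exported by the hunk, but only the SHA-512 and SHA-256 identifiers are appended to `supported_cms_algs`, and no comment says whether that is deliberate, so a later maintainer could "complete" the list and start advertising ecdsa-with-SHA1. A comment above the array such as `/* Advertised in preference order.  ecdsa-with-SHA1 and -SHA384 are declared but intentionally not offered, mirroring the RSA entries (256/512 only). */` would pin the intent. This presumes the unadvertised identifiers are consumed elsewhere, e.g. when matching an algorithm chosen by the peer; that use is outside this hunk. The `supported_cms_algs` initializer continues past the hunk, its closing brace is not shown.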
--
2.47.1