
Commit cc7126e

committed
Added new KeyConstraint parameters to profile configuration files
Allowed key types and strengths are now enabled or disabled using params.allowedKeys.<alg>.<strength>=true/false. params.keyParameters is still accepted for backward compatibility but is considered deprecated; mixing keyParameters and allowedKeys in the same constraint will result in an error. Includes an upgrade script. Assisted by Cursor
1 parent dd68d59 commit cc7126e

94 files changed

Lines changed: 974 additions & 125 deletions


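--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,6 @@ base/tools/test/PKICertImport/dbs
 target/
 .flattened-pom.xml
 *.versionsBackup
+.configs
+.vscode
+.cursor/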

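--- a/base/ca/shared/profiles/ca/AdminCert.cfg
+++ b/base/ca/shared/profiles/ca/AdminCert.cfg
@@ -31,7 +31,10 @@ policyset.adminCertSet.2.default.params.startTime=0
 policyset.adminCertSet.3.constraint.class_id=keyConstraintImpl
 policyset.adminCertSet.3.constraint.name=Key Constraint
 policyset.adminCertSet.3.constraint.params.keyType=RSA
-policyset.adminCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.adminCertSet.3.constraint.params.allowedKeys.RSA.1024=true
+policyset.adminCertSet.3.constraint.params.allowedKeys.RSA.2048=true
+policyset.adminCertSet.3.constraint.params.allowedKeys.RSA.3072=true
+policyset.adminCertSet.3.constraint.params.allowedKeys.RSA.4096=true
 policyset.adminCertSet.3.default.class_id=userKeyDefaultImpl
 policyset.adminCertSet.3.default.name=Key Default
 policyset.adminCertSet.4.constraint.class_id=noConstraintImpl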
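Review bot: The migrated constraint still permits 1024-bit RSA (`policyset.adminCertSet.3.constraint.params.allowedKeys.RSA.1024=true`), a size well below the 2048-bit floor expected for new certificates and one that `acmeServerCert.cfg` in this same commit already leaves out. Because the new format makes every permitted strength explicit, this is the natural moment to change that entry to `policyset.adminCertSet.3.constraint.params.allowedKeys.RSA.1024=false` instead of carrying the weak size forward. If the migration is meant to be strictly behaviour-preserving, a comment in the profile saying so would keep the next reader from taking 1024 as an endorsed choice. Since the upgrade script presumably rewrites deployed profiles the same way, disabling 1024 here is a policy change that should be made deliberately rather than by accident.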

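--- a/base/ca/shared/profiles/ca/ECAdminCert.cfg
+++ b/base/ca/shared/profiles/ca/ECAdminCert.cfg
@@ -31,7 +31,9 @@ policyset.adminCertSet.2.default.params.startTime=0
 policyset.adminCertSet.3.constraint.class_id=keyConstraintImpl
 policyset.adminCertSet.3.constraint.name=Key Constraint
 policyset.adminCertSet.3.constraint.params.keyType=-
-policyset.adminCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
+policyset.adminCertSet.3.constraint.params.allowedKeys.EC.nistp256=true
+policyset.adminCertSet.3.constraint.params.allowedKeys.EC.nistp384=true
+policyset.adminCertSet.3.constraint.params.allowedKeys.EC.nistp521=true
 policyset.adminCertSet.3.default.class_id=userKeyDefaultImpl
 policyset.adminCertSet.3.default.name=Key Default
 policyset.adminCertSet.4.constraint.class_id=noConstraintImpl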
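Review bot: With the allowed keys now spelled out per algorithm (`allowedKeys.EC.nistp256` and so on), the retained `policyset.adminCertSet.3.constraint.params.keyType=-` no longer carries information the constraint needs, and the hunk does not show whether keyConstraintImpl still consults it or what happens when an RSA key arrives with keyType `-` and no `allowedKeys.RSA.*` entry. Either the upgrade should drop the line, or the precedence should be recorded in the profile with a comment such as `# keyType is ignored when allowedKeys.* is present; only the listed algorithm/strength pairs are accepted` — assuming that is in fact how the implementation resolves the two. A reader of this file alone cannot tell, which is the point to fix.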

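--- a/base/ca/shared/profiles/ca/acmeServerCert.cfg
+++ b/base/ca/shared/profiles/ca/acmeServerCert.cfg
@@ -96,7 +96,9 @@ policyset.serverCertSet.9.default.name=SAN to CN Default
 policyset.serverCertSet.10.constraint.class_id=keyConstraintImpl
 policyset.serverCertSet.10.constraint.name=Key Constraint
 policyset.serverCertSet.10.constraint.params.keyType=RSA
-policyset.serverCertSet.10.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.10.constraint.params.allowedKeys.RSA.2048=true
+policyset.serverCertSet.10.constraint.params.allowedKeys.RSA.3072=true
+policyset.serverCertSet.10.constraint.params.allowedKeys.RSA.4096=true
 policyset.serverCertSet.10.default.class_id=userKeyDefaultImpl
 policyset.serverCertSet.10.default.name=Key Default
 policyset.serverCertSet.11.constraint.class_id=noConstraintImpl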

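--- a/base/ca/shared/profiles/ca/caAdminCert.cfg
+++ b/base/ca/shared/profiles/ca/caAdminCert.cfg
@@ -32,7 +32,10 @@ policyset.adminCertSet.2.default.params.startTime=0
 policyset.adminCertSet.3.constraint.class_id=keyConstraintImpl
 policyset.adminCertSet.3.constraint.name=Key Constraint
 policyset.adminCertSet.3.constraint.params.keyType=RSA
-policyset.adminCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.adminCertSet.3.constraint.params.allowedKeys.RSA.1024=true
+policyset.adminCertSet.3.constraint.params.allowedKeys.RSA.2048=true
+policyset.adminCertSet.3.constraint.params.allowedKeys.RSA.3072=true
+policyset.adminCertSet.3.constraint.params.allowedKeys.RSA.4096=true
 policyset.adminCertSet.3.default.class_id=userKeyDefaultImpl
 policyset.adminCertSet.3.default.name=Key Default
 policyset.adminCertSet.4.constraint.class_id=noConstraintImpl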

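--- a/base/ca/shared/profiles/ca/caAgentFileSigning.cfg
+++ b/base/ca/shared/profiles/ca/caAgentFileSigning.cfg
@@ -31,7 +31,10 @@ policyset.serverCertSet.2.default.params.startTime=0
 policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
 policyset.serverCertSet.3.constraint.name=Key Constraint
 policyset.serverCertSet.3.constraint.params.keyType=RSA
-policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.serverCertSet.3.constraint.params.allowedKeys.RSA.1024=true
+policyset.serverCertSet.3.constraint.params.allowedKeys.RSA.2048=true
+policyset.serverCertSet.3.constraint.params.allowedKeys.RSA.3072=true
+policyset.serverCertSet.3.constraint.params.allowedKeys.RSA.4096=true
 policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
 policyset.serverCertSet.3.default.name=Key Default
 policyset.serverCertSet.4.constraint.class_id=noConstraintImpl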

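--- a/base/ca/shared/profiles/ca/caAgentServerCert.cfg
+++ b/base/ca/shared/profiles/ca/caAgentServerCert.cfg
@@ -30,7 +30,10 @@ policyset.serverCertSet.2.default.params.startTime=0
 policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
 policyset.serverCertSet.3.constraint.name=Key Constraint
 policyset.serverCertSet.3.constraint.params.keyType=RSA
-policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.serverCertSet.3.constraint.params.allowedKeys.RSA.1024=true
+policyset.serverCertSet.3.constraint.params.allowedKeys.RSA.2048=true
+policyset.serverCertSet.3.constraint.params.allowedKeys.RSA.3072=true
+policyset.serverCertSet.3.constraint.params.allowedKeys.RSA.4096=true
 policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
 policyset.serverCertSet.3.default.name=Key Default
 policyset.serverCertSet.4.constraint.class_id=noConstraintImpl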
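Review bot: This is a TLS server-certificate profile and it keeps `policyset.serverCertSet.3.constraint.params.allowedKeys.RSA.1024=true`, while the ACME server profile in the same commit lists only 2048, 3072 and 4096. Current TLS client stacks generally refuse 1024-bit RSA server keys, so a certificate issued under this entry would most likely be rejected by the peers it is meant for. Aligning with `acmeServerCert.cfg` by setting that entry to `false`, or omitting it, looks like the better default for a fresh install; if it must stay for legacy agents, a comment saying which ones would justify it.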

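--- a/base/ca/shared/profiles/ca/caAuditSigningCert.cfg
+++ b/base/ca/shared/profiles/ca/caAuditSigningCert.cfg
@@ -31,7 +31,12 @@ policyset.auditSigningCertSet.2.default.params.startTime=0
 policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl
 policyset.auditSigningCertSet.3.constraint.name=Key Constraint
 policyset.auditSigningCertSet.3.constraint.params.keyType=-
-policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
+policyset.auditSigningCertSet.3.constraint.params.allowedKeys.RSA.1024=true
+policyset.auditSigningCertSet.3.constraint.params.allowedKeys.RSA.2048=true
+policyset.auditSigningCertSet.3.constraint.params.allowedKeys.RSA.3072=true
+policyset.auditSigningCertSet.3.constraint.params.allowedKeys.RSA.4096=true
+policyset.auditSigningCertSet.3.constraint.params.allowedKeys.EC.nistp256=true
+policyset.auditSigningCertSet.3.constraint.params.allowedKeys.EC.nistp521=true
 policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl
 policyset.auditSigningCertSet.3.default.name=Key Default
 policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl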
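Review bot: The audit signing profile keeps `policyset.auditSigningCertSet.3.constraint.params.allowedKeys.RSA.1024=true`; audit log signatures are the integrity anchor for the CA's own records, so accepting a 1024-bit signing key here is harder to justify than in a user profile, and a reviewer would expect that entry to become `false` or be dropped. Separately, the EC list allows nistp256 and nistp521 but not nistp384, whereas `caCACert.cfg` in this commit allows all three; the old `keyParameters` line had the same gap, so the migration is faithful, but it is worth settling now whether it is deliberate. If it is, a short comment on the profile would keep the next maintainer from "fixing" it; if not, `policyset.auditSigningCertSet.3.constraint.params.allowedKeys.EC.nistp384=true` belongs here.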

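--- a/base/ca/shared/profiles/ca/caCACert.cfg
+++ b/base/ca/shared/profiles/ca/caCACert.cfg
@@ -30,7 +30,13 @@ policyset.caCertSet.2.default.params.startTime=0
 policyset.caCertSet.3.constraint.class_id=keyConstraintImpl
 policyset.caCertSet.3.constraint.name=Key Constraint
 policyset.caCertSet.3.constraint.params.keyType=-
-policyset.caCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
+policyset.caCertSet.3.constraint.params.allowedKeys.RSA.1024=true
+policyset.caCertSet.3.constraint.params.allowedKeys.RSA.2048=true
+policyset.caCertSet.3.constraint.params.allowedKeys.RSA.3072=true
+policyset.caCertSet.3.constraint.params.allowedKeys.RSA.4096=true
+policyset.caCertSet.3.constraint.params.allowedKeys.EC.nistp256=true
+policyset.caCertSet.3.constraint.params.allowedKeys.EC.nistp384=true
+policyset.caCertSet.3.constraint.params.allowedKeys.EC.nistp521=true
 policyset.caCertSet.3.default.class_id=userKeyDefaultImpl
 policyset.caCertSet.3.default.name=Key Default
 policyset.caCertSet.4.constraint.class_id=noConstraintImpl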
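Review bot: The CA certificate profile continues to accept 1024-bit RSA keys for subordinate CAs (`policyset.caCertSet.3.constraint.params.allowedKeys.RSA.1024=true`). A 1024-bit CA key is the weakest link for every certificate issued beneath it, and such CAs are widely distrusted by browser and TLS stacks, so of all the profiles in this commit this is the entry most worth flipping to `false` during the migration. If it has to remain for an existing deployment, annotate it in place with something like `# 1024-bit RSA retained only for legacy compatibility; disable in new deployments` so the choice is visible rather than inherited silently. The EC entries match ECAdminCert.cfg and look consistent.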

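--- a/base/ca/shared/profiles/ca/caCMCECUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg
@@ -30,7 +30,8 @@ policyset.cmcUserCertSet.2.default.params.startTime=0
 policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
 policyset.cmcUserCertSet.3.constraint.name=Key Constraint
 policyset.cmcUserCertSet.3.constraint.params.keyType=EC
-policyset.cmcUserCertSet.3.constraint.params.keyParameters=nistp256,nistp521
+policyset.cmcUserCertSet.3.constraint.params.allowedKeys.EC.nistp256=true
+policyset.cmcUserCertSet.3.constraint.params.allowedKeys.EC.nistp521=true
 policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
 policyset.cmcUserCertSet.3.default.name=Key Default
 policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl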
