Does anyone know if all the fields you can specify in an OpenSSL config file are available in Cloudflare's CFSSL certificate authority toolkit? There are certain fields (such as default_md,
or specifying that countries must match) that appear to be missing from the options that CFSSL recognizes in its JSON config files (of which the following is an excerpt):
    // CAConstraint holds the CA-related constraints placed on a signed certificate.
    type CAConstraint struct {
        IsCA           bool `json:"is_ca"`
        MaxPathLen     int  `json:"max_path_len"`
        MaxPathLenZero bool `json:"max_path_len_zero"`
    }

    // A SigningProfile stores information that the CA needs to store
    // signature policy.
    type SigningProfile struct {
        Usage               []string     `json:"usages"`
        IssuerURL           []string     `json:"issuer_urls"`
        OCSP                string       `json:"ocsp_url"`
        CRL                 string       `json:"crl_url"`
        CAConstraint        CAConstraint `json:"ca_constraint"`
        OCSPNoCheck         bool         `json:"ocsp_no_check"`
        ExpiryString        string       `json:"expiry"`
        BackdateString      string       `json:"backdate"`
        AuthKeyName         string       `json:"auth_key"`
        RemoteName          string       `json:"remote"`
        NotBefore           time.Time    `json:"not_before"`
        NotAfter            time.Time    `json:"not_after"`
        NameWhitelistString string       `json:"name_whitelist"`
        AuthRemote          AuthRemote   `json:"auth_remote"`
        CTLogServers        []string     `json:"ct_log_servers"`
        AllowedExtensions   []OID        `json:"allowed_extensions"`
        CertStore           string       `json:"cert_store"`

        // Fields without JSON tags are derived when the config is loaded
        // (parsed durations, compiled whitelist, resolved providers), not read
        // from the JSON file.
        Policies                    []CertificatePolicy
        Expiry                      time.Duration
        Backdate                    time.Duration
        Provider                    auth.Provider
        RemoteProvider              auth.Provider
        RemoteServer                string
        RemoteCAs                   *x509.CertPool
        ClientCert                  *tls.Certificate
        CSRWhitelist                *CSRWhitelist
        NameWhitelist               *regexp.Regexp
        ExtensionWhitelist          map[string]bool
        ClientProvidesSerialNumbers bool
    }
Does CFSSL abstract away many of the OpenSSL configuration options or am I just not seeing where you can specify them?
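To show how the tagged fields above correspond to an actual CFSSL-style signing config, here is an added Go example (not code from the question or from the CFSSL project) that loads a constructed `signing` config, resolves the string fields into their derived forms (`expiry`/`backdate` into `time.Duration`, `name_whitelist` into a compiled regexp) and rejects a few common mistakes. The struct field names and JSON tags follow the excerpt in the question; the validation rules, the `knownUsages` set and the sample config are this example's own assumptions, not CFSSL's loader logic.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"time"
)

// sampleConfig is a constructed CFSSL-style signing config; the key names
// follow the JSON tags from the struct excerpt in the question.
const sampleConfig = `{
  "signing": {
    "default": {"usages": ["signing", "key encipherment"], "expiry": "8760h"},
    "profiles": {
      "server": {
        "usages": ["signing", "key encipherment", "server auth"],
        "expiry": "720h",
        "backdate": "5m",
        "name_whitelist": "^[a-z0-9-]+\\.example\\.com$",
        "ca_constraint": {"is_ca": false}
      },
      "intermediate": {
        "usages": ["cert sign", "crl sign"],
        "expiry": "43800h",
        "ca_constraint": {"is_ca": true, "max_path_len": 0, "max_path_len_zero": true}
      }
    }
  }
}`

// CAConstraint and Profile mirror the JSON tags shown in the question; the
// untagged fields are filled in by Resolve, not by the JSON decoder.
type CAConstraint struct {
	IsCA           bool `json:"is_ca"`
	MaxPathLen     int  `json:"max_path_len"`
	MaxPathLenZero bool `json:"max_path_len_zero"`
}

type Profile struct {
	Usages              []string     `json:"usages"`
	ExpiryString        string       `json:"expiry"`
	BackdateString      string       `json:"backdate"`
	NameWhitelistString string       `json:"name_whitelist"`
	CAConstraint        CAConstraint `json:"ca_constraint"`

	Expiry        time.Duration  `json:"-"`
	Backdate      time.Duration  `json:"-"`
	NameWhitelist *regexp.Regexp `json:"-"`
}

type Config struct {
	Signing struct {
		Default  *Profile            `json:"default"`
		Profiles map[string]*Profile `json:"profiles"`
	} `json:"signing"`
}

// knownUsages is the set of usage strings this example accepts (an assumed
// subset of the usage names CFSSL documents, not its authoritative list).
var knownUsages = map[string]bool{
	"signing": true, "digital signature": true, "key encipherment": true,
	"server auth": true, "client auth": true, "cert sign": true, "crl sign": true,
}

// Resolve validates one profile and fills in its derived fields.
func Resolve(name string, p *Profile) error {
	if len(p.Usages) == 0 {
		return fmt.Errorf("profile %q: no usages", name)
	}
	for _, u := range p.Usages {
		if !knownUsages[u] {
			return fmt.Errorf("profile %q: unknown usage %q", name, u)
		}
	}
	if p.ExpiryString == "" {
		return fmt.Errorf("profile %q: expiry is required", name)
	}
	var err error
	// time.ParseDuration accepts "h", "m", "s" units; "1y" or "30d" are rejected.
	if p.Expiry, err = time.ParseDuration(p.ExpiryString); err != nil {
		return fmt.Errorf("profile %q: bad expiry: %w", name, err)
	}
	if p.BackdateString != "" {
		if p.Backdate, err = time.ParseDuration(p.BackdateString); err != nil {
			return fmt.Errorf("profile %q: bad backdate: %w", name, err)
		}
	}
	if p.NameWhitelistString != "" {
		if p.NameWhitelist, err = regexp.Compile(p.NameWhitelistString); err != nil {
			return fmt.Errorf("profile %q: bad name_whitelist: %w", name, err)
		}
	}
	return nil
}

// LoadConfig decodes a config and resolves the default profile and every named profile.
func LoadConfig(data []byte) (*Config, error) {
	var cfg Config
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, err
	}
	if cfg.Signing.Default == nil {
		return nil, errors.New("signing.default is required")
	}
	if err := Resolve("default", cfg.Signing.Default); err != nil {
		return nil, err
	}
	for name, p := range cfg.Signing.Profiles {
		if err := Resolve(name, p); err != nil {
			return nil, err
		}
	}
	return &cfg, nil
}

// AllowsName reports whether a profile's name_whitelist admits a subject or
// SAN name; a profile without a whitelist admits every name.
func AllowsName(p *Profile, name string) bool {
	return p.NameWhitelist == nil || p.NameWhitelist.MatchString(name)
}

func main() {
	cfg, err := LoadConfig([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	srv := cfg.Signing.Profiles["server"]
	fmt.Println(srv.Expiry, AllowsName(srv, "api.example.com"), AllowsName(srv, "api.example.org"))
}
```

Note that `max_path_len: 0` with `max_path_len_zero: true` is the only way to express an explicit path length of zero: the pair mirrors Go's `x509.Certificate.MaxPathLen`/`MaxPathLenZero`, where a zero `MaxPathLen` on its own means "no constraint".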
It seems that the message digest algorithm is being selected dynamically and depends on the length of the CA private key.

    func DefaultSigAlgo(priv crypto.Signer) x509.SignatureAlgorithm {
        pub := priv.Public()
        switch pub := pub.(type) {
        case *rsa.PublicKey:
            keySize := pub.N.BitLen()
            switch {
            case keySize >= 4096:
                return x509.SHA512WithRSA
            case keySize >= 3072:
                return x509.SHA384WithRSA
            case keySize >= 2048:
                return x509.SHA256WithRSA
            default:
                return x509.SHA1WithRSA
            }
        // ... remaining cases elided
Based on what I found in the CFSSL source on GitHub.

Regarding the countries, I was not able to find any restriction in the code that limits or configures them, so one could assume that all countries are allowed.

If you want a different signature algorithm and message digest, then that is not possible in CFSSL. But if that is a deal breaker, you can achieve this by generating the CSR using openssl and signing it using CFSSL.

    cfssl sign -ca ca/ca.pem -ca-key ca/ca-key.pem \
        -config config/signing-profiles.json \
        -profile client-server server.csr | cfssljson -bare ca/server

A similar issue was reported at https://github.com/cloudflare/cfssl/issues/904
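Since the digest follows from the CA key size rather than from a profile setting, the practical levers for an operator are the CA key size and a post-issuance check that the certificates CFSSL produced meet policy. The following Go program is an added example (not code from the answer or from CFSSL): it maps each `x509.SignatureAlgorithm` to its digest size, audits a PEM certificate against minimum digest and key-size thresholds, and builds a throwaway self-signed certificate as constructed input. The thresholds used in `main` (SHA-256, RSA-2048, P-256) and the helper names are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DigestBits returns the output size, in bits, of the hash behind a signature
// algorithm (0 for unknown or unsupported algorithms).
func DigestBits(alg x509.SignatureAlgorithm) int {
	switch alg {
	case x509.MD5WithRSA:
		return 128
	case x509.SHA1WithRSA, x509.ECDSAWithSHA1, x509.DSAWithSHA1:
		return 160
	case x509.SHA256WithRSA, x509.SHA256WithRSAPSS, x509.ECDSAWithSHA256, x509.DSAWithSHA256:
		return 256
	case x509.SHA384WithRSA, x509.SHA384WithRSAPSS, x509.ECDSAWithSHA384:
		return 384
	case x509.SHA512WithRSA, x509.SHA512WithRSAPSS, x509.ECDSAWithSHA512:
		return 512
	case x509.PureEd25519:
		return 512 // Ed25519 hashes internally with SHA-512
	default:
		return 0
	}
}

// AuditCert checks a certificate's signature digest and subject key against
// the caller's minimums; the thresholds are policy, not CFSSL defaults.
func AuditCert(cert *x509.Certificate, minDigestBits, minRSABits, minCurveBits int) error {
	if bits := DigestBits(cert.SignatureAlgorithm); bits < minDigestBits {
		return fmt.Errorf("signature digest %v (%d bits) below minimum %d bits",
			cert.SignatureAlgorithm, bits, minDigestBits)
	}
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if pub.N.BitLen() < minRSABits {
			return fmt.Errorf("RSA key %d bits below minimum %d", pub.N.BitLen(), minRSABits)
		}
	case *ecdsa.PublicKey:
		if pub.Curve.Params().BitSize < minCurveBits {
			return fmt.Errorf("ECDSA curve %s below minimum %d bits", pub.Curve.Params().Name, minCurveBits)
		}
	default:
		return errors.New("unsupported public key type")
	}
	return nil
}

// AuditPEM parses the first CERTIFICATE block in pemBytes and audits it.
func AuditPEM(pemBytes []byte, minDigestBits, minRSABits, minCurveBits int) error {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	return AuditCert(cert, minDigestBits, minRSABits, minCurveBits)
}

// SelfSignedPEM builds a short-lived self-signed certificate with the given
// RSA key size and signature algorithm: constructed sample input for the audit.
func SelfSignedPEM(rsaBits int, alg x509.SignatureAlgorithm) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, rsaBits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "audit-example.invalid"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		SignatureAlgorithm:    alg,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	certPEM, err := SelfSignedPEM(2048, x509.SHA256WithRSA)
	if err != nil {
		panic(err)
	}
	fmt.Println("SHA-256 policy:", AuditPEM(certPEM, 256, 2048, 256))
	fmt.Println("SHA-384 policy:", AuditPEM(certPEM, 384, 2048, 256))
}
```

Run against the certificates a CFSSL CA actually issued (for example the `ca/server.pem` produced by the `cfssl sign` command above), this turns the "digest follows key size" behaviour into an explicit check: a CA whose key is shorter than 2048 bits shows up as a SHA-1 signature, and a policy that needs SHA-384 is only satisfiable by re-keying the CA at 3072 bits or more.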