Add support for default public key digest type ctrl.

This commit is contained in:
Dr. Stephen Henson 2006-05-07 17:09:39 +00:00
parent 5cda6c4582
commit 03919683f9
13 changed files with 70 additions and 67 deletions

10
CHANGES
View file

@ -4,6 +4,16 @@
Changes between 0.9.8a and 0.9.9 [xx XXX xxxx] Changes between 0.9.8a and 0.9.9 [xx XXX xxxx]
*) Add a ctrl to asn1 method to allow a public key algorithm to express
a default digest type to use. In most cases this will be SHA1 but some
algorithms (such as GOST) need to specify an alternative digest. The
return value indicates how strong the prefernce is 1 means optional and
2 is mandatory (that is it is the only supported type). Modify
ASN1_item_sign() to accept a NULL digest argument to indicate it should
use the default md. Update openssl utilities to use the default digest
type for signing if it is not explicitly indicated.
[Steve Henson]
*) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New *) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New
EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant
signing method from the key type. This effectively removes the link signing method from the key type. This effectively removes the link

View file

@ -1016,6 +1016,17 @@ bad:
goto err; goto err;
} }
if (!strcmp(md, "default"))
{
int def_nid;
if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0)
{
BIO_puts(bio_err,"no default digest\n");
goto err;
}
md = (char *)OBJ_nid2sn(def_nid);
}
if ((dgst=EVP_get_digestbyname(md)) == NULL) if ((dgst=EVP_get_digestbyname(md)) == NULL)
{ {
BIO_printf(bio_err,"%s is an unsupported message digest type\n",md); BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
@ -1412,17 +1423,6 @@ bad:
/* we now have a CRL */ /* we now have a CRL */
if (verbose) BIO_printf(bio_err,"signing CRL\n"); if (verbose) BIO_printf(bio_err,"signing CRL\n");
#if 0
#ifndef OPENSSL_NO_DSA
if (pkey->type == EVP_PKEY_DSA)
dgst=EVP_dss1();
else
#endif
#ifndef OPENSSL_NO_ECDSA
if (pkey->type == EVP_PKEY_EC)
dgst=EVP_ecdsa();
#endif
#endif
/* Add any extensions asked for */ /* Add any extensions asked for */
@ -2101,25 +2101,11 @@ again2:
} }
} }
#ifndef OPENSSL_NO_DSA
if (pkey->type == EVP_PKEY_DSA) dgst=EVP_dss1();
pktmp=X509_get_pubkey(ret); pktmp=X509_get_pubkey(ret);
if (EVP_PKEY_missing_parameters(pktmp) && if (EVP_PKEY_missing_parameters(pktmp) &&
!EVP_PKEY_missing_parameters(pkey)) !EVP_PKEY_missing_parameters(pkey))
EVP_PKEY_copy_parameters(pktmp,pkey); EVP_PKEY_copy_parameters(pktmp,pkey);
EVP_PKEY_free(pktmp); EVP_PKEY_free(pktmp);
#endif
#ifndef OPENSSL_NO_ECDSA
if (pkey->type == EVP_PKEY_EC)
dgst = EVP_ecdsa();
pktmp = X509_get_pubkey(ret);
if (EVP_PKEY_missing_parameters(pktmp) &&
!EVP_PKEY_missing_parameters(pkey))
EVP_PKEY_copy_parameters(pktmp, pkey);
EVP_PKEY_free(pktmp);
#endif
if (!X509_sign(ret,pkey,dgst)) if (!X509_sign(ret,pkey,dgst))
goto err; goto err;

View file

@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL default_crl_days= 30 # how long before next CRL
default_md = sha1 # which md to use. default_md = default # use public key default MD
preserve = no # keep passed DN ordering preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look # A few difference way of specifying how similar the request should look

View file

@ -193,7 +193,7 @@ int MAIN(int argc, char **argv)
char *p; char *p;
char *subj = NULL; char *subj = NULL;
int multirdn = 0; int multirdn = 0;
const EVP_MD *md_alg=NULL,*digest=EVP_sha1(); const EVP_MD *md_alg=NULL,*digest=NULL;
unsigned long chtype = MBSTRING_ASC; unsigned long chtype = MBSTRING_ASC;
#ifndef MONOLITH #ifndef MONOLITH
char *to_free; char *to_free;
@ -894,16 +894,7 @@ loop:
BIO_printf(bio_err,"you need to specify a private key\n"); BIO_printf(bio_err,"you need to specify a private key\n");
goto end; goto end;
} }
#if 0
#ifndef OPENSSL_NO_DSA
if (pkey->type == EVP_PKEY_DSA)
digest=EVP_dss1();
#endif
#ifndef OPENSSL_NO_ECDSA
if (pkey->type == EVP_PKEY_EC)
digest=EVP_ecdsa();
#endif
#endif
if (req == NULL) if (req == NULL)
{ {
req=X509_REQ_new(); req=X509_REQ_new();

View file

@ -188,7 +188,7 @@ int MAIN(int argc, char **argv)
X509_REQ *rq=NULL; X509_REQ *rq=NULL;
int fingerprint=0; int fingerprint=0;
char buf[256]; char buf[256];
const EVP_MD *md_alg,*digest=EVP_sha1(); const EVP_MD *md_alg,*digest=NULL;
CONF *extconf = NULL; CONF *extconf = NULL;
char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL; char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
int need_rand = 0; int need_rand = 0;
@ -885,14 +885,18 @@ bad:
int j; int j;
unsigned int n; unsigned int n;
unsigned char md[EVP_MAX_MD_SIZE]; unsigned char md[EVP_MAX_MD_SIZE];
const EVP_MD *fdig = digest;
if (!X509_digest(x,digest,md,&n)) if (!fdig)
fdig = EVP_sha1();
if (!X509_digest(x,fdig,md,&n))
{ {
BIO_printf(bio_err,"out of memory\n"); BIO_printf(bio_err,"out of memory\n");
goto end; goto end;
} }
BIO_printf(STDout,"%s Fingerprint=", BIO_printf(STDout,"%s Fingerprint=",
OBJ_nid2sn(EVP_MD_type(digest))); OBJ_nid2sn(EVP_MD_type(fdig)));
for (j=0; j<(int)n; j++) for (j=0; j<(int)n; j++)
{ {
BIO_printf(STDout,"%02X%c",md[j], BIO_printf(STDout,"%02X%c",md[j],
@ -912,16 +916,6 @@ bad:
passin, e, "Private key"); passin, e, "Private key");
if (Upkey == NULL) goto end; if (Upkey == NULL) goto end;
} }
#if 0
#ifndef OPENSSL_NO_DSA
if (Upkey->type == EVP_PKEY_DSA)
digest=EVP_dss1();
#endif
#ifndef OPENSSL_NO_ECDSA
if (Upkey->type == EVP_PKEY_EC)
digest=EVP_ecdsa();
#endif
#endif
assert(need_rand); assert(need_rand);
if (!sign(x,Upkey,days,clrext,digest, if (!sign(x,Upkey,days,clrext,digest,
@ -938,14 +932,6 @@ bad:
"CA Private Key"); "CA Private Key");
if (CApkey == NULL) goto end; if (CApkey == NULL) goto end;
} }
#ifndef OPENSSL_NO_DSA
if (CApkey->type == EVP_PKEY_DSA)
digest=EVP_dss1();
#endif
#ifndef OPENSSL_NO_ECDSA
if (CApkey->type == EVP_PKEY_EC)
digest = EVP_ecdsa();
#endif
assert(need_rand); assert(need_rand);
if (!x509_certify(ctx,CAfile,digest,x,xca, if (!x509_certify(ctx,CAfile,digest,x,xca,
@ -973,15 +959,6 @@ bad:
BIO_printf(bio_err,"Generating certificate request\n"); BIO_printf(bio_err,"Generating certificate request\n");
#ifndef OPENSSL_NO_DSA
if (pk->type == EVP_PKEY_DSA)
digest=EVP_dss1();
#endif
#ifndef OPENSSL_NO_ECDSA
if (pk->type == EVP_PKEY_EC)
digest=EVP_ecdsa();
#endif
rq=X509_to_X509_REQ(x,pk,digest); rq=X509_to_X509_REQ(x,pk,digest);
EVP_PKEY_free(pk); EVP_PKEY_free(pk);
if (rq == NULL) if (rq == NULL)

View file

@ -222,6 +222,19 @@ int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
int inl=0,outl=0,outll=0; int inl=0,outl=0,outll=0;
int signid, paramtype; int signid, paramtype;
if (type == NULL)
{
int def_nid;
if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) > 0)
type = EVP_get_digestbynid(def_nid);
}
if (type == NULL)
{
ASN1err(ASN1_F_ASN1_ITEM_SIGN, ASN1_R_NO_DEFAULT_DIGEST);
return 0;
}
if (type->flags & EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) if (type->flags & EVP_MD_FLAG_PKEY_METHOD_SIGNATURE)
{ {
if (!pkey->ameth || if (!pkey->ameth ||

View file

@ -1228,6 +1228,7 @@ void ERR_load_ASN1_strings(void);
#define ASN1_R_NON_HEX_CHARACTERS 141 #define ASN1_R_NON_HEX_CHARACTERS 141
#define ASN1_R_NOT_ASCII_FORMAT 190 #define ASN1_R_NOT_ASCII_FORMAT 190
#define ASN1_R_NOT_ENOUGH_DATA 142 #define ASN1_R_NOT_ENOUGH_DATA 142
#define ASN1_R_NO_DEFAULT_DIGEST 201
#define ASN1_R_NO_MATCHING_CHOICE_TYPE 143 #define ASN1_R_NO_MATCHING_CHOICE_TYPE 143
#define ASN1_R_NULL_IS_WRONG_LENGTH 144 #define ASN1_R_NULL_IS_WRONG_LENGTH 144
#define ASN1_R_OBJECT_NOT_ASCII_FORMAT 191 #define ASN1_R_OBJECT_NOT_ASCII_FORMAT 191

View file

@ -248,6 +248,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
{ERR_REASON(ASN1_R_NON_HEX_CHARACTERS) ,"non hex characters"}, {ERR_REASON(ASN1_R_NON_HEX_CHARACTERS) ,"non hex characters"},
{ERR_REASON(ASN1_R_NOT_ASCII_FORMAT) ,"not ascii format"}, {ERR_REASON(ASN1_R_NOT_ASCII_FORMAT) ,"not ascii format"},
{ERR_REASON(ASN1_R_NOT_ENOUGH_DATA) ,"not enough data"}, {ERR_REASON(ASN1_R_NOT_ENOUGH_DATA) ,"not enough data"},
{ERR_REASON(ASN1_R_NO_DEFAULT_DIGEST) ,"no default digest"},
{ERR_REASON(ASN1_R_NO_MATCHING_CHOICE_TYPE),"no matching choice type"}, {ERR_REASON(ASN1_R_NO_MATCHING_CHOICE_TYPE),"no matching choice type"},
{ERR_REASON(ASN1_R_NULL_IS_WRONG_LENGTH) ,"null is wrong length"}, {ERR_REASON(ASN1_R_NULL_IS_WRONG_LENGTH) ,"null is wrong length"},
{ERR_REASON(ASN1_R_OBJECT_NOT_ASCII_FORMAT),"object not ascii format"}, {ERR_REASON(ASN1_R_OBJECT_NOT_ASCII_FORMAT),"object not ascii format"},

View file

@ -544,6 +544,10 @@ static int dsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
} }
return 1; return 1;
case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
*(int *)arg2 = NID_sha1;
return 2;
default: default:
return -2; return -2;

View file

@ -586,6 +586,10 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
} }
return 1; return 1;
case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
*(int *)arg2 = NID_sha1;
return 2;
default: default:
return -2; return -2;

View file

@ -770,6 +770,8 @@ int EVP_PKEY_print_private(BIO *out, const EVP_PKEY *pkey,
int EVP_PKEY_print_params(BIO *out, const EVP_PKEY *pkey, int EVP_PKEY_print_params(BIO *out, const EVP_PKEY *pkey,
int indent, ASN1_PCTX *pctx); int indent, ASN1_PCTX *pctx);
int EVP_PKEY_get_default_digest_nid(EVP_PKEY *pkey, int *pnid);
int EVP_CIPHER_type(const EVP_CIPHER *ctx); int EVP_CIPHER_type(const EVP_CIPHER *ctx);
/* calls methods */ /* calls methods */
@ -805,6 +807,7 @@ void EVP_PBE_cleanup(void);
#define ASN1_PKEY_CTRL_PKCS7_SIGN 0x1 #define ASN1_PKEY_CTRL_PKCS7_SIGN 0x1
#define ASN1_PKEY_CTRL_PKCS7_ENCRYPT 0x2 #define ASN1_PKEY_CTRL_PKCS7_ENCRYPT 0x2
#define ASN1_PKEY_CTRL_DEFAULT_MD_NID 0x3
int EVP_PKEY_asn1_get_count(void); int EVP_PKEY_asn1_get_count(void);
const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_get0(int idx); const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_get0(int idx);

View file

@ -361,3 +361,12 @@ int EVP_PKEY_print_params(BIO *out, const EVP_PKEY *pkey,
return pkey->ameth->param_print(out, pkey, indent, pctx); return pkey->ameth->param_print(out, pkey, indent, pctx);
return unsup_alg(out, pkey, indent, "Parameters"); return unsup_alg(out, pkey, indent, "Parameters");
} }
int EVP_PKEY_get_default_digest_nid(EVP_PKEY *pkey, int *pnid)
{
if (!pkey->ameth || !pkey->ameth->pkey_ctrl)
return -2;
return pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_DEFAULT_MD_NID,
0, pnid);
}

View file

@ -287,6 +287,10 @@ static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
} }
return 1; return 1;
case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
*(int *)arg2 = NID_sha1;
return 1;
default: default:
return -2; return -2;