add -sigopt option to ca utility
This commit is contained in:
parent
8d207ee3d1
commit
4c623cddbe
4 changed files with 64 additions and 20 deletions
5
CHANGES
5
CHANGES
|
@ -4,6 +4,11 @@
|
|||
|
||||
Changes between 1.0.0 and 1.1.0 [xx XXX xxxx]
|
||||
|
||||
*) New -sigopt option to the req and x509 utilities. Additional
|
||||
signature parameters can be passed using this option and in
|
||||
particular PSS. Todo: ca support.
|
||||
[Steve Henson]
|
||||
|
||||
*) Add RSA PSS signing function. This will generate and set the
|
||||
appropriate AlgorithmIdentifiers for PSS based on those in the
|
||||
corresponding EVP_MD_CTX structure. No application support yet.
|
||||
|
|
|
@ -321,6 +321,8 @@ int do_X509_sign(BIO *err, X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
|
|||
STACK_OF(OPENSSL_STRING) *sigopts);
|
||||
int do_X509_REQ_sign(BIO *err, X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
|
||||
STACK_OF(OPENSSL_STRING) *sigopts);
|
||||
int do_X509_CRL_sign(BIO *err, X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
|
||||
STACK_OF(OPENSSL_STRING) *sigopts);
|
||||
#ifndef OPENSSL_NO_PSK
|
||||
extern char *psk_key;
|
||||
#endif
|
||||
|
|
62
apps/ca.c
62
apps/ca.c
|
@ -197,26 +197,30 @@ extern int EF_ALIGNMENT;
|
|||
|
||||
static void lookup_fail(const char *name, const char *tag);
|
||||
static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
|
||||
const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,CA_DB *db,
|
||||
const EVP_MD *dgst,STACK_OF(OPENSSL_STRING) *sigopts,
|
||||
STACK_OF(CONF_VALUE) *policy,CA_DB *db,
|
||||
BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate,
|
||||
char *enddate, long days, int batch, char *ext_sect, CONF *conf,
|
||||
int verbose, unsigned long certopt, unsigned long nameopt,
|
||||
int default_op, int ext_copy, int selfsign);
|
||||
static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
|
||||
const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
|
||||
const EVP_MD *dgst,STACK_OF(OPENSSL_STRING) *sigopts,
|
||||
STACK_OF(CONF_VALUE) *policy,
|
||||
CA_DB *db, BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn,
|
||||
char *startdate, char *enddate, long days, int batch,
|
||||
char *ext_sect, CONF *conf,int verbose, unsigned long certopt,
|
||||
unsigned long nameopt, int default_op, int ext_copy,
|
||||
ENGINE *e);
|
||||
static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
|
||||
const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
|
||||
const EVP_MD *dgst,STACK_OF(OPENSSL_STRING) *sigopts,
|
||||
STACK_OF(CONF_VALUE) *policy,
|
||||
CA_DB *db, BIGNUM *serial,char *subj,unsigned long chtype, int multirdn, int email_dn,
|
||||
char *startdate, char *enddate, long days, char *ext_sect,
|
||||
CONF *conf, int verbose, unsigned long certopt,
|
||||
unsigned long nameopt, int default_op, int ext_copy);
|
||||
static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);
|
||||
static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
|
||||
STACK_OF(OPENSSL_STRING) *sigopts,
|
||||
STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj,unsigned long chtype, int multirdn,
|
||||
int email_dn, char *startdate, char *enddate, long days, int batch,
|
||||
int verbose, X509_REQ *req, char *ext_sect, CONF *conf,
|
||||
|
@ -311,6 +315,7 @@ int MAIN(int argc, char **argv)
|
|||
const EVP_MD *dgst=NULL;
|
||||
STACK_OF(CONF_VALUE) *attribs=NULL;
|
||||
STACK_OF(X509) *cert_sk=NULL;
|
||||
STACK_OF(OPENSSL_STRING) *sigopts = NULL;
|
||||
#undef BSIZE
|
||||
#define BSIZE 256
|
||||
MS_STATIC char buf[3][BSIZE];
|
||||
|
@ -435,6 +440,15 @@ EF_ALIGNMENT=0;
|
|||
if (--argc < 1) goto bad;
|
||||
outdir= *(++argv);
|
||||
}
|
||||
else if (strcmp(*argv,"-sigopt") == 0)
|
||||
{
|
||||
if (--argc < 1)
|
||||
goto bad;
|
||||
if (!sigopts)
|
||||
sigopts = sk_OPENSSL_STRING_new_null();
|
||||
if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
|
||||
goto bad;
|
||||
}
|
||||
else if (strcmp(*argv,"-notext") == 0)
|
||||
notext=1;
|
||||
else if (strcmp(*argv,"-batch") == 0)
|
||||
|
@ -1170,8 +1184,9 @@ bad:
|
|||
if (spkac_file != NULL)
|
||||
{
|
||||
total++;
|
||||
j=certify_spkac(&x,spkac_file,pkey,x509,dgst,attribs,db,
|
||||
serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,extensions,
|
||||
j=certify_spkac(&x,spkac_file,pkey,x509,dgst,sigopts,
|
||||
attribs,db, serial,subj,chtype,multirdn,
|
||||
email_dn,startdate,enddate,days,extensions,
|
||||
conf,verbose,certopt,nameopt,default_op,ext_copy);
|
||||
if (j < 0) goto err;
|
||||
if (j > 0)
|
||||
|
@ -1194,7 +1209,8 @@ bad:
|
|||
if (ss_cert_file != NULL)
|
||||
{
|
||||
total++;
|
||||
j=certify_cert(&x,ss_cert_file,pkey,x509,dgst,attribs,
|
||||
j=certify_cert(&x,ss_cert_file,pkey,x509,dgst,sigopts,
|
||||
attribs,
|
||||
db,serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,batch,
|
||||
extensions,conf,verbose, certopt, nameopt,
|
||||
default_op, ext_copy, e);
|
||||
|
@ -1214,7 +1230,7 @@ bad:
|
|||
if (infile != NULL)
|
||||
{
|
||||
total++;
|
||||
j=certify(&x,infile,pkey,x509p,dgst,attribs,db,
|
||||
j=certify(&x,infile,pkey,x509p,dgst,sigopts, attribs,db,
|
||||
serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,batch,
|
||||
extensions,conf,verbose, certopt, nameopt,
|
||||
default_op, ext_copy, selfsign);
|
||||
|
@ -1234,7 +1250,7 @@ bad:
|
|||
for (i=0; i<argc; i++)
|
||||
{
|
||||
total++;
|
||||
j=certify(&x,argv[i],pkey,x509p,dgst,attribs,db,
|
||||
j=certify(&x,argv[i],pkey,x509p,dgst,sigopts,attribs,db,
|
||||
serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,batch,
|
||||
extensions,conf,verbose, certopt, nameopt,
|
||||
default_op, ext_copy, selfsign);
|
||||
|
@ -1483,7 +1499,7 @@ bad:
|
|||
crlnumber = NULL;
|
||||
}
|
||||
|
||||
if (!X509_CRL_sign(crl,pkey,dgst)) goto err;
|
||||
if (!do_X509_CRL_sign(bio_err,crl,pkey,dgst,sigopts)) goto err;
|
||||
|
||||
PEM_write_bio_X509_CRL(Sout,crl);
|
||||
|
||||
|
@ -1553,8 +1569,10 @@ static void lookup_fail(const char *name, const char *tag)
|
|||
}
|
||||
|
||||
static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
|
||||
const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
|
||||
BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate,
|
||||
const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
|
||||
STACK_OF(CONF_VALUE) *policy, CA_DB *db,
|
||||
BIGNUM *serial, char *subj,unsigned long chtype, int multirdn,
|
||||
int email_dn, char *startdate, char *enddate,
|
||||
long days, int batch, char *ext_sect, CONF *lconf, int verbose,
|
||||
unsigned long certopt, unsigned long nameopt, int default_op,
|
||||
int ext_copy, int selfsign)
|
||||
|
@ -1610,7 +1628,8 @@ static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
|
|||
else
|
||||
BIO_printf(bio_err,"Signature ok\n");
|
||||
|
||||
ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,chtype,multirdn, email_dn,
|
||||
ok=do_body(xret,pkey,x509,dgst,sigopts, policy,db,serial,subj,chtype,
|
||||
multirdn, email_dn,
|
||||
startdate,enddate,days,batch,verbose,req,ext_sect,lconf,
|
||||
certopt, nameopt, default_op, ext_copy, selfsign);
|
||||
|
||||
|
@ -1621,7 +1640,8 @@ err:
|
|||
}
|
||||
|
||||
static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
|
||||
const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
|
||||
const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
|
||||
STACK_OF(CONF_VALUE) *policy, CA_DB *db,
|
||||
BIGNUM *serial, char *subj, unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate,
|
||||
long days, int batch, char *ext_sect, CONF *lconf, int verbose,
|
||||
unsigned long certopt, unsigned long nameopt, int default_op,
|
||||
|
@ -1664,7 +1684,7 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
|
|||
if ((rreq=X509_to_X509_REQ(req,NULL,EVP_md5())) == NULL)
|
||||
goto err;
|
||||
|
||||
ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,chtype,multirdn,email_dn,startdate,enddate,
|
||||
ok=do_body(xret,pkey,x509,dgst,sigopts,policy,db,serial,subj,chtype,multirdn,email_dn,startdate,enddate,
|
||||
days,batch,verbose,rreq,ext_sect,lconf, certopt, nameopt, default_op,
|
||||
ext_copy, 0);
|
||||
|
||||
|
@ -1675,7 +1695,8 @@ err:
|
|||
}
|
||||
|
||||
static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
|
||||
STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj,
|
||||
STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy,
|
||||
CA_DB *db, BIGNUM *serial, char *subj,
|
||||
unsigned long chtype, int multirdn,
|
||||
int email_dn, char *startdate, char *enddate, long days, int batch,
|
||||
int verbose, X509_REQ *req, char *ext_sect, CONF *lconf,
|
||||
|
@ -2146,7 +2167,7 @@ again2:
|
|||
EVP_PKEY_copy_parameters(pktmp,pkey);
|
||||
EVP_PKEY_free(pktmp);
|
||||
|
||||
if (!X509_sign(ret,pkey,dgst))
|
||||
if (!do_X509_sign(bio_err, ret,pkey,dgst, sigopts))
|
||||
goto err;
|
||||
|
||||
/* We now just add it to the database */
|
||||
|
@ -2240,7 +2261,8 @@ static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext)
|
|||
}
|
||||
|
||||
static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
|
||||
const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
|
||||
const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
|
||||
STACK_OF(CONF_VALUE) *policy, CA_DB *db,
|
||||
BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate,
|
||||
long days, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt,
|
||||
unsigned long nameopt, int default_op, int ext_copy)
|
||||
|
@ -2366,9 +2388,9 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
|
|||
|
||||
X509_REQ_set_pubkey(req,pktmp);
|
||||
EVP_PKEY_free(pktmp);
|
||||
ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,chtype,multirdn,email_dn,startdate,enddate,
|
||||
days,1,verbose,req,ext_sect,lconf, certopt, nameopt, default_op,
|
||||
ext_copy, 0);
|
||||
ok=do_body(xret,pkey,x509,dgst,sigopts,policy,db,serial,subj,chtype,
|
||||
multirdn,email_dn,startdate,enddate, days,1,verbose,req,
|
||||
ext_sect,lconf, certopt, nameopt, default_op, ext_copy, 0);
|
||||
err:
|
||||
if (req != NULL) X509_REQ_free(req);
|
||||
if (parms != NULL) CONF_free(parms);
|
||||
|
|
15
apps/req.c
15
apps/req.c
|
@ -1819,3 +1819,18 @@ int do_X509_REQ_sign(BIO *err, X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
|
|||
}
|
||||
|
||||
|
||||
|
||||
int do_X509_CRL_sign(BIO *err, X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
|
||||
STACK_OF(OPENSSL_STRING) *sigopts)
|
||||
{
|
||||
int rv;
|
||||
EVP_MD_CTX mctx;
|
||||
EVP_MD_CTX_init(&mctx);
|
||||
rv = do_sign_init(err, &mctx, pkey, md, sigopts);
|
||||
if (rv > 0)
|
||||
rv = X509_CRL_sign_ctx(x, &mctx);
|
||||
EVP_MD_CTX_cleanup(&mctx);
|
||||
return rv > 0 ? 1 : 0;
|
||||
}
|
||||
|
||||
|
||||
|
|
Loading…
Reference in a new issue