add -sigopt option to ca utility

This commit is contained in:
Dr. Stephen Henson 2010-03-14 12:54:45 +00:00
parent 8d207ee3d1
commit 4c623cddbe
4 changed files with 64 additions and 20 deletions

View file

@ -4,6 +4,11 @@
Changes between 1.0.0 and 1.1.0 [xx XXX xxxx]
*) New -sigopt option to the req and x509 utilities. Additional
signature parameters can be passed using this option and in
particular PSS. Todo: ca support.
[Steve Henson]
*) Add RSA PSS signing function. This will generate and set the
appropriate AlgorithmIdentifiers for PSS based on those in the
corresponding EVP_MD_CTX structure. No application support yet.

View file

@ -321,6 +321,8 @@ int do_X509_sign(BIO *err, X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
STACK_OF(OPENSSL_STRING) *sigopts);
int do_X509_REQ_sign(BIO *err, X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
STACK_OF(OPENSSL_STRING) *sigopts);
int do_X509_CRL_sign(BIO *err, X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
STACK_OF(OPENSSL_STRING) *sigopts);
#ifndef OPENSSL_NO_PSK
extern char *psk_key;
#endif

View file

@ -197,26 +197,30 @@ extern int EF_ALIGNMENT;
static void lookup_fail(const char *name, const char *tag);
static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,CA_DB *db,
const EVP_MD *dgst,STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy,CA_DB *db,
BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate,
char *enddate, long days, int batch, char *ext_sect, CONF *conf,
int verbose, unsigned long certopt, unsigned long nameopt,
int default_op, int ext_copy, int selfsign);
static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
const EVP_MD *dgst,STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy,
CA_DB *db, BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn,
char *startdate, char *enddate, long days, int batch,
char *ext_sect, CONF *conf,int verbose, unsigned long certopt,
unsigned long nameopt, int default_op, int ext_copy,
ENGINE *e);
static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
const EVP_MD *dgst,STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy,
CA_DB *db, BIGNUM *serial,char *subj,unsigned long chtype, int multirdn, int email_dn,
char *startdate, char *enddate, long days, char *ext_sect,
CONF *conf, int verbose, unsigned long certopt,
unsigned long nameopt, int default_op, int ext_copy);
static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);
static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj,unsigned long chtype, int multirdn,
int email_dn, char *startdate, char *enddate, long days, int batch,
int verbose, X509_REQ *req, char *ext_sect, CONF *conf,
@ -311,6 +315,7 @@ int MAIN(int argc, char **argv)
const EVP_MD *dgst=NULL;
STACK_OF(CONF_VALUE) *attribs=NULL;
STACK_OF(X509) *cert_sk=NULL;
STACK_OF(OPENSSL_STRING) *sigopts = NULL;
#undef BSIZE
#define BSIZE 256
MS_STATIC char buf[3][BSIZE];
@ -435,6 +440,15 @@ EF_ALIGNMENT=0;
if (--argc < 1) goto bad;
outdir= *(++argv);
}
else if (strcmp(*argv,"-sigopt") == 0)
{
if (--argc < 1)
goto bad;
if (!sigopts)
sigopts = sk_OPENSSL_STRING_new_null();
if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
goto bad;
}
else if (strcmp(*argv,"-notext") == 0)
notext=1;
else if (strcmp(*argv,"-batch") == 0)
@ -1170,8 +1184,9 @@ bad:
if (spkac_file != NULL)
{
total++;
j=certify_spkac(&x,spkac_file,pkey,x509,dgst,attribs,db,
serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,extensions,
j=certify_spkac(&x,spkac_file,pkey,x509,dgst,sigopts,
attribs,db, serial,subj,chtype,multirdn,
email_dn,startdate,enddate,days,extensions,
conf,verbose,certopt,nameopt,default_op,ext_copy);
if (j < 0) goto err;
if (j > 0)
@ -1194,7 +1209,8 @@ bad:
if (ss_cert_file != NULL)
{
total++;
j=certify_cert(&x,ss_cert_file,pkey,x509,dgst,attribs,
j=certify_cert(&x,ss_cert_file,pkey,x509,dgst,sigopts,
attribs,
db,serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,batch,
extensions,conf,verbose, certopt, nameopt,
default_op, ext_copy, e);
@ -1214,7 +1230,7 @@ bad:
if (infile != NULL)
{
total++;
j=certify(&x,infile,pkey,x509p,dgst,attribs,db,
j=certify(&x,infile,pkey,x509p,dgst,sigopts, attribs,db,
serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,batch,
extensions,conf,verbose, certopt, nameopt,
default_op, ext_copy, selfsign);
@ -1234,7 +1250,7 @@ bad:
for (i=0; i<argc; i++)
{
total++;
j=certify(&x,argv[i],pkey,x509p,dgst,attribs,db,
j=certify(&x,argv[i],pkey,x509p,dgst,sigopts,attribs,db,
serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,batch,
extensions,conf,verbose, certopt, nameopt,
default_op, ext_copy, selfsign);
@ -1483,7 +1499,7 @@ bad:
crlnumber = NULL;
}
if (!X509_CRL_sign(crl,pkey,dgst)) goto err;
if (!do_X509_CRL_sign(bio_err,crl,pkey,dgst,sigopts)) goto err;
PEM_write_bio_X509_CRL(Sout,crl);
@ -1553,8 +1569,10 @@ static void lookup_fail(const char *name, const char *tag)
}
static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate,
const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db,
BIGNUM *serial, char *subj,unsigned long chtype, int multirdn,
int email_dn, char *startdate, char *enddate,
long days, int batch, char *ext_sect, CONF *lconf, int verbose,
unsigned long certopt, unsigned long nameopt, int default_op,
int ext_copy, int selfsign)
@ -1610,7 +1628,8 @@ static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
else
BIO_printf(bio_err,"Signature ok\n");
ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,chtype,multirdn, email_dn,
ok=do_body(xret,pkey,x509,dgst,sigopts, policy,db,serial,subj,chtype,
multirdn, email_dn,
startdate,enddate,days,batch,verbose,req,ext_sect,lconf,
certopt, nameopt, default_op, ext_copy, selfsign);
@ -1621,7 +1640,8 @@ err:
}
static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db,
BIGNUM *serial, char *subj, unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate,
long days, int batch, char *ext_sect, CONF *lconf, int verbose,
unsigned long certopt, unsigned long nameopt, int default_op,
@ -1664,7 +1684,7 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
if ((rreq=X509_to_X509_REQ(req,NULL,EVP_md5())) == NULL)
goto err;
ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,chtype,multirdn,email_dn,startdate,enddate,
ok=do_body(xret,pkey,x509,dgst,sigopts,policy,db,serial,subj,chtype,multirdn,email_dn,startdate,enddate,
days,batch,verbose,rreq,ext_sect,lconf, certopt, nameopt, default_op,
ext_copy, 0);
@ -1675,7 +1695,8 @@ err:
}
static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj,
STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy,
CA_DB *db, BIGNUM *serial, char *subj,
unsigned long chtype, int multirdn,
int email_dn, char *startdate, char *enddate, long days, int batch,
int verbose, X509_REQ *req, char *ext_sect, CONF *lconf,
@ -2146,7 +2167,7 @@ again2:
EVP_PKEY_copy_parameters(pktmp,pkey);
EVP_PKEY_free(pktmp);
if (!X509_sign(ret,pkey,dgst))
if (!do_X509_sign(bio_err, ret,pkey,dgst, sigopts))
goto err;
/* We now just add it to the database */
@ -2240,7 +2261,8 @@ static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext)
}
static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db,
BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate,
long days, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt,
unsigned long nameopt, int default_op, int ext_copy)
@ -2366,9 +2388,9 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
X509_REQ_set_pubkey(req,pktmp);
EVP_PKEY_free(pktmp);
ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,chtype,multirdn,email_dn,startdate,enddate,
days,1,verbose,req,ext_sect,lconf, certopt, nameopt, default_op,
ext_copy, 0);
ok=do_body(xret,pkey,x509,dgst,sigopts,policy,db,serial,subj,chtype,
multirdn,email_dn,startdate,enddate, days,1,verbose,req,
ext_sect,lconf, certopt, nameopt, default_op, ext_copy, 0);
err:
if (req != NULL) X509_REQ_free(req);
if (parms != NULL) CONF_free(parms);

View file

@ -1819,3 +1819,18 @@ int do_X509_REQ_sign(BIO *err, X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
}
int do_X509_CRL_sign(BIO *err, X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
STACK_OF(OPENSSL_STRING) *sigopts)
{
int rv;
EVP_MD_CTX mctx;
EVP_MD_CTX_init(&mctx);
rv = do_sign_init(err, &mctx, pkey, md, sigopts);
if (rv > 0)
rv = X509_CRL_sign_ctx(x, &mctx);
EVP_MD_CTX_cleanup(&mctx);
return rv > 0 ? 1 : 0;
}