wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add -sigopt option to ca utility

Browse source
This commit is contained in:
Dr. Stephen Henson 2010-03-14 12:54:45 +00:00
parent 8d207ee3d1
commit 4c623cddbe
4 changed files with 64 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
CHANGES
View file

@ -4,6 +4,11 @@
Changes between 1.0.0 and 1.1.0 [xx XXX xxxx] Changes between 1.0.0 and 1.1.0 [xx XXX xxxx]
*) New -sigopt option to the req and x509 utilities. Additional
signature parameters can be passed using this option and in
particular PSS. Todo: ca support.
[Steve Henson]
*) Add RSA PSS signing function. This will generate and set the *) Add RSA PSS signing function. This will generate and set the
appropriate AlgorithmIdentifiers for PSS based on those in the appropriate AlgorithmIdentifiers for PSS based on those in the
corresponding EVP_MD_CTX structure. No application support yet. corresponding EVP_MD_CTX structure. No application support yet.

2
apps/apps.h
View file

@ -321,6 +321,8 @@ int do_X509_sign(BIO *err, X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
STACK_OF(OPENSSL_STRING) *sigopts); STACK_OF(OPENSSL_STRING) *sigopts);
int do_X509_REQ_sign(BIO *err, X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md, int do_X509_REQ_sign(BIO *err, X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
STACK_OF(OPENSSL_STRING) *sigopts); STACK_OF(OPENSSL_STRING) *sigopts);
int do_X509_CRL_sign(BIO *err, X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
STACK_OF(OPENSSL_STRING) *sigopts);
#ifndef OPENSSL_NO_PSK #ifndef OPENSSL_NO_PSK
extern char *psk_key; extern char *psk_key;
#endif #endif

62
apps/ca.c
View file

@ -197,26 +197,30 @@ extern int EF_ALIGNMENT;
static void lookup_fail(const char *name, const char *tag); static void lookup_fail(const char *name, const char *tag);
static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,CA_DB *db, const EVP_MD *dgst,STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy,CA_DB *db,
BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate, BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate,
char *enddate, long days, int batch, char *ext_sect, CONF *conf, char *enddate, long days, int batch, char *ext_sect, CONF *conf,
int verbose, unsigned long certopt, unsigned long nameopt, int verbose, unsigned long certopt, unsigned long nameopt,
int default_op, int ext_copy, int selfsign); int default_op, int ext_copy, int selfsign);
static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy, const EVP_MD *dgst,STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy,
CA_DB *db, BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn, CA_DB *db, BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn,
char *startdate, char *enddate, long days, int batch, char *startdate, char *enddate, long days, int batch,
char *ext_sect, CONF *conf,int verbose, unsigned long certopt, char *ext_sect, CONF *conf,int verbose, unsigned long certopt,
unsigned long nameopt, int default_op, int ext_copy, unsigned long nameopt, int default_op, int ext_copy,
ENGINE *e); ENGINE *e);
static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy, const EVP_MD *dgst,STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy,
CA_DB *db, BIGNUM *serial,char *subj,unsigned long chtype, int multirdn, int email_dn, CA_DB *db, BIGNUM *serial,char *subj,unsigned long chtype, int multirdn, int email_dn,
char *startdate, char *enddate, long days, char *ext_sect, char *startdate, char *enddate, long days, char *ext_sect,
CONF *conf, int verbose, unsigned long certopt, CONF *conf, int verbose, unsigned long certopt,
unsigned long nameopt, int default_op, int ext_copy); unsigned long nameopt, int default_op, int ext_copy);
static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext); static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);
static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj,unsigned long chtype, int multirdn, STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj,unsigned long chtype, int multirdn,
int email_dn, char *startdate, char *enddate, long days, int batch, int email_dn, char *startdate, char *enddate, long days, int batch,
int verbose, X509_REQ *req, char *ext_sect, CONF *conf, int verbose, X509_REQ *req, char *ext_sect, CONF *conf,
@ -311,6 +315,7 @@ int MAIN(int argc, char **argv)
const EVP_MD *dgst=NULL; const EVP_MD *dgst=NULL;
STACK_OF(CONF_VALUE) *attribs=NULL; STACK_OF(CONF_VALUE) *attribs=NULL;
STACK_OF(X509) *cert_sk=NULL; STACK_OF(X509) *cert_sk=NULL;
STACK_OF(OPENSSL_STRING) *sigopts = NULL;
#undef BSIZE #undef BSIZE
#define BSIZE 256 #define BSIZE 256
MS_STATIC char buf[3][BSIZE]; MS_STATIC char buf[3][BSIZE];
@ -435,6 +440,15 @@ EF_ALIGNMENT=0;
if (--argc < 1) goto bad; if (--argc < 1) goto bad;
outdir= *(++argv); outdir= *(++argv);
} }
else if (strcmp(*argv,"-sigopt") == 0)
{
if (--argc < 1)
goto bad;
if (!sigopts)
sigopts = sk_OPENSSL_STRING_new_null();
if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
goto bad;
}
else if (strcmp(*argv,"-notext") == 0) else if (strcmp(*argv,"-notext") == 0)
notext=1; notext=1;
else if (strcmp(*argv,"-batch") == 0) else if (strcmp(*argv,"-batch") == 0)
@ -1170,8 +1184,9 @@ bad:
if (spkac_file != NULL) if (spkac_file != NULL)
{ {
total++; total++;
j=certify_spkac(&x,spkac_file,pkey,x509,dgst,attribs,db, j=certify_spkac(&x,spkac_file,pkey,x509,dgst,sigopts,
serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,extensions, attribs,db, serial,subj,chtype,multirdn,
email_dn,startdate,enddate,days,extensions,
conf,verbose,certopt,nameopt,default_op,ext_copy); conf,verbose,certopt,nameopt,default_op,ext_copy);
if (j < 0) goto err; if (j < 0) goto err;
if (j > 0) if (j > 0)
@ -1194,7 +1209,8 @@ bad:
if (ss_cert_file != NULL) if (ss_cert_file != NULL)
{ {
total++; total++;
j=certify_cert(&x,ss_cert_file,pkey,x509,dgst,attribs, j=certify_cert(&x,ss_cert_file,pkey,x509,dgst,sigopts,
attribs,
db,serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,batch, db,serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,batch,
extensions,conf,verbose, certopt, nameopt, extensions,conf,verbose, certopt, nameopt,
default_op, ext_copy, e); default_op, ext_copy, e);
@ -1214,7 +1230,7 @@ bad:
if (infile != NULL) if (infile != NULL)
{ {
total++; total++;
j=certify(&x,infile,pkey,x509p,dgst,attribs,db, j=certify(&x,infile,pkey,x509p,dgst,sigopts, attribs,db,
serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,batch, serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,batch,
extensions,conf,verbose, certopt, nameopt, extensions,conf,verbose, certopt, nameopt,
default_op, ext_copy, selfsign); default_op, ext_copy, selfsign);
@ -1234,7 +1250,7 @@ bad:
for (i=0; i<argc; i++) for (i=0; i<argc; i++)
{ {
total++; total++;
j=certify(&x,argv[i],pkey,x509p,dgst,attribs,db, j=certify(&x,argv[i],pkey,x509p,dgst,sigopts,attribs,db,
serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,batch, serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,batch,
extensions,conf,verbose, certopt, nameopt, extensions,conf,verbose, certopt, nameopt,
default_op, ext_copy, selfsign); default_op, ext_copy, selfsign);
@ -1483,7 +1499,7 @@ bad:
crlnumber = NULL; crlnumber = NULL;
} }
if (!X509_CRL_sign(crl,pkey,dgst)) goto err; if (!do_X509_CRL_sign(bio_err,crl,pkey,dgst,sigopts)) goto err;
PEM_write_bio_X509_CRL(Sout,crl); PEM_write_bio_X509_CRL(Sout,crl);
@ -1553,8 +1569,10 @@ static void lookup_fail(const char *name, const char *tag)
} }
static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db, const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
BIGNUM *serial, char *subj,unsigned long chtype, int multirdn,
int email_dn, char *startdate, char *enddate,
long days, int batch, char *ext_sect, CONF *lconf, int verbose, long days, int batch, char *ext_sect, CONF *lconf, int verbose,
unsigned long certopt, unsigned long nameopt, int default_op, unsigned long certopt, unsigned long nameopt, int default_op,
int ext_copy, int selfsign) int ext_copy, int selfsign)
@ -1610,7 +1628,8 @@ static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
else else
BIO_printf(bio_err,"Signature ok\n"); BIO_printf(bio_err,"Signature ok\n");
ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,chtype,multirdn, email_dn, ok=do_body(xret,pkey,x509,dgst,sigopts, policy,db,serial,subj,chtype,
multirdn, email_dn,
startdate,enddate,days,batch,verbose,req,ext_sect,lconf, startdate,enddate,days,batch,verbose,req,ext_sect,lconf,
certopt, nameopt, default_op, ext_copy, selfsign); certopt, nameopt, default_op, ext_copy, selfsign);
@ -1621,7 +1640,8 @@ err:
} }
static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db, const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db,
BIGNUM *serial, char *subj, unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate, BIGNUM *serial, char *subj, unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate,
long days, int batch, char *ext_sect, CONF *lconf, int verbose, long days, int batch, char *ext_sect, CONF *lconf, int verbose,
unsigned long certopt, unsigned long nameopt, int default_op, unsigned long certopt, unsigned long nameopt, int default_op,
@ -1664,7 +1684,7 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
if ((rreq=X509_to_X509_REQ(req,NULL,EVP_md5())) == NULL) if ((rreq=X509_to_X509_REQ(req,NULL,EVP_md5())) == NULL)
goto err; goto err;
ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,chtype,multirdn,email_dn,startdate,enddate, ok=do_body(xret,pkey,x509,dgst,sigopts,policy,db,serial,subj,chtype,multirdn,email_dn,startdate,enddate,
days,batch,verbose,rreq,ext_sect,lconf, certopt, nameopt, default_op, days,batch,verbose,rreq,ext_sect,lconf, certopt, nameopt, default_op,
ext_copy, 0); ext_copy, 0);
@ -1675,7 +1695,8 @@ err:
} }
static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj, STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy,
CA_DB *db, BIGNUM *serial, char *subj,
unsigned long chtype, int multirdn, unsigned long chtype, int multirdn,
int email_dn, char *startdate, char *enddate, long days, int batch, int email_dn, char *startdate, char *enddate, long days, int batch,
int verbose, X509_REQ *req, char *ext_sect, CONF *lconf, int verbose, X509_REQ *req, char *ext_sect, CONF *lconf,
@ -2146,7 +2167,7 @@ again2:
EVP_PKEY_copy_parameters(pktmp,pkey); EVP_PKEY_copy_parameters(pktmp,pkey);
EVP_PKEY_free(pktmp); EVP_PKEY_free(pktmp);
if (!X509_sign(ret,pkey,dgst)) if (!do_X509_sign(bio_err, ret,pkey,dgst, sigopts))
goto err; goto err;
/* We now just add it to the database */ /* We now just add it to the database */
@ -2240,7 +2261,8 @@ static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext)
} }
static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db, const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db,
BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate, BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate,
long days, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt, long days, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt,
unsigned long nameopt, int default_op, int ext_copy) unsigned long nameopt, int default_op, int ext_copy)
@ -2366,9 +2388,9 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
X509_REQ_set_pubkey(req,pktmp); X509_REQ_set_pubkey(req,pktmp);
EVP_PKEY_free(pktmp); EVP_PKEY_free(pktmp);
ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,chtype,multirdn,email_dn,startdate,enddate, ok=do_body(xret,pkey,x509,dgst,sigopts,policy,db,serial,subj,chtype,
days,1,verbose,req,ext_sect,lconf, certopt, nameopt, default_op, multirdn,email_dn,startdate,enddate, days,1,verbose,req,
ext_copy, 0); ext_sect,lconf, certopt, nameopt, default_op, ext_copy, 0);
err: err:
if (req != NULL) X509_REQ_free(req); if (req != NULL) X509_REQ_free(req);
if (parms != NULL) CONF_free(parms); if (parms != NULL) CONF_free(parms);

15
apps/req.c
View file

@ -1819,3 +1819,18 @@ int do_X509_REQ_sign(BIO *err, X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
} }
int do_X509_CRL_sign(BIO *err, X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
STACK_OF(OPENSSL_STRING) *sigopts)
{
int rv;
EVP_MD_CTX mctx;
EVP_MD_CTX_init(&mctx);
rv = do_sign_init(err, &mctx, pkey, md, sigopts);
if (rv > 0)
rv = X509_CRL_sign_ctx(x, &mctx);
EVP_MD_CTX_cleanup(&mctx);
return rv > 0 ? 1 : 0;
}