Add support for signer_digest option in TS.
Based on PR#2145 Reviewed-by: Matt Caswell <matt@openssl.org>
parent
fa49924659
commit
e20b472751
@ -335,6 +335,7 @@ signer_cert = $dir/tsacert.pem # The TSA signing certificate
|
||||
certs = $dir.cacert.pem] # Certificate chain to include in reply
|
||||
# (optional)
|
||||
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
|
||||
signer_digest = sha1 # Signing digest to use. (Optional)
|
||||
|
||||
default_policy = tsa_policy1 # Policy if request did not specify it
|
||||
# (optional)
|
||||
|
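Review bot: The sample value `signer_digest = sha1` pins TSA responses to SHA-1, although TS_RESP_CTX_new() in this same commit defaults the context to EVP_sha256(). Because create_response() reads the digest from the config whenever none is given on the command line, anyone who copies this sample signs timestamp tokens with SHA-1 and never reaches the stronger default. I would ship `signer_digest = sha256 # Signing digest to use. (Optional)` here. The same line appears in the second config hunk at 335 and, if the tests do not depend on SHA-1, could be changed in the two test config hunks (132 and 156) as well.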
@ -335,7 +335,7 @@ signer_cert = $dir/tsacert.pem # The TSA signing certificate
|
||||
certs = $dir/cacert.pem # Certificate chain to include in reply
|
||||
# (optional)
|
||||
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
|
||||
|
||||
signer_digest = sha1 # Signing digest to use. (Optional)
|
||||
default_policy = tsa_policy1 # Policy if request did not specify it
|
||||
# (optional)
|
||||
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
|
||||
|
30
apps/ts.c
30
apps/ts.c
@ -95,14 +95,14 @@ static ASN1_INTEGER *create_nonce(int bits);
|
||||
/* Reply related functions. */
|
||||
static int reply_command(CONF *conf, char *section, char *engine,
|
||||
char *queryfile, char *passin, char *inkey,
|
||||
char *signer, char *chain, const char *policy,
|
||||
char *in, int token_in, char *out, int token_out,
|
||||
int text);
|
||||
const EVP_MD *md, char *signer, char *chain,
|
||||
const char *policy, char *in, int token_in,
|
||||
char *out, int token_out, int text);
|
||||
static TS_RESP *read_PKCS7(BIO *in_bio);
|
||||
static TS_RESP *create_response(CONF *conf, const char *section, char *engine,
|
||||
char *queryfile, char *passin,
|
||||
char *inkey, char *signer, char *chain,
|
||||
const char *policy);
|
||||
char *inkey, const EVP_MD *md, char *signer,
|
||||
char *chain, const char *policy);
|
||||
static ASN1_INTEGER *serial_cb(TS_RESP_CTX *ctx, void *data);
|
||||
static ASN1_INTEGER *next_serial(const char *serialfile);
|
||||
static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial);
|
||||
@ -342,7 +342,7 @@ int ts_main(int argc, char **argv)
|
||||
goto opthelp;
|
||||
}
|
||||
ret = !reply_command(conf, section, engine, queryfile,
|
||||
password, inkey, signer, chain, policy,
|
||||
password, inkey, md, signer, chain, policy,
|
||||
in, token_in, out, token_out, text);
|
||||
break;
|
||||
case OPT_VERIFY:
|
||||
@ -583,8 +583,8 @@ static ASN1_INTEGER *create_nonce(int bits)
|
||||
|
||||
static int reply_command(CONF *conf, char *section, char *engine,
|
||||
char *queryfile, char *passin, char *inkey,
|
||||
char *signer, char *chain, const char *policy,
|
||||
char *in, int token_in,
|
||||
const EVP_MD *md, char *signer, char *chain,
|
||||
const char *policy, char *in, int token_in,
|
||||
char *out, int token_out, int text)
|
||||
{
|
||||
int ret = 0;
|
||||
@ -605,7 +605,7 @@ static int reply_command(CONF *conf, char *section, char *engine,
|
||||
}
|
||||
} else {
|
||||
response = create_response(conf, section, engine, queryfile,
|
||||
passin, inkey, signer, chain, policy);
|
||||
passin, inkey, md, signer, chain, policy);
|
||||
if (response)
|
||||
BIO_printf(bio_err, "Response has been generated.\n");
|
||||
else
|
||||
@ -691,8 +691,8 @@ static TS_RESP *read_PKCS7(BIO *in_bio)
|
||||
|
||||
static TS_RESP *create_response(CONF *conf, const char *section, char *engine,
|
||||
char *queryfile, char *passin,
|
||||
char *inkey, char *signer, char *chain,
|
||||
const char *policy)
|
||||
char *inkey, const EVP_MD *md, char *signer,
|
||||
char *chain, const char *policy)
|
||||
{
|
||||
int ret = 0;
|
||||
TS_RESP *response = NULL;
|
||||
@ -717,6 +717,14 @@ static TS_RESP *create_response(CONF *conf, const char *section, char *engine,
|
||||
goto end;
|
||||
if (!TS_CONF_set_signer_key(conf, section, inkey, passin, resp_ctx))
|
||||
goto end;
|
||||
|
||||
if (md) {
|
||||
if (!TS_RESP_CTX_set_signer_digest(resp_ctx, md))
|
||||
goto end;
|
||||
} else if (!TS_CONF_set_signer_digest(conf, section, NULL, resp_ctx)) {
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (!TS_CONF_set_def_policy(conf, section, policy, resp_ctx))
|
||||
goto end;
|
||||
if (!TS_CONF_set_policies(conf, section, resp_ctx))
|
||||
|
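Review bot: In the create_response() hunk at 717, the `else if (!TS_CONF_set_signer_digest(conf, section, NULL, resp_ctx))` branch makes `signer_digest` mandatory whenever no digest is passed on the command line, because TS_CONF_set_signer_digest() reports a lookup failure and returns 0 when the key is absent. That contradicts the "(Optional)" wording in the config comments and the pod. It also means the EVP_sha256() default set in TS_RESP_CTX_new() is never used by this tool, and a config that lacks the key now fails here. Either treat a missing key as "keep the default", or document the real contract, e.g. `Signing digest to use. (Mandatory unless specified on the command line)`. create_response() starts and ends outside this hunk, so the `end:` path is not visible here.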
@ -75,6 +75,7 @@
|
||||
#define ENV_SIGNER_CERT "signer_cert"
|
||||
#define ENV_CERTS "certs"
|
||||
#define ENV_SIGNER_KEY "signer_key"
|
||||
#define ENV_SIGNER_DIGEST "signer_digest"
|
||||
#define ENV_DEFAULT_POLICY "default_policy"
|
||||
#define ENV_OTHER_POLICIES "other_policies"
|
||||
#define ENV_DIGESTS "digests"
|
||||
@ -304,6 +305,30 @@ int TS_CONF_set_signer_key(CONF *conf, const char *section,
|
||||
return ret;
|
||||
}
|
||||
|
||||
int TS_CONF_set_signer_digest(CONF *conf, const char *section,
|
||||
const char *md, TS_RESP_CTX *ctx)
|
||||
{
|
||||
int ret = 0;
|
||||
const EVP_MD *sign_md = NULL;
|
||||
if (md == NULL)
|
||||
md = NCONF_get_string(conf, section, ENV_SIGNER_DIGEST);
|
||||
if (md == NULL) {
|
||||
ts_CONF_lookup_fail(section, ENV_SIGNER_DIGEST);
|
||||
goto err;
|
||||
}
|
||||
sign_md = EVP_get_digestbyname(md);
|
||||
if (sign_md == NULL) {
|
||||
ts_CONF_invalid(section, ENV_SIGNER_DIGEST);
|
||||
goto err;
|
||||
}
|
||||
if (!TS_RESP_CTX_set_signer_digest(ctx, sign_md))
|
||||
goto err;
|
||||
|
||||
ret = 1;
|
||||
err:
|
||||
return ret;
|
||||
}
|
||||
|
||||
int TS_CONF_set_def_policy(CONF *conf, const char *section,
|
||||
const char *policy, TS_RESP_CTX *ctx)
|
||||
{
|
||||
|
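Review bot: TS_CONF_set_signer_digest() accepts whatever name EVP_get_digestbyname() resolves, so a config line such as `signer_digest = md5` is taken as-is for signing timestamp responses. If enforcing a minimum strength is out of scope for this function, that should at least be stated. I would add above the definition `/* Accepts any digest name known to EVP_get_digestbyname(); no minimum strength is enforced here. */`. The function also has no header comment saying that a NULL `md` means "read signer_digest from the config section", which is the case its caller in apps/ts.c relies on.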
@ -183,6 +183,7 @@ struct ESS_signing_cert {
|
||||
struct TS_resp_ctx {
|
||||
X509 *signer_cert;
|
||||
EVP_PKEY *signer_key;
|
||||
const EVP_MD *signer_md;
|
||||
STACK_OF(X509) *certs; /* Certs to include in signed data. */
|
||||
STACK_OF(ASN1_OBJECT) *policies; /* Acceptable policies. */
|
||||
ASN1_OBJECT *default_policy; /* It may appear in policies, too. */
|
||||
|
@ -169,6 +169,8 @@ TS_RESP_CTX *TS_RESP_CTX_new()
|
||||
return NULL;
|
||||
}
|
||||
|
||||
ctx->signer_md = EVP_sha256();
|
||||
|
||||
ctx->serial_cb = def_serial_cb;
|
||||
ctx->time_cb = def_time_cb;
|
||||
ctx->extension_cb = def_extension_cb;
|
||||
@ -215,6 +217,12 @@ int TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key)
|
||||
return 1;
|
||||
}
|
||||
|
||||
int TS_RESP_CTX_set_signer_digest(TS_RESP_CTX *ctx, const EVP_MD *md)
|
||||
{
|
||||
ctx->signer_md = md;
|
||||
return 1;
|
||||
}
|
||||
|
||||
int TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *def_policy)
|
||||
{
|
||||
ASN1_OBJECT_free(ctx->default_policy);
|
||||
@ -700,7 +708,7 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx)
|
||||
}
|
||||
|
||||
if ((si = PKCS7_add_signature(p7, ctx->signer_cert,
|
||||
ctx->signer_key, EVP_sha1())) == NULL) {
|
||||
ctx->signer_key, ctx->signer_md)) == NULL) {
|
||||
TSerr(TS_F_TS_RESP_SIGN, TS_R_PKCS7_ADD_SIGNATURE_ERROR);
|
||||
goto err;
|
||||
}
|
||||
|
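Review bot: TS_RESP_CTX_set_signer_digest() stores `md` unchecked and always returns 1, so a NULL argument silently replaces the EVP_sha256() default from TS_RESP_CTX_new(). For the same reason, the `if (!TS_RESP_CTX_set_signer_digest(...))` tests in the callers can never fire. ts_RESP_sign() then passes `ctx->signer_md` straight to PKCS7_add_signature(); what that call does with NULL is not visible on this page. I would reject NULL in the setter with `if (md == NULL) return 0;` before the assignment, ideally with a TSerr() as ts_RESP_sign() uses. ts_RESP_sign() continues outside the last hunk.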
@ -28,6 +28,7 @@ B<-reply>
|
||||
[B<-passin> password_src]
|
||||
[B<-signer> tsa_cert.pem]
|
||||
[B<-inkey> private.pem]
|
||||
[B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>]
|
||||
[B<-chain> certs_file.pem]
|
||||
[B<-policy> object_id]
|
||||
[B<-in> response.tsr]
|
||||
@ -215,6 +216,11 @@ variable of the config file. (Optional)
|
||||
The signer private key of the TSA in PEM format. Overrides the
|
||||
B<signer_key> config file option. (Optional)
|
||||
|
||||
=item B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>
|
||||
|
||||
Signing digest to use. Overrides the B<signer_digest> config file
|
||||
option. (Optional)
|
||||
|
||||
=item B<-chain> certs_file.pem
|
||||
|
||||
The collection of certificates in PEM format that will all
|
||||
@ -396,6 +402,12 @@ option. (Optional)
|
||||
The private key of the TSA in PEM format. The same as the B<-inkey>
|
||||
command line option. (Optional)
|
||||
|
||||
=item B<signer_digest>
|
||||
|
||||
Signing digest to use. The same as the
|
||||
B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>
|
||||
command line option. (Optional)
|
||||
|
||||
=item B<default_policy>
|
||||
|
||||
The default policy to use when the request does not mandate any
|
||||
|
@ -371,6 +371,9 @@ int TS_RESP_CTX_set_signer_cert(TS_RESP_CTX *ctx, X509 *signer);
|
||||
/* This parameter must be set. */
|
||||
int TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key);
|
||||
|
||||
int TS_RESP_CTX_set_signer_digest(TS_RESP_CTX *ctx,
|
||||
const EVP_MD *signer_digest);
|
||||
|
||||
/* This parameter must be set. */
|
||||
int TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *def_policy);
|
||||
|
||||
@ -564,6 +567,8 @@ int TS_CONF_set_certs(CONF *conf, const char *section, const char *certs,
|
||||
int TS_CONF_set_signer_key(CONF *conf, const char *section,
|
||||
const char *key, const char *pass,
|
||||
TS_RESP_CTX *ctx);
|
||||
int TS_CONF_set_signer_digest(CONF *conf, const char *section,
|
||||
const char *md, TS_RESP_CTX *ctx);
|
||||
int TS_CONF_set_def_policy(CONF *conf, const char *section,
|
||||
const char *policy, TS_RESP_CTX *ctx);
|
||||
int TS_CONF_set_policies(CONF *conf, const char *section, TS_RESP_CTX *ctx);
|
||||
|
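Review bot: The new TS_RESP_CTX_set_signer_digest() prototype has no comment, while the setters on either side of it carry `/* This parameter must be set. */`. Since TS_RESP_CTX_new() now initialises the digest to EVP_sha256(), I would add `/* Optional: the context defaults to SHA-256 when this is not called. */` above it. The parameter is named `signer_digest` here but `md` in the definition; using one name in both places would read better.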
@ -132,7 +132,7 @@ signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate
|
||||
certs = $dir/tsaca.pem # Certificate chain to include in reply
|
||||
# (optional)
|
||||
signer_key = $dir/tsa_key1.pem # The TSA private key (optional)
|
||||
|
||||
signer_digest = sha1 # Signing digest to use. (Optional)
|
||||
default_policy = tsa_policy1 # Policy if request did not specify it
|
||||
# (optional)
|
||||
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
|
||||
@ -156,7 +156,7 @@ signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate
|
||||
certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply
|
||||
# (optional)
|
||||
signer_key = $dir/tsa_key2.pem # The TSA private key (optional)
|
||||
|
||||
signer_digest = sha1 # Signing digest to use. (Optional)
|
||||
default_policy = tsa_policy1 # Policy if request did not specify it
|
||||
# (optional)
|
||||
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
|
||||
|