pki: Optionally generate RSA/PSS signatures
This commit is contained in:
parent
9b828ee85f
commit
d57af8dde0
|
@ -34,7 +34,7 @@
|
||||||
/**
|
/**
|
||||||
* Maximum number of usage summary lines (+1)
|
* Maximum number of usage summary lines (+1)
|
||||||
*/
|
*/
|
||||||
#define MAX_LINES 11
|
#define MAX_LINES 12
|
||||||
|
|
||||||
typedef struct command_t command_t;
|
typedef struct command_t command_t;
|
||||||
typedef struct command_option_t command_option_t;
|
typedef struct command_option_t command_option_t;
|
||||||
|
|
|
@ -33,6 +33,7 @@ static int acert()
|
||||||
{
|
{
|
||||||
cred_encoding_type_t form = CERT_ASN1_DER;
|
cred_encoding_type_t form = CERT_ASN1_DER;
|
||||||
hash_algorithm_t digest = HASH_UNKNOWN;
|
hash_algorithm_t digest = HASH_UNKNOWN;
|
||||||
|
signature_params_t *scheme = NULL;
|
||||||
certificate_t *ac = NULL, *cert = NULL, *issuer =NULL;
|
certificate_t *ac = NULL, *cert = NULL, *issuer =NULL;
|
||||||
private_key_t *private = NULL;
|
private_key_t *private = NULL;
|
||||||
public_key_t *public = NULL;
|
public_key_t *public = NULL;
|
||||||
|
@ -44,6 +45,7 @@ static int acert()
|
||||||
char *datenb = NULL, *datena = NULL, *dateform = NULL;
|
char *datenb = NULL, *datena = NULL, *dateform = NULL;
|
||||||
rng_t *rng;
|
rng_t *rng;
|
||||||
char *arg;
|
char *arg;
|
||||||
|
bool pss = FALSE;
|
||||||
|
|
||||||
groups = linked_list_create();
|
groups = linked_list_create();
|
||||||
|
|
||||||
|
@ -60,6 +62,17 @@ static int acert()
|
||||||
goto usage;
|
goto usage;
|
||||||
}
|
}
|
||||||
continue;
|
continue;
|
||||||
|
case 'R':
|
||||||
|
if (streq(arg, "pss"))
|
||||||
|
{
|
||||||
|
pss = TRUE;
|
||||||
|
}
|
||||||
|
else if (!streq(arg, "pkcs1"))
|
||||||
|
{
|
||||||
|
error = "invalid RSA padding";
|
||||||
|
goto usage;
|
||||||
|
}
|
||||||
|
continue;
|
||||||
case 'i':
|
case 'i':
|
||||||
file = arg;
|
file = arg;
|
||||||
continue;
|
continue;
|
||||||
|
@ -162,10 +175,6 @@ static int acert()
|
||||||
error = "loading issuer private key failed";
|
error = "loading issuer private key failed";
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
if (digest == HASH_UNKNOWN)
|
|
||||||
{
|
|
||||||
digest = get_default_digest(private);
|
|
||||||
}
|
|
||||||
if (!private->belongs_to(private, public))
|
if (!private->belongs_to(private, public))
|
||||||
{
|
{
|
||||||
error = "issuer private key does not match issuer certificate";
|
error = "issuer private key does not match issuer certificate";
|
||||||
|
@ -217,6 +226,7 @@ static int acert()
|
||||||
error = "parsing user certificate failed";
|
error = "parsing user certificate failed";
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
|
scheme = get_signature_scheme(private, digest, pss);
|
||||||
|
|
||||||
ac = lib->creds->create(lib->creds,
|
ac = lib->creds->create(lib->creds,
|
||||||
CRED_CERTIFICATE, CERT_X509_AC,
|
CRED_CERTIFICATE, CERT_X509_AC,
|
||||||
|
@ -227,7 +237,7 @@ static int acert()
|
||||||
BUILD_AC_GROUP_STRINGS, groups,
|
BUILD_AC_GROUP_STRINGS, groups,
|
||||||
BUILD_SIGNING_CERT, issuer,
|
BUILD_SIGNING_CERT, issuer,
|
||||||
BUILD_SIGNING_KEY, private,
|
BUILD_SIGNING_KEY, private,
|
||||||
BUILD_DIGEST_ALG, digest,
|
BUILD_SIGNATURE_SCHEME, scheme,
|
||||||
BUILD_END);
|
BUILD_END);
|
||||||
if (!ac)
|
if (!ac)
|
||||||
{
|
{
|
||||||
|
@ -253,6 +263,7 @@ end:
|
||||||
DESTROY_IF(public);
|
DESTROY_IF(public);
|
||||||
DESTROY_IF(private);
|
DESTROY_IF(private);
|
||||||
groups->destroy(groups);
|
groups->destroy(groups);
|
||||||
|
signature_params_destroy(scheme);
|
||||||
free(encoding.ptr);
|
free(encoding.ptr);
|
||||||
free(serial.ptr);
|
free(serial.ptr);
|
||||||
|
|
||||||
|
@ -280,6 +291,7 @@ static void __attribute__ ((constructor))reg()
|
||||||
" --issuercert file [--serial hex] [--lifetime hours]",
|
" --issuercert file [--serial hex] [--lifetime hours]",
|
||||||
" [--not-before datetime] [--not-after datetime] [--dateform form]",
|
" [--not-before datetime] [--not-after datetime] [--dateform form]",
|
||||||
"[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
|
"[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
|
||||||
|
"[--rsa-padding pkcs1|pss]",
|
||||||
"[--outform der|pem]"},
|
"[--outform der|pem]"},
|
||||||
{
|
{
|
||||||
{"help", 'h', 0, "show usage information"},
|
{"help", 'h', 0, "show usage information"},
|
||||||
|
@ -294,6 +306,7 @@ static void __attribute__ ((constructor))reg()
|
||||||
{"not-after", 'T', 1, "date/time the validity of the AC ends"},
|
{"not-after", 'T', 1, "date/time the validity of the AC ends"},
|
||||||
{"dateform", 'D', 1, "strptime(3) input format, default: %d.%m.%y %T"},
|
{"dateform", 'D', 1, "strptime(3) input format, default: %d.%m.%y %T"},
|
||||||
{"digest", 'g', 1, "digest for signature creation, default: key-specific"},
|
{"digest", 'g', 1, "digest for signature creation, default: key-specific"},
|
||||||
|
{"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"},
|
||||||
{"outform", 'f', 1, "encoding of generated cert, default: der"},
|
{"outform", 'f', 1, "encoding of generated cert, default: der"},
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
|
@ -61,12 +61,13 @@ static int issue()
|
||||||
{
|
{
|
||||||
cred_encoding_type_t form = CERT_ASN1_DER;
|
cred_encoding_type_t form = CERT_ASN1_DER;
|
||||||
hash_algorithm_t digest = HASH_UNKNOWN;
|
hash_algorithm_t digest = HASH_UNKNOWN;
|
||||||
|
signature_params_t *scheme = NULL;
|
||||||
certificate_t *cert_req = NULL, *cert = NULL, *ca =NULL;
|
certificate_t *cert_req = NULL, *cert = NULL, *ca =NULL;
|
||||||
private_key_t *private = NULL;
|
private_key_t *private = NULL;
|
||||||
public_key_t *public = NULL;
|
public_key_t *public = NULL;
|
||||||
credential_type_t type = CRED_PUBLIC_KEY;
|
credential_type_t type = CRED_PUBLIC_KEY;
|
||||||
key_type_t subtype = KEY_ANY;
|
key_type_t subtype = KEY_ANY;
|
||||||
bool pkcs10 = FALSE;
|
bool pkcs10 = FALSE, pss = FALSE;
|
||||||
char *file = NULL, *dn = NULL, *hex = NULL, *cacert = NULL, *cakey = NULL;
|
char *file = NULL, *dn = NULL, *hex = NULL, *cacert = NULL, *cakey = NULL;
|
||||||
char *error = NULL, *keyid = NULL;
|
char *error = NULL, *keyid = NULL;
|
||||||
identification_t *id = NULL;
|
identification_t *id = NULL;
|
||||||
|
@ -143,6 +144,17 @@ static int issue()
|
||||||
goto usage;
|
goto usage;
|
||||||
}
|
}
|
||||||
continue;
|
continue;
|
||||||
|
case 'R':
|
||||||
|
if (streq(arg, "pss"))
|
||||||
|
{
|
||||||
|
pss = TRUE;
|
||||||
|
}
|
||||||
|
else if (!streq(arg, "pkcs1"))
|
||||||
|
{
|
||||||
|
error = "invalid RSA padding";
|
||||||
|
goto usage;
|
||||||
|
}
|
||||||
|
continue;
|
||||||
case 'i':
|
case 'i':
|
||||||
file = arg;
|
file = arg;
|
||||||
continue;
|
continue;
|
||||||
|
@ -396,10 +408,6 @@ static int issue()
|
||||||
error = "loading CA private key failed";
|
error = "loading CA private key failed";
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
if (digest == HASH_UNKNOWN)
|
|
||||||
{
|
|
||||||
digest = get_default_digest(private);
|
|
||||||
}
|
|
||||||
if (!private->belongs_to(private, public))
|
if (!private->belongs_to(private, public))
|
||||||
{
|
{
|
||||||
error = "CA private key does not match CA certificate";
|
error = "CA private key does not match CA certificate";
|
||||||
|
@ -525,11 +533,12 @@ static int issue()
|
||||||
id = identification_create_from_encoding(ID_DER_ASN1_DN,
|
id = identification_create_from_encoding(ID_DER_ASN1_DN,
|
||||||
chunk_from_chars(ASN1_SEQUENCE, 0));
|
chunk_from_chars(ASN1_SEQUENCE, 0));
|
||||||
}
|
}
|
||||||
|
scheme = get_signature_scheme(private, digest, pss);
|
||||||
|
|
||||||
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
|
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
|
||||||
BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca,
|
BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca,
|
||||||
BUILD_PUBLIC_KEY, public, BUILD_SUBJECT, id,
|
BUILD_PUBLIC_KEY, public, BUILD_SUBJECT, id,
|
||||||
BUILD_NOT_BEFORE_TIME, not_before, BUILD_DIGEST_ALG, digest,
|
BUILD_NOT_BEFORE_TIME, not_before,
|
||||||
BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
|
BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
|
||||||
BUILD_SUBJECT_ALTNAMES, san, BUILD_X509_FLAG, flags,
|
BUILD_SUBJECT_ALTNAMES, san, BUILD_X509_FLAG, flags,
|
||||||
BUILD_PATHLEN, pathlen, BUILD_ADDRBLOCKS, addrblocks,
|
BUILD_PATHLEN, pathlen, BUILD_ADDRBLOCKS, addrblocks,
|
||||||
|
@ -542,6 +551,7 @@ static int issue()
|
||||||
BUILD_POLICY_REQUIRE_EXPLICIT, require_explicit,
|
BUILD_POLICY_REQUIRE_EXPLICIT, require_explicit,
|
||||||
BUILD_POLICY_INHIBIT_MAPPING, inhibit_mapping,
|
BUILD_POLICY_INHIBIT_MAPPING, inhibit_mapping,
|
||||||
BUILD_POLICY_INHIBIT_ANY, inhibit_any,
|
BUILD_POLICY_INHIBIT_ANY, inhibit_any,
|
||||||
|
BUILD_SIGNATURE_SCHEME, scheme,
|
||||||
BUILD_END);
|
BUILD_END);
|
||||||
if (!cert)
|
if (!cert)
|
||||||
{
|
{
|
||||||
|
@ -575,6 +585,7 @@ end:
|
||||||
mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
|
mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
|
||||||
cdps->destroy_function(cdps, (void*)destroy_cdp);
|
cdps->destroy_function(cdps, (void*)destroy_cdp);
|
||||||
ocsp->destroy(ocsp);
|
ocsp->destroy(ocsp);
|
||||||
|
signature_params_destroy(scheme);
|
||||||
free(encoding.ptr);
|
free(encoding.ptr);
|
||||||
free(serial.ptr);
|
free(serial.ptr);
|
||||||
|
|
||||||
|
@ -614,6 +625,7 @@ static void __attribute__ ((constructor))reg()
|
||||||
"[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
|
"[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
|
||||||
"[--cert-policy oid [--cps-uri uri] [--user-notice text]]+",
|
"[--cert-policy oid [--cps-uri uri] [--user-notice text]]+",
|
||||||
"[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
|
"[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
|
||||||
|
"[--rsa-padding pkcs1|pss]",
|
||||||
"[--outform der|pem]"},
|
"[--outform der|pem]"},
|
||||||
{
|
{
|
||||||
{"help", 'h', 0, "show usage information"},
|
{"help", 'h', 0, "show usage information"},
|
||||||
|
@ -646,6 +658,7 @@ static void __attribute__ ((constructor))reg()
|
||||||
{"crlissuer", 'I', 1, "CRL Issuer for CRL at distribution point"},
|
{"crlissuer", 'I', 1, "CRL Issuer for CRL at distribution point"},
|
||||||
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
|
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
|
||||||
{"digest", 'g', 1, "digest for signature creation, default: key-specific"},
|
{"digest", 'g', 1, "digest for signature creation, default: key-specific"},
|
||||||
|
{"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"},
|
||||||
{"outform", 'f', 1, "encoding of generated cert, default: der"},
|
{"outform", 'f', 1, "encoding of generated cert, default: der"},
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
|
@ -30,6 +30,7 @@ static int req()
|
||||||
cred_encoding_type_t form = CERT_ASN1_DER;
|
cred_encoding_type_t form = CERT_ASN1_DER;
|
||||||
key_type_t type = KEY_ANY;
|
key_type_t type = KEY_ANY;
|
||||||
hash_algorithm_t digest = HASH_UNKNOWN;
|
hash_algorithm_t digest = HASH_UNKNOWN;
|
||||||
|
signature_params_t *scheme = NULL;
|
||||||
certificate_t *cert = NULL;
|
certificate_t *cert = NULL;
|
||||||
private_key_t *private = NULL;
|
private_key_t *private = NULL;
|
||||||
char *file = NULL, *keyid = NULL, *dn = NULL, *error = NULL;
|
char *file = NULL, *keyid = NULL, *dn = NULL, *error = NULL;
|
||||||
|
@ -38,6 +39,7 @@ static int req()
|
||||||
chunk_t encoding = chunk_empty;
|
chunk_t encoding = chunk_empty;
|
||||||
chunk_t challenge_password = chunk_empty;
|
chunk_t challenge_password = chunk_empty;
|
||||||
char *arg;
|
char *arg;
|
||||||
|
bool pss = FALSE;
|
||||||
|
|
||||||
san = linked_list_create();
|
san = linked_list_create();
|
||||||
|
|
||||||
|
@ -77,6 +79,17 @@ static int req()
|
||||||
goto usage;
|
goto usage;
|
||||||
}
|
}
|
||||||
continue;
|
continue;
|
||||||
|
case 'R':
|
||||||
|
if (streq(arg, "pss"))
|
||||||
|
{
|
||||||
|
pss = TRUE;
|
||||||
|
}
|
||||||
|
else if (!streq(arg, "pkcs1"))
|
||||||
|
{
|
||||||
|
error = "invalid RSA padding";
|
||||||
|
goto usage;
|
||||||
|
}
|
||||||
|
continue;
|
||||||
case 'i':
|
case 'i':
|
||||||
file = arg;
|
file = arg;
|
||||||
continue;
|
continue;
|
||||||
|
@ -153,16 +166,14 @@ static int req()
|
||||||
error = "parsing private key failed";
|
error = "parsing private key failed";
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
if (digest == HASH_UNKNOWN)
|
scheme = get_signature_scheme(private, digest, pss);
|
||||||
{
|
|
||||||
digest = get_default_digest(private);
|
|
||||||
}
|
|
||||||
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST,
|
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST,
|
||||||
BUILD_SIGNING_KEY, private,
|
BUILD_SIGNING_KEY, private,
|
||||||
BUILD_SUBJECT, id,
|
BUILD_SUBJECT, id,
|
||||||
BUILD_SUBJECT_ALTNAMES, san,
|
BUILD_SUBJECT_ALTNAMES, san,
|
||||||
BUILD_CHALLENGE_PWD, challenge_password,
|
BUILD_CHALLENGE_PWD, challenge_password,
|
||||||
BUILD_DIGEST_ALG, digest,
|
BUILD_SIGNATURE_SCHEME, scheme,
|
||||||
BUILD_END);
|
BUILD_END);
|
||||||
if (!cert)
|
if (!cert)
|
||||||
{
|
{
|
||||||
|
@ -186,6 +197,7 @@ end:
|
||||||
DESTROY_IF(cert);
|
DESTROY_IF(cert);
|
||||||
DESTROY_IF(private);
|
DESTROY_IF(private);
|
||||||
san->destroy_offset(san, offsetof(identification_t, destroy));
|
san->destroy_offset(san, offsetof(identification_t, destroy));
|
||||||
|
signature_params_destroy(scheme);
|
||||||
free(encoding.ptr);
|
free(encoding.ptr);
|
||||||
|
|
||||||
if (error)
|
if (error)
|
||||||
|
@ -211,17 +223,19 @@ static void __attribute__ ((constructor))reg()
|
||||||
{"[--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv] --dn distinguished-name",
|
{"[--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv] --dn distinguished-name",
|
||||||
"[--san subjectAltName]+ [--password challengePassword]",
|
"[--san subjectAltName]+ [--password challengePassword]",
|
||||||
"[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
|
"[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
|
||||||
|
"[--rsa-padding pkcs1|pss]",
|
||||||
"[--outform der|pem]"},
|
"[--outform der|pem]"},
|
||||||
{
|
{
|
||||||
{"help", 'h', 0, "show usage information"},
|
{"help", 'h', 0, "show usage information"},
|
||||||
{"in", 'i', 1, "private key input file, default: stdin"},
|
{"in", 'i', 1, "private key input file, default: stdin"},
|
||||||
{"keyid", 'x', 1, "smartcard or TPM private key object handle"},
|
{"keyid", 'x', 1, "smartcard or TPM private key object handle"},
|
||||||
{"type", 't', 1, "type of input key, default: priv"},
|
{"type", 't', 1, "type of input key, default: priv"},
|
||||||
{"dn", 'd', 1, "subject distinguished name"},
|
{"dn", 'd', 1, "subject distinguished name"},
|
||||||
{"san", 'a', 1, "subjectAltName to include in cert request"},
|
{"san", 'a', 1, "subjectAltName to include in cert request"},
|
||||||
{"password",'p', 1, "challengePassword to include in cert request"},
|
{"password", 'p', 1, "challengePassword to include in cert request"},
|
||||||
{"digest", 'g', 1, "digest for signature creation, default: key-specific"},
|
{"digest", 'g', 1, "digest for signature creation, default: key-specific"},
|
||||||
{"outform", 'f', 1, "encoding of generated request, default: der"},
|
{"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"},
|
||||||
|
{"outform", 'f', 1, "encoding of generated request, default: der"},
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
|
@ -52,6 +52,7 @@ static int self()
|
||||||
cred_encoding_type_t form = CERT_ASN1_DER;
|
cred_encoding_type_t form = CERT_ASN1_DER;
|
||||||
key_type_t type = KEY_ANY;
|
key_type_t type = KEY_ANY;
|
||||||
hash_algorithm_t digest = HASH_UNKNOWN;
|
hash_algorithm_t digest = HASH_UNKNOWN;
|
||||||
|
signature_params_t *scheme = NULL;
|
||||||
certificate_t *cert = NULL;
|
certificate_t *cert = NULL;
|
||||||
private_key_t *private = NULL;
|
private_key_t *private = NULL;
|
||||||
public_key_t *public = NULL;
|
public_key_t *public = NULL;
|
||||||
|
@ -70,6 +71,7 @@ static int self()
|
||||||
x509_cert_policy_t *policy = NULL;
|
x509_cert_policy_t *policy = NULL;
|
||||||
traffic_selector_t *ts;
|
traffic_selector_t *ts;
|
||||||
char *arg;
|
char *arg;
|
||||||
|
bool pss = FALSE;
|
||||||
|
|
||||||
san = linked_list_create();
|
san = linked_list_create();
|
||||||
ocsp = linked_list_create();
|
ocsp = linked_list_create();
|
||||||
|
@ -119,6 +121,17 @@ static int self()
|
||||||
goto usage;
|
goto usage;
|
||||||
}
|
}
|
||||||
continue;
|
continue;
|
||||||
|
case 'R':
|
||||||
|
if (streq(arg, "pss"))
|
||||||
|
{
|
||||||
|
pss = TRUE;
|
||||||
|
}
|
||||||
|
else if (!streq(arg, "pkcs1"))
|
||||||
|
{
|
||||||
|
error = "invalid RSA padding";
|
||||||
|
goto usage;
|
||||||
|
}
|
||||||
|
continue;
|
||||||
case 'i':
|
case 'i':
|
||||||
file = arg;
|
file = arg;
|
||||||
continue;
|
continue;
|
||||||
|
@ -335,10 +348,6 @@ static int self()
|
||||||
error = "loading private key failed";
|
error = "loading private key failed";
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
if (digest == HASH_UNKNOWN)
|
|
||||||
{
|
|
||||||
digest = get_default_digest(private);
|
|
||||||
}
|
|
||||||
public = private->get_public_key(private);
|
public = private->get_public_key(private);
|
||||||
if (!public)
|
if (!public)
|
||||||
{
|
{
|
||||||
|
@ -367,11 +376,13 @@ static int self()
|
||||||
serial.ptr[0] &= 0x7F;
|
serial.ptr[0] &= 0x7F;
|
||||||
rng->destroy(rng);
|
rng->destroy(rng);
|
||||||
}
|
}
|
||||||
|
scheme = get_signature_scheme(private, digest, pss);
|
||||||
|
|
||||||
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
|
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
|
||||||
BUILD_SIGNING_KEY, private, BUILD_PUBLIC_KEY, public,
|
BUILD_SIGNING_KEY, private, BUILD_PUBLIC_KEY, public,
|
||||||
BUILD_SUBJECT, id, BUILD_NOT_BEFORE_TIME, not_before,
|
BUILD_SUBJECT, id, BUILD_NOT_BEFORE_TIME, not_before,
|
||||||
BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
|
BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
|
||||||
BUILD_DIGEST_ALG, digest, BUILD_X509_FLAG, flags,
|
BUILD_SIGNATURE_SCHEME, scheme, BUILD_X509_FLAG, flags,
|
||||||
BUILD_PATHLEN, pathlen, BUILD_SUBJECT_ALTNAMES, san,
|
BUILD_PATHLEN, pathlen, BUILD_SUBJECT_ALTNAMES, san,
|
||||||
BUILD_ADDRBLOCKS, addrblocks,
|
BUILD_ADDRBLOCKS, addrblocks,
|
||||||
BUILD_OCSP_ACCESS_LOCATIONS, ocsp,
|
BUILD_OCSP_ACCESS_LOCATIONS, ocsp,
|
||||||
|
@ -412,6 +423,7 @@ end:
|
||||||
policies->destroy_function(policies, (void*)destroy_cert_policy);
|
policies->destroy_function(policies, (void*)destroy_cert_policy);
|
||||||
mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
|
mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
|
||||||
ocsp->destroy(ocsp);
|
ocsp->destroy(ocsp);
|
||||||
|
signature_params_destroy(scheme);
|
||||||
free(encoding.ptr);
|
free(encoding.ptr);
|
||||||
free(serial.ptr);
|
free(serial.ptr);
|
||||||
|
|
||||||
|
@ -450,6 +462,7 @@ static void __attribute__ ((constructor))reg()
|
||||||
"[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
|
"[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
|
||||||
"[--cert-policy oid [--cps-uri uri] [--user-notice text]]+",
|
"[--cert-policy oid [--cps-uri uri] [--user-notice text]]+",
|
||||||
"[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
|
"[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
|
||||||
|
"[--rsa-padding pkcs1|pss]",
|
||||||
"[--outform der|pem]"},
|
"[--outform der|pem]"},
|
||||||
{
|
{
|
||||||
{"help", 'h', 0, "show usage information"},
|
{"help", 'h', 0, "show usage information"},
|
||||||
|
@ -478,6 +491,7 @@ static void __attribute__ ((constructor))reg()
|
||||||
{"flag", 'e', 1, "include extendedKeyUsage flag"},
|
{"flag", 'e', 1, "include extendedKeyUsage flag"},
|
||||||
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
|
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
|
||||||
{"digest", 'g', 1, "digest for signature creation, default: key-specific"},
|
{"digest", 'g', 1, "digest for signature creation, default: key-specific"},
|
||||||
|
{"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"},
|
||||||
{"outform", 'f', 1, "encoding of generated cert, default: der"},
|
{"outform", 'f', 1, "encoding of generated cert, default: der"},
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
|
@ -120,6 +120,7 @@ static int sign_crl()
|
||||||
crl_t *lastcrl = NULL;
|
crl_t *lastcrl = NULL;
|
||||||
x509_t *x509;
|
x509_t *x509;
|
||||||
hash_algorithm_t digest = HASH_UNKNOWN;
|
hash_algorithm_t digest = HASH_UNKNOWN;
|
||||||
|
signature_params_t *scheme = NULL;
|
||||||
char *arg, *cacert = NULL, *cakey = NULL, *lastupdate = NULL, *error = NULL;
|
char *arg, *cacert = NULL, *cakey = NULL, *lastupdate = NULL, *error = NULL;
|
||||||
char *basecrl = NULL;
|
char *basecrl = NULL;
|
||||||
char serial[512], *keyid = NULL;
|
char serial[512], *keyid = NULL;
|
||||||
|
@ -133,6 +134,7 @@ static int sign_crl()
|
||||||
x509_cdp_t *cdp;
|
x509_cdp_t *cdp;
|
||||||
chunk_t crl_serial = chunk_empty, baseCrlNumber = chunk_empty;
|
chunk_t crl_serial = chunk_empty, baseCrlNumber = chunk_empty;
|
||||||
chunk_t encoding = chunk_empty;
|
chunk_t encoding = chunk_empty;
|
||||||
|
bool pss = FALSE;
|
||||||
|
|
||||||
list = linked_list_create();
|
list = linked_list_create();
|
||||||
cdps = linked_list_create();
|
cdps = linked_list_create();
|
||||||
|
@ -150,6 +152,17 @@ static int sign_crl()
|
||||||
goto usage;
|
goto usage;
|
||||||
}
|
}
|
||||||
continue;
|
continue;
|
||||||
|
case 'R':
|
||||||
|
if (streq(arg, "pss"))
|
||||||
|
{
|
||||||
|
pss = TRUE;
|
||||||
|
}
|
||||||
|
else if (!streq(arg, "pkcs1"))
|
||||||
|
{
|
||||||
|
error = "invalid RSA padding";
|
||||||
|
goto usage;
|
||||||
|
}
|
||||||
|
continue;
|
||||||
case 'c':
|
case 'c':
|
||||||
cacert = arg;
|
cacert = arg;
|
||||||
continue;
|
continue;
|
||||||
|
@ -332,10 +345,6 @@ static int sign_crl()
|
||||||
error = "loading CA private key failed";
|
error = "loading CA private key failed";
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
if (digest == HASH_UNKNOWN)
|
|
||||||
{
|
|
||||||
digest = get_default_digest(private);
|
|
||||||
}
|
|
||||||
if (!private->belongs_to(private, public))
|
if (!private->belongs_to(private, public))
|
||||||
{
|
{
|
||||||
error = "CA private key does not match CA certificate";
|
error = "CA private key does not match CA certificate";
|
||||||
|
@ -390,6 +399,7 @@ static int sign_crl()
|
||||||
/* increment the serial number by one */
|
/* increment the serial number by one */
|
||||||
chunk_increment(crl_serial);
|
chunk_increment(crl_serial);
|
||||||
|
|
||||||
|
scheme = get_signature_scheme(private, digest, pss);
|
||||||
enumerator = enumerator_create_filter(list->create_enumerator(list),
|
enumerator = enumerator_create_filter(list->create_enumerator(list),
|
||||||
filter, NULL, NULL);
|
filter, NULL, NULL);
|
||||||
crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
|
crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
|
||||||
|
@ -397,7 +407,7 @@ static int sign_crl()
|
||||||
BUILD_SERIAL, crl_serial,
|
BUILD_SERIAL, crl_serial,
|
||||||
BUILD_NOT_BEFORE_TIME, thisUpdate, BUILD_NOT_AFTER_TIME, nextUpdate,
|
BUILD_NOT_BEFORE_TIME, thisUpdate, BUILD_NOT_AFTER_TIME, nextUpdate,
|
||||||
BUILD_REVOKED_ENUMERATOR, enumerator,
|
BUILD_REVOKED_ENUMERATOR, enumerator,
|
||||||
BUILD_REVOKED_ENUMERATOR, lastenum, BUILD_DIGEST_ALG, digest,
|
BUILD_REVOKED_ENUMERATOR, lastenum, BUILD_SIGNATURE_SCHEME, scheme,
|
||||||
BUILD_CRL_DISTRIBUTION_POINTS, cdps, BUILD_BASE_CRL, baseCrlNumber,
|
BUILD_CRL_DISTRIBUTION_POINTS, cdps, BUILD_BASE_CRL, baseCrlNumber,
|
||||||
BUILD_END);
|
BUILD_END);
|
||||||
enumerator->destroy(enumerator);
|
enumerator->destroy(enumerator);
|
||||||
|
@ -427,6 +437,7 @@ error:
|
||||||
DESTROY_IF(private);
|
DESTROY_IF(private);
|
||||||
DESTROY_IF(ca);
|
DESTROY_IF(ca);
|
||||||
DESTROY_IF(crl);
|
DESTROY_IF(crl);
|
||||||
|
signature_params_destroy(scheme);
|
||||||
free(encoding.ptr);
|
free(encoding.ptr);
|
||||||
free(baseCrlNumber.ptr);
|
free(baseCrlNumber.ptr);
|
||||||
list->destroy_function(list, (void*)revoked_destroy);
|
list->destroy_function(list, (void*)revoked_destroy);
|
||||||
|
@ -458,6 +469,7 @@ static void __attribute__ ((constructor))reg()
|
||||||
" superseded|cessation-of-operation|certificate-hold]",
|
" superseded|cessation-of-operation|certificate-hold]",
|
||||||
" [--date timestamp] --cert file|--serial hex]*",
|
" [--date timestamp] --cert file|--serial hex]*",
|
||||||
"[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
|
"[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
|
||||||
|
"[--rsa-padding pkcs1|pss]",
|
||||||
"[--outform der|pem]"},
|
"[--outform der|pem]"},
|
||||||
{
|
{
|
||||||
{"help", 'h', 0, "show usage information"},
|
{"help", 'h', 0, "show usage information"},
|
||||||
|
@ -476,6 +488,7 @@ static void __attribute__ ((constructor))reg()
|
||||||
{"reason", 'r', 1, "reason for certificate revocation"},
|
{"reason", 'r', 1, "reason for certificate revocation"},
|
||||||
{"date", 'd', 1, "revocation date as unix timestamp, default: now"},
|
{"date", 'd', 1, "revocation date as unix timestamp, default: now"},
|
||||||
{"digest", 'g', 1, "digest for signature creation, default: key-specific"},
|
{"digest", 'g', 1, "digest for signature creation, default: key-specific"},
|
||||||
|
{"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"},
|
||||||
{"outform", 'f', 1, "encoding of generated crl, default: der"},
|
{"outform", 'f', 1, "encoding of generated crl, default: der"},
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
|
@ -16,6 +16,7 @@ pki \-\-acert \- Issue an attribute certificate
|
||||||
.OP \-\-not-after datetime
|
.OP \-\-not-after datetime
|
||||||
.OP \-\-serial hex
|
.OP \-\-serial hex
|
||||||
.OP \-\-digest digest
|
.OP \-\-digest digest
|
||||||
|
.OP \-\-rsa\-padding padding
|
||||||
.OP \-\-outform encoding
|
.OP \-\-outform encoding
|
||||||
.OP \-\-debug level
|
.OP \-\-debug level
|
||||||
.YS
|
.YS
|
||||||
|
@ -103,6 +104,10 @@ Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
|
||||||
\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
|
\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
|
||||||
determined based on the type and size of the signature key.
|
determined based on the type and size of the signature key.
|
||||||
.TP
|
.TP
|
||||||
|
.BI "\-R, \-\-rsa\-padding " padding
|
||||||
|
Padding to use for RSA signatures. Either \fIpkcs1\fR or \fIpss\fR, defaults
|
||||||
|
to \fIpkcs1\fR.
|
||||||
|
.TP
|
||||||
.BI "\-f, \-\-outform " encoding
|
.BI "\-f, \-\-outform " encoding
|
||||||
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
|
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
|
||||||
\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
|
\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
|
||||||
|
|
|
@ -19,6 +19,7 @@ pki \-\-issue \- Issue a certificate using a CA certificate and key
|
||||||
.OP \-\-serial hex
|
.OP \-\-serial hex
|
||||||
.OP \-\-flag flag
|
.OP \-\-flag flag
|
||||||
.OP \-\-digest digest
|
.OP \-\-digest digest
|
||||||
|
.OP \-\-rsa\-padding padding
|
||||||
.OP \-\-ca
|
.OP \-\-ca
|
||||||
.OP \-\-crl uri\ \fR[\fB\-\-crlissuer\ \fIissuer\fR]
|
.OP \-\-crl uri\ \fR[\fB\-\-crlissuer\ \fIissuer\fR]
|
||||||
.OP \-\-ocsp uri
|
.OP \-\-ocsp uri
|
||||||
|
@ -129,6 +130,10 @@ Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
|
||||||
\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
|
\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
|
||||||
determined based on the type and size of the signature key.
|
determined based on the type and size of the signature key.
|
||||||
.TP
|
.TP
|
||||||
|
.BI "\-R, \-\-rsa\-padding " padding
|
||||||
|
Padding to use for RSA signatures. Either \fIpkcs1\fR or \fIpss\fR, defaults
|
||||||
|
to \fIpkcs1\fR.
|
||||||
|
.TP
|
||||||
.BI "\-f, \-\-outform " encoding
|
.BI "\-f, \-\-outform " encoding
|
||||||
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
|
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
|
||||||
\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
|
\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
|
||||||
|
|
|
@ -15,6 +15,7 @@ pki \-\-req \- Create a PKCS#10 certificate request
|
||||||
.OP \-\-san subjectAltName
|
.OP \-\-san subjectAltName
|
||||||
.OP \-\-password password
|
.OP \-\-password password
|
||||||
.OP \-\-digest digest
|
.OP \-\-digest digest
|
||||||
|
.OP \-\-rsa\-padding padding
|
||||||
.OP \-\-outform encoding
|
.OP \-\-outform encoding
|
||||||
.OP \-\-debug level
|
.OP \-\-debug level
|
||||||
.YS
|
.YS
|
||||||
|
@ -72,6 +73,10 @@ Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
|
||||||
\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
|
\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
|
||||||
determined based on the type and size of the signature key.
|
determined based on the type and size of the signature key.
|
||||||
.TP
|
.TP
|
||||||
|
.BI "\-R, \-\-rsa\-padding " padding
|
||||||
|
Padding to use for RSA signatures. Either \fIpkcs1\fR or \fIpss\fR, defaults
|
||||||
|
to \fIpkcs1\fR.
|
||||||
|
.TP
|
||||||
.BI "\-f, \-\-outform " encoding
|
.BI "\-f, \-\-outform " encoding
|
||||||
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
|
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
|
||||||
\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
|
\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
|
||||||
|
|
|
@ -19,6 +19,7 @@ pki \-\-self \- Create a self-signed certificate
|
||||||
.OP \-\-serial hex
|
.OP \-\-serial hex
|
||||||
.OP \-\-flag flag
|
.OP \-\-flag flag
|
||||||
.OP \-\-digest digest
|
.OP \-\-digest digest
|
||||||
|
.OP \-\-rsa\-padding padding
|
||||||
.OP \-\-ca
|
.OP \-\-ca
|
||||||
.OP \-\-ocsp uri
|
.OP \-\-ocsp uri
|
||||||
.OP \-\-pathlen len
|
.OP \-\-pathlen len
|
||||||
|
@ -115,6 +116,10 @@ Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
|
||||||
\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
|
\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
|
||||||
determined based on the type and size of the signature key.
|
determined based on the type and size of the signature key.
|
||||||
.TP
|
.TP
|
||||||
|
.BI "\-R, \-\-rsa\-padding " padding
|
||||||
|
Padding to use for RSA signatures. Either \fIpkcs1\fR or \fIpss\fR, defaults
|
||||||
|
to \fIpkcs1\fR.
|
||||||
|
.TP
|
||||||
.BI "\-f, \-\-outform " encoding
|
.BI "\-f, \-\-outform " encoding
|
||||||
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
|
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
|
||||||
\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
|
\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
|
||||||
|
|
|
@ -16,6 +16,7 @@ pki \-\-signcrl \- Issue a Certificate Revocation List (CRL) using a CA certific
|
||||||
.OP \-\-basecrl crl
|
.OP \-\-basecrl crl
|
||||||
.OP \-\-crluri uri
|
.OP \-\-crluri uri
|
||||||
.OP \-\-digest digest
|
.OP \-\-digest digest
|
||||||
|
.OP \-\-rsa\-padding padding
|
||||||
.OP \fR[\fB\-\-reason\ \fIreason\fR]\ \fR[\fB\-\-date\ \fIts\fR]\ \fB\-\-cert\ \fIfile\fB|\-\-serial\ \fIhex\fR
|
.OP \fR[\fB\-\-reason\ \fIreason\fR]\ \fR[\fB\-\-date\ \fIts\fR]\ \fB\-\-cert\ \fIfile\fB|\-\-serial\ \fIhex\fR
|
||||||
.OP \-\-outform encoding
|
.OP \-\-outform encoding
|
||||||
.OP \-\-debug level
|
.OP \-\-debug level
|
||||||
|
@ -102,6 +103,10 @@ Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
|
||||||
\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
|
\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
|
||||||
determined based on the type and size of the signature key.
|
determined based on the type and size of the signature key.
|
||||||
.TP
|
.TP
|
||||||
|
.BI "\-R, \-\-rsa\-padding " padding
|
||||||
|
Padding to use for RSA signatures. Either \fIpkcs1\fR or \fIpss\fR, defaults
|
||||||
|
to \fIpkcs1\fR.
|
||||||
|
.TP
|
||||||
.BI "\-f, \-\-outform " encoding
|
.BI "\-f, \-\-outform " encoding
|
||||||
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
|
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
|
||||||
\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
|
\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
/*
|
/*
|
||||||
* Copyright (C) 2012-2014 Tobias Brunner
|
* Copyright (C) 2012-2017 Tobias Brunner
|
||||||
* Copyright (C) 2009 Martin Willi
|
* Copyright (C) 2009 Martin Willi
|
||||||
* Hochschule fuer Technik Rapperswil
|
* HSR Hochschule fuer Technik Rapperswil
|
||||||
*
|
*
|
||||||
* This program is free software; you can redistribute it and/or modify it
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
* under the terms of the GNU General Public License as published by the
|
* under the terms of the GNU General Public License as published by the
|
||||||
|
@ -237,10 +237,10 @@ void set_file_mode(FILE *stream, cred_encoding_type_t enc)
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/**
|
||||||
* Described in header
|
* Determine a default hash algorithm for the given key
|
||||||
*/
|
*/
|
||||||
hash_algorithm_t get_default_digest(private_key_t *private)
|
static hash_algorithm_t get_default_digest(private_key_t *private)
|
||||||
{
|
{
|
||||||
enumerator_t *enumerator;
|
enumerator_t *enumerator;
|
||||||
signature_params_t *params;
|
signature_params_t *params;
|
||||||
|
@ -258,6 +258,42 @@ hash_algorithm_t get_default_digest(private_key_t *private)
|
||||||
return alg == HASH_UNKNOWN ? HASH_SHA256 : alg;
|
return alg == HASH_UNKNOWN ? HASH_SHA256 : alg;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Described in header
|
||||||
|
*/
|
||||||
|
signature_params_t *get_signature_scheme(private_key_t *private,
|
||||||
|
hash_algorithm_t digest, bool pss)
|
||||||
|
{
|
||||||
|
signature_params_t *scheme;
|
||||||
|
|
||||||
|
if (digest == HASH_UNKNOWN)
|
||||||
|
{
|
||||||
|
digest = get_default_digest(private);
|
||||||
|
}
|
||||||
|
if (private->get_type(private) == KEY_RSA && pss)
|
||||||
|
{
|
||||||
|
rsa_pss_params_t pss_params = {
|
||||||
|
.hash = digest,
|
||||||
|
.mgf1_hash = digest,
|
||||||
|
.salt_len = RSA_PSS_SALT_LEN_DEFAULT,
|
||||||
|
};
|
||||||
|
signature_params_t pss_scheme = {
|
||||||
|
.scheme = SIGN_RSA_EMSA_PSS,
|
||||||
|
.params = &pss_params,
|
||||||
|
};
|
||||||
|
scheme = signature_params_clone(&pss_scheme);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
INIT(scheme,
|
||||||
|
.scheme = signature_scheme_from_oid(
|
||||||
|
hasher_signature_algorithm_to_oid(digest,
|
||||||
|
private->get_type(private))),
|
||||||
|
);
|
||||||
|
}
|
||||||
|
return scheme;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Described in header
|
* Described in header
|
||||||
*/
|
*/
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
/*
|
/*
|
||||||
|
* Copyright (C) 2015-2017 Tobias Brunner
|
||||||
* Copyright (C) 2009 Martin Willi
|
* Copyright (C) 2009 Martin Willi
|
||||||
* Hochschule fuer Technik Rapperswil
|
* HSR Hochschule fuer Technik Rapperswil
|
||||||
*
|
*
|
||||||
* This program is free software; you can redistribute it and/or modify it
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
* under the terms of the GNU General Public License as published by the
|
* under the terms of the GNU General Public License as published by the
|
||||||
|
@ -57,12 +58,17 @@ bool calculate_lifetime(char *format, char *nbstr, char *nastr, time_t span,
|
||||||
void set_file_mode(FILE *stream, cred_encoding_type_t enc);
|
void set_file_mode(FILE *stream, cred_encoding_type_t enc);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Select default digest for signatures with the given key
|
* Determine the signature scheme and parameters for the given private key and
|
||||||
|
* hash algorithm and whether to use PSS padding for RSA.
|
||||||
*
|
*
|
||||||
* @param private private key
|
* @param private private key
|
||||||
* @return hash algorithm
|
* @param digest hash algorithm (if HASH_UNKNOWN a default is determined
|
||||||
|
* based on the key)
|
||||||
|
* @param pss use PSS padding for RSA keys
|
||||||
|
* @return allocated signature scheme and parameters
|
||||||
*/
|
*/
|
||||||
hash_algorithm_t get_default_digest(private_key_t *private);
|
signature_params_t *get_signature_scheme(private_key_t *private,
|
||||||
|
hash_algorithm_t digest, bool pss);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Create a traffic selector from a CIDR or range string.
|
* Create a traffic selector from a CIDR or range string.
|
||||||
|
|
Loading…
Reference in New Issue