pki: Query private key for supported signature schemes

2018-10-12 11:35:09 +02:00 · 2018-10-12 11:35:09 +02:00 · dd4bd21c5a
parent b88f2b3815
commit dd4bd21c5a
7 changed files with 53 additions and 3 deletions
--- a/src/pki/commands/acert.c
+++ b/src/pki/commands/acert.c
@ -228,6 +228,11 @@ static int acert()
 		goto end;
 	}
 	scheme = get_signature_scheme(private, digest, pss);
+	if (!scheme)
+	{
+		error = "no signature scheme found";
+		goto end;
+	}

 	ac = lib->creds->create(lib->creds,
 							CRED_CERTIFICATE, CERT_X509_AC,
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@ -536,6 +536,11 @@ static int issue()
 										chunk_from_chars(ASN1_SEQUENCE, 0));
 	}
 	scheme = get_signature_scheme(private, digest, pss);
+	if (!scheme)
+	{
+		error = "no signature scheme found";
+		goto end;
+	}

 	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 					BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca,
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@ -168,6 +168,11 @@ static int req()
 		goto end;
 	}
 	scheme = get_signature_scheme(private, digest, pss);
+	if (!scheme)
+	{
+		error = "no signature scheme found";
+		goto end;
+	}

 	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST,
 							  BUILD_SIGNING_KEY, private,
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@ -378,6 +378,11 @@ static int self()
 		rng->destroy(rng);
 	}
 	scheme = get_signature_scheme(private, digest, pss);
+	if (!scheme)
+	{
+		error = "no signature scheme found";
+		goto end;
+	}

 	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 						BUILD_SIGNING_KEY, private, BUILD_PUBLIC_KEY, public,
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@ -399,6 +399,12 @@ static int sign_crl()
 	chunk_increment(crl_serial);

 	scheme = get_signature_scheme(private, digest, pss);
+	if (!scheme)
+	{
+		error = "no signature scheme found";
+		goto error;
+	}
+
 	enumerator = enumerator_create_filter(list->create_enumerator(list),
 										  filter, NULL, NULL);
 	crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
--- a/src/pki/pki.c
+++ b/src/pki/pki.c
@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2017 Tobias Brunner
+ * Copyright (C) 2012-2018 Tobias Brunner
 * Copyright (C) 2009 Martin Willi
 * HSR Hochschule fuer Technik Rapperswil
 *
@ -264,7 +264,30 @@ static hash_algorithm_t get_default_digest(private_key_t *private)
 signature_params_t *get_signature_scheme(private_key_t *private,
 										 hash_algorithm_t digest, bool pss)
 {
-	signature_params_t *scheme;
+	signature_params_t *scheme, *selected = NULL;
+	enumerator_t *enumerator;
+
+	if (private->supported_signature_schemes)
+	{
+		enumerator = private->supported_signature_schemes(private);
+		while (enumerator->enumerate(enumerator, &scheme))
+		{
+			if (private->get_type(private) == KEY_RSA &&
+				pss != (scheme->scheme == SIGN_RSA_EMSA_PSS))
+			{
+				continue;
+			}
+			if (digest == HASH_UNKNOWN ||
+				digest == hasher_from_signature_scheme(scheme->scheme,
+													   scheme->params))
+			{
+				selected = signature_params_clone(scheme);
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+		return selected;
+	}

 	if (digest == HASH_UNKNOWN)
 	{
--- a/src/pki/pki.h
+++ b/src/pki/pki.h
@ -65,7 +65,8 @@ void set_file_mode(FILE *stream, cred_encoding_type_t enc);
 * @param digest	hash algorithm (if HASH_UNKNOWN a default is determined
 *					based on the key)
 * @param pss		use PSS padding for RSA keys
- * @return			allocated signature scheme and parameters
+ * @return			allocated signature scheme and parameters (NULL if none
+ *					found)
 */
 signature_params_t *get_signature_scheme(private_key_t *private,
 										 hash_algorithm_t digest, bool pss);