From dd4bd21c5a22c9eb8ecc23a6ece907e95c793136 Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Fri, 12 Oct 2018 11:35:09 +0200 Subject: [PATCH] pki: Query private key for supported signature schemes --- src/pki/commands/acert.c | 5 +++++ src/pki/commands/issue.c | 5 +++++ src/pki/commands/req.c | 5 +++++ src/pki/commands/self.c | 5 +++++ src/pki/commands/signcrl.c | 6 ++++++ src/pki/pki.c | 27 +++++++++++++++++++++++++-- src/pki/pki.h | 3 ++- 7 files changed, 53 insertions(+), 3 deletions(-) diff --git a/src/pki/commands/acert.c b/src/pki/commands/acert.c index d1ea5c65e..4cbe06c9e 100644 --- a/src/pki/commands/acert.c +++ b/src/pki/commands/acert.c @@ -228,6 +228,11 @@ static int acert() goto end; } scheme = get_signature_scheme(private, digest, pss); + if (!scheme) + { + error = "no signature scheme found"; + goto end; + } ac = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_AC, diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c index 1ccbca89f..b117fa171 100644 --- a/src/pki/commands/issue.c +++ b/src/pki/commands/issue.c @@ -536,6 +536,11 @@ static int issue() chunk_from_chars(ASN1_SEQUENCE, 0)); } scheme = get_signature_scheme(private, digest, pss); + if (!scheme) + { + error = "no signature scheme found"; + goto end; + } cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca, diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c index cfddbc455..8f5380a4a 100644 --- a/src/pki/commands/req.c +++ b/src/pki/commands/req.c @@ -168,6 +168,11 @@ static int req() goto end; } scheme = get_signature_scheme(private, digest, pss); + if (!scheme) + { + error = "no signature scheme found"; + goto end; + } cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST, BUILD_SIGNING_KEY, private, diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c index 6f7adef0f..a08ee9931 100644 --- a/src/pki/commands/self.c +++ b/src/pki/commands/self.c @@ -378,6 +378,11 @@ static int self() rng->destroy(rng); } scheme = get_signature_scheme(private, digest, pss); + if (!scheme) + { + error = "no signature scheme found"; + goto end; + } cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_SIGNING_KEY, private, BUILD_PUBLIC_KEY, public, diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c index ca208a5cf..a399d21be 100644 --- a/src/pki/commands/signcrl.c +++ b/src/pki/commands/signcrl.c @@ -399,6 +399,12 @@ static int sign_crl() chunk_increment(crl_serial); scheme = get_signature_scheme(private, digest, pss); + if (!scheme) + { + error = "no signature scheme found"; + goto error; + } + enumerator = enumerator_create_filter(list->create_enumerator(list), filter, NULL, NULL); crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, diff --git a/src/pki/pki.c b/src/pki/pki.c index ec60f7d42..e647cea69 100644 --- a/src/pki/pki.c +++ b/src/pki/pki.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2017 Tobias Brunner + * Copyright (C) 2012-2018 Tobias Brunner * Copyright (C) 2009 Martin Willi * HSR Hochschule fuer Technik Rapperswil * @@ -264,7 +264,30 @@ static hash_algorithm_t get_default_digest(private_key_t *private) signature_params_t *get_signature_scheme(private_key_t *private, hash_algorithm_t digest, bool pss) { - signature_params_t *scheme; + signature_params_t *scheme, *selected = NULL; + enumerator_t *enumerator; + + if (private->supported_signature_schemes) + { + enumerator = private->supported_signature_schemes(private); + while (enumerator->enumerate(enumerator, &scheme)) + { + if (private->get_type(private) == KEY_RSA && + pss != (scheme->scheme == SIGN_RSA_EMSA_PSS)) + { + continue; + } + if (digest == HASH_UNKNOWN || + digest == hasher_from_signature_scheme(scheme->scheme, + scheme->params)) + { + selected = signature_params_clone(scheme); + break; + } + } + enumerator->destroy(enumerator); + return selected; + } if (digest == HASH_UNKNOWN) { diff --git a/src/pki/pki.h b/src/pki/pki.h index 3f0793cfd..3976c33b7 100644 --- a/src/pki/pki.h +++ b/src/pki/pki.h @@ -65,7 +65,8 @@ void set_file_mode(FILE *stream, cred_encoding_type_t enc); * @param digest hash algorithm (if HASH_UNKNOWN a default is determined * based on the key) * @param pss use PSS padding for RSA keys - * @return allocated signature scheme and parameters + * @return allocated signature scheme and parameters (NULL if none + * found) */ signature_params_t *get_signature_scheme(private_key_t *private, hash_algorithm_t digest, bool pss);