authorYves-Alexis Perez <corsac@corsac.net>2017-11-21 10:22:31 +0100
committerYves-Alexis Perez <corsac@corsac.net>2017-11-21 10:22:31 +0100
commite1d78dc2faaa06e7c3f71ef674a71e4de2f0758e (patch)
treeae0c8b5f4cd8289d0797882ea18969f33ea59a1e /src/pki/commands/issue.c
parent11d6b62db969bdd808d0f56706cb18f113927a31 (diff)
New upstream version 5.6.1
Diffstat (limited to 'src/pki/commands/issue.c')
-rw-r--r--src/pki/commands/issue.c25
1 files changed, 20 insertions, 5 deletions
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index e41c56d08..1ccbca89f 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -61,6 +61,7 @@ static int issue()
{
cred_encoding_type_t form = CERT_ASN1_DER;
hash_algorithm_t digest = HASH_UNKNOWN;
+ signature_params_t *scheme = NULL;
certificate_t *cert_req = NULL, *cert = NULL, *ca =NULL;
private_key_t *private = NULL;
public_key_t *public = NULL;
@@ -84,6 +85,8 @@ static int issue()
x509_cert_policy_t *policy = NULL;
traffic_selector_t *ts;
char *arg;
+ bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE,
+ lib->ns);
san = linked_list_create();
cdps = linked_list_create();
@@ -143,6 +146,17 @@ static int issue()
goto usage;
}
continue;
+ case 'R':
+ if (streq(arg, "pss"))
+ {
+ pss = TRUE;
+ }
+ else if (!streq(arg, "pkcs1"))
+ {
+ error = "invalid RSA padding";
+ goto usage;
+ }
+ continue;
case 'i':
file = arg;
continue;
@@ -396,10 +410,6 @@ static int issue()
error = "loading CA private key failed";
goto end;
}
- if (digest == HASH_UNKNOWN)
- {
- digest = get_default_digest(private);
- }
if (!private->belongs_to(private, public))
{
error = "CA private key does not match CA certificate";
@@ -525,11 +535,12 @@ static int issue()
id = identification_create_from_encoding(ID_DER_ASN1_DN,
chunk_from_chars(ASN1_SEQUENCE, 0));
}
+ scheme = get_signature_scheme(private, digest, pss);
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca,
BUILD_PUBLIC_KEY, public, BUILD_SUBJECT, id,
- BUILD_NOT_BEFORE_TIME, not_before, BUILD_DIGEST_ALG, digest,
+ BUILD_NOT_BEFORE_TIME, not_before,
BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
BUILD_SUBJECT_ALTNAMES, san, BUILD_X509_FLAG, flags,
BUILD_PATHLEN, pathlen, BUILD_ADDRBLOCKS, addrblocks,
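Review bot: The result of `get_signature_scheme(private, digest, pss)` is handed to the builder without a NULL check, and the `-396` hunk removes the only place that resolved `HASH_UNKNOWN` to a key-specific default. The helper's body is not shown here; if it can return NULL for an unsupported key/digest/padding combination, the builder would presumably pick its own scheme, so a requested digest or PSS padding could be silently dropped from a CA-issued certificate. A guard right after the assignment keeps that failure explicit: `if (!scheme) { error = "no signature scheme found"; goto end; }`. The same pointer is consumed by `BUILD_SIGNATURE_SCHEME, scheme` in the next hunk, and issue() continues outside both.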
@@ -542,6 +553,7 @@ static int issue()
BUILD_POLICY_REQUIRE_EXPLICIT, require_explicit,
BUILD_POLICY_INHIBIT_MAPPING, inhibit_mapping,
BUILD_POLICY_INHIBIT_ANY, inhibit_any,
+ BUILD_SIGNATURE_SCHEME, scheme,
BUILD_END);
if (!cert)
{
@@ -575,6 +587,7 @@ end:
mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
cdps->destroy_function(cdps, (void*)destroy_cdp);
ocsp->destroy(ocsp);
+ signature_params_destroy(scheme);
free(encoding.ptr);
free(serial.ptr);
@@ -614,6 +627,7 @@ static void __attribute__ ((constructor))reg()
"[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
"[--cert-policy oid [--cps-uri uri] [--user-notice text]]+",
"[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
+ "[--rsa-padding pkcs1|pss]",
"[--outform der|pem]"},
{
{"help", 'h', 0, "show usage information"},
@@ -646,6 +660,7 @@ static void __attribute__ ((constructor))reg()
{"crlissuer", 'I', 1, "CRL Issuer for CRL at distribution point"},
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
{"digest", 'g', 1, "digest for signature creation, default: key-specific"},
+ {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"},
{"outform", 'f', 1, "encoding of generated cert, default: der"},
}
});
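Review bot: The help text `default: pkcs1` on the new `rsa-padding` entry is only accurate when the `rsa_pss` setting is unset, because `pss` is initialised from `lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE, lib->ns)` earlier in issue(). Wording such as `"padding for RSA signatures, default: pkcs1 (pss if rsa_pss is set)"` would make the effective default visible from `--help`. The reg() option table starts outside this hunk.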