summaryrefslogtreecommitdiff
path: root/src/pki/commands/signcrl.c
diff options
context:
space:
mode:
authorYves-Alexis Perez <corsac@corsac.net>2017-11-21 10:22:31 +0100
committerYves-Alexis Perez <corsac@corsac.net>2017-11-21 10:22:31 +0100
commite1d78dc2faaa06e7c3f71ef674a71e4de2f0758e (patch)
treeae0c8b5f4cd8289d0797882ea18969f33ea59a1e /src/pki/commands/signcrl.c
parent11d6b62db969bdd808d0f56706cb18f113927a31 (diff)
downloadvyos-strongswan-e1d78dc2faaa06e7c3f71ef674a71e4de2f0758e.tar.gz
vyos-strongswan-e1d78dc2faaa06e7c3f71ef674a71e4de2f0758e.zip
New upstream version 5.6.1
Diffstat (limited to 'src/pki/commands/signcrl.c')
-rw-r--r--src/pki/commands/signcrl.c49
1 files changed, 27 insertions, 22 deletions
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index 25a3aac52..50f939687 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -109,15 +109,6 @@ static int read_serial(char *file, char *buf, int buflen)
}
/**
- * Destroy a CDP
- */
-static void cdp_destroy(x509_cdp_t *this)
-{
- free(this->uri);
- free(this);
-}
-
-/**
* Sign a CRL
*/
static int sign_crl()
@@ -129,6 +120,7 @@ static int sign_crl()
crl_t *lastcrl = NULL;
x509_t *x509;
hash_algorithm_t digest = HASH_UNKNOWN;
+ signature_params_t *scheme = NULL;
char *arg, *cacert = NULL, *cakey = NULL, *lastupdate = NULL, *error = NULL;
char *basecrl = NULL;
char serial[512], *keyid = NULL;
@@ -142,6 +134,8 @@ static int sign_crl()
x509_cdp_t *cdp;
chunk_t crl_serial = chunk_empty, baseCrlNumber = chunk_empty;
chunk_t encoding = chunk_empty;
+ bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE,
+ lib->ns);
list = linked_list_create();
cdps = linked_list_create();
@@ -159,6 +153,17 @@ static int sign_crl()
goto usage;
}
continue;
+ case 'R':
+ if (streq(arg, "pss"))
+ {
+ pss = TRUE;
+ }
+ else if (!streq(arg, "pkcs1"))
+ {
+ error = "invalid RSA padding";
+ goto usage;
+ }
+ continue;
case 'c':
cacert = arg;
continue;
@@ -341,10 +346,6 @@ static int sign_crl()
error = "loading CA private key failed";
goto error;
}
- if (digest == HASH_UNKNOWN)
- {
- digest = get_default_digest(private);
- }
if (!private->belongs_to(private, public))
{
error = "CA private key does not match CA certificate";
@@ -399,6 +400,7 @@ static int sign_crl()
/* increment the serial number by one */
chunk_increment(crl_serial);
+ scheme = get_signature_scheme(private, digest, pss);
enumerator = enumerator_create_filter(list->create_enumerator(list),
filter, NULL, NULL);
crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
@@ -406,7 +408,7 @@ static int sign_crl()
BUILD_SERIAL, crl_serial,
BUILD_NOT_BEFORE_TIME, thisUpdate, BUILD_NOT_AFTER_TIME, nextUpdate,
BUILD_REVOKED_ENUMERATOR, enumerator,
- BUILD_REVOKED_ENUMERATOR, lastenum, BUILD_DIGEST_ALG, digest,
+ BUILD_REVOKED_ENUMERATOR, lastenum, BUILD_SIGNATURE_SCHEME, scheme,
BUILD_CRL_DISTRIBUTION_POINTS, cdps, BUILD_BASE_CRL, baseCrlNumber,
BUILD_END);
enumerator->destroy(enumerator);
@@ -436,10 +438,11 @@ error:
DESTROY_IF(private);
DESTROY_IF(ca);
DESTROY_IF(crl);
+ signature_params_destroy(scheme);
free(encoding.ptr);
free(baseCrlNumber.ptr);
list->destroy_function(list, (void*)revoked_destroy);
- cdps->destroy_function(cdps, (void*)cdp_destroy);
+ cdps->destroy_function(cdps, (void*)x509_cdp_destroy);
if (error)
{
fprintf(stderr, "%s\n", error);
@@ -449,7 +452,7 @@ error:
usage:
list->destroy_function(list, (void*)revoked_destroy);
- cdps->destroy_function(cdps, (void*)cdp_destroy);
+ cdps->destroy_function(cdps, (void*)x509_cdp_destroy);
return command_usage(error);
}
@@ -462,12 +465,13 @@ static void __attribute__ ((constructor))reg()
sign_crl, 'c', "signcrl",
"issue a CRL using a CA certificate and key",
{"--cacert file --cakey file|--cakeyid hex [--lifetime days]",
- " [--lastcrl crl] [--basecrl crl] [--crluri uri]+",
- " [[--reason key-compromise|ca-compromise|affiliation-changed|",
- " superseded|cessation-of-operation|certificate-hold]",
- " [--date timestamp] --cert file|--serial hex]*",
- " [--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
- " [--outform der|pem]"},
+ "[--lastcrl crl] [--basecrl crl] [--crluri uri]+",
+ "[[--reason key-compromise|ca-compromise|affiliation-changed|",
+ " superseded|cessation-of-operation|certificate-hold]",
+ " [--date timestamp] --cert file|--serial hex]*",
+ "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
+ "[--rsa-padding pkcs1|pss]",
+ "[--outform der|pem]"},
{
{"help", 'h', 0, "show usage information"},
{"cacert", 'c', 1, "CA certificate file"},
@@ -485,6 +489,7 @@ static void __attribute__ ((constructor))reg()
{"reason", 'r', 1, "reason for certificate revocation"},
{"date", 'd', 1, "revocation date as unix timestamp, default: now"},
{"digest", 'g', 1, "digest for signature creation, default: key-specific"},
+ {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"},
{"outform", 'f', 1, "encoding of generated crl, default: der"},
}
});