1 files changed, 19 insertions, 4 deletions

diff --git a/src/pki/commands/acert.c b/src/pki/commands/acert.c
index 9e6e80938..d1ea5c65e 100644
--- a/src/pki/commands/acert.c
+++ b/src/pki/commands/acert.c
@@ -33,6 +33,7 @@ static int acert()
 {
 	cred_encoding_type_t form = CERT_ASN1_DER;
 	hash_algorithm_t digest = HASH_UNKNOWN;
+	signature_params_t *scheme = NULL;
 	certificate_t *ac = NULL, *cert = NULL, *issuer =NULL;
 	private_key_t *private = NULL;
 	public_key_t *public = NULL;
@@ -44,6 +45,8 @@ static int acert()
 	char *datenb = NULL, *datena = NULL, *dateform = NULL;
 	rng_t *rng;
 	char *arg;
+	bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE,
+									   lib->ns);
 
 	groups = linked_list_create();
 
@@ -60,6 +63,17 @@ static int acert()
 					goto usage;
 				}
 				continue;
+			case 'R':
+				if (streq(arg, "pss"))
+				{
+					pss = TRUE;
+				}
+				else if (!streq(arg, "pkcs1"))
+				{
+					error = "invalid RSA padding";
+					goto usage;
+				}
+				continue;
 			case 'i':
 				file = arg;
 				continue;
@@ -162,10 +176,6 @@ static int acert()
 		error = "loading issuer private key failed";
 		goto end;
 	}
-	if (digest == HASH_UNKNOWN)
-	{
-		digest = get_default_digest(private);
-	}
 	if (!private->belongs_to(private, public))
 	{
 		error = "issuer private key does not match issuer certificate";
@@ -217,6 +227,7 @@ static int acert()
 		error = "parsing user certificate failed";
 		goto end;
 	}
+	scheme = get_signature_scheme(private, digest, pss);
 
 	ac = lib->creds->create(lib->creds,
 							CRED_CERTIFICATE, CERT_X509_AC,
@@ -227,6 +238,7 @@ static int acert()
 							BUILD_AC_GROUP_STRINGS, groups,
 							BUILD_SIGNING_CERT, issuer,
 							BUILD_SIGNING_KEY, private,
+							BUILD_SIGNATURE_SCHEME, scheme,
 							BUILD_END);
 	if (!ac)
 	{
@@ -252,6 +264,7 @@ end:
 	DESTROY_IF(public);
 	DESTROY_IF(private);
 	groups->destroy(groups);
+	signature_params_destroy(scheme);
 	free(encoding.ptr);
 	free(serial.ptr);
 
@@ -279,6 +292,7 @@ static void __attribute__ ((constructor))reg()
 		 " --issuercert file [--serial hex] [--lifetime hours]",
 		 " [--not-before datetime] [--not-after datetime] [--dateform form]",
 		 "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
+		 "[--rsa-padding pkcs1|pss]",
 		 "[--outform der|pem]"},
 		{
 			{"help",			'h', 0, "show usage information"},
@@ -293,6 +307,7 @@ static void __attribute__ ((constructor))reg()
 			{"not-after",		'T', 1, "date/time the validity of the AC ends"},
 			{"dateform",		'D', 1, "strptime(3) input format, default: %d.%m.%y %T"},
 			{"digest",			'g', 1, "digest for signature creation, default: key-specific"},
+			{"rsa-padding",		'R', 1, "padding for RSA signatures, default: pkcs1"},
 			{"outform",			'f', 1, "encoding of generated cert, default: der"},
 		}
 	});