summaryrefslogtreecommitdiff
path: root/src/pki/commands/self.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/pki/commands/self.c')
-rw-r--r--src/pki/commands/self.c27
1 files changed, 21 insertions, 6 deletions
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index bdb22463e..6f7adef0f 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -52,6 +52,7 @@ static int self()
cred_encoding_type_t form = CERT_ASN1_DER;
key_type_t type = KEY_ANY;
hash_algorithm_t digest = HASH_UNKNOWN;
+ signature_params_t *scheme = NULL;
certificate_t *cert = NULL;
private_key_t *private = NULL;
public_key_t *public = NULL;
@@ -70,6 +71,8 @@ static int self()
x509_cert_policy_t *policy = NULL;
traffic_selector_t *ts;
char *arg;
+ bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE,
+ lib->ns);
san = linked_list_create();
ocsp = linked_list_create();
@@ -119,6 +122,17 @@ static int self()
goto usage;
}
continue;
+ case 'R':
+ if (streq(arg, "pss"))
+ {
+ pss = TRUE;
+ }
+ else if (!streq(arg, "pkcs1"))
+ {
+ error = "invalid RSA padding";
+ goto usage;
+ }
+ continue;
case 'i':
file = arg;
continue;
@@ -335,10 +349,6 @@ static int self()
error = "loading private key failed";
goto end;
}
- if (digest == HASH_UNKNOWN)
- {
- digest = get_default_digest(private);
- }
public = private->get_public_key(private);
if (!public)
{
@@ -367,11 +377,13 @@ static int self()
serial.ptr[0] &= 0x7F;
rng->destroy(rng);
}
+ scheme = get_signature_scheme(private, digest, pss);
+
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
BUILD_SIGNING_KEY, private, BUILD_PUBLIC_KEY, public,
BUILD_SUBJECT, id, BUILD_NOT_BEFORE_TIME, not_before,
BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
- BUILD_DIGEST_ALG, digest, BUILD_X509_FLAG, flags,
+ BUILD_SIGNATURE_SCHEME, scheme, BUILD_X509_FLAG, flags,
BUILD_PATHLEN, pathlen, BUILD_SUBJECT_ALTNAMES, san,
BUILD_ADDRBLOCKS, addrblocks,
BUILD_OCSP_ACCESS_LOCATIONS, ocsp,
@@ -412,6 +424,7 @@ end:
policies->destroy_function(policies, (void*)destroy_cert_policy);
mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
ocsp->destroy(ocsp);
+ signature_params_destroy(scheme);
free(encoding.ptr);
free(serial.ptr);
@@ -441,7 +454,7 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) {
self, 's', "self",
"create a self signed certificate",
- {" [--in file|--keyid hex] [--type rsa|ecdsa|ed25519|bliss|priv]",
+ {"[--in file|--keyid hex] [--type rsa|ecdsa|ed25519|bliss|priv]",
" --dn distinguished-name [--san subjectAltName]+",
"[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
"[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
@@ -450,6 +463,7 @@ static void __attribute__ ((constructor))reg()
"[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
"[--cert-policy oid [--cps-uri uri] [--user-notice text]]+",
"[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
+ "[--rsa-padding pkcs1|pss]",
"[--outform der|pem]"},
{
{"help", 'h', 0, "show usage information"},
@@ -478,6 +492,7 @@ static void __attribute__ ((constructor))reg()
{"flag", 'e', 1, "include extendedKeyUsage flag"},
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
{"digest", 'g', 1, "digest for signature creation, default: key-specific"},
+ {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"},
{"outform", 'f', 1, "encoding of generated cert, default: der"},
}
});