summaryrefslogtreecommitdiff
path: root/src/pki/commands
diff options
context:
space:
mode:
Diffstat (limited to 'src/pki/commands')
-rw-r--r--src/pki/commands/acert.c23
-rw-r--r--src/pki/commands/gen.c2
-rw-r--r--src/pki/commands/issue.c25
-rw-r--r--src/pki/commands/req.c45
-rw-r--r--src/pki/commands/self.c27
-rw-r--r--src/pki/commands/signcrl.c49
6 files changed, 118 insertions, 53 deletions
diff --git a/src/pki/commands/acert.c b/src/pki/commands/acert.c
index 9e6e80938..d1ea5c65e 100644
--- a/src/pki/commands/acert.c
+++ b/src/pki/commands/acert.c
@@ -33,6 +33,7 @@ static int acert()
{
cred_encoding_type_t form = CERT_ASN1_DER;
hash_algorithm_t digest = HASH_UNKNOWN;
+ signature_params_t *scheme = NULL;
certificate_t *ac = NULL, *cert = NULL, *issuer =NULL;
private_key_t *private = NULL;
public_key_t *public = NULL;
@@ -44,6 +45,8 @@ static int acert()
char *datenb = NULL, *datena = NULL, *dateform = NULL;
rng_t *rng;
char *arg;
+ bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE,
+ lib->ns);
groups = linked_list_create();
@@ -60,6 +63,17 @@ static int acert()
goto usage;
}
continue;
+ case 'R':
+ if (streq(arg, "pss"))
+ {
+ pss = TRUE;
+ }
+ else if (!streq(arg, "pkcs1"))
+ {
+ error = "invalid RSA padding";
+ goto usage;
+ }
+ continue;
case 'i':
file = arg;
continue;
@@ -162,10 +176,6 @@ static int acert()
error = "loading issuer private key failed";
goto end;
}
- if (digest == HASH_UNKNOWN)
- {
- digest = get_default_digest(private);
- }
if (!private->belongs_to(private, public))
{
error = "issuer private key does not match issuer certificate";
@@ -217,6 +227,7 @@ static int acert()
error = "parsing user certificate failed";
goto end;
}
+ scheme = get_signature_scheme(private, digest, pss);
ac = lib->creds->create(lib->creds,
CRED_CERTIFICATE, CERT_X509_AC,
@@ -227,6 +238,7 @@ static int acert()
BUILD_AC_GROUP_STRINGS, groups,
BUILD_SIGNING_CERT, issuer,
BUILD_SIGNING_KEY, private,
+ BUILD_SIGNATURE_SCHEME, scheme,
BUILD_END);
if (!ac)
{
@@ -252,6 +264,7 @@ end:
DESTROY_IF(public);
DESTROY_IF(private);
groups->destroy(groups);
+ signature_params_destroy(scheme);
free(encoding.ptr);
free(serial.ptr);
@@ -279,6 +292,7 @@ static void __attribute__ ((constructor))reg()
" --issuercert file [--serial hex] [--lifetime hours]",
" [--not-before datetime] [--not-after datetime] [--dateform form]",
"[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
+ "[--rsa-padding pkcs1|pss]",
"[--outform der|pem]"},
{
{"help", 'h', 0, "show usage information"},
@@ -293,6 +307,7 @@ static void __attribute__ ((constructor))reg()
{"not-after", 'T', 1, "date/time the validity of the AC ends"},
{"dateform", 'D', 1, "strptime(3) input format, default: %d.%m.%y %T"},
{"digest", 'g', 1, "digest for signature creation, default: key-specific"},
+ {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"},
{"outform", 'f', 1, "encoding of generated cert, default: der"},
}
});
diff --git a/src/pki/commands/gen.c b/src/pki/commands/gen.c
index 6f14b5276..203c76542 100644
--- a/src/pki/commands/gen.c
+++ b/src/pki/commands/gen.c
@@ -166,7 +166,7 @@ static void __attribute__ ((constructor))reg()
{
command_register((command_t) {
gen, 'g', "gen", "generate a new private key",
- {" [--type rsa|ecdsa|ed25519|bliss] [--size bits] [--safe-primes]",
+ {"[--type rsa|ecdsa|ed25519|bliss] [--size bits] [--safe-primes]",
"[--shares n] [--threshold l] [--outform der|pem]"},
{
{"help", 'h', 0, "show usage information"},
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index e41c56d08..1ccbca89f 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -61,6 +61,7 @@ static int issue()
{
cred_encoding_type_t form = CERT_ASN1_DER;
hash_algorithm_t digest = HASH_UNKNOWN;
+ signature_params_t *scheme = NULL;
certificate_t *cert_req = NULL, *cert = NULL, *ca =NULL;
private_key_t *private = NULL;
public_key_t *public = NULL;
@@ -84,6 +85,8 @@ static int issue()
x509_cert_policy_t *policy = NULL;
traffic_selector_t *ts;
char *arg;
+ bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE,
+ lib->ns);
san = linked_list_create();
cdps = linked_list_create();
@@ -143,6 +146,17 @@ static int issue()
goto usage;
}
continue;
+ case 'R':
+ if (streq(arg, "pss"))
+ {
+ pss = TRUE;
+ }
+ else if (!streq(arg, "pkcs1"))
+ {
+ error = "invalid RSA padding";
+ goto usage;
+ }
+ continue;
case 'i':
file = arg;
continue;
@@ -396,10 +410,6 @@ static int issue()
error = "loading CA private key failed";
goto end;
}
- if (digest == HASH_UNKNOWN)
- {
- digest = get_default_digest(private);
- }
if (!private->belongs_to(private, public))
{
error = "CA private key does not match CA certificate";
@@ -525,11 +535,12 @@ static int issue()
id = identification_create_from_encoding(ID_DER_ASN1_DN,
chunk_from_chars(ASN1_SEQUENCE, 0));
}
+ scheme = get_signature_scheme(private, digest, pss);
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca,
BUILD_PUBLIC_KEY, public, BUILD_SUBJECT, id,
- BUILD_NOT_BEFORE_TIME, not_before, BUILD_DIGEST_ALG, digest,
+ BUILD_NOT_BEFORE_TIME, not_before,
BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
BUILD_SUBJECT_ALTNAMES, san, BUILD_X509_FLAG, flags,
BUILD_PATHLEN, pathlen, BUILD_ADDRBLOCKS, addrblocks,
@@ -542,6 +553,7 @@ static int issue()
BUILD_POLICY_REQUIRE_EXPLICIT, require_explicit,
BUILD_POLICY_INHIBIT_MAPPING, inhibit_mapping,
BUILD_POLICY_INHIBIT_ANY, inhibit_any,
+ BUILD_SIGNATURE_SCHEME, scheme,
BUILD_END);
if (!cert)
{
@@ -575,6 +587,7 @@ end:
mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
cdps->destroy_function(cdps, (void*)destroy_cdp);
ocsp->destroy(ocsp);
+ signature_params_destroy(scheme);
free(encoding.ptr);
free(serial.ptr);
@@ -614,6 +627,7 @@ static void __attribute__ ((constructor))reg()
"[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
"[--cert-policy oid [--cps-uri uri] [--user-notice text]]+",
"[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
+ "[--rsa-padding pkcs1|pss]",
"[--outform der|pem]"},
{
{"help", 'h', 0, "show usage information"},
@@ -646,6 +660,7 @@ static void __attribute__ ((constructor))reg()
{"crlissuer", 'I', 1, "CRL Issuer for CRL at distribution point"},
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
{"digest", 'g', 1, "digest for signature creation, default: key-specific"},
+ {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"},
{"outform", 'f', 1, "encoding of generated cert, default: der"},
}
});
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index 7b87e6ca6..cfddbc455 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -30,6 +30,7 @@ static int req()
cred_encoding_type_t form = CERT_ASN1_DER;
key_type_t type = KEY_ANY;
hash_algorithm_t digest = HASH_UNKNOWN;
+ signature_params_t *scheme = NULL;
certificate_t *cert = NULL;
private_key_t *private = NULL;
char *file = NULL, *keyid = NULL, *dn = NULL, *error = NULL;
@@ -38,6 +39,8 @@ static int req()
chunk_t encoding = chunk_empty;
chunk_t challenge_password = chunk_empty;
char *arg;
+ bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE,
+ lib->ns);
san = linked_list_create();
@@ -77,6 +80,17 @@ static int req()
goto usage;
}
continue;
+ case 'R':
+ if (streq(arg, "pss"))
+ {
+ pss = TRUE;
+ }
+ else if (!streq(arg, "pkcs1"))
+ {
+ error = "invalid RSA padding";
+ goto usage;
+ }
+ continue;
case 'i':
file = arg;
continue;
@@ -153,16 +167,14 @@ static int req()
error = "parsing private key failed";
goto end;
}
- if (digest == HASH_UNKNOWN)
- {
- digest = get_default_digest(private);
- }
+ scheme = get_signature_scheme(private, digest, pss);
+
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST,
BUILD_SIGNING_KEY, private,
BUILD_SUBJECT, id,
BUILD_SUBJECT_ALTNAMES, san,
BUILD_CHALLENGE_PWD, challenge_password,
- BUILD_DIGEST_ALG, digest,
+ BUILD_SIGNATURE_SCHEME, scheme,
BUILD_END);
if (!cert)
{
@@ -186,6 +198,7 @@ end:
DESTROY_IF(cert);
DESTROY_IF(private);
san->destroy_offset(san, offsetof(identification_t, destroy));
+ signature_params_destroy(scheme);
free(encoding.ptr);
if (error)
@@ -208,20 +221,22 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) {
req, 'r', "req",
"create a PKCS#10 certificate request",
- {" [--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv] --dn distinguished-name",
+ {"[--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv] --dn distinguished-name",
"[--san subjectAltName]+ [--password challengePassword]",
"[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
+ "[--rsa-padding pkcs1|pss]",
"[--outform der|pem]"},
{
- {"help", 'h', 0, "show usage information"},
- {"in", 'i', 1, "private key input file, default: stdin"},
- {"keyid", 'x', 1, "smartcard or TPM private key object handle"},
- {"type", 't', 1, "type of input key, default: priv"},
- {"dn", 'd', 1, "subject distinguished name"},
- {"san", 'a', 1, "subjectAltName to include in cert request"},
- {"password",'p', 1, "challengePassword to include in cert request"},
- {"digest", 'g', 1, "digest for signature creation, default: key-specific"},
- {"outform", 'f', 1, "encoding of generated request, default: der"},
+ {"help", 'h', 0, "show usage information"},
+ {"in", 'i', 1, "private key input file, default: stdin"},
+ {"keyid", 'x', 1, "smartcard or TPM private key object handle"},
+ {"type", 't', 1, "type of input key, default: priv"},
+ {"dn", 'd', 1, "subject distinguished name"},
+ {"san", 'a', 1, "subjectAltName to include in cert request"},
+ {"password", 'p', 1, "challengePassword to include in cert request"},
+ {"digest", 'g', 1, "digest for signature creation, default: key-specific"},
+ {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"},
+ {"outform", 'f', 1, "encoding of generated request, default: der"},
}
});
}
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index bdb22463e..6f7adef0f 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -52,6 +52,7 @@ static int self()
cred_encoding_type_t form = CERT_ASN1_DER;
key_type_t type = KEY_ANY;
hash_algorithm_t digest = HASH_UNKNOWN;
+ signature_params_t *scheme = NULL;
certificate_t *cert = NULL;
private_key_t *private = NULL;
public_key_t *public = NULL;
@@ -70,6 +71,8 @@ static int self()
x509_cert_policy_t *policy = NULL;
traffic_selector_t *ts;
char *arg;
+ bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE,
+ lib->ns);
san = linked_list_create();
ocsp = linked_list_create();
@@ -119,6 +122,17 @@ static int self()
goto usage;
}
continue;
+ case 'R':
+ if (streq(arg, "pss"))
+ {
+ pss = TRUE;
+ }
+ else if (!streq(arg, "pkcs1"))
+ {
+ error = "invalid RSA padding";
+ goto usage;
+ }
+ continue;
case 'i':
file = arg;
continue;
@@ -335,10 +349,6 @@ static int self()
error = "loading private key failed";
goto end;
}
- if (digest == HASH_UNKNOWN)
- {
- digest = get_default_digest(private);
- }
public = private->get_public_key(private);
if (!public)
{
@@ -367,11 +377,13 @@ static int self()
serial.ptr[0] &= 0x7F;
rng->destroy(rng);
}
+ scheme = get_signature_scheme(private, digest, pss);
+
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
BUILD_SIGNING_KEY, private, BUILD_PUBLIC_KEY, public,
BUILD_SUBJECT, id, BUILD_NOT_BEFORE_TIME, not_before,
BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
- BUILD_DIGEST_ALG, digest, BUILD_X509_FLAG, flags,
+ BUILD_SIGNATURE_SCHEME, scheme, BUILD_X509_FLAG, flags,
BUILD_PATHLEN, pathlen, BUILD_SUBJECT_ALTNAMES, san,
BUILD_ADDRBLOCKS, addrblocks,
BUILD_OCSP_ACCESS_LOCATIONS, ocsp,
@@ -412,6 +424,7 @@ end:
policies->destroy_function(policies, (void*)destroy_cert_policy);
mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
ocsp->destroy(ocsp);
+ signature_params_destroy(scheme);
free(encoding.ptr);
free(serial.ptr);
@@ -441,7 +454,7 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) {
self, 's', "self",
"create a self signed certificate",
- {" [--in file|--keyid hex] [--type rsa|ecdsa|ed25519|bliss|priv]",
+ {"[--in file|--keyid hex] [--type rsa|ecdsa|ed25519|bliss|priv]",
" --dn distinguished-name [--san subjectAltName]+",
"[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
"[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
@@ -450,6 +463,7 @@ static void __attribute__ ((constructor))reg()
"[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
"[--cert-policy oid [--cps-uri uri] [--user-notice text]]+",
"[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
+ "[--rsa-padding pkcs1|pss]",
"[--outform der|pem]"},
{
{"help", 'h', 0, "show usage information"},
@@ -478,6 +492,7 @@ static void __attribute__ ((constructor))reg()
{"flag", 'e', 1, "include extendedKeyUsage flag"},
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
{"digest", 'g', 1, "digest for signature creation, default: key-specific"},
+ {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"},
{"outform", 'f', 1, "encoding of generated cert, default: der"},
}
});
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index 25a3aac52..50f939687 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -109,15 +109,6 @@ static int read_serial(char *file, char *buf, int buflen)
}
/**
- * Destroy a CDP
- */
-static void cdp_destroy(x509_cdp_t *this)
-{
- free(this->uri);
- free(this);
-}
-
-/**
* Sign a CRL
*/
static int sign_crl()
@@ -129,6 +120,7 @@ static int sign_crl()
crl_t *lastcrl = NULL;
x509_t *x509;
hash_algorithm_t digest = HASH_UNKNOWN;
+ signature_params_t *scheme = NULL;
char *arg, *cacert = NULL, *cakey = NULL, *lastupdate = NULL, *error = NULL;
char *basecrl = NULL;
char serial[512], *keyid = NULL;
@@ -142,6 +134,8 @@ static int sign_crl()
x509_cdp_t *cdp;
chunk_t crl_serial = chunk_empty, baseCrlNumber = chunk_empty;
chunk_t encoding = chunk_empty;
+ bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE,
+ lib->ns);
list = linked_list_create();
cdps = linked_list_create();
@@ -159,6 +153,17 @@ static int sign_crl()
goto usage;
}
continue;
+ case 'R':
+ if (streq(arg, "pss"))
+ {
+ pss = TRUE;
+ }
+ else if (!streq(arg, "pkcs1"))
+ {
+ error = "invalid RSA padding";
+ goto usage;
+ }
+ continue;
case 'c':
cacert = arg;
continue;
@@ -341,10 +346,6 @@ static int sign_crl()
error = "loading CA private key failed";
goto error;
}
- if (digest == HASH_UNKNOWN)
- {
- digest = get_default_digest(private);
- }
if (!private->belongs_to(private, public))
{
error = "CA private key does not match CA certificate";
@@ -399,6 +400,7 @@ static int sign_crl()
/* increment the serial number by one */
chunk_increment(crl_serial);
+ scheme = get_signature_scheme(private, digest, pss);
enumerator = enumerator_create_filter(list->create_enumerator(list),
filter, NULL, NULL);
crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
@@ -406,7 +408,7 @@ static int sign_crl()
BUILD_SERIAL, crl_serial,
BUILD_NOT_BEFORE_TIME, thisUpdate, BUILD_NOT_AFTER_TIME, nextUpdate,
BUILD_REVOKED_ENUMERATOR, enumerator,
- BUILD_REVOKED_ENUMERATOR, lastenum, BUILD_DIGEST_ALG, digest,
+ BUILD_REVOKED_ENUMERATOR, lastenum, BUILD_SIGNATURE_SCHEME, scheme,
BUILD_CRL_DISTRIBUTION_POINTS, cdps, BUILD_BASE_CRL, baseCrlNumber,
BUILD_END);
enumerator->destroy(enumerator);
@@ -436,10 +438,11 @@ error:
DESTROY_IF(private);
DESTROY_IF(ca);
DESTROY_IF(crl);
+ signature_params_destroy(scheme);
free(encoding.ptr);
free(baseCrlNumber.ptr);
list->destroy_function(list, (void*)revoked_destroy);
- cdps->destroy_function(cdps, (void*)cdp_destroy);
+ cdps->destroy_function(cdps, (void*)x509_cdp_destroy);
if (error)
{
fprintf(stderr, "%s\n", error);
@@ -449,7 +452,7 @@ error:
usage:
list->destroy_function(list, (void*)revoked_destroy);
- cdps->destroy_function(cdps, (void*)cdp_destroy);
+ cdps->destroy_function(cdps, (void*)x509_cdp_destroy);
return command_usage(error);
}
@@ -462,12 +465,13 @@ static void __attribute__ ((constructor))reg()
sign_crl, 'c', "signcrl",
"issue a CRL using a CA certificate and key",
{"--cacert file --cakey file|--cakeyid hex [--lifetime days]",
- " [--lastcrl crl] [--basecrl crl] [--crluri uri]+",
- " [[--reason key-compromise|ca-compromise|affiliation-changed|",
- " superseded|cessation-of-operation|certificate-hold]",
- " [--date timestamp] --cert file|--serial hex]*",
- " [--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
- " [--outform der|pem]"},
+ "[--lastcrl crl] [--basecrl crl] [--crluri uri]+",
+ "[[--reason key-compromise|ca-compromise|affiliation-changed|",
+ " superseded|cessation-of-operation|certificate-hold]",
+ " [--date timestamp] --cert file|--serial hex]*",
+ "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
+ "[--rsa-padding pkcs1|pss]",
+ "[--outform der|pem]"},
{
{"help", 'h', 0, "show usage information"},
{"cacert", 'c', 1, "CA certificate file"},
@@ -485,6 +489,7 @@ static void __attribute__ ((constructor))reg()
{"reason", 'r', 1, "reason for certificate revocation"},
{"date", 'd', 1, "revocation date as unix timestamp, default: now"},
{"digest", 'g', 1, "digest for signature creation, default: key-specific"},
+ {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"},
{"outform", 'f', 1, "encoding of generated crl, default: der"},
}
});
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-10 08:25:35 +0000