From: Dr. Stephen Henson Date: Fri, 11 Sep 2015 15:58:57 +0000 (+0100) Subject: Add support for signer_digest option in TS. X-Git-Tag: OpenSSL_1_1_0-pre1~263 X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=e20b47275109aafc559446d731e6baad4a1f55d1 Add support for signer_digest option in TS. Based on PR#2145 Reviewed-by: Matt Caswell --- diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf index c0ded4a5f1..ba6977c01c 100644 --- a/apps/openssl-vms.cnf +++ b/apps/openssl-vms.cnf @@ -335,6 +335,7 @@ signer_cert = $dir/tsacert.pem # The TSA signing certificate certs = $dir.cacert.pem] # Certificate chain to include in reply # (optional) signer_key = $dir/private/tsakey.pem # The TSA private key (optional) +signer_digest = sha1 # Signing digest to use. (Optional) default_policy = tsa_policy1 # Policy if request did not specify it # (optional) diff --git a/apps/openssl.cnf b/apps/openssl.cnf index 41c2a37426..473c884514 100644 --- a/apps/openssl.cnf +++ b/apps/openssl.cnf @@ -335,7 +335,7 @@ signer_cert = $dir/tsacert.pem # The TSA signing certificate certs = $dir/cacert.pem # Certificate chain to include in reply # (optional) signer_key = $dir/private/tsakey.pem # The TSA private key (optional) - +signer_digest = sha1 # Signing digest to use. (Optional) default_policy = tsa_policy1 # Policy if request did not specify it # (optional) other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) diff --git a/apps/ts.c b/apps/ts.c index b58703a77b..ac91323ac6 100644 --- a/apps/ts.c +++ b/apps/ts.c @@ -95,14 +95,14 @@ static ASN1_INTEGER *create_nonce(int bits); /* Reply related functions. */ static int reply_command(CONF *conf, char *section, char *engine, char *queryfile, char *passin, char *inkey, - char *signer, char *chain, const char *policy, - char *in, int token_in, char *out, int token_out, - int text); + const EVP_MD *md, char *signer, char *chain, + const char *policy, char *in, int token_in, + char *out, int token_out, int text); static TS_RESP *read_PKCS7(BIO *in_bio); static TS_RESP *create_response(CONF *conf, const char *section, char *engine, char *queryfile, char *passin, - char *inkey, char *signer, char *chain, - const char *policy); + char *inkey, const EVP_MD *md, char *signer, + char *chain, const char *policy); static ASN1_INTEGER *serial_cb(TS_RESP_CTX *ctx, void *data); static ASN1_INTEGER *next_serial(const char *serialfile); static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial); @@ -342,7 +342,7 @@ int ts_main(int argc, char **argv) goto opthelp; } ret = !reply_command(conf, section, engine, queryfile, - password, inkey, signer, chain, policy, + password, inkey, md, signer, chain, policy, in, token_in, out, token_out, text); break; case OPT_VERIFY: @@ -583,8 +583,8 @@ static ASN1_INTEGER *create_nonce(int bits) static int reply_command(CONF *conf, char *section, char *engine, char *queryfile, char *passin, char *inkey, - char *signer, char *chain, const char *policy, - char *in, int token_in, + const EVP_MD *md, char *signer, char *chain, + const char *policy, char *in, int token_in, char *out, int token_out, int text) { int ret = 0; @@ -605,7 +605,7 @@ static int reply_command(CONF *conf, char *section, char *engine, } } else { response = create_response(conf, section, engine, queryfile, - passin, inkey, signer, chain, policy); + passin, inkey, md, signer, chain, policy); if (response) BIO_printf(bio_err, "Response has been generated.\n"); else @@ -691,8 +691,8 @@ static TS_RESP *read_PKCS7(BIO *in_bio) static TS_RESP *create_response(CONF *conf, const char *section, char *engine, char *queryfile, char *passin, - char *inkey, char *signer, char *chain, - const char *policy) + char *inkey, const EVP_MD *md, char *signer, + char *chain, const char *policy) { int ret = 0; TS_RESP *response = NULL; @@ -717,6 +717,14 @@ static TS_RESP *create_response(CONF *conf, const char *section, char *engine, goto end; if (!TS_CONF_set_signer_key(conf, section, inkey, passin, resp_ctx)) goto end; + + if (md) { + if (!TS_RESP_CTX_set_signer_digest(resp_ctx, md)) + goto end; + } else if (!TS_CONF_set_signer_digest(conf, section, NULL, resp_ctx)) { + goto end; + } + if (!TS_CONF_set_def_policy(conf, section, policy, resp_ctx)) goto end; if (!TS_CONF_set_policies(conf, section, resp_ctx)) diff --git a/crypto/ts/ts_conf.c b/crypto/ts/ts_conf.c index 27b3ff6eee..1aa1ab6a59 100644 --- a/crypto/ts/ts_conf.c +++ b/crypto/ts/ts_conf.c @@ -75,6 +75,7 @@ #define ENV_SIGNER_CERT "signer_cert" #define ENV_CERTS "certs" #define ENV_SIGNER_KEY "signer_key" +#define ENV_SIGNER_DIGEST "signer_digest" #define ENV_DEFAULT_POLICY "default_policy" #define ENV_OTHER_POLICIES "other_policies" #define ENV_DIGESTS "digests" @@ -304,6 +305,30 @@ int TS_CONF_set_signer_key(CONF *conf, const char *section, return ret; } +int TS_CONF_set_signer_digest(CONF *conf, const char *section, + const char *md, TS_RESP_CTX *ctx) +{ + int ret = 0; + const EVP_MD *sign_md = NULL; + if (md == NULL) + md = NCONF_get_string(conf, section, ENV_SIGNER_DIGEST); + if (md == NULL) { + ts_CONF_lookup_fail(section, ENV_SIGNER_DIGEST); + goto err; + } + sign_md = EVP_get_digestbyname(md); + if (sign_md == NULL) { + ts_CONF_invalid(section, ENV_SIGNER_DIGEST); + goto err; + } + if (!TS_RESP_CTX_set_signer_digest(ctx, sign_md)) + goto err; + + ret = 1; + err: + return ret; +} + int TS_CONF_set_def_policy(CONF *conf, const char *section, const char *policy, TS_RESP_CTX *ctx) { diff --git a/crypto/ts/ts_lcl.h b/crypto/ts/ts_lcl.h index 7bd23e979c..da28ef1cb9 100644 --- a/crypto/ts/ts_lcl.h +++ b/crypto/ts/ts_lcl.h @@ -183,6 +183,7 @@ struct ESS_signing_cert { struct TS_resp_ctx { X509 *signer_cert; EVP_PKEY *signer_key; + const EVP_MD *signer_md; STACK_OF(X509) *certs; /* Certs to include in signed data. */ STACK_OF(ASN1_OBJECT) *policies; /* Acceptable policies. */ ASN1_OBJECT *default_policy; /* It may appear in policies, too. */ diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c index c7738b8a51..f84555d8fc 100644 --- a/crypto/ts/ts_rsp_sign.c +++ b/crypto/ts/ts_rsp_sign.c @@ -169,6 +169,8 @@ TS_RESP_CTX *TS_RESP_CTX_new() return NULL; } + ctx->signer_md = EVP_sha256(); + ctx->serial_cb = def_serial_cb; ctx->time_cb = def_time_cb; ctx->extension_cb = def_extension_cb; @@ -215,6 +217,12 @@ int TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key) return 1; } +int TS_RESP_CTX_set_signer_digest(TS_RESP_CTX *ctx, const EVP_MD *md) +{ + ctx->signer_md = md; + return 1; +} + int TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *def_policy) { ASN1_OBJECT_free(ctx->default_policy); @@ -700,7 +708,7 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx) } if ((si = PKCS7_add_signature(p7, ctx->signer_cert, - ctx->signer_key, EVP_sha1())) == NULL) { + ctx->signer_key, ctx->signer_md)) == NULL) { TSerr(TS_F_TS_RESP_SIGN, TS_R_PKCS7_ADD_SIGNATURE_ERROR); goto err; } diff --git a/doc/apps/ts.pod b/doc/apps/ts.pod index e2b555a070..038dfae285 100644 --- a/doc/apps/ts.pod +++ b/doc/apps/ts.pod @@ -28,6 +28,7 @@ B<-reply> [B<-passin> password_src] [B<-signer> tsa_cert.pem] [B<-inkey> private.pem] +[B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>] [B<-chain> certs_file.pem] [B<-policy> object_id] [B<-in> response.tsr] @@ -215,6 +216,11 @@ variable of the config file. (Optional) The signer private key of the TSA in PEM format. Overrides the B config file option. (Optional) +=item B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...> + +Signing digest to use. Overrides the B config file +option. (Optional) + =item B<-chain> certs_file.pem The collection of certificates in PEM format that will all @@ -396,6 +402,12 @@ option. (Optional) The private key of the TSA in PEM format. The same as the B<-inkey> command line option. (Optional) +=item B + +Signing digest to use. The same as the +B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...> +command line option. (Optional) + =item B The default policy to use when the request does not mandate any diff --git a/include/openssl/ts.h b/include/openssl/ts.h index f74fce7591..3d4e4c0633 100644 --- a/include/openssl/ts.h +++ b/include/openssl/ts.h @@ -371,6 +371,9 @@ int TS_RESP_CTX_set_signer_cert(TS_RESP_CTX *ctx, X509 *signer); /* This parameter must be set. */ int TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key); +int TS_RESP_CTX_set_signer_digest(TS_RESP_CTX *ctx, + const EVP_MD *signer_digest); + /* This parameter must be set. */ int TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *def_policy); @@ -564,6 +567,8 @@ int TS_CONF_set_certs(CONF *conf, const char *section, const char *certs, int TS_CONF_set_signer_key(CONF *conf, const char *section, const char *key, const char *pass, TS_RESP_CTX *ctx); +int TS_CONF_set_signer_digest(CONF *conf, const char *section, + const char *md, TS_RESP_CTX *ctx); int TS_CONF_set_def_policy(CONF *conf, const char *section, const char *policy, TS_RESP_CTX *ctx); int TS_CONF_set_policies(CONF *conf, const char *section, TS_RESP_CTX *ctx); diff --git a/test/CAtsa.cnf b/test/CAtsa.cnf index 9bdc614163..95a21f98b8 100644 --- a/test/CAtsa.cnf +++ b/test/CAtsa.cnf @@ -132,7 +132,7 @@ signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate certs = $dir/tsaca.pem # Certificate chain to include in reply # (optional) signer_key = $dir/tsa_key1.pem # The TSA private key (optional) - +signer_digest = sha1 # Signing digest to use. (Optional) default_policy = tsa_policy1 # Policy if request did not specify it # (optional) other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) @@ -156,7 +156,7 @@ signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply # (optional) signer_key = $dir/tsa_key2.pem # The TSA private key (optional) - +signer_digest = sha1 # Signing digest to use. (Optional) default_policy = tsa_policy1 # Policy if request did not specify it # (optional) other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)