new sigopt and PSS support for req and x509 utilities
authorDr. Stephen Henson <steve@openssl.org>
Fri, 12 Mar 2010 14:41:00 +0000 (14:41 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Fri, 12 Mar 2010 14:41:00 +0000 (14:41 +0000)
apps/apps.h
apps/req.c
apps/x509.c

index 596a39a..adfaa29 100644 (file)
@@ -317,6 +317,10 @@ int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
 int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value);
 int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
                        const char *algname, ENGINE *e, int do_param);
+int do_X509_sign(BIO *err, X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
+                       STACK_OF(OPENSSL_STRING) *sigopts);
+int do_X509_REQ_sign(BIO *err, X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
+                       STACK_OF(OPENSSL_STRING) *sigopts);
 #ifndef OPENSSL_NO_PSK
 extern char *psk_key;
 #endif
index 820cd18..37670a0 100644 (file)
@@ -165,7 +165,7 @@ int MAIN(int argc, char **argv)
        EVP_PKEY_CTX *genctx = NULL;
        const char *keyalg = NULL;
        char *keyalgstr = NULL;
-       STACK_OF(OPENSSL_STRING) *pkeyopts = NULL;
+       STACK_OF(OPENSSL_STRING) *pkeyopts = NULL, *sigopts = NULL;
        EVP_PKEY *pkey=NULL;
        int i=0,badops=0,newreq=0,verbose=0,pkey_type=-1;
        long newkey = -1;
@@ -310,6 +310,15 @@ int MAIN(int argc, char **argv)
                        if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, *(++argv)))
                                goto bad;
                        }
+               else if (strcmp(*argv,"-sigopt") == 0)
+                       {
+                       if (--argc < 1)
+                               goto bad;
+                       if (!sigopts)
+                               sigopts = sk_OPENSSL_STRING_new_null();
+                       if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
+                               goto bad;
+                       }
                else if (strcmp(*argv,"-batch") == 0)
                        batch=1;
                else if (strcmp(*argv,"-newhdr") == 0)
@@ -858,8 +867,9 @@ loop:
                                        extensions);
                                goto end;
                                }
-                       
-                       if (!(i=X509_sign(x509ss,pkey,digest)))
+
+                       i=do_X509_sign(bio_err, x509ss, pkey, digest, sigopts);
+                       if (!i)
                                {
                                ERR_print_errors(bio_err);
                                goto end;
@@ -883,7 +893,8 @@ loop:
                                        req_exts);
                                goto end;
                                }
-                       if (!(i=X509_REQ_sign(req,pkey,digest)))
+                       i=do_X509_REQ_sign(bio_err, req, pkey, digest, sigopts);
+                       if (!i)
                                {
                                ERR_print_errors(bio_err);
                                goto end;
@@ -1084,6 +1095,8 @@ end:
                EVP_PKEY_CTX_free(genctx);
        if (pkeyopts)
                sk_OPENSSL_STRING_free(pkeyopts);
+       if (sigopts)
+               sk_OPENSSL_STRING_free(sigopts);
 #ifndef OPENSSL_NO_ENGINE
        if (gen_eng)
                ENGINE_free(gen_eng);
@@ -1756,3 +1769,53 @@ static int genpkey_cb(EVP_PKEY_CTX *ctx)
 #endif
        return 1;
        }
+
+static int do_sign_init(BIO *err, EVP_MD_CTX *ctx, EVP_PKEY *pkey,
+                       const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts)
+       {
+       EVP_PKEY_CTX *pkctx = NULL;
+       int i;
+       EVP_MD_CTX_init(ctx);
+       if (!EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey))
+               return 0;
+       for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++)
+               {
+               char *sigopt = sk_OPENSSL_STRING_value(sigopts, i);
+               if (pkey_ctrl_string(pkctx, sigopt) <= 0)
+                       {
+                       BIO_printf(err, "parameter error \"%s\"\n", sigopt);
+                       ERR_print_errors(bio_err);
+                       return 0;
+                       }
+               }
+       return 1;
+       }
+
+int do_X509_sign(BIO *err, X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
+                       STACK_OF(OPENSSL_STRING) *sigopts)
+       {
+       int rv;
+       EVP_MD_CTX mctx;
+       EVP_MD_CTX_init(&mctx);
+       rv = do_sign_init(err, &mctx, pkey, md, sigopts);
+       if (rv > 0)
+               rv = X509_sign_ctx(x, &mctx);
+       EVP_MD_CTX_cleanup(&mctx);
+       return rv > 0 ? 1 : 0;
+       }
+
+
+int do_X509_REQ_sign(BIO *err, X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
+                       STACK_OF(OPENSSL_STRING) *sigopts)
+       {
+       int rv;
+       EVP_MD_CTX mctx;
+       EVP_MD_CTX_init(&mctx);
+       rv = do_sign_init(err, &mctx, pkey, md, sigopts);
+       if (rv > 0)
+               rv = X509_REQ_sign_ctx(x, &mctx);
+       EVP_MD_CTX_cleanup(&mctx);
+       return rv > 0 ? 1 : 0;
+       }
+               
+       
index e7e46d7..ff56f30 100644 (file)
@@ -157,9 +157,10 @@ static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx);
 static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const EVP_MD *digest,
                                                CONF *conf, char *section);
 static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD *digest,
-                        X509 *x,X509 *xca,EVP_PKEY *pkey,char *serial,
-                        int create,int days, int clrext, CONF *conf, char *section,
-                                               ASN1_INTEGER *sno);
+                        X509 *x,X509 *xca,EVP_PKEY *pkey,
+                        STACK_OF(OPENSSL_STRING) *sigopts,
+                        char *serial, int create ,int days, int clrext,
+                        CONF *conf, char *section, ASN1_INTEGER *sno);
 static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
 static int reqfile=0;
 
@@ -172,6 +173,7 @@ int MAIN(int argc, char **argv)
        X509_REQ *req=NULL;
        X509 *x=NULL,*xca=NULL;
        ASN1_OBJECT *objtmp;
+       STACK_OF(OPENSSL_STRING) *sigopts = NULL;
        EVP_PKEY *Upkey=NULL,*CApkey=NULL;
        ASN1_INTEGER *sno = NULL;
        int i,num,badops=0;
@@ -271,6 +273,15 @@ int MAIN(int argc, char **argv)
                        if (--argc < 1) goto bad;
                        CAkeyformat=str2fmt(*(++argv));
                        }
+               else if (strcmp(*argv,"-sigopt") == 0)
+                       {
+                       if (--argc < 1)
+                               goto bad;
+                       if (!sigopts)
+                               sigopts = sk_OPENSSL_STRING_new_null();
+                       if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
+                               goto bad;
+                       }
                else if (strcmp(*argv,"-days") == 0)
                        {
                        if (--argc < 1) goto bad;
@@ -972,7 +983,8 @@ bad:
                                
                                assert(need_rand);
                                if (!x509_certify(ctx,CAfile,digest,x,xca,
-                                       CApkey, CAserial,CA_createserial,days, clrext,
+                                       CApkey, sigopts,
+                                       CAserial,CA_createserial,days, clrext,
                                        extconf, extsect, sno))
                                        goto end;
                                }
@@ -1083,6 +1095,8 @@ end:
        X509_free(xca);
        EVP_PKEY_free(Upkey);
        EVP_PKEY_free(CApkey);
+       if (sigopts)
+               sk_OPENSSL_STRING_free(sigopts);
        X509_REQ_free(rq);
        ASN1_INTEGER_free(sno);
        sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
@@ -1133,8 +1147,11 @@ static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile, int create
        }
 
 static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
-            X509 *x, X509 *xca, EVP_PKEY *pkey, char *serialfile, int create,
-            int days, int clrext, CONF *conf, char *section, ASN1_INTEGER *sno)
+                       X509 *x, X509 *xca, EVP_PKEY *pkey,
+                       STACK_OF(OPENSSL_STRING) *sigopts,
+                       char *serialfile, int create,
+                       int days, int clrext, CONF *conf, char *section,
+                       ASN1_INTEGER *sno)
        {
        int ret=0;
        ASN1_INTEGER *bs=NULL;
@@ -1193,7 +1210,8 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
                 if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x)) goto end;
                }
 
-       if (!X509_sign(x,pkey,digest)) goto end;
+       if (!do_X509_sign(bio_err, x, pkey, digest, sigopts))
+               goto end;
        ret=1;
 end:
        X509_STORE_CTX_cleanup(&xsc);