author | Dr. Stephen Henson <steve@openssl.org> | 2015-09-11 16:58:57 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2015-11-20 13:40:53 +0000 |
commit | e20b47275109aafc559446d731e6baad4a1f55d1 (patch) | |
tree | 81cb21ba12afa38fe00295ee9c7260ed22776559 /apps | |
parent | fa49924659f21454fba3d70b4f60ce76ee6059f8 (diff) |
Add support for signer_digest option in TS.
Based on PR#2145
Reviewed-by: Matt Caswell <matt@openssl.org>
Diffstat (limited to 'apps')
-rw-r--r-- | apps/openssl-vms.cnf | 1 | ||||
-rw-r--r-- | apps/openssl.cnf | 2 | ||||
-rw-r--r-- | apps/ts.c | 30 |
3 files changed, 21 insertions, 12 deletions
diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf
index c0ded4a5f1..ba6977c01c 100644
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -335,6 +335,7 @@ signer_cert = $dir/tsacert.pem # The TSA signing certificate certs = $dir.cacert.pem] # Certificate chain to include in reply # (optional) signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha1 # Signing digest to use. (Optional)
 default_policy = tsa_policy1 # Policy if request did not specify it # (optional)
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 41c2a37426..473c884514 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -335,7 +335,7 @@ signer_cert = $dir/tsacert.pem # The TSA signing certificate certs = $dir/cacert.pem # Certificate chain to include in reply # (optional) signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
-
+signer_digest = sha1 # Signing digest to use. (Optional)
 default_policy = tsa_policy1 # Policy if request did not specify it # (optional) other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
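Review bot: Both sample configurations (apps/openssl-vms.cnf and apps/openssl.cnf) introduce `signer_digest = sha1` as the example value, and since this is the digest the TSA signs its tokens with, the sample should point users at a current algorithm: `signer_digest = sha256 # Signing digest to use. (Optional)`. SHA-1 was already discouraged for new signatures at the time of this commit, and sample configs of this kind tend to be copied verbatim into deployments. The "(Optional)" in the comment is also worth checking against the ts.c hunks in this commit, which consult the config value whenever no digest is given on the command line; if the library helper treats a missing key as an error, the comment overstates how optional the setting is.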
@@ -95,14 +95,14 @@ static ASN1_INTEGER *create_nonce(int bits); /* Reply related functions. */ static int reply_command(CONF *conf, char *section, char *engine, char *queryfile, char *passin, char *inkey,
- char *signer, char *chain, const char *policy,
- char *in, int token_in, char *out, int token_out,
- int text);
+ const EVP_MD *md, char *signer, char *chain,
+ const char *policy, char *in, int token_in,
+ char *out, int token_out, int text);
 static TS_RESP *read_PKCS7(BIO *in_bio); static TS_RESP *create_response(CONF *conf, const char *section, char *engine, char *queryfile, char *passin,
- char *inkey, char *signer, char *chain,
- const char *policy);
+ char *inkey, const EVP_MD *md, char *signer,
+ char *chain, const char *policy);
 static ASN1_INTEGER *serial_cb(TS_RESP_CTX *ctx, void *data); static ASN1_INTEGER *next_serial(const char *serialfile); static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial);
@@ -342,7 +342,7 @@ int ts_main(int argc, char **argv) goto opthelp; } ret = !reply_command(conf, section, engine, queryfile,
- password, inkey, signer, chain, policy,
+ password, inkey, md, signer, chain, policy,
 in, token_in, out, token_out, text); break; case OPT_VERIFY:
@@ -583,8 +583,8 @@ static ASN1_INTEGER *create_nonce(int bits) static int reply_command(CONF *conf, char *section, char *engine, char *queryfile, char *passin, char *inkey,
- char *signer, char *chain, const char *policy,
- char *in, int token_in,
+ const EVP_MD *md, char *signer, char *chain,
+ const char *policy, char *in, int token_in,
 char *out, int token_out, int text) { int ret = 0;
@@ -605,7 +605,7 @@ static int reply_command(CONF *conf, char *section, char *engine, } } else { response = create_response(conf, section, engine, queryfile,
- passin, inkey, signer, chain, policy);
+ passin, inkey, md, signer, chain, policy);
 if (response) BIO_printf(bio_err, "Response has been generated.\n"); else
@@ -691,8 +691,8 @@ static TS_RESP *read_PKCS7(BIO *in_bio) static TS_RESP *create_response(CONF *conf, const char *section, char *engine, char *queryfile, char *passin,
- char *inkey, char *signer, char *chain,
- const char *policy)
+ char *inkey, const EVP_MD *md, char *signer,
+ char *chain, const char *policy)
 { int ret = 0; TS_RESP *response = NULL;
@@ -717,6 +717,14 @@ static TS_RESP *create_response(CONF *conf, const char *section, char *engine, goto end; if (!TS_CONF_set_signer_key(conf, section, inkey, passin, resp_ctx)) goto end;
+
+ if (md) {
+ if (!TS_RESP_CTX_set_signer_digest(resp_ctx, md))
+ goto end;
+ } else if (!TS_CONF_set_signer_digest(conf, section, NULL, resp_ctx)) {
+ goto end;
+ }
+
 if (!TS_CONF_set_def_policy(conf, section, policy, resp_ctx)) goto end; if (!TS_CONF_set_policies(conf, section, resp_ctx)) |
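Review bot: The new block in create_response gives the command-line `md` precedence over the configured `signer_digest` without saying so, and a reader cannot tell from the two calls why they differ; a short comment above `if (md) {` would help: `/* A digest given on the command line overrides signer_digest from the config section. */`. Whether the `TS_CONF_set_signer_digest(conf, section, NULL, resp_ctx)` fallback tolerates a config section with no signer_digest key is not visible here; if it does not, TSA configurations written before this commit start failing at reply time, which is presumably why both sample configs gain the key in the same commit, and a sentence to that effect in the commit message or CHANGES would save operators a surprise. The `md` passed through in the @@ -342 hunk appears to be the same variable ts_main already uses for the query digest, so one `-<digest>` option would now select both the request hash and the signing digest; if that coupling is intended it deserves a comment at the call site. create_response continues outside the hunk.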