authorDr. Stephen Henson <steve@openssl.org>2015-09-11 16:58:57 +0100
committerDr. Stephen Henson <steve@openssl.org>2015-11-20 13:40:53 +0000
commite20b47275109aafc559446d731e6baad4a1f55d1 (patch)
tree81cb21ba12afa38fe00295ee9c7260ed22776559 /crypto/ts
parentfa49924659f21454fba3d70b4f60ce76ee6059f8 (diff)
Add support for signer_digest option in TS.
Based on PR#2145 Reviewed-by: Matt Caswell <matt@openssl.org>
Diffstat (limited to 'crypto/ts')
-rw-r--r--crypto/ts/ts_conf.c25
-rw-r--r--crypto/ts/ts_lcl.h1
-rw-r--r--crypto/ts/ts_rsp_sign.c10
3 files changed, 35 insertions, 1 deletions
diff --git a/crypto/ts/ts_conf.c b/crypto/ts/ts_conf.c
index 27b3ff6eee..1aa1ab6a59 100644
--- a/crypto/ts/ts_conf.c
+++ b/crypto/ts/ts_conf.c
@@ -75,6 +75,7 @@
#define ENV_SIGNER_CERT "signer_cert"
#define ENV_CERTS "certs"
#define ENV_SIGNER_KEY "signer_key"
+#define ENV_SIGNER_DIGEST "signer_digest"
#define ENV_DEFAULT_POLICY "default_policy"
#define ENV_OTHER_POLICIES "other_policies"
#define ENV_DIGESTS "digests"
@@ -304,6 +305,30 @@ int TS_CONF_set_signer_key(CONF *conf, const char *section,
return ret;
}
+int TS_CONF_set_signer_digest(CONF *conf, const char *section,
+ const char *md, TS_RESP_CTX *ctx)
+{
+ int ret = 0;
+ const EVP_MD *sign_md = NULL;
+ if (md == NULL)
+ md = NCONF_get_string(conf, section, ENV_SIGNER_DIGEST);
+ if (md == NULL) {
+ ts_CONF_lookup_fail(section, ENV_SIGNER_DIGEST);
+ goto err;
+ }
+ sign_md = EVP_get_digestbyname(md);
+ if (sign_md == NULL) {
+ ts_CONF_invalid(section, ENV_SIGNER_DIGEST);
+ goto err;
+ }
+ if (!TS_RESP_CTX_set_signer_digest(ctx, sign_md))
+ goto err;
+
+ ret = 1;
+ err:
+ return ret;
+}
+
int TS_CONF_set_def_policy(CONF *conf, const char *section,
const char *policy, TS_RESP_CTX *ctx)
{
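Review bot: A configuration without a signer_digest key is turned into a hard failure at the ts_CONF_lookup_fail call, even though TS_RESP_CTX_new in this same commit already installs EVP_sha256() as the context default; unless the caller always supplies md (the caller is outside this page), every existing config section that lacks the new key appears to stop loading. If the default is meant to apply, the missing-key case should return success and leave the context untouched: `if (md == NULL) return 1; /* keep the SHA-256 default set by TS_RESP_CTX_new() */`. The err label releases nothing, so the two goto paths could equally be plain `return 0;`, which also makes the early success return consistent. Note also that EVP_get_digestbyname resolves any digest compiled into libcrypto, so the strength of the responder's signing digest is governed solely by the configuration value; a comment stating that the digest is taken verbatim from the config would help operators reviewing the section.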
diff --git a/crypto/ts/ts_lcl.h b/crypto/ts/ts_lcl.h
index 7bd23e979c..da28ef1cb9 100644
--- a/crypto/ts/ts_lcl.h
+++ b/crypto/ts/ts_lcl.h
@@ -183,6 +183,7 @@ struct ESS_signing_cert {
struct TS_resp_ctx {
X509 *signer_cert;
EVP_PKEY *signer_key;
+ const EVP_MD *signer_md;
STACK_OF(X509) *certs; /* Certs to include in signed data. */
STACK_OF(ASN1_OBJECT) *policies; /* Acceptable policies. */
ASN1_OBJECT *default_policy; /* It may appear in policies, too. */
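Review bot: The new signer_md member is the only field in this run without a trailing comment, while certs, policies and default_policy each document their role. Since the field's meaning and default are fixed elsewhere in this commit, it is worth recording here: `const EVP_MD *signer_md;   /* Digest for the PKCS7 signature; TS_RESP_CTX_new() defaults it to SHA-256. */`. The struct TS_resp_ctx definition continues past the hunk.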
diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c
index c7738b8a51..f84555d8fc 100644
--- a/crypto/ts/ts_rsp_sign.c
+++ b/crypto/ts/ts_rsp_sign.c
@@ -169,6 +169,8 @@ TS_RESP_CTX *TS_RESP_CTX_new()
return NULL;
}
+ ctx->signer_md = EVP_sha256();
+
ctx->serial_cb = def_serial_cb;
ctx->time_cb = def_time_cb;
ctx->extension_cb = def_extension_cb;
@@ -215,6 +217,12 @@ int TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key)
return 1;
}
+int TS_RESP_CTX_set_signer_digest(TS_RESP_CTX *ctx, const EVP_MD *md)
+{
+ ctx->signer_md = md;
+ return 1;
+}
+
int TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *def_policy)
{
ASN1_OBJECT_free(ctx->default_policy);
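Review bot: TS_RESP_CTX_set_signer_digest stores md unconditionally, so passing NULL silently discards the SHA-256 default that TS_RESP_CTX_new installs and the NULL pointer is later handed to PKCS7_add_signature in ts_RESP_sign (the -700,7 hunk of this file), which presumably does not tolerate a NULL digest. A guard keeps the context valid and gives the caller an error to act on: `if (md == NULL) return 0;` before the assignment. The setter also has no public documentation yet; the header comment should state that md is borrowed, not owned, and that the default is SHA-256.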
@@ -700,7 +708,7 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx)
}
if ((si = PKCS7_add_signature(p7, ctx->signer_cert,
- ctx->signer_key, EVP_sha1())) == NULL) {
+ ctx->signer_key, ctx->signer_md)) == NULL) {
TSerr(TS_F_TS_RESP_SIGN, TS_R_PKCS7_ADD_SIGNATURE_ERROR);
goto err;
}