From e20b47275109aafc559446d731e6baad4a1f55d1 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Fri, 11 Sep 2015 16:58:57 +0100
Subject: Add support for signer_digest option in TS.

Based on PR#2145

Reviewed-by: Matt Caswell
---
 crypto/ts/ts_conf.c | 25 +++++++++++++++++++++++++
 crypto/ts/ts_lcl.h | 1 +
 crypto/ts/ts_rsp_sign.c | 10 +++++++++-
 3 files changed, 35 insertions(+), 1 deletion(-)

(limited to 'crypto/ts')

diff --git a/crypto/ts/ts_conf.c b/crypto/ts/ts_conf.c
index 27b3ff6eee..1aa1ab6a59 100644
--- a/crypto/ts/ts_conf.c
+++ b/crypto/ts/ts_conf.c
@@ -75,6 +75,7 @@
 #define ENV_SIGNER_CERT "signer_cert"
 #define ENV_CERTS "certs"
 #define ENV_SIGNER_KEY "signer_key"
+#define ENV_SIGNER_DIGEST "signer_digest"
 #define ENV_DEFAULT_POLICY "default_policy"
 #define ENV_OTHER_POLICIES "other_policies"
 #define ENV_DIGESTS "digests"
@@ -304,6 +305,30 @@ int TS_CONF_set_signer_key(CONF *conf, const char *section,
 return ret;
 }
+int TS_CONF_set_signer_digest(CONF *conf, const char *section,
+ const char *md, TS_RESP_CTX *ctx)
+{
+ int ret = 0;
+ const EVP_MD *sign_md = NULL;
+ if (md == NULL)
+ md = NCONF_get_string(conf, section, ENV_SIGNER_DIGEST);
+ if (md == NULL) {
+ ts_CONF_lookup_fail(section, ENV_SIGNER_DIGEST);
+ goto err;
+ }
+ sign_md = EVP_get_digestbyname(md);
+ if (sign_md == NULL) {
+ ts_CONF_invalid(section, ENV_SIGNER_DIGEST);
+ goto err;
+ }
+ if (!TS_RESP_CTX_set_signer_digest(ctx, sign_md))
+ goto err;
+
+ ret = 1;
+ err:
+ return ret;
+}
+
 int TS_CONF_set_def_policy(CONF *conf, const char *section,
 const char *policy, TS_RESP_CTX *ctx)
 {
diff --git a/crypto/ts/ts_lcl.h b/crypto/ts/ts_lcl.h
index 7bd23e979c..da28ef1cb9 100644
--- a/crypto/ts/ts_lcl.h
+++ b/crypto/ts/ts_lcl.h
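Review bot: In the new `TS_CONF_set_signer_digest`, a NULL `md` with no `signer_digest` entry in the section goes through `ts_CONF_lookup_fail` and fails the call, even though the response context now carries a built-in digest default; if the application side (outside this diff) calls this unconditionally, TSA configurations written before the option existed stop working. Either return 1 and leave the context's default untouched when the key is absent, or document `signer_digest` as a required entry on the same footing as `signer_key`. Separately, `EVP_get_digestbyname` only resolves names that have been registered in the digest table, so a perfectly valid name can still land in the `ts_CONF_invalid` branch if the caller has not loaded digests; a one-line comment on that call, `/* Requires the digest name table to be loaded, else a valid name is rejected. */`, would spare the next reader a debugging session.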
@@ -183,6 +183,7 @@ struct ESS_signing_cert {
 struct TS_resp_ctx {
 X509 *signer_cert;
 EVP_PKEY *signer_key;
+ const EVP_MD *signer_md;
 STACK_OF(X509) *certs; /* Certs to include in signed data. */
 STACK_OF(ASN1_OBJECT) *policies; /* Acceptable policies. */
 ASN1_OBJECT *default_policy; /* It may appear in policies, too. */
diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c
index c7738b8a51..f84555d8fc 100644
--- a/crypto/ts/ts_rsp_sign.c
+++ b/crypto/ts/ts_rsp_sign.c
@@ -169,6 +169,8 @@ TS_RESP_CTX *TS_RESP_CTX_new()
 return NULL;
 }
+ ctx->signer_md = EVP_sha256();
+
 ctx->serial_cb = def_serial_cb;
 ctx->time_cb = def_time_cb;
 ctx->extension_cb = def_extension_cb;
@@ -215,6 +217,12 @@ int TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key)
 return 1;
 }
+int TS_RESP_CTX_set_signer_digest(TS_RESP_CTX *ctx, const EVP_MD *md)
+{
+ ctx->signer_md = md;
+ return 1;
+}
+
 int TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *def_policy)
 {
 ASN1_OBJECT_free(ctx->default_policy);
@@ -700,7 +708,7 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx)
 }
 if ((si = PKCS7_add_signature(p7, ctx->signer_cert,
- ctx->signer_key, EVP_sha1())) == NULL) {
+ ctx->signer_key, ctx->signer_md)) == NULL) {
 TSerr(TS_F_TS_RESP_SIGN, TS_R_PKCS7_ADD_SIGNATURE_ERROR);
 goto err;
 }
-- cgit v1.2.3
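Review bot: The new `signer_md` member of `struct TS_resp_ctx` is the only field in this hunk without a trailing comment, while `certs`, `policies` and `default_policy` just below each carry one. Suggest `const EVP_MD *signer_md; /* Digest used for the response signature. */` so the struct stays self-describing. The rest of the struct lies outside the hunk.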
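Review bot: Initialising `ctx->signer_md = EVP_sha256()` in `TS_RESP_CTX_new` silently changes the signing digest for every existing caller that never calls the new setter, because the line removed in `ts_RESP_sign` hard-coded `EVP_sha1()`; the commit message only says the option was added and does not mention the new default. That is a sensible hardening, but it deserves to be stated at the point of the assignment: `/* Default response signing digest (was SHA-1); override with TS_RESP_CTX_set_signer_digest(). */`. `TS_RESP_CTX_new` starts before this hunk.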
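Review bot: `TS_RESP_CTX_set_signer_digest` stores `md` without checking it and always returns 1, so a NULL argument overwrites the SHA-256 default with a null pointer that `ts_RESP_sign` then passes straight into `PKCS7_add_signature`, which will most likely dereference it. The function already has a status return, so reject the bad input up front, `if (md == NULL) return 0;`, and `TS_CONF_set_signer_digest` and other callers fail cleanly instead of crashing later. The digest is kept by pointer, not copied, so the object must outlive the context; that holds for the library's built-in digest constants but is worth a one-line comment on the setter.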