Commit 03919683 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

Add support for default public key digest type ctrl.

parent 5cda6c45
Loading
Loading
Loading
Loading
+10 −0
Original line number Diff line number Diff line
@@ -4,6 +4,16 @@

 Changes between 0.9.8a and 0.9.9  [xx XXX xxxx]

  *) Add a ctrl to asn1 method to allow a public key algorithm to express
     a default digest type to use. In most cases this will be SHA1 but some
     algorithms (such as GOST) need to specify an alternative digest. The
     return value indicates how strong the prefernce is 1 means optional and
     2 is mandatory (that is it is the only supported type). Modify
     ASN1_item_sign() to accept a NULL digest argument to indicate it should
     use the default md. Update openssl utilities to use the default digest
     type for signing if it is not explicitly indicated.
     [Steve Henson]

  *) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New 
     EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant
     signing method from the key type. This effectively removes the link
+11 −25
Original line number Diff line number Diff line
@@ -1016,6 +1016,17 @@ bad:
		goto err;
		}

	if (!strcmp(md, "default"))
		{
		int def_nid;
		if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0)
			{
			BIO_puts(bio_err,"no default digest\n");
			goto err;
			}
		md = (char *)OBJ_nid2sn(def_nid);
		}

	if ((dgst=EVP_get_digestbyname(md)) == NULL)
		{
		BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
@@ -1412,17 +1423,6 @@ bad:

		/* we now have a CRL */
		if (verbose) BIO_printf(bio_err,"signing CRL\n");
#if 0
#ifndef OPENSSL_NO_DSA
		if (pkey->type == EVP_PKEY_DSA) 
			dgst=EVP_dss1();
		else
#endif
#ifndef OPENSSL_NO_ECDSA
		if (pkey->type == EVP_PKEY_EC)
			dgst=EVP_ecdsa();
#endif
#endif

		/* Add any extensions asked for */

@@ -2101,25 +2101,11 @@ again2:
			}
		}


#ifndef OPENSSL_NO_DSA
	if (pkey->type == EVP_PKEY_DSA) dgst=EVP_dss1();
	pktmp=X509_get_pubkey(ret);
	if (EVP_PKEY_missing_parameters(pktmp) &&
		!EVP_PKEY_missing_parameters(pkey))
		EVP_PKEY_copy_parameters(pktmp,pkey);
	EVP_PKEY_free(pktmp);
#endif
#ifndef OPENSSL_NO_ECDSA
	if (pkey->type == EVP_PKEY_EC)
		dgst = EVP_ecdsa();
	pktmp=X509_get_pubkey(ret);
	if (EVP_PKEY_missing_parameters(pktmp) &&
		!EVP_PKEY_missing_parameters(pkey))
		EVP_PKEY_copy_parameters(pktmp,pkey);
	EVP_PKEY_free(pktmp);
#endif


	if (!X509_sign(ret,pkey,dgst))
		goto err;
+1 −1
Original line number Diff line number Diff line
@@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate field options

default_days	= 365			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= sha1			# which md to use.
default_md	= default		# use public key default MD
preserve	= no			# keep passed DN ordering

# A few difference way of specifying how similar the request should look
+2 −11
Original line number Diff line number Diff line
@@ -193,7 +193,7 @@ int MAIN(int argc, char **argv)
	char *p;
	char *subj = NULL;
	int multirdn = 0;
	const EVP_MD *md_alg=NULL,*digest=EVP_sha1();
	const EVP_MD *md_alg=NULL,*digest=NULL;
	unsigned long chtype = MBSTRING_ASC;
#ifndef MONOLITH
	char *to_free;
@@ -894,16 +894,7 @@ loop:
			BIO_printf(bio_err,"you need to specify a private key\n");
			goto end;
			}
#if 0
#ifndef OPENSSL_NO_DSA
		if (pkey->type == EVP_PKEY_DSA)
			digest=EVP_dss1();
#endif
#ifndef OPENSSL_NO_ECDSA
		if (pkey->type == EVP_PKEY_EC)
			digest=EVP_ecdsa();
#endif
#endif

		if (req == NULL)
			{
			req=X509_REQ_new();
+7 −30
Original line number Diff line number Diff line
@@ -188,7 +188,7 @@ int MAIN(int argc, char **argv)
	X509_REQ *rq=NULL;
	int fingerprint=0;
	char buf[256];
	const EVP_MD *md_alg,*digest=EVP_sha1();
	const EVP_MD *md_alg,*digest=NULL;
	CONF *extconf = NULL;
	char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
	int need_rand = 0;
@@ -885,14 +885,18 @@ bad:
				int j;
				unsigned int n;
				unsigned char md[EVP_MAX_MD_SIZE];
				const EVP_MD *fdig = digest;

				if (!X509_digest(x,digest,md,&n))
				if (!fdig)
					fdig = EVP_sha1();

				if (!X509_digest(x,fdig,md,&n))
					{
					BIO_printf(bio_err,"out of memory\n");
					goto end;
					}
				BIO_printf(STDout,"%s Fingerprint=",
						OBJ_nid2sn(EVP_MD_type(digest)));
						OBJ_nid2sn(EVP_MD_type(fdig)));
				for (j=0; j<(int)n; j++)
					{
					BIO_printf(STDout,"%02X%c",md[j],
@@ -912,16 +916,6 @@ bad:
						passin, e, "Private key");
					if (Upkey == NULL) goto end;
					}
#if 0
#ifndef OPENSSL_NO_DSA
		                if (Upkey->type == EVP_PKEY_DSA)
		                        digest=EVP_dss1();
#endif
#ifndef OPENSSL_NO_ECDSA
				if (Upkey->type == EVP_PKEY_EC)
					digest=EVP_ecdsa();
#endif
#endif

				assert(need_rand);
				if (!sign(x,Upkey,days,clrext,digest,
@@ -938,14 +932,6 @@ bad:
						"CA Private Key");
					if (CApkey == NULL) goto end;
					}
#ifndef OPENSSL_NO_DSA
		                if (CApkey->type == EVP_PKEY_DSA)
		                        digest=EVP_dss1();
#endif
#ifndef OPENSSL_NO_ECDSA
				if (CApkey->type == EVP_PKEY_EC)
					digest = EVP_ecdsa();
#endif
				
				assert(need_rand);
				if (!x509_certify(ctx,CAfile,digest,x,xca,
@@ -973,15 +959,6 @@ bad:

				BIO_printf(bio_err,"Generating certificate request\n");

#ifndef OPENSSL_NO_DSA
		                if (pk->type == EVP_PKEY_DSA)
		                        digest=EVP_dss1();
#endif
#ifndef OPENSSL_NO_ECDSA
				if (pk->type == EVP_PKEY_EC)
					digest=EVP_ecdsa();
#endif

				rq=X509_to_X509_REQ(x,pk,digest);
				EVP_PKEY_free(pk);
				if (rq == NULL)
Loading