Add support for signer_digest option in TS. (e20b4727) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

apps/openssl-vms.cnf

+1 −0

Original line number	Diff line number	Diff line
		@@ -335,6 +335,7 @@ signer_cert = $dir/tsacert.pem # The TSA signing certificate
		certs = $dir.cacert.pem] # Certificate chain to include in reply
		# (optional)
		signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
		signer_digest = sha1 # Signing digest to use. (Optional)

		default_policy = tsa_policy1 # Policy if request did not specify it
		# (optional)

apps/openssl.cnf

+1 −1

Original line number	Diff line number	Diff line
		@@ -335,7 +335,7 @@ signer_cert = $dir/tsacert.pem # The TSA signing certificate
		certs = $dir/cacert.pem # Certificate chain to include in reply
		# (optional)
		signer_key = $dir/private/tsakey.pem # The TSA private key (optional)

		signer_digest = sha1 # Signing digest to use. (Optional)
		default_policy = tsa_policy1 # Policy if request did not specify it
		# (optional)
		other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)

apps/ts.c

+19 −11

Original line number	Diff line number	Diff line
		@@ -95,14 +95,14 @@ static ASN1_INTEGER *create_nonce(int bits);
		/* Reply related functions. */
		static int reply_command(CONF conf, char section, char *engine,
		char queryfile, char passin, char *inkey,
		char signer, char chain, const char *policy,
		char in, int token_in, char out, int token_out,
		int text);
		const EVP_MD md, char signer, char *chain,
		const char policy, char in, int token_in,
		char *out, int token_out, int text);
		static TS_RESP read_PKCS7(BIO in_bio);
		static TS_RESP create_response(CONF conf, const char section, char engine,
		char queryfile, char passin,
		char inkey, char signer, char *chain,
		const char *policy);
		char inkey, const EVP_MD md, char *signer,
		char chain, const char policy);
		static ASN1_INTEGER serial_cb(TS_RESP_CTX ctx, void *data);
		static ASN1_INTEGER next_serial(const char serialfile);
		static int save_ts_serial(const char serialfile, ASN1_INTEGER serial);
		@@ -342,7 +342,7 @@ int ts_main(int argc, char **argv)
		goto opthelp;
		}
		ret = !reply_command(conf, section, engine, queryfile,
		password, inkey, signer, chain, policy,
		password, inkey, md, signer, chain, policy,
		in, token_in, out, token_out, text);
		break;
		case OPT_VERIFY:
		@@ -583,8 +583,8 @@ static ASN1_INTEGER *create_nonce(int bits)

		static int reply_command(CONF conf, char section, char *engine,
		char queryfile, char passin, char *inkey,
		char signer, char chain, const char *policy,
		char *in, int token_in,
		const EVP_MD md, char signer, char *chain,
		const char policy, char in, int token_in,
		char *out, int token_out, int text)
		{
		int ret = 0;
		@@ -605,7 +605,7 @@ static int reply_command(CONF conf, char section, char *engine,
		}
		} else {
		response = create_response(conf, section, engine, queryfile,
		passin, inkey, signer, chain, policy);
		passin, inkey, md, signer, chain, policy);
		if (response)
		BIO_printf(bio_err, "Response has been generated.\n");
		else
		@@ -691,8 +691,8 @@ static TS_RESP read_PKCS7(BIO in_bio)

		static TS_RESP create_response(CONF conf, const char section, char engine,
		char queryfile, char passin,
		char inkey, char signer, char *chain,
		const char *policy)
		char inkey, const EVP_MD md, char *signer,
		char chain, const char policy)
		{
		int ret = 0;
		TS_RESP *response = NULL;
		@@ -717,6 +717,14 @@ static TS_RESP create_response(CONF conf, const char section, char engine,
		goto end;
		if (!TS_CONF_set_signer_key(conf, section, inkey, passin, resp_ctx))
		goto end;

		if (md) {
		if (!TS_RESP_CTX_set_signer_digest(resp_ctx, md))
		goto end;
		} else if (!TS_CONF_set_signer_digest(conf, section, NULL, resp_ctx)) {
		goto end;
		}

		if (!TS_CONF_set_def_policy(conf, section, policy, resp_ctx))
		goto end;
		if (!TS_CONF_set_policies(conf, section, resp_ctx))

crypto/ts/ts_conf.c

+25 −0

Original line number	Diff line number	Diff line
		@@ -75,6 +75,7 @@
		#define ENV_SIGNER_CERT "signer_cert"
		#define ENV_CERTS "certs"
		#define ENV_SIGNER_KEY "signer_key"
		#define ENV_SIGNER_DIGEST "signer_digest"
		#define ENV_DEFAULT_POLICY "default_policy"
		#define ENV_OTHER_POLICIES "other_policies"
		#define ENV_DIGESTS "digests"
		@@ -304,6 +305,30 @@ int TS_CONF_set_signer_key(CONF conf, const char section,
		return ret;
		}

		int TS_CONF_set_signer_digest(CONF conf, const char section,
		const char md, TS_RESP_CTX ctx)
		{
		int ret = 0;
		const EVP_MD *sign_md = NULL;
		if (md == NULL)
		md = NCONF_get_string(conf, section, ENV_SIGNER_DIGEST);
		if (md == NULL) {
		ts_CONF_lookup_fail(section, ENV_SIGNER_DIGEST);
		goto err;
		}
		sign_md = EVP_get_digestbyname(md);
		if (sign_md == NULL) {
		ts_CONF_invalid(section, ENV_SIGNER_DIGEST);
		goto err;
		}
		if (!TS_RESP_CTX_set_signer_digest(ctx, sign_md))
		goto err;

		ret = 1;
		err:
		return ret;
		}

		int TS_CONF_set_def_policy(CONF conf, const char section,
		const char policy, TS_RESP_CTX ctx)
		{

crypto/ts/ts_lcl.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -183,6 +183,7 @@ struct ESS_signing_cert {
		struct TS_resp_ctx {
		X509 *signer_cert;
		EVP_PKEY *signer_key;
		const EVP_MD *signer_md;
		STACK_OF(X509) certs; / Certs to include in signed data. */
		STACK_OF(ASN1_OBJECT) policies; / Acceptable policies. */
		ASN1_OBJECT default_policy; / It may appear in policies, too. */