+/*
+ * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
+ *
+ * Squid software is distributed under GPLv2+ license and includes
+ * contributions from numerous individuals and organizations.
+ * Please see the COPYING and CONTRIBUTORS files for details.
+ */
+
#include "squid.h"
#include "ssl/gadgets.h"
};
Ssl::CertificateProperties::CertificateProperties():
- setValidAfter(false),
- setValidBefore(false),
- setCommonName(false),
- signAlgorithm(Ssl::algSignEnd)
+ setValidAfter(false),
+ setValidBefore(false),
+ setCommonName(false),
+ signAlgorithm(Ssl::algSignEnd),
+ signHash(NULL)
{}
std::string & Ssl::CertificateProperties::dbKey() const
certKey.append(certSignAlgorithm(signAlgorithm));
}
+ if (signHash != NULL) {
+ certKey.append("+SignHash=", 10);
+ certKey.append(EVP_MD_name(signHash));
+ }
+
return certKey;
}
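Review bot: The cache key only records the signing digest when `signHash` is explicitly set (L26-L29), so a certificate generated with the `SQUID_SSL_SIGN_HASH_IF_NONE` fallback gets the same `dbKey()` as one generated before this change, which the removed lines show was always SHA-1. If that fallback is, or later becomes, something other than SHA-1, an existing certificate DB will keep serving the old SHA-1-signed entries for the same key. If the fallback is meant to stay SHA-1 this is harmless; otherwise consider always recording the effective digest, e.g. `certKey.append("+SignHash=", 10); certKey.append(signHash ? EVP_MD_name(signHash) : SQUID_SSL_SIGN_HASH_IF_NONE);`, accepting a one-time cache miss for every stored entry. Only part of dbKey's body is visible in this hunk.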
if ((ext = X509_get_ext(cert.get(), p)) != NULL) {
ASN1_BIT_STRING *keyusage = (ASN1_BIT_STRING *)X509V3_EXT_d2i(ext);
ASN1_BIT_STRING_set_bit(keyusage, KeyEncipherment, 1);
- X509_EXTENSION_set_data( ext, (ASN1_OCTET_STRING*)keyusage );
+
+ //Build the ASN1_OCTET_STRING
+ const X509V3_EXT_METHOD *method = X509V3_EXT_get(ext);
+ assert(method && method->it);
+ unsigned char *ext_der = NULL;
+ int ext_len = ASN1_item_i2d((ASN1_VALUE *)keyusage,
+ &ext_der,
+ (const ASN1_ITEM *)ASN1_ITEM_ptr(method->it));
+
+ ASN1_OCTET_STRING *ext_oct = M_ASN1_OCTET_STRING_new();
+ ext_oct->data = ext_der;
+ ext_oct->length = ext_len;
+ X509_EXTENSION_set_data(ext, ext_oct);
+
+ M_ASN1_OCTET_STRING_free(ext_oct);
ASN1_BIT_STRING_free(keyusage);
}
}
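Review bot: `X509V3_EXT_d2i(ext)` on L34 can return NULL for an undecodable KeyUsage extension and its result is passed straight to `ASN1_BIT_STRING_set_bit`, and the new code on L42-L48 likewise never checks that `ASN1_item_i2d` succeeded (it returns a negative length on error and then leaves `ext_der` NULL) or that `M_ASN1_OCTET_STRING_new()` returned non-NULL before writing through it. If `cert` here carries extensions copied from a peer-supplied certificate, which the surrounding code appears to do but this hunk does not show, a malformed extension turns into a NULL dereference in the proxy; even if it does not, the encoder failure paths still deserve a guard. I would wrap the rewrite in the decode/encode success checks below and leave the extension untouched on failure. The enclosing function starts before this hunk and its return type is not visible, so the guards avoid an early return.
```cpp
ASN1_BIT_STRING *keyusage = (ASN1_BIT_STRING *)X509V3_EXT_d2i(ext);
if (keyusage) {  // undecodable KeyUsage: leave the extension as-is
    ASN1_BIT_STRING_set_bit(keyusage, KeyEncipherment, 1);
    // … unchanged: X509V3_EXT_get / assert(method && method->it) …
    unsigned char *ext_der = NULL;
    int ext_len = ASN1_item_i2d((ASN1_VALUE *)keyusage,
                                &ext_der,
                                (const ASN1_ITEM *)ASN1_ITEM_ptr(method->it));
    ASN1_OCTET_STRING *ext_oct = ext_len > 0 ? M_ASN1_OCTET_STRING_new() : NULL;
    if (ext_oct) {
        ext_oct->data = ext_der;  // ownership moves to ext_oct; freed with it
        ext_oct->length = ext_len;
        X509_EXTENSION_set_data(ext, ext_oct);
        M_ASN1_OCTET_STRING_free(ext_oct);
    } else {
        OPENSSL_free(ext_der);  // NULL-safe; covers the i2d failure case
    }
    ASN1_BIT_STRING_free(keyusage);
}
```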
if (!ret)
return false;
+ const EVP_MD *hash = properties.signHash ? properties.signHash : EVP_get_digestbyname(SQUID_SSL_SIGN_HASH_IF_NONE);
+ assert(hash);
/*Now sign the request */
if (properties.signAlgorithm != Ssl::algSignSelf && properties.signWithPkey.get())
- ret = X509_sign(cert.get(), properties.signWithPkey.get(), EVP_sha1());
+ ret = X509_sign(cert.get(), properties.signWithPkey.get(), hash);
else //else sign with self key (self signed request)
- ret = X509_sign(cert.get(), pkey.get(), EVP_sha1());
+ ret = X509_sign(cert.get(), pkey.get(), hash);
if (!ret)
return false;
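Review bot: `assert(hash)` on L58 aborts the whole process when `EVP_get_digestbyname(SQUID_SSL_SIGN_HASH_IF_NONE)` returns NULL, which happens whenever that digest is not registered in OpenSSL's name table (digests not loaded, or a build without it), and this function already has a failure path one line later. I would replace the assert with `if (!hash) return false;` so a missing digest fails certificate generation instead of crashing the proxy. Which digest `SQUID_SSL_SIGN_HASH_IF_NONE` names is not visible here; worth confirming it is not still SHA-1 now that the hard-coded `EVP_sha1()` is gone, since the point of the change seems to be moving away from it. The enclosing function starts before this hunk and continues past it.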