pki: Query private key for supported signature schemes

diff --git a/src/pki/commands/acert.c b/src/pki/commands/acert.c
index d1ea5c65ebb448bcb3e294e318516546e3b70098..4cbe06c9e724c64d1e55fc56991a6fdf428402fb 100644 (file)
--- a/src/pki/commands/acert.c
+++ b/src/pki/commands/acert.c
@@ -228,6 +228,11 @@ static int acert()
                goto end;
        }
        scheme = get_signature_scheme(private, digest, pss);
+       if (!scheme)
+       {
+               error = "no signature scheme found";
+               goto end;
+       }
 
        ac = lib->creds->create(lib->creds,
                                                        CRED_CERTIFICATE, CERT_X509_AC,

diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 1ccbca89f51e5935367e1d652d3681a00de25934..b117fa1713490a159e47c5837d8c41217fb36952 100644 (file)
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -536,6 +536,11 @@ static int issue()
                                                                                chunk_from_chars(ASN1_SEQUENCE, 0));
        }
        scheme = get_signature_scheme(private, digest, pss);
+       if (!scheme)
+       {
+               error = "no signature scheme found";
+               goto end;
+       }
 
        cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
                                        BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca,

diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index cfddbc455403f13c8478ec740f5a83e276ce1c99..8f5380a4a88dafa52fd770de94a02aec0a332b5f 100644 (file)
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -168,6 +168,11 @@ static int req()
                goto end;
        }
        scheme = get_signature_scheme(private, digest, pss);
+       if (!scheme)
+       {
+               error = "no signature scheme found";
+               goto end;
+       }
 
        cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST,
                                                          BUILD_SIGNING_KEY, private,

diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index 6f7adef0f8c4c0f38a7b1691b50458c07e00ea00..a08ee993166c262f701162c427b89fa79f76efe8 100644 (file)
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -378,6 +378,11 @@ static int self()
                rng->destroy(rng);
        }
        scheme = get_signature_scheme(private, digest, pss);
+       if (!scheme)
+       {
+               error = "no signature scheme found";
+               goto end;
+       }
 
        cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
                                                BUILD_SIGNING_KEY, private, BUILD_PUBLIC_KEY, public,

diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index ca208a5cf833354aebc4371dd8090bbc310a7608..a399d21be0c5584e055b246280f73034890777a7 100644 (file)
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -399,6 +399,12 @@ static int sign_crl()
        chunk_increment(crl_serial);
 
        scheme = get_signature_scheme(private, digest, pss);
+       if (!scheme)
+       {
+               error = "no signature scheme found";
+               goto error;
+       }
+
        enumerator = enumerator_create_filter(list->create_enumerator(list),
                                                                                  filter, NULL, NULL);
        crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,

diff --git a/src/pki/pki.c b/src/pki/pki.c
index ec60f7d4211959fac396ed39a6992e369ee04f59..e647cea69e4ddcd9e446512ad54d7bd2711f6c2d 100644 (file)
--- a/src/pki/pki.c
+++ b/src/pki/pki.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2017 Tobias Brunner
+ * Copyright (C) 2012-2018 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -264,7 +264,30 @@ static hash_algorithm_t get_default_digest(private_key_t *private)
 signature_params_t *get_signature_scheme(private_key_t *private,
                                                                                 hash_algorithm_t digest, bool pss)
 {
-       signature_params_t *scheme;
+       signature_params_t *scheme, *selected = NULL;
+       enumerator_t *enumerator;
+
+       if (private->supported_signature_schemes)
+       {
+               enumerator = private->supported_signature_schemes(private);
+               while (enumerator->enumerate(enumerator, &scheme))
+               {
+                       if (private->get_type(private) == KEY_RSA &&
+                               pss != (scheme->scheme == SIGN_RSA_EMSA_PSS))
+                       {
+                               continue;
+                       }
+                       if (digest == HASH_UNKNOWN ||
+                               digest == hasher_from_signature_scheme(scheme->scheme,
+                                                                                                          scheme->params))
+                       {
+                               selected = signature_params_clone(scheme);
+                               break;
+                       }
+               }
+               enumerator->destroy(enumerator);
+               return selected;
+       }
 
        if (digest == HASH_UNKNOWN)
        {

diff --git a/src/pki/pki.h b/src/pki/pki.h
index 3f0793cfd90b5259eae69ac0e74a1557f7585881..3976c33b79eacf3ba00208ba0aa9244c9d6158f8 100644 (file)
--- a/src/pki/pki.h
+++ b/src/pki/pki.h
@@ -65,7 +65,8 @@ void set_file_mode(FILE *stream, cred_encoding_type_t enc);
  * @param digest       hash algorithm (if HASH_UNKNOWN a default is determined
  *                                     based on the key)
  * @param pss          use PSS padding for RSA keys
- * @return                     allocated signature scheme and parameters
+ * @return                     allocated signature scheme and parameters (NULL if none
+ *                                     found)
  */
 signature_params_t *get_signature_scheme(private_key_t *private,
                                                                                 hash_algorithm_t digest, bool pss);