From: Tobias Brunner Date: Fri, 12 Oct 2018 09:35:09 +0000 (+0200) Subject: pki: Query private key for supported signature schemes X-Git-Tag: 5.7.2dr1~9^2~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dd4bd21c5a22;p=thirdparty%2Fstrongswan.git pki: Query private key for supported signature schemes --- diff --git a/src/pki/commands/acert.c b/src/pki/commands/acert.c index d1ea5c65eb..4cbe06c9e7 100644 --- a/src/pki/commands/acert.c +++ b/src/pki/commands/acert.c @@ -228,6 +228,11 @@ static int acert() goto end; } scheme = get_signature_scheme(private, digest, pss); + if (!scheme) + { + error = "no signature scheme found"; + goto end; + } ac = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_AC, diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c index 1ccbca89f5..b117fa1713 100644 --- a/src/pki/commands/issue.c +++ b/src/pki/commands/issue.c @@ -536,6 +536,11 @@ static int issue() chunk_from_chars(ASN1_SEQUENCE, 0)); } scheme = get_signature_scheme(private, digest, pss); + if (!scheme) + { + error = "no signature scheme found"; + goto end; + } cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca, diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c index cfddbc4554..8f5380a4a8 100644 --- a/src/pki/commands/req.c +++ b/src/pki/commands/req.c @@ -168,6 +168,11 @@ static int req() goto end; } scheme = get_signature_scheme(private, digest, pss); + if (!scheme) + { + error = "no signature scheme found"; + goto end; + } cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST, BUILD_SIGNING_KEY, private, diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c index 6f7adef0f8..a08ee99316 100644 --- a/src/pki/commands/self.c +++ b/src/pki/commands/self.c @@ -378,6 +378,11 @@ static int self() rng->destroy(rng); } scheme = get_signature_scheme(private, digest, pss); + if (!scheme) + { + error = "no signature scheme found"; + goto end; + } cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_SIGNING_KEY, private, BUILD_PUBLIC_KEY, public, diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c index ca208a5cf8..a399d21be0 100644 --- a/src/pki/commands/signcrl.c +++ b/src/pki/commands/signcrl.c @@ -399,6 +399,12 @@ static int sign_crl() chunk_increment(crl_serial); scheme = get_signature_scheme(private, digest, pss); + if (!scheme) + { + error = "no signature scheme found"; + goto error; + } + enumerator = enumerator_create_filter(list->create_enumerator(list), filter, NULL, NULL); crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, diff --git a/src/pki/pki.c b/src/pki/pki.c index ec60f7d421..e647cea69e 100644 --- a/src/pki/pki.c +++ b/src/pki/pki.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2017 Tobias Brunner + * Copyright (C) 2012-2018 Tobias Brunner * Copyright (C) 2009 Martin Willi * HSR Hochschule fuer Technik Rapperswil * @@ -264,7 +264,30 @@ static hash_algorithm_t get_default_digest(private_key_t *private) signature_params_t *get_signature_scheme(private_key_t *private, hash_algorithm_t digest, bool pss) { - signature_params_t *scheme; + signature_params_t *scheme, *selected = NULL; + enumerator_t *enumerator; + + if (private->supported_signature_schemes) + { + enumerator = private->supported_signature_schemes(private); + while (enumerator->enumerate(enumerator, &scheme)) + { + if (private->get_type(private) == KEY_RSA && + pss != (scheme->scheme == SIGN_RSA_EMSA_PSS)) + { + continue; + } + if (digest == HASH_UNKNOWN || + digest == hasher_from_signature_scheme(scheme->scheme, + scheme->params)) + { + selected = signature_params_clone(scheme); + break; + } + } + enumerator->destroy(enumerator); + return selected; + } if (digest == HASH_UNKNOWN) { diff --git a/src/pki/pki.h b/src/pki/pki.h index 3f0793cfd9..3976c33b79 100644 --- a/src/pki/pki.h +++ b/src/pki/pki.h @@ -65,7 +65,8 @@ void set_file_mode(FILE *stream, cred_encoding_type_t enc); * @param digest hash algorithm (if HASH_UNKNOWN a default is determined * based on the key) * @param pss use PSS padding for RSA keys - * @return allocated signature scheme and parameters + * @return allocated signature scheme and parameters (NULL if none + * found) */ signature_params_t *get_signature_scheme(private_key_t *private, hash_algorithm_t digest, bool pss);