From: Dan Streetman
Date: Sat, 8 Mar 2025 21:47:45 +0000 (-0500)
Subject: keyutil: add parameter to specify hash algorithm used for PKCS#1 signature
X-Git-Tag: v258-rc1~341^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=103fa98f8431eed799824e501abd88f4b9702380;p=thirdparty%2Fsystemd.git

keyutil: add parameter to specify hash algorithm used for PKCS#1 signature
---
diff --git a/man/systemd-keyutil.xml b/man/systemd-keyutil.xml
index a1e0bca43d8..aaf760b948b 100644
--- a/man/systemd-keyutil.xml
+++ b/man/systemd-keyutil.xml
@@ -72,7 +72,9 @@ in a PKCS#7 signature using the certificate given with and writes it to the file specified with in PKCS#7 format (p7s). If is provided it is included in the p7s,
- otherwise a "detached" signature is created.
+ otherwise a "detached" signature is created. The option, which
+ defaults to SHA256, specifies what hash algorithm was used to generate the
+ signature.
@@ -119,6 +121,17 @@
+
+
+
+ Hash algorithm used to generate the PKCS#1 signature for the pkcs7
+ command. This should be a valid openssl digest algorithm; use openssl list
+ -digest-algorithms to see a list of valid algorithms on your system. Defaults to
+ SHA256.
+
+
+
+
diff --git a/src/keyutil/keyutil.c b/src/keyutil/keyutil.c
index 396bd1db1eb..d94d2153c2a 100644
--- a/src/keyutil/keyutil.c
+++ b/src/keyutil/keyutil.c
@@ -26,6 +26,7 @@ static char *arg_certificate_source = NULL;
 static CertificateSourceType arg_certificate_source_type = OPENSSL_CERTIFICATE_SOURCE_FILE;
 static char *arg_signature = NULL;
 static char *arg_content = NULL;
+static char *arg_hash_algorithm = NULL;
 static char *arg_output = NULL;
 STATIC_DESTRUCTOR_REGISTER(arg_private_key, freep);
@@ -66,6 +67,8 @@ static int help(int argc, char *argv[], void *userdata) {
 " from an OpenSSL provider\n"
 " --content=PATH Raw data content to embed in PKCS#7 signature\n"
 " --signature=PATH PKCS#1 signature to embed in PKCS#7 signature\n"
+ " --hash-algorithm=ALGORITHM\n"
+ " Hash algorithm used to create the PKCS#1 signature\n"
 " --output=PATH Where to write the PKCS#7 signature\n"
 "\nSee the %2$s for details.\n",
 program_invocation_short_name,
@@ -87,6 +90,7 @@ static int parse_argv(int argc, char *argv[]) {
 ARG_CERTIFICATE_SOURCE,
 ARG_SIGNATURE,
 ARG_CONTENT,
+ ARG_HASH_ALGORITHM,
 ARG_OUTPUT,
 };
@@ -99,6 +103,7 @@ static int parse_argv(int argc, char *argv[]) {
 { "certificate-source", required_argument, NULL, ARG_CERTIFICATE_SOURCE },
 { "signature", required_argument, NULL, ARG_SIGNATURE },
 { "content", required_argument, NULL, ARG_CONTENT },
+ { "hash-algorithm", required_argument, NULL, ARG_HASH_ALGORITHM },
 { "output", required_argument, NULL, ARG_OUTPUT },
 {}
 };
@@ -164,6 +169,10 @@ static int parse_argv(int argc, char *argv[]) {
 break;
+ case ARG_HASH_ALGORITHM:
+ arg_hash_algorithm = optarg;
+ break;
+
 case ARG_OUTPUT:
 r = parse_path_argument(optarg, /*suppress_root=*/ false, &arg_output);
 if (r < 0)
@@ -355,7 +364,7 @@ static int verb_pkcs7(int argc, char *argv[], void *userdata) {
 _cleanup_(PKCS7_freep) PKCS7 *pkcs7 = NULL;
 PKCS7_SIGNER_INFO *signer_info;
- r = pkcs7_new(certificate, /* private_key= */ NULL, /* hash_algorithm= */ NULL, &pkcs7, &signer_info);
+ r = pkcs7_new(certificate, /* private_key= */ NULL, arg_hash_algorithm, &pkcs7, &signer_info);
 if (r < 0)
 return log_error_errno(r, "Failed to allocate PKCS#7 context: %m");
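Review bot: The new `--hash-algorithm=ALGORITHM` help text in help() does not say what is used when the option is omitted, while the man page hunk in this same commit promises a SHA256 default, so `--help` readers get less information than the manual. Suggest stating it inline, e.g. `" Hash algorithm used to create the PKCS#1 signature (default: SHA256)\n"`, so the two descriptions agree. The printf() this string belongs to starts before the hunk.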
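Review bot: The `case ARG_HASH_ALGORITHM:` branch stores `optarg` verbatim with no check that it names a digest OpenSSL knows, so a mistyped algorithm is only noticed when verb_pkcs7() (last hunk) calls pkcs7_new() and is then reported as the generic "Failed to allocate PKCS#7 context: %m" rather than as a bad option; pkcs7_new() is outside this diff, so it may already produce a clearer message, in which case this is moot. A parse-time check such as `if (!EVP_get_digestbyname(optarg)) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown hash algorithm '%s'.", optarg);` would fail fast with the offending value named, matching how the man page describes the accepted values. The call site in verb_pkcs7() now passes a possibly-NULL `arg_hash_algorithm` where the removed line had an explicit `/* hash_algorithm= */ NULL`; the default behaviour is therefore delegated to pkcs7_new(), and a short comment there, `/* NULL selects pkcs7_new()'s default (SHA256 per the man page) */`, would keep that contract visible. Both parse_argv() and verb_pkcs7() continue outside their hunks.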