Dear OpenSSL developers,

I wrote an application that tests various digest and public-key algorithms for
timestamp generation, and I needed to make some changes to the OpenSSL codebase.

Here is a small contribution that allows selecting the digest algorithm used
during signature generation.

This patch applies on top of current master (c1669e1). Feel free to give me any
feedback on it.
A small script to test this feature is also attached; I ran it from the
apps/ directory.

Regards,
Jean-Louis.
From daf44de2f6ccc548e8c8aa1324970cdc0fc07ac2 Mon Sep 17 00:00:00 2001
From: Jean-Louis Thekekara <jean-louis.thekek...@openwide.fr>
Date: Mon, 5 Jan 2015 17:29:06 +0100
Subject: [PATCH] ts: Add digest algorithm selection during response

The previous default digest (sha1) has been kept, but another
alternative would be to leave rsign_md = NULL when not defined by the user.

It would trigger the following code in PKCS7_add_signature() :

if (dgst == NULL)
       {
       int def_nid;
       if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0)
           goto err;
       dgst = EVP_get_digestbynid(def_nid);

With an RSA key, the default digest is currently sha256.
---
 apps/ts.c               |   36 +++++++++++++++++++++++++++++-------
 crypto/ts/ts.h          |    1 +
 crypto/ts/ts_rsp_sign.c |    2 +-
 3 files changed, 31 insertions(+), 8 deletions(-)

diff --git a/apps/ts.c b/apps/ts.c
index ace13bd..17a3db8 100644
--- a/apps/ts.c
+++ b/apps/ts.c
@@ -98,11 +98,11 @@ static int reply_command(CONF *conf, char *section, char *engine,
 			 char *queryfile, char *passin, char *inkey, 
 			 char *signer, char *chain, const char *policy, 
 			 char *in, int token_in, char *out, int token_out,
-			 int text);
+			 int text, const EVP_MD *rsign_md);
 static TS_RESP *read_PKCS7(BIO *in_bio);
 static TS_RESP *create_response(CONF *conf, const char *section, char *engine,
 				char *queryfile, char *passin, char *inkey,
-				char *signer, char *chain, const char *policy);
+				char *signer, char *chain, const char *policy, const EVP_MD *rsign_md);
 static ASN1_INTEGER * MS_CALLBACK serial_cb(TS_RESP_CTX *ctx, void *data);
 static ASN1_INTEGER *next_serial(const char *serialfile);
 static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial);
@@ -133,6 +133,7 @@ int MAIN(int argc, char **argv)
 	char *data = NULL;
 	char *digest = NULL;
 	const EVP_MD *md = NULL;
+	const EVP_MD *rsign_md = NULL;
 	char *rnd = NULL;
 	char *policy = NULL;
 	int no_nonce = 0;
@@ -290,6 +291,17 @@ int MAIN(int argc, char **argv)
 			if (argc-- < 1) goto usage;
 			engine = *++argv;
 			}
+		else if (strcmp(*argv, "-rmd") == 0)
+			{
+			if (argc-- < 1) goto usage;
+			rsign_md = EVP_get_digestbyname(*++argv);
+			if (!rsign_md)
+				{
+				BIO_printf(bio_err, "Invalid digest : %s.\n", *--argv);
+				++argv;
+				goto usage;
+				}
+			}
 		else if ((md = EVP_get_digestbyname(*argv + 1)) != NULL)
 			{
 			/* empty. */
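Review bot: The error path in the new `-rmd` branch prints the wrong argument: after `*++argv` has advanced to the digest name, `*--argv` steps back to the option itself, so the message reads "Invalid digest : -rmd." instead of naming the rejected value. Printing the current argument, `BIO_printf(bio_err, "Invalid digest : %s.\n", *argv);`, fixes that and makes the `++argv` restore unnecessary. The branch also accepts every name `EVP_get_digestbyname()` resolves, so an operator can select a legacy digest such as MD5 for the TSA response signature without any warning; a check against digests the TSA should not sign with, or at least a comment stating that no restriction is intended, would make the policy explicit. MAIN's option loop starts and ends outside this hunk.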
@@ -349,7 +361,7 @@ int MAIN(int argc, char **argv)
 
 		ret = !reply_command(conf, section, engine, queryfile, 
 				     password, inkey, signer, chain, policy, 
-				     in, token_in, out, token_out, text);
+				     in, token_in, out, token_out, text, rsign_md);
 		break;
 	case CMD_VERIFY:
 		ret = !(((queryfile && !data && !digest)
@@ -375,7 +387,7 @@ int MAIN(int argc, char **argv)
 	BIO_printf(bio_err, "or\n"
 		   "ts -reply [-config configfile] [-section tsa_section] "
 		   "[-queryfile request.tsq] [-passin password] "
-		   "[-signer tsa_cert.pem] [-inkey private_key.pem] "
+		   "[-signer tsa_cert.pem] [-rmd digest_algo_used_for_response] [-inkey private_key.pem] "
 		   "[-chain certs_file.pem] [-policy object_id] "
 		   "[-in response.tsr] [-token_in] "
 		   "[-out response.tsr] [-token_out] [-text] [-engine id]\n");
@@ -675,7 +687,7 @@ static int reply_command(CONF *conf, char *section, char *engine,
 			 char *queryfile, char *passin, char *inkey,
 			 char *signer, char *chain, const char *policy, 
 			 char *in, int token_in,
-			 char *out, int token_out, int text)
+			 char *out, int token_out, int text, const EVP_MD *rsign_md)
 	{
 	int ret = 0;
 	TS_RESP *response = NULL;
@@ -705,7 +717,7 @@ static int reply_command(CONF *conf, char *section, char *engine,
 		{
 		response = create_response(conf, section, engine, queryfile,
 					   passin, inkey, signer, chain,
-					   policy);
+					   policy, rsign_md);
 		if (response)
 			BIO_printf(bio_err, "Response has been generated.\n");
 		else
@@ -800,7 +812,7 @@ static TS_RESP *read_PKCS7(BIO *in_bio)
 
 static TS_RESP *create_response(CONF *conf, const char *section, char *engine, 
 				char *queryfile, char *passin, char *inkey,
-				char *signer, char *chain, const char *policy)
+				char *signer, char *chain, const char *policy, const EVP_MD *rsign_md)
 	{
 	int ret = 0;
 	TS_RESP *response = NULL;
@@ -859,6 +871,16 @@ static TS_RESP *create_response(CONF *conf, const char *section, char *engine,
 	/* Setting the ESS cert id chain flag if requested. */
 	if (!TS_CONF_set_ess_cert_id_chain(conf, section, resp_ctx)) goto end;
 
+	/* Setting the digest algorithm used during the signature process */
+	if (rsign_md)
+		{
+		resp_ctx->rsign_md = rsign_md;
+		}
+	else
+		{
+		resp_ctx->rsign_md = EVP_sha1(); /* Keep the former default behaviour */
+		}
+
 	/* Creating the response. */
 	if (!(response = TS_RESP_create_response(resp_ctx, query_bio)))
 		goto end;
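Review bot: The digest is stored by writing `resp_ctx->rsign_md` directly from apps/ts.c, whereas the neighbouring settings in create_response go through calls such as `TS_CONF_set_ess_cert_id_chain()`; a setter in crypto/ts would keep the application out of the context's layout and give the NULL/default rule a single home. As written, the if/else reduces to `resp_ctx->rsign_md = rsign_md ? rsign_md : EVP_sha1();`. Keeping SHA-1 as the fallback means responses stay SHA-1-signed unless the operator passes `-rmd`, while the alternative named in the commit description (leaving the value NULL) would pick the key's default digest; that choice is worth making explicitly and recording in the comment. create_response starts and ends outside this hunk.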
diff --git a/crypto/ts/ts.h b/crypto/ts/ts.h
index b5fe7ae..64ccda4 100644
--- a/crypto/ts/ts.h
+++ b/crypto/ts/ts.h
@@ -511,6 +511,7 @@ typedef struct TS_resp_ctx
 	unsigned	clock_precision_digits; /* fraction of seconds in
 						   time stamp token. */
 	unsigned	flags;		/* Optional info, see values above. */
+	const EVP_MD	*rsign_md;	/* Digest used during signature process */
 
 	/* Callback functions. */
 	TS_serial_cb serial_cb;
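Review bot: The new `rsign_md` member is inserted ahead of the callback members of `TS_resp_ctx` in a public header, which moves the offset of `serial_cb` and of everything after it. Code built against the old ts.h that reads or writes those members directly would then disagree with the library about the layout; whether such users exist is not visible here. Appending the member at the end of the struct avoids the shift, and the comment could say what an unset value means, e.g. `/* Digest for the response signature; NULL = not set */`. The struct definition continues outside this hunk.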
diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c
index 3c48352..4150ea0 100644
--- a/crypto/ts/ts_rsp_sign.c
+++ b/crypto/ts/ts_rsp_sign.c
@@ -743,7 +743,7 @@ static int TS_RESP_sign(TS_RESP_CTX *ctx)
 
 	/* Add a new signer info. */
     	if (!(si = PKCS7_add_signature(p7, ctx->signer_cert, 
-				       ctx->signer_key, EVP_sha1())))
+				       ctx->signer_key, ctx->rsign_md)))
 		{
 		TSerr(TS_F_TS_RESP_SIGN, TS_R_PKCS7_ADD_SIGNATURE_ERROR);
 		goto err;
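Review bot: `ctx->rsign_md` is handed to `PKCS7_add_signature()` unchecked, and in this patch only apps/ts.c ever assigns it. Any other caller that builds a TS_RESP_CTX and signs will pass whatever the field holds, presumably NULL if the context is zero-initialised (the constructor is not in the diff). Per the commit description, NULL makes PKCS7_add_signature choose the key's default digest, so those callers would silently stop producing SHA-1 signatures. If the former behaviour is meant to be kept for every caller, apply the default here, `ctx->rsign_md ? ctx->rsign_md : EVP_sha1()`, rather than only in the application. TS_RESP_sign starts and ends outside the hunk.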
-- 
1.7.10.4

Attachment: test.sh
Description: application/shellscript

Attachment: openssl-demoTS.cnf
Description: Binary data
