diff -urN openssl-1.0.0d/apps/openssl.cnf openssl-1.0.0d-work/apps/openssl.cnf --- openssl-1.0.0d/apps/openssl.cnf 2009-04-04 20:09:43.000000000 +0200 +++ openssl-1.0.0d-work/apps/openssl.cnf 2011-04-15 16:05:04.000000000 +0200 @@ -335,7 +335,7 @@ certs = $dir/cacert.pem # Certificate chain to include in reply # (optional) signer_key = $dir/private/tsakey.pem # The TSA private key (optional) - +signing_digest = sha1 # Signing digest to use. (Optional) default_policy = tsa_policy1 # Policy if request did not specify it # (optional) other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) diff -urN openssl-1.0.0d/apps/ts.c openssl-1.0.0d-work/apps/ts.c --- openssl-1.0.0d/apps/ts.c 2009-10-18 16:42:26.000000000 +0200 +++ openssl-1.0.0d-work/apps/ts.c 2011-04-15 16:17:49.000000000 +0200 @@ -96,13 +96,14 @@ /* Reply related functions. */ static int reply_command(CONF *conf, char *section, char *engine, char *queryfile, char *passin, char *inkey, - char *signer, char *chain, const char *policy, - char *in, int token_in, char *out, int token_out, - int text); + const char *md, char *signer, char *chain, + const char *policy, char *in, int token_in, char *out, + int token_out, int text); static TS_RESP *read_PKCS7(BIO *in_bio); static TS_RESP *create_response(CONF *conf, const char *section, char *engine, - char *queryfile, char *passin, char *inkey, - char *signer, char *chain, const char *policy); + char *queryfile, char *passin, char *inkey, + const char *md, char *signer, char *chain, + const char *policy); static ASN1_INTEGER * MS_CALLBACK serial_cb(TS_RESP_CTX *ctx, void *data); static ASN1_INTEGER *next_serial(const char *serialfile); static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial); @@ -133,6 +134,7 @@ char *data = NULL; char *digest = NULL; const EVP_MD *md = NULL; + char *sign_digest = NULL; char *rnd = NULL; char *policy = NULL; int no_nonce = 0; @@ -292,7 +294,7 @@ } else if ((md = EVP_get_digestbyname(*argv + 1)) != NULL) { - /* empty. */ + sign_digest = *argv + 1; } else goto usage; @@ -348,8 +350,9 @@ } ret = !reply_command(conf, section, engine, queryfile, - password, inkey, signer, chain, policy, - in, token_in, out, token_out, text); + password, inkey, sign_digest, signer, + chain, policy, in, token_in, out, + token_out, text); break; case CMD_VERIFY: ret = !(((queryfile && !data && !digest) @@ -367,7 +370,7 @@ usage: BIO_printf(bio_err, "usage:\n" "ts -query [-rand file%cfile%c...] [-config configfile] " - "[-data file_to_hash] [-digest digest_bytes]" + "[-data file_to_hash] [-digest digest_bytes] " "[-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160] " "[-policy object_id] [-no_nonce] [-cert] " "[-in request.tsq] [-out request.tsq] [-text]\n", @@ -376,6 +379,7 @@ "ts -reply [-config configfile] [-section tsa_section] " "[-queryfile request.tsq] [-passin password] " "[-signer tsa_cert.pem] [-inkey private_key.pem] " + "[-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160] " "[-chain certs_file.pem] [-policy object_id] " "[-in response.tsr] [-token_in] " "[-out response.tsr] [-token_out] [-text] [-engine id]\n"); @@ -671,9 +675,9 @@ */ static int reply_command(CONF *conf, char *section, char *engine, - char *queryfile, char *passin, char *inkey, - char *signer, char *chain, const char *policy, - char *in, int token_in, + char *queryfile, char *passin, char *inkey, + const char *md, char *signer, char *chain, + const char *policy, char *in, int token_in, char *out, int token_out, int text) { int ret = 0; @@ -703,7 +707,7 @@ else { response = create_response(conf, section, engine, queryfile, - passin, inkey, signer, chain, + passin, inkey, md, signer, chain, policy); if (response) BIO_printf(bio_err, "Response has been generated.\n"); @@ -798,8 +802,9 @@ } static TS_RESP *create_response(CONF *conf, const char *section, char *engine, - char *queryfile, char *passin, char *inkey, - char *signer, char *chain, const char *policy) + char *queryfile, char *passin, char *inkey, + const char *md, char *signer, char *chain, + const char *policy) { int ret = 0; TS_RESP *response = NULL; @@ -833,6 +838,10 @@ if (!TS_CONF_set_signer_key(conf, section, inkey, passin, resp_ctx)) goto end; + /* Setting signing digest */ + if (!TS_CONF_set_signing_digest(conf, section, md, resp_ctx)) + goto end; + /* Setting default policy OID. */ if (!TS_CONF_set_def_policy(conf, section, policy, resp_ctx)) goto end; diff -urN openssl-1.0.0d/crypto/ts/ts_conf.c openssl-1.0.0d-work/crypto/ts/ts_conf.c --- openssl-1.0.0d/crypto/ts/ts_conf.c 2008-12-20 18:04:39.000000000 +0100 +++ openssl-1.0.0d-work/crypto/ts/ts_conf.c 2011-04-15 16:18:42.000000000 +0200 @@ -75,6 +75,7 @@ #define ENV_SIGNER_CERT "signer_cert" #define ENV_CERTS "certs" #define ENV_SIGNER_KEY "signer_key" +#define ENV_SIGNING_DIGEST "signing_digest" #define ENV_DEFAULT_POLICY "default_policy" #define ENV_OTHER_POLICIES "other_policies" #define ENV_DIGESTS "digests" @@ -299,6 +300,31 @@ return ret; } +int TS_CONF_set_signing_digest(CONF *conf, const char *section, + const char *md, TS_RESP_CTX *ctx) + { + int ret = 0; + const EVP_MD *sign_md = NULL; + if (!md) + md = NCONF_get_string(conf, section, ENV_SIGNING_DIGEST); + if (!md) + { + TS_CONF_lookup_fail(section, ENV_SIGNING_DIGEST); + goto err; + } + if (!(sign_md = (EVP_MD *) EVP_get_digestbyname(md))) + { + TS_CONF_invalid(section, ENV_SIGNING_DIGEST); + goto err; + } + if (!TS_RESP_CTX_set_signing_digest(ctx, sign_md)) + goto err; + + ret = 1; + err: + return ret; + } + int TS_CONF_set_def_policy(CONF *conf, const char *section, const char *policy, TS_RESP_CTX *ctx) { diff -urN openssl-1.0.0d/crypto/ts/ts.h openssl-1.0.0d-work/crypto/ts/ts.h --- openssl-1.0.0d/crypto/ts/ts.h 2008-11-12 04:58:06.000000000 +0100 +++ openssl-1.0.0d-work/crypto/ts/ts.h 2011-04-15 16:21:08.000000000 +0200 @@ -504,6 +504,7 @@ { X509 *signer_cert; EVP_PKEY *signer_key; + const EVP_MD *signing_digest; STACK_OF(X509) *certs; /* Certs to include in signed data. */ STACK_OF(ASN1_OBJECT) *policies; /* Acceptable policies. */ ASN1_OBJECT *default_policy; /* It may appear in policies, too. */ @@ -545,6 +546,10 @@ int TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key); /* This parameter must be set. */ +int TS_RESP_CTX_set_signing_digest(TS_RESP_CTX *ctx, + const EVP_MD *signing_digest); + +/* This parameter must be set. */ int TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *def_policy); /* No additional certs are included in the response by default. */ @@ -744,6 +749,8 @@ TS_RESP_CTX *ctx); int TS_CONF_set_signer_key(CONF *conf, const char *section, const char *key, const char *pass, TS_RESP_CTX *ctx); +int TS_CONF_set_signing_digest(CONF *conf, const char *section, + const char *md, TS_RESP_CTX *ctx); int TS_CONF_set_def_policy(CONF *conf, const char *section, const char *policy, TS_RESP_CTX *ctx); int TS_CONF_set_policies(CONF *conf, const char *section, TS_RESP_CTX *ctx); diff -urN openssl-1.0.0d/crypto/ts/ts_rsp_sign.c openssl-1.0.0d-work/crypto/ts/ts_rsp_sign.c --- openssl-1.0.0d/crypto/ts/ts_rsp_sign.c 2006-03-19 22:09:48.000000000 +0100 +++ openssl-1.0.0d-work/crypto/ts/ts_rsp_sign.c 2011-04-15 16:31:10.000000000 +0200 @@ -221,6 +221,14 @@ return 1; } +int TS_RESP_CTX_set_signing_digest(TS_RESP_CTX *ctx, + const EVP_MD *signing_digest) + { + if (signing_digest == NULL) return 0; + ctx->signing_digest = signing_digest; + return 1; + } + int TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *def_policy) { if (ctx->default_policy) ASN1_OBJECT_free(ctx->default_policy); @@ -749,7 +757,7 @@ /* Add a new signer info. */ if (!(si = PKCS7_add_signature(p7, ctx->signer_cert, - ctx->signer_key, EVP_sha1()))) + ctx->signer_key, ctx->signing_digest))) { TSerr(TS_F_TS_RESP_SIGN, TS_R_PKCS7_ADD_SIGNATURE_ERROR); goto err; diff -urN openssl-1.0.0d/doc/apps/ts.pod openssl-1.0.0d-work/doc/apps/ts.pod --- openssl-1.0.0d/doc/apps/ts.pod 2009-04-10 13:25:54.000000000 +0200 +++ openssl-1.0.0d-work/doc/apps/ts.pod 2011-04-15 16:01:14.000000000 +0200 @@ -28,6 +28,7 @@ [B<-passin> password_src] [B<-signer> tsa_cert.pem] [B<-inkey> private.pem] +[B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>] [B<-chain> certs_file.pem] [B<-policy> object_id] [B<-in> response.tsr] @@ -215,6 +216,11 @@ The signer private key of the TSA in PEM format. Overrides the B config file option. (Optional) +=item B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...> + +Signing digest to use. Overrides the B config file +option. (Optional) + =item B<-chain> certs_file.pem The collection of certificates in PEM format that will all @@ -396,6 +402,12 @@ The private key of the TSA in PEM format. The same as the B<-inkey> command line option. (Optional) +=item B + +Signing digest to use. The same as the +B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...> +command line option. (Optional) + =item B The default policy to use when the request does not mandate any diff -urN openssl-1.0.0d/test/CAtsa.cnf openssl-1.0.0d-work/test/CAtsa.cnf --- openssl-1.0.0d/test/CAtsa.cnf 2010-01-25 01:22:52.000000000 +0100 +++ openssl-1.0.0d-work/test/CAtsa.cnf 2011-04-15 16:14:11.000000000 +0200 @@ -132,7 +132,7 @@ certs = $dir/tsaca.pem # Certificate chain to include in reply # (optional) signer_key = $dir/tsa_key1.pem # The TSA private key (optional) - +signing_digest = sha1 # Signing digest to use. (Optional) default_policy = tsa_policy1 # Policy if request did not specify it # (optional) other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) @@ -156,7 +156,7 @@ certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply # (optional) signer_key = $dir/tsa_key2.pem # The TSA private key (optional) - +signing_digest = sha1 # Signing digest to use. (Optional) default_policy = tsa_policy1 # Policy if request did not specify it # (optional) other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)