Hi, everyone.
"openssl ts -reply ..." command always uses SHA-1 for signing.
This patch makes it possible to specify the message digest algorithm for signing:
> openssl ts -reply -queryfile req.bin -config tsa.cnf -sha256 > resp.bin
Please merge it.
--- apps/ts.c.orig 2014-01-06 22:47:42.000000000 +0900
+++ apps/ts.c 2014-03-24 22:04:44.744166300 +0900
@@ -97,12 +97,13 @@
static int reply_command(CONF *conf, char *section, char *engine,
char *queryfile, char *passin, char *inkey,
char *signer, char *chain, const char *policy,
- char *in, int token_in, char *out, int token_out,
- int text);
+ const EVP_MD *md, char *in, int token_in,
+ char *out, int token_out, int text);
static TS_RESP *read_PKCS7(BIO *in_bio);
static TS_RESP *create_response(CONF *conf, const char *section, char *engine,
char *queryfile, char *passin, char *inkey,
- char *signer, char *chain, const char *policy);
+ char *signer, char *chain, const char *policy,
+ const EVP_MD *md);
static ASN1_INTEGER * MS_CALLBACK serial_cb(TS_RESP_CTX *ctx, void *data);
static ASN1_INTEGER *next_serial(const char *serialfile);
static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial);
@@ -349,7 +350,7 @@
ret = !reply_command(conf, section, engine, queryfile,
password, inkey, signer, chain, policy,
- in, token_in, out, token_out, text);
+ md, in, token_in, out, token_out, text);
break;
case CMD_VERIFY:
ret = !(((queryfile && !data && !digest)
@@ -377,6 +378,7 @@
"[-queryfile request.tsq] [-passin password] "
"[-signer tsa_cert.pem] [-inkey private_key.pem] "
"[-chain certs_file.pem] [-policy object_id] "
+ "[-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160] "
"[-in response.tsr] [-token_in] "
"[-out response.tsr] [-token_out] [-text] [-engine id]\n");
BIO_printf(bio_err, "or\n"
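Review bot: The added usage line advertises `-md2|-md4|-md5` as signing digests for a timestamp reply and omits the SHA-2 names, even though the patch description's own example uses `-sha256`. A token signed with MD5 or older is not something a relying party should accept, so the help text should steer users to the strong choices, e.g. `"[-sha1|-sha256|-sha384|-sha512] "`. It would also be worth having the reply path reject the broken digests outright, though where the option is parsed is outside this hunk. The enclosing BIO_printf call starts before the hunk.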
@@ -673,7 +675,7 @@
static int reply_command(CONF *conf, char *section, char *engine,
char *queryfile, char *passin, char *inkey,
char *signer, char *chain, const char *policy,
- char *in, int token_in,
+ const EVP_MD *md, char *in, int token_in,
char *out, int token_out, int text)
{
int ret = 0;
@@ -684,6 +686,9 @@
BIO *signer_bio = NULL;
BIO *out_bio = NULL;
+ /* Setting default message digest. */
+ if (!md && !(md = EVP_get_digestbyname("sha1"))) goto end;
+
/* Build response object either from response or query. */
if (in != NULL)
{
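Review bot: The default digest is looked up by name with `EVP_get_digestbyname("sha1")`, which only works if the digest table has been loaded, and on failure it jumps to `end` without any message in the visible lines. `if (md == NULL) md = EVP_sha1();` cannot fail and avoids the assignment inside the condition. The comment should also say that SHA-1 is kept as the default only for backward compatibility, so a reader does not take it as a recommendation. reply_command's body continues outside the hunk.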
@@ -704,7 +709,7 @@
{
response = create_response(conf, section, engine, queryfile,
passin, inkey, signer, chain,
- policy);
+ policy, md);
if (response)
BIO_printf(bio_err, "Response has been generated.\n");
else
@@ -799,7 +804,8 @@
static TS_RESP *create_response(CONF *conf, const char *section, char *engine,
char *queryfile, char *passin, char *inkey,
- char *signer, char *chain, const char *policy)
+ char *signer, char *chain, const char *policy,
+ const EVP_MD *md)
{
int ret = 0;
TS_RESP *response = NULL;
@@ -858,6 +864,9 @@
/* Setting the ESS cert id chain flag if requested. */
if (!TS_CONF_set_ess_cert_id_chain(conf, section, resp_ctx)) goto end;
+ /* Setting the messege digest algorithm for signing. */
+ resp_ctx->md=md;
+
/* Creating the response. */
if (!(response = TS_RESP_create_response(resp_ctx, query_bio)))
goto end;
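Review bot: `resp_ctx->md=md;` writes the context member directly from the application, while the line just above configures the context through a library call whose return value is checked. A small setter in the TS library, next to the existing TS_RESP_CTX setters, would keep the structure opaque to callers and give one place to reject a NULL or unsuitable digest. The added comment has a typo and should read `/* Setting the message digest algorithm for signing. */`. create_response's body starts and ends outside the hunk.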
--- crypto/ts/ts.h.orig 2014-01-06 22:47:42.000000000 +0900
+++ crypto/ts/ts.h 2014-03-23 23:40:47.743527800 +0900
@@ -526,6 +526,9 @@
TS_REQ *request;
TS_RESP *response;
TS_TST_INFO *tst_info;
+
+ /* Message digest algorithm for signing. */
+ const EVP_MD *md;
} TS_RESP_CTX;
DECLARE_STACK_OF(EVP_MD)
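Review bot: The comment on the new `md` member does not say what a NULL value means or who owns the pointer, and TS_RESP_CTX is declared in a public header, so other programs will see this field. I would document it as `/* Digest used to sign the response; NULL selects the default (SHA-1). Not owned by the context. */`, assuming the signing code is made to honour that default. The struct definition begins outside the hunk.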
--- crypto/ts/ts_rsp_sign.c.orig 2014-01-06 22:47:42.000000000 +0900
+++ crypto/ts/ts_rsp_sign.c 2014-03-23 23:45:14.353694900 +0900
@@ -749,7 +749,7 @@
/* Add a new signer info. */
if (!(si = PKCS7_add_signature(p7, ctx->signer_cert,
- ctx->signer_key, EVP_sha1())))
+ ctx->signer_key, ctx->md)))
{
TSerr(TS_F_TS_RESP_SIGN, TS_R_PKCS7_ADD_SIGNATURE_ERROR);
goto err;
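Review bot: `ctx->md` is passed straight to PKCS7_add_signature, but only apps/ts.c assigns it in this patch, so any other user of the TS library would presumably pass NULL where `EVP_sha1()` was passed before. What PKCS7_add_signature does with a NULL digest is not visible here, so the previous behaviour should be kept explicitly: `ctx->signer_key, ctx->md ? ctx->md : EVP_sha1())))`. That also makes the default in the library the single source of truth, rather than relying on the command-line tool to fill it in. The enclosing function starts and ends outside the hunk.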