author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2015-12-16 14:02:56 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2015-12-16 14:57:17 +0100 |
commit | ac3d85c5e79f494282348f385f246b19377f3095 (patch) | |
tree | ecec026ea50fe69c5c00ba2cd0f8e02db80d7531 | |
parent | 4175a579bb4b3cd35fb0a23fbbfe20edb41c34a6 (diff) | |
pkcs7: use the PK_PKIX1_RSA_OID when writing RSA signature OIDs for PKCS#7 structures
That is because there are implementations which cannot cope with the
normal RSA signature OIDs. Relates #59
-rw-r--r-- | lib/x509/crq.c | 2 | ||||
-rw-r--r-- | lib/x509/mpi.c | 10 | ||||
-rw-r--r-- | lib/x509/pkcs7.c | 7 | ||||
-rw-r--r-- | lib/x509/sign.c | 4 | ||||
-rw-r--r-- | lib/x509/x509_int.h | 2 |
5 files changed, 18 insertions, 7 deletions
diff --git a/lib/x509/crq.c b/lib/x509/crq.c index 81daee88fc..825b1b2a4a 100644 --- a/lib/x509/crq.c +++ b/lib/x509/crq.c @@ -2574,7 +2574,7 @@ gnutls_x509_crq_privkey_sign(gnutls_x509_crq_t crq, gnutls_privkey_t key, result = _gnutls_x509_write_sig_params(crq->crq, "signatureAlgorithm", gnutls_privkey_get_pk_algorithm - (key, NULL), dig); + (key, NULL), dig, 0); if (result < 0) { gnutls_assert(); return result; diff --git a/lib/x509/mpi.c b/lib/x509/mpi.c index 536e599e8f..064296bfb5 100644 --- a/lib/x509/mpi.c +++ b/lib/x509/mpi.c @@ -172,11 +172,14 @@ _gnutls_x509_crq_get_mpis(gnutls_x509_crq_t cert, /* * This function writes and encodes the parameters for DSS or RSA keys. * This is the "signatureAlgorithm" fields. + * + * If @legacy is non-zero then the legacy value for PKCS#7 signatures + * will be written for RSA signatures. */ int _gnutls_x509_write_sig_params(ASN1_TYPE dst, const char *dst_name, gnutls_pk_algorithm_t pk_algorithm, - gnutls_digest_algorithm_t dig) + gnutls_digest_algorithm_t dig, unsigned legacy) { int result; char name[128]; @@ -185,7 +188,10 @@ _gnutls_x509_write_sig_params(ASN1_TYPE dst, const char *dst_name, _gnutls_str_cpy(name, sizeof(name), dst_name); _gnutls_str_cat(name, sizeof(name), ".algorithm"); - oid = gnutls_sign_get_oid(gnutls_pk_to_sign(pk_algorithm, dig)); + if (legacy && pk_algorithm == GNUTLS_PK_RSA) + oid = PK_PKIX1_RSA_OID; + else + oid = gnutls_sign_get_oid(gnutls_pk_to_sign(pk_algorithm, dig)); if (oid == NULL) { gnutls_assert(); _gnutls_debug_log diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c index a443cb6b9d..0a4e3f2f65 100644 --- a/lib/x509/pkcs7.c +++ b/lib/x509/pkcs7.c 
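Review bot: In the new `if (legacy && pk_algorithm == GNUTLS_PK_RSA)` branch of `_gnutls_x509_write_sig_params`, `dig` is never consulted, so the `oid == NULL` check that follows can no longer reject a digest that has no RSA signature mapping. Before this change such a value made `gnutls_sign_get_oid(gnutls_pk_to_sign(pk_algorithm, dig))` return NULL and the write failed. Unless every legacy caller validates `dig` itself (not visible here), keep the lookup as a validity check ahead of the assignment, for example testing `gnutls_pk_to_sign(pk_algorithm, dig) == GNUTLS_SIGN_UNKNOWN` and taking the same error path as the existing `oid == NULL` case. The header comment added in the previous hunk could also state that with @legacy the written OID does not identify the hash, so a reader must obtain the digest from another field of the structure. The function body continues outside the hunk.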
@@ -2051,7 +2051,12 @@ int gnutls_pkcs7_sign(gnutls_pkcs7_t pkcs7, /* write the signature algorithm */ pk = gnutls_x509_crt_get_pk_algorithm(signer, NULL); - ret = _gnutls_x509_write_sig_params(pkcs7->signed_data, "signerInfos.?LAST.signatureAlgorithm", pk, dig); + /* RFC5652 is silent on what the values would be and initially I assumed that + * typical signature algorithms should be set. However RFC2315 (PKCS#7) mentions + * that a generic RSA OID should be used. We switch to this "unexpected" value + * because some implementations cannot cope with the "expected" signature values. + */ + ret = _gnutls_x509_write_sig_params(pkcs7->signed_data, "signerInfos.?LAST.signatureAlgorithm", pk, dig, 1); if (ret < 0) { gnutls_assert(); goto cleanup; diff --git a/lib/x509/sign.c b/lib/x509/sign.c index 3b9ceb6c19..4444110247 100644 --- a/lib/x509/sign.c +++ b/lib/x509/sign.c @@ -119,7 +119,7 @@ _gnutls_x509_pkix_sign(ASN1_TYPE src, const char *src_name, result = _gnutls_x509_write_sig_params(src, name, gnutls_privkey_get_pk_algorithm - (issuer_key, NULL), dig); + (issuer_key, NULL), dig, 0); if (result < 0) { gnutls_assert(); return result; @@ -162,7 +162,7 @@ _gnutls_x509_pkix_sign(ASN1_TYPE src, const char *src_name, result = _gnutls_x509_write_sig_params(src, "signatureAlgorithm", gnutls_privkey_get_pk_algorithm - (issuer_key, NULL), dig); + (issuer_key, NULL), dig, 0); if (result < 0) { gnutls_assert(); return result; diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h index e8272c79a4..83e03d689f 100644 --- a/lib/x509/x509_int.h +++ b/lib/x509/x509_int.h @@ -320,7 +320,7 @@ int _gnutls_x509_write_uint32(ASN1_TYPE node, const char *value, int _gnutls_x509_write_sig_params(ASN1_TYPE dst, const char *dst_name, gnutls_pk_algorithm_t pk_algorithm, - gnutls_digest_algorithm_t); + gnutls_digest_algorithm_t, unsigned legacy); /* pkcs12.h */ #include <gnutls/pkcs12.h> |
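Review bot: With the last argument set to `1` in the `gnutls_pkcs7_sign` hunk, an RSA signer's `signerInfos.?LAST.signatureAlgorithm` now carries the generic RSA OID and no longer names the hash, yet nothing in this diff touches the reading side. If the verification code maps that field back to a signature algorithm (not visible here), it has to accept `PK_PKIX1_RSA_OID` and take the hash from the SignerInfo's digest algorithm field, otherwise structures written by this function may fail to verify with the same library. A sign-then-verify test with an RSA key would pin that behaviour. The bare `1` would read better as a named constant or with a trailing `/* legacy */`; the body of `gnutls_pkcs7_sign` starts and ends outside the hunk.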