diff options
| author | Petr Písař <petr.pisar@atlas.cz> | 2012-07-26 16:18:44 +0200 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-08-02 01:21:34 +0200 |
| commit | 7a7921a3d127a7d0b75fa2c8376e1fd683ef9e12 (patch) | |
| tree | eb42641412ddbf60fe4f2f34f9e328b15c25a2d5 | |
| parent | 4e3dde7d1324efc0f7db722e2f78fc9b5572a060 (diff) | |
| download | gnutls-7a7921a3d127a7d0b75fa2c8376e1fd683ef9e12.tar.gz | |
Respect certtool --hash when signing request and CRL
The certtool hard-codes the digest algorithm despite '--hash' option exists.
This patch allows user to choose the algorithm when signing certificate
request or certificate revocation list.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
| -rw-r--r-- | src/certtool.c | 39 |
1 files changed, 24 insertions, 15 deletions
diff --git a/src/certtool.c b/src/certtool.c index 59d6155d9a..7cc88d5997 100644 --- a/src/certtool.c +++ b/src/certtool.c @@ -49,8 +49,6 @@ #include "certtool-args.h" #include "certtool-common.h" -#define SIGN_HASH GNUTLS_DIG_SHA256 - static void privkey_info_int (common_info_st*, gnutls_x509_privkey_t key); static void print_crl_info (gnutls_x509_crl_t crl, FILE * out); void pkcs7_info (void); @@ -727,12 +725,32 @@ generate_crl (gnutls_x509_crt_t ca_crt, common_info_st * cinfo) } static gnutls_digest_algorithm_t +get_dig_for_pub (gnutls_pubkey_t pubkey) +{ + gnutls_digest_algorithm_t dig; + int result; + unsigned int mand; + + result = gnutls_pubkey_get_preferred_hash_algorithm (pubkey, &dig, &mand); + if (result < 0) + { + error (EXIT_FAILURE, 0, "crt_get_preferred_hash_algorithm: %s", + gnutls_strerror (result)); + } + + /* if algorithm allows alternatives */ + if (mand == 0 && default_dig != GNUTLS_DIG_UNKNOWN) + dig = default_dig; + + return dig; +} + +static gnutls_digest_algorithm_t get_dig (gnutls_x509_crt_t crt) { gnutls_digest_algorithm_t dig; gnutls_pubkey_t pubkey; int result; - unsigned int mand; gnutls_pubkey_init(&pubkey); @@ -743,19 +761,10 @@ get_dig (gnutls_x509_crt_t crt) gnutls_strerror (result)); } - result = gnutls_pubkey_get_preferred_hash_algorithm (pubkey, &dig, &mand); - if (result < 0) - { - error (EXIT_FAILURE, 0, "crt_get_preferred_hash_algorithm: %s", - gnutls_strerror (result)); - } + dig = get_dig_for_pub (pubkey); gnutls_pubkey_deinit(pubkey); - /* if algorithm allows alternatives */ - if (mand == 0 && default_dig != GNUTLS_DIG_UNKNOWN) - dig = default_dig; - return dig; } @@ -899,7 +908,7 @@ generate_signed_crl (common_info_st * cinfo) crl = generate_crl (ca_crt, cinfo); fprintf (stderr, "\n"); - result = gnutls_x509_crl_privkey_sign(crl, ca_crt, ca_key, SIGN_HASH, 0); + result = gnutls_x509_crl_privkey_sign(crl, ca_crt, ca_key, get_dig (ca_crt), 0); if (result < 0) error (EXIT_FAILURE, 0, "crl_privkey_sign: %s", gnutls_strerror (result)); @@ -1973,7 +1982,7 @@ generate_request (common_info_st * cinfo) if (ret < 0) error (EXIT_FAILURE, 0, "set_key: %s", gnutls_strerror (ret)); - ret = gnutls_x509_crq_privkey_sign (crq, pkey, SIGN_HASH, 0); + ret = gnutls_x509_crq_privkey_sign (crq, pkey, get_dig_for_pub (pubkey), 0); if (ret < 0) error (EXIT_FAILURE, 0, "sign: %s", gnutls_strerror (ret)); |