summaryrefslogtreecommitdiff
path: root/src/certtool.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/certtool.c')
-rw-r--r--src/certtool.c67
1 files changed, 50 insertions, 17 deletions
diff --git a/src/certtool.c b/src/certtool.c
index 11dc27a6fd..6623b86385 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -92,9 +92,11 @@ static gnutls_digest_algorithm_t get_dig(gnutls_x509_crt_t crt, common_info_st *
FILE *outfile;
static const char *outfile_name = NULL; /* to delete on exit */
+#define REQ_KEY_TYPE_DEFAULT GNUTLS_PK_RSA
+
FILE *infile;
static unsigned int incert_format, outcert_format;
-static unsigned int req_key_type = GNUTLS_PK_RSA;
+static unsigned int req_key_type = REQ_KEY_TYPE_DEFAULT;
gnutls_certificate_print_formats_t full_format = GNUTLS_CRT_PRINT_FULL;
/* non interactive operation if set
@@ -128,6 +130,21 @@ int main(int argc, char **argv)
return 0;
}
+#define SET_SPKI_PARAMS(spki, cinfo) \
+ do { \
+ unsigned _salt_size; \
+ if (!cinfo->hash) { \
+ fprintf(stderr, "You must provide the hash algorithm and optionally the salt size for RSA-PSS\n"); \
+ app_exit(1); \
+ } \
+ if (HAVE_OPT(SALT_SIZE)) { \
+ _salt_size = OPT_VALUE_SALT_SIZE; \
+ } else { \
+ _salt_size = gnutls_hash_get_len(cinfo->hash); \
+ } \
+ gnutls_x509_spki_set_rsa_pss_params(spki, cinfo->hash, _salt_size); \
+ } while(0)
+
static gnutls_x509_privkey_t
generate_private_key_int(common_info_st * cinfo)
{
@@ -220,20 +237,8 @@ generate_private_key_int(common_info_st * cinfo)
}
if (key_type == GNUTLS_PK_RSA_PSS && (cinfo->hash || HAVE_OPT(SALT_SIZE))) {
- unsigned salt_size;
-
- if (!cinfo->hash) {
- fprintf(stderr, "You must provide the hash algorithm and optionally the salt size for RSA-PSS\n");
- app_exit(1);
- }
-
- if (HAVE_OPT(SALT_SIZE)) {
- salt_size = OPT_VALUE_SALT_SIZE;
- } else {
- salt_size = gnutls_hash_get_len(cinfo->hash);
- }
- gnutls_x509_spki_set_rsa_pss_params(spki, cinfo->hash, salt_size);
+ SET_SPKI_PARAMS(spki, cinfo);
kdata[kdata_size].type = GNUTLS_KEYGEN_SPKI;
kdata[kdata_size].data = (void*)spki;
@@ -308,6 +313,7 @@ generate_certificate(gnutls_privkey_t * ret_key,
common_info_st * cinfo)
{
gnutls_x509_crt_t crt;
+ gnutls_x509_spki_t spki;
gnutls_privkey_t key = NULL;
gnutls_pubkey_t pubkey;
size_t size;
@@ -715,11 +721,17 @@ generate_certificate(gnutls_privkey_t * ret_key,
app_exit(1);
}
+ if ((HAVE_OPT(KEY_TYPE) || req_key_type != REQ_KEY_TYPE_DEFAULT) && req_key_type != pk) {
+ if (pk != GNUTLS_PK_RSA || req_key_type != GNUTLS_PK_RSA_PSS) {
+ fprintf(stderr, "cannot set certificate type (%s) incompatible with the key (%s)\n",
+ gnutls_pk_get_name(req_key_type), gnutls_pk_get_name(pk));
+ app_exit(1);
+ }
+ }
+
/* Set algorithm parameter restriction in CAs.
*/
if (pk == GNUTLS_PK_RSA_PSS && ca_status && key) {
- gnutls_x509_spki_t spki;
-
result = gnutls_x509_spki_init(&spki);
if (result < 0) {
fprintf(stderr, "spki_init: %s\n",
@@ -738,6 +750,25 @@ generate_certificate(gnutls_privkey_t * ret_key,
}
gnutls_x509_spki_deinit(spki);
+
+ } else if (pk == GNUTLS_PK_RSA && req_key_type == GNUTLS_PK_RSA_PSS) {
+ result = gnutls_x509_spki_init(&spki);
+ if (result < 0) {
+ fprintf(stderr, "spki_init: %s\n",
+ gnutls_strerror(result));
+ app_exit(1);
+ }
+
+ SET_SPKI_PARAMS(spki, cinfo);
+
+ result = gnutls_x509_crt_set_spki(crt, spki, 0);
+ if (result < 0) {
+ fprintf(stderr, "error setting RSA-PSS SPKI information: %s\n",
+ gnutls_strerror(result));
+ app_exit(1);
+ }
+
+ gnutls_x509_spki_deinit(spki);
}
*ret_key = key;
@@ -1235,7 +1266,9 @@ static void cmd_parser(int argc, char **argv)
outcert_format = GNUTLS_X509_FMT_PEM;
/* legacy options */
- if (HAVE_OPT(DSA)) {
+ if (HAVE_OPT(RSA)) {
+ req_key_type = GNUTLS_PK_RSA;
+ } else if (HAVE_OPT(DSA)) {
req_key_type = GNUTLS_PK_DSA;
} else if (HAVE_OPT(ECC)) {
req_key_type = GNUTLS_PK_ECDSA;
View Lorry Controller Status