static int acert()
{
cred_encoding_type_t form = CERT_ASN1_DER;
- hash_algorithm_t digest = HASH_SHA256;
+ hash_algorithm_t digest = HASH_UNKNOWN;
certificate_t *ac = NULL, *cert = NULL, *issuer =NULL;
private_key_t *private = NULL;
public_key_t *public = NULL;
error = "loading issuer private key failed";
goto end;
}
+ if (digest == HASH_UNKNOWN)
+ {
+ digest = get_default_digest(private);
+ }
if (!private->belongs_to(private, public))
{
error = "issuer private key does not match issuer certificate";
{"not-before", 'F', 1, "date/time the validity of the AC starts"},
{"not-after", 'T', 1, "date/time the validity of the AC ends"},
{"dateform", 'D', 1, "strptime(3) input format, default: %d.%m.%y %T"},
- {"digest", 'g', 1, "digest for signature creation, default: sha256"},
+ {"digest", 'g', 1, "digest for signature creation, default: key-specific"},
{"outform", 'f', 1, "encoding of generated cert, default: der"},
}
});
static int issue()
{
cred_encoding_type_t form = CERT_ASN1_DER;
- hash_algorithm_t digest = HASH_SHA256;
+ hash_algorithm_t digest = HASH_UNKNOWN;
certificate_t *cert_req = NULL, *cert = NULL, *ca =NULL;
private_key_t *private = NULL;
public_key_t *public = NULL;
error = "loading CA private key failed";
goto end;
}
+ if (digest == HASH_UNKNOWN)
+ {
+ digest = get_default_digest(private);
+ }
if (!private->belongs_to(private, public))
{
error = "CA private key does not match CA certificate";
{"crl", 'u', 1, "CRL distribution point URI to include"},
{"crlissuer", 'I', 1, "CRL Issuer for CRL at distribution point"},
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
- {"digest", 'g', 1, "digest for signature creation, default: sha256"},
+ {"digest", 'g', 1, "digest for signature creation, default: key-specific"},
{"outform", 'f', 1, "encoding of generated cert, default: der"},
}
});
{
cred_encoding_type_t form = CERT_ASN1_DER;
key_type_t type = KEY_RSA;
- hash_algorithm_t digest = HASH_SHA256;
+ hash_algorithm_t digest = HASH_UNKNOWN;
certificate_t *cert = NULL;
private_key_t *private = NULL;
char *file = NULL, *dn = NULL, *error = NULL;
error = "parsing private key failed";
goto end;
}
+ if (digest == HASH_UNKNOWN)
+ {
+ digest = get_default_digest(private);
+ }
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST,
BUILD_SIGNING_KEY, private,
BUILD_SUBJECT, id,
{"dn", 'd', 1, "subject distinguished name"},
{"san", 'a', 1, "subjectAltName to include in cert request"},
{"password",'p', 1, "challengePassword to include in cert request"},
- {"digest", 'g', 1, "digest for signature creation, default: sha256"},
+ {"digest", 'g', 1, "digest for signature creation, default: key-specific"},
{"outform", 'f', 1, "encoding of generated request, default: der"},
}
});
{
cred_encoding_type_t form = CERT_ASN1_DER;
key_type_t type = KEY_RSA;
- hash_algorithm_t digest = HASH_SHA256;
+ hash_algorithm_t digest = HASH_UNKNOWN;
certificate_t *cert = NULL;
private_key_t *private = NULL;
public_key_t *public = NULL;
error = "loading private key failed";
goto end;
}
+ if (digest == HASH_UNKNOWN)
+ {
+ digest = get_default_digest(private);
+ }
public = private->get_public_key(private);
if (!public)
{
{"policy-any", 'A', 1, "inhibitAnyPolicy constraint"},
{"flag", 'e', 1, "include extendedKeyUsage flag"},
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
- {"digest", 'g', 1, "digest for signature creation, default: sha256"},
+ {"digest", 'g', 1, "digest for signature creation, default: key-specific"},
{"outform", 'f', 1, "encoding of generated cert, default: der"},
}
});
certificate_t *ca = NULL, *crl = NULL;
crl_t *lastcrl = NULL;
x509_t *x509;
- hash_algorithm_t digest = HASH_SHA256;
+ hash_algorithm_t digest = HASH_UNKNOWN;
char *arg, *cacert = NULL, *cakey = NULL, *lastupdate = NULL, *error = NULL;
char *basecrl = NULL;
char serial[512], *keyid = NULL;
error = "loading CA private key failed";
goto error;
}
+ if (digest == HASH_UNKNOWN)
+ {
+ digest = get_default_digest(private);
+ }
if (!private->belongs_to(private, public))
{
error = "CA private key does not match CA certificate";
{"serial", 's', 1, "hex encoded certificate serial number to revoke"},
{"reason", 'r', 1, "reason for certificate revocation"},
{"date", 'd', 1, "revocation date as unix timestamp, default: now"},
- {"digest", 'g', 1, "digest for signature creation, default: sha256"},
+ {"digest", 'g', 1, "digest for signature creation, default: key-specific"},
{"outform", 'f', 1, "encoding of generated crl, default: der"},
}
});
.TP
.BI "\-g, \-\-digest " digest
Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
-\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
-\fIsha256\fR.
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
+determined based on the type and size of the signature key.
.TP
.BI "\-f, \-\-outform " encoding
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
.TP
.BI "\-g, \-\-digest " digest
Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
-\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
-\fIsha256\fR.
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
+determined based on the type and size of the signature key.
.TP
.BI "\-f, \-\-outform " encoding
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
.TP
.BI "\-g, \-\-digest " digest
Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
-\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
-\fIsha256\fR.
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
+determined based on the type and size of the signature key.
.TP
.BI "\-f, \-\-outform " encoding
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
.TP
.BI "\-g, \-\-digest " digest
Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
-\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
-\fIsha256\fR.
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
+determined based on the type and size of the signature key.
.TP
.BI "\-f, \-\-outform " encoding
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
.TP
.BI "\-g, \-\-digest " digest
Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
-\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
-\fIsha256\fR.
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
+determined based on the type and size of the signature key.
.TP
.BI "\-f, \-\-outform " encoding
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
#endif
}
+/*
+ * Described in header
+ */
+hash_algorithm_t get_default_digest(private_key_t *private)
+{
+ enumerator_t *enumerator;
+ signature_scheme_t scheme;
+ hash_algorithm_t alg = HASH_UNKNOWN;
+
+ enumerator = signature_schemes_for_key(private->get_type(private),
+ private->get_keysize(private));
+ if (enumerator->enumerate(enumerator, &scheme))
+ {
+ alg = hasher_from_signature_scheme(scheme);
+ }
+ enumerator->destroy(enumerator);
+
+ /* default to SHA-256 */
+ return alg == HASH_UNKNOWN ? HASH_SHA256 : alg;
+}
+
/**
* Callback credential set pki uses
*/
*/
void set_file_mode(FILE *stream, cred_encoding_type_t enc);
+/**
+ * Select default digest for signatures with the given key
+ *
+ * @param private private key
+ * @return hash algorithm
+ */
+hash_algorithm_t get_default_digest(private_key_t *private);
+
#endif /** PKI_H_ @}*/
projects / strongswan.git / commitdiff