pki: Query private key for supported signature schemes
authorTobias Brunner <tobias@strongswan.org>
Fri, 12 Oct 2018 09:35:09 +0000 (11:35 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 26 Oct 2018 07:03:26 +0000 (09:03 +0200)
src/pki/commands/acert.c
src/pki/commands/issue.c
src/pki/commands/req.c
src/pki/commands/self.c
src/pki/commands/signcrl.c
src/pki/pki.c
src/pki/pki.h

index d1ea5c6..4cbe06c 100644 (file)
@@ -228,6 +228,11 @@ static int acert()
                goto end;
        }
        scheme = get_signature_scheme(private, digest, pss);
+       if (!scheme)
+       {
+               error = "no signature scheme found";
+               goto end;
+       }
 
        ac = lib->creds->create(lib->creds,
                                                        CRED_CERTIFICATE, CERT_X509_AC,
index 1ccbca8..b117fa1 100644 (file)
@@ -536,6 +536,11 @@ static int issue()
                                                                                chunk_from_chars(ASN1_SEQUENCE, 0));
        }
        scheme = get_signature_scheme(private, digest, pss);
+       if (!scheme)
+       {
+               error = "no signature scheme found";
+               goto end;
+       }
 
        cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
                                        BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca,
index cfddbc4..8f5380a 100644 (file)
@@ -168,6 +168,11 @@ static int req()
                goto end;
        }
        scheme = get_signature_scheme(private, digest, pss);
+       if (!scheme)
+       {
+               error = "no signature scheme found";
+               goto end;
+       }
 
        cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST,
                                                          BUILD_SIGNING_KEY, private,
index 6f7adef..a08ee99 100644 (file)
@@ -378,6 +378,11 @@ static int self()
                rng->destroy(rng);
        }
        scheme = get_signature_scheme(private, digest, pss);
+       if (!scheme)
+       {
+               error = "no signature scheme found";
+               goto end;
+       }
 
        cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
                                                BUILD_SIGNING_KEY, private, BUILD_PUBLIC_KEY, public,
index ca208a5..a399d21 100644 (file)
@@ -399,6 +399,12 @@ static int sign_crl()
        chunk_increment(crl_serial);
 
        scheme = get_signature_scheme(private, digest, pss);
+       if (!scheme)
+       {
+               error = "no signature scheme found";
+               goto error;
+       }
+
        enumerator = enumerator_create_filter(list->create_enumerator(list),
                                                                                  filter, NULL, NULL);
        crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
index ec60f7d..e647cea 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2017 Tobias Brunner
+ * Copyright (C) 2012-2018 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -264,7 +264,30 @@ static hash_algorithm_t get_default_digest(private_key_t *private)
 signature_params_t *get_signature_scheme(private_key_t *private,
                                                                                 hash_algorithm_t digest, bool pss)
 {
-       signature_params_t *scheme;
+       signature_params_t *scheme, *selected = NULL;
+       enumerator_t *enumerator;
+
+       if (private->supported_signature_schemes)
+       {
+               enumerator = private->supported_signature_schemes(private);
+               while (enumerator->enumerate(enumerator, &scheme))
+               {
+                       if (private->get_type(private) == KEY_RSA &&
+                               pss != (scheme->scheme == SIGN_RSA_EMSA_PSS))
+                       {
+                               continue;
+                       }
+                       if (digest == HASH_UNKNOWN ||
+                               digest == hasher_from_signature_scheme(scheme->scheme,
+                                                                                                          scheme->params))
+                       {
+                               selected = signature_params_clone(scheme);
+                               break;
+                       }
+               }
+               enumerator->destroy(enumerator);
+               return selected;
+       }
 
        if (digest == HASH_UNKNOWN)
        {
index 3f0793c..3976c33 100644 (file)
@@ -65,7 +65,8 @@ void set_file_mode(FILE *stream, cred_encoding_type_t enc);
  * @param digest       hash algorithm (if HASH_UNKNOWN a default is determined
  *                                     based on the key)
  * @param pss          use PSS padding for RSA keys
- * @return                     allocated signature scheme and parameters
+ * @return                     allocated signature scheme and parameters (NULL if none
+ *                                     found)
  */
 signature_params_t *get_signature_scheme(private_key_t *private,
                                                                                 hash_algorithm_t digest, bool pss);