diff options
| author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-09-07 09:21:16 +0200 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-09-08 08:55:38 +0200 |
| commit | 982e96633c2b76853cf8c129cdcac1a066f7139d (patch) | |
| tree | 0bfe5fb165ce55ffe3a2fe98ef3fac8ab9eaa972 | |
| parent | d4f53725183006498aca205c35aea0dbf1e7ad1d (diff) | |
| download | gnutls-982e96633c2b76853cf8c129cdcac1a066f7139d.tar.gz | |
gnutls_x509_crq_sign: no longer sign with SHA1
Modify the behavior of the functions to sign with an appropriate
to the public key hash algorithm. That although it modifies the
semantics of the functions, it allows them to be useful even after
SHA1 is considered insecure.
In addition to that, the functions which accept a hash algorithm, will
accept a null hash, which instructs the function to select a
reasonable choice.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| -rw-r--r-- | lib/x509/crq.c | 29 |
1 files changed, 28 insertions, 1 deletions
diff --git a/lib/x509/crq.c b/lib/x509/crq.c index b73096a307..96e0a3265b 100644 --- a/lib/x509/crq.c +++ b/lib/x509/crq.c @@ -876,6 +876,9 @@ gnutls_x509_crq_set_challenge_password(gnutls_x509_crq_t crq, * This must be the last step in a certificate request generation * since all the previously set parameters are now signed. * + * After GnuTLS 3.6.1 the value of @dig may be %GNUTLS_DIG_UNKNOWN, + * and in that case, a suitable but reasonable for the key algorithm will be selected. + * * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code. * %GNUTLS_E_ASN1_VALUE_NOT_FOUND is returned if you didn't set all * information in the certificate request (e.g., the version using @@ -935,7 +938,7 @@ gnutls_x509_crq_sign2(gnutls_x509_crq_t crq, gnutls_x509_privkey_t key, */ int gnutls_x509_crq_sign(gnutls_x509_crq_t crq, gnutls_x509_privkey_t key) { - return gnutls_x509_crq_sign2(crq, key, GNUTLS_DIG_SHA1, 0); + return gnutls_x509_crq_sign2(crq, key, 0, 0); } /** @@ -2541,6 +2544,9 @@ gnutls_x509_crq_get_key_id(gnutls_x509_crq_t crq, unsigned int flags, * This must be the last step in a certificate request generation * since all the previously set parameters are now signed. * + * After GnuTLS 3.6.1 the value of @dig may be %GNUTLS_DIG_UNKNOWN, + * and in that case, a suitable but reasonable for the key algorithm will be selected. + * * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code. * %GNUTLS_E_ASN1_VALUE_NOT_FOUND is returned if you didn't set all * information in the certificate request (e.g., the version using @@ -2575,6 +2581,27 @@ gnutls_x509_crq_privkey_sign(gnutls_x509_crq_t crq, gnutls_privkey_t key, } } + if (dig == 0) { + /* attempt to find a reasonable choice */ + gnutls_pubkey_t pubkey; + int ret; + + ret = gnutls_pubkey_init(&pubkey); + if (ret < 0) + return gnutls_assert_val(ret); + + ret = gnutls_pubkey_import_privkey(pubkey, key, 0, 0); + if (ret < 0) { + gnutls_pubkey_deinit(pubkey); + return gnutls_assert_val(ret); + } + ret = gnutls_pubkey_get_preferred_hash_algorithm(pubkey, &dig, NULL); + gnutls_pubkey_deinit(pubkey); + + if (ret < 0) + return gnutls_assert_val(ret); + } + result = _gnutls_privkey_get_spki_params(key, ¶ms); if (result < 0) { gnutls_assert(); |