author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-07-26 14:43:15 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-08-04 09:38:27 +0200 |
commit | 7bfbbb9294c460b841ed6051727be2beb46028f4 (patch) | |
tree | de8b7fd20802c43a1f9e323835365fcc10f315f1 | |
parent | c4ca8205b49289366b1d1722e79a45bd4dcb66e1 (diff) | |
download | gnutls-7bfbbb9294c460b841ed6051727be2beb46028f4.tar.gz |
certtool: allow specifying RSA-PSS parameters for key generation
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | src/certtool-args.def | 11 | ||||
-rw-r--r-- | src/certtool.c | 33 |
2 files changed, 30 insertions, 14 deletions
diff --git a/src/certtool-args.def b/src/certtool-args.def
index 2d045d1123..fcb895e829 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -181,7 +181,9 @@ flag = {
 name = generate-privkey;
 value = p;
 descrip = "Generate a private key";
- doc = "";
+ doc = "When generating RSA-PSS private keys, the --hash option will
+restrict the allowed hash for the key; in the same keys the --salt-size
+option is also acceptable.";
 };
 flag = {
@@ -564,6 +566,13 @@ flag = {
 };
 flag = {
+ name = salt-size;
+ arg-type = number;
+ descrip = "Specify the RSA-PSS key default salt size";
+ doc = "Typical keys shouldn't set or restrict this option.";
+};
+
+flag = {
 name = inder;
 descrip = "Use DER format for input certificates, private keys, and DH parameters ";
 disabled;
diff --git a/src/certtool.c b/src/certtool.c
index c92095a497..e4421c2dd1 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -135,6 +135,8 @@ generate_private_key_int(common_info_st * cinfo)
 int ret, key_type, bits;
 unsigned provable = cinfo->provable;
 unsigned flags = 0;
+ gnutls_keygen_data_st kdata[8];
+ unsigned kdata_size = 0;
 key_type = req_key_type;
@@ -188,12 +190,15 @@ generate_private_key_int(common_info_st * cinfo)
 }
 }
- if (cinfo->seed_size > 0) {
- gnutls_keygen_data_st data;
+ if (HAVE_OPT(SALT_SIZE)) {
+ kdata[kdata_size].type = GNUTLS_KEYGEN_RSA_PSS_SALT_SIZE;
+ kdata[kdata_size++].size = OPT_VALUE_SALT_SIZE;
+ }
- data.type = GNUTLS_KEYGEN_SEED;
- data.data = (void*)cinfo->seed;
- data.size = cinfo->seed_size;
+ if (cinfo->seed_size > 0) {
+ kdata[kdata_size].type = GNUTLS_KEYGEN_SEED;
+ kdata[kdata_size].data = (void*)cinfo->seed;
+ kdata[kdata_size++].size = cinfo->seed_size;
 if (GNUTLS_PK_IS_RSA(key_type)) {
 if ((bits == 3072 && cinfo->seed_size != 32) || (bits == 2048 && cinfo->seed_size != 28)) {
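Review bot: `gnutls_keygen_data_st kdata[8];` in the first certtool.c hunk has no initialiser, and the entries filled in later for the salt size and the digest assign only `.type` and `.size`, so their `.data` pointer is indeterminate when the array is handed to gnutls_x509_privkey_generate2(). Whether the library reads `.data` for those entry types cannot be seen from this diff, but clearing the array removes the question: `memset(kdata, 0, sizeof(kdata));` right after the declarations. A one-line comment saying that the array holds optional key-generation parameters and that `kdata_size` counts the filled entries would also help; the function body continues outside the hunk.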
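Review bot: The `--salt-size` value is stored unchecked at `kdata[kdata_size++].size = OPT_VALUE_SALT_SIZE;`, and the new flag in certtool-args.def is a plain `arg-type = number` with no range. If `.size` is an unsigned field, as the other assignments to it suggest, a negative number on the command line becomes a very large salt size and the outcome depends entirely on how the library validates it. Reject the value in certtool before filling the entry, starting from `if (OPT_VALUE_SALT_SIZE < 0)` with an error message and exit, or constrain the option with an `arg-range` in the flag definition. The enclosing function starts and ends outside this hunk.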
@@ -205,17 +210,19 @@ generate_private_key_int(common_info_st * cinfo)
 }
 }
- ret = gnutls_x509_privkey_generate2(key, key_type, bits, GNUTLS_PRIVKEY_FLAG_PROVABLE, &data, 1);
- } else {
- gnutls_keygen_data_st data;
+ flags |= GNUTLS_PRIVKEY_FLAG_PROVABLE;
+ }
- data.type = GNUTLS_KEYGEN_DIGEST;
- data.size = default_dig;
+ if (default_dig) {
+ kdata[kdata_size].type = GNUTLS_KEYGEN_RSA_PSS_DIGEST;
+ kdata[kdata_size++].size = default_dig;
- if (provable)
- flags |= GNUTLS_PRIVKEY_FLAG_PROVABLE;
- ret = gnutls_x509_privkey_generate2(key, key_type, bits, flags, &data, 1);
 }
+
+ if (provable)
+ flags |= GNUTLS_PRIVKEY_FLAG_PROVABLE;
+
+ ret = gnutls_x509_privkey_generate2(key, key_type, bits, flags, kdata, kdata_size);
 if (ret < 0) {
 fprintf(stderr, "privkey_generate: %s\n", gnutls_strerror(ret)); |
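Review bot: The digest entry is appended under `if (default_dig)` for every key type, and the salt-size entry added earlier in the function is not tied to the key type either, although both are RSA-PSS parameters. If gnutls_x509_privkey_generate2() ignores them for other algorithms (not visible from this diff), a user who passes `--salt-size` with a non-PSS key gets an unrestricted key and no diagnostic. Consider gating both entries on `key_type == GNUTLS_PK_RSA_PSS` and reporting an error when `--salt-size` is given for any other key type. Separately, `flags |= GNUTLS_PRIVKEY_FLAG_PROVABLE` is now set inside the seed branch and again under `if (provable)`. This is harmless, but a short comment that a supplied seed implies provable generation would explain the duplication. The function continues beyond the hunk.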