author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2019-04-15 14:32:55 +0200 |
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-04-20 17:12:44 +0200 |
commit | d3ee878e02d9804787179993de513d27b3e53f80 (patch) | |
tree | f7a984199cc1382d8261501f479de0b3eb318361 /src | |
parent | c951c13f3814e02fc2df7ce8b2408337d3770660 (diff) | |
download | gnutls-d3ee878e02d9804787179993de513d27b3e53f80.tar.gz |
certtool: generate RSA-PSS certificates from RSA keys
When generating certificates it was not possible to generate
an RSA-PSS certificate from an RSA key (common scenario). This
fixes certificate generation to support that combination.
Ironically there was a test for this scenario but the test
was limited to checking that the combination of certtool parameters
succeeded; modified the test to check the textual expression of
the certificate for the RSA-PSS indicators.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/certtool-args.def | 4 | ||||
-rw-r--r-- | src/certtool.c | 52 |
2 files changed, 40 insertions, 16 deletions
diff --git a/src/certtool-args.def b/src/certtool-args.def
index 27ca2c8ed4..35741a21c8 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -200,7 +200,9 @@ flag = {
 arg-type = string;
 descrip = "Specify the key type to use on key generation";
 doc = "This option can be combined with --generate-privkey, to specify
-the key type to be generated. Valid options are, 'rsa', 'rsa-pss', 'dsa', 'ecdsa', and 'ed25519'.";
+the key type to be generated. Valid options are, 'rsa', 'rsa-pss', 'dsa', 'ecdsa', and 'ed25519'.
+When combined with certificate generation it can be used to specify an
+RSA-PSS certificate when an RSA key is given.";
 };
 flag = {
diff --git a/src/certtool.c b/src/certtool.c
index 11dc27a6fd..4d2b7c6a98 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -128,6 +128,21 @@ int main(int argc, char **argv)
 return 0;
 }
+#define SET_SPKI_PARAMS(spki, cinfo) \
+ do { \
+ unsigned _salt_size; \
+ if (!cinfo->hash) { \
+ fprintf(stderr, "You must provide the hash algorithm and optionally the salt size for RSA-PSS\n"); \
+ app_exit(1); \
+ } \
+ if (HAVE_OPT(SALT_SIZE)) { \
+ _salt_size = OPT_VALUE_SALT_SIZE; \
+ } else { \
+ _salt_size = gnutls_hash_get_len(cinfo->hash); \
+ } \
+ gnutls_x509_spki_set_rsa_pss_params(spki, cinfo->hash, _salt_size); \
+ } while(0)
+
 static gnutls_x509_privkey_t
 generate_private_key_int(common_info_st * cinfo)
 {
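Review bot: SET_SPKI_PARAMS is a do/while statement macro where a `static` helper would do the same job with type checking on spki and cinfo and without expanding cinfo four times; both users (the replaced block in generate_private_key_int and the new RSA branch in generate_certificate) call it as a plain statement, so nothing here needs macro expansion. The error path is unchanged from the removed inline code: a missing --hash terminates through app_exit(1), which the helper keeps. OPT_VALUE_SALT_SIZE is still copied into an unsigned without a range check, as before; presumably the library rejects an unusable salt length when the key is used, so a one-line comment saying so would save the next reader a lookup. A function form is below.
```c
/* Apply the --hash and --salt-size options to spki as RSA-PSS parameters.
 * Exits through app_exit(1) when --hash is missing, as the inline code did. */
static void set_spki_params(gnutls_x509_spki_t spki, common_info_st *cinfo)
{
	unsigned salt_size;

	if (!cinfo->hash) {
		fprintf(stderr, "You must provide the hash algorithm and optionally the salt size for RSA-PSS\n");
		app_exit(1);
	}

	if (HAVE_OPT(SALT_SIZE))
		salt_size = OPT_VALUE_SALT_SIZE;
	else
		salt_size = gnutls_hash_get_len(cinfo->hash);

	gnutls_x509_spki_set_rsa_pss_params(spki, cinfo->hash, salt_size);
}
```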
@@ -220,20 +235,8 @@ generate_private_key_int(common_info_st * cinfo)
 }
 if (key_type == GNUTLS_PK_RSA_PSS && (cinfo->hash || HAVE_OPT(SALT_SIZE))) {
- unsigned salt_size;
-
- if (!cinfo->hash) {
- fprintf(stderr, "You must provide the hash algorithm and optionally the salt size for RSA-PSS\n");
- app_exit(1);
- }
-
- if (HAVE_OPT(SALT_SIZE)) {
- salt_size = OPT_VALUE_SALT_SIZE;
- } else {
- salt_size = gnutls_hash_get_len(cinfo->hash);
- }
- gnutls_x509_spki_set_rsa_pss_params(spki, cinfo->hash, salt_size);
+ SET_SPKI_PARAMS(spki, cinfo);
 kdata[kdata_size].type = GNUTLS_KEYGEN_SPKI;
 kdata[kdata_size].data = (void*)spki;
@@ -308,6 +311,7 @@ generate_certificate(gnutls_privkey_t * ret_key,
 common_info_st * cinfo)
 {
 gnutls_x509_crt_t crt;
+ gnutls_x509_spki_t spki;
 gnutls_privkey_t key = NULL;
 gnutls_pubkey_t pubkey;
 size_t size;
@@ -715,11 +719,10 @@ generate_certificate(gnutls_privkey_t * ret_key,
 app_exit(1);
 }
+ /* Set algorithm parameter restriction in CAs. */
 if (pk == GNUTLS_PK_RSA_PSS && ca_status && key) {
- gnutls_x509_spki_t spki;
-
 result = gnutls_x509_spki_init(&spki);
 if (result < 0) {
 fprintf(stderr, "spki_init: %s\n",
@@ -738,6 +741,25 @@ generate_certificate(gnutls_privkey_t * ret_key,
 }
 gnutls_x509_spki_deinit(spki);
+
+ } else if (pk == GNUTLS_PK_RSA && req_key_type == GNUTLS_PK_RSA_PSS) {
+ result = gnutls_x509_spki_init(&spki);
+ if (result < 0) {
+ fprintf(stderr, "spki_init: %s\n",
+ gnutls_strerror(result));
+ app_exit(1);
+ }
+
+ SET_SPKI_PARAMS(spki, cinfo);
+
+ result = gnutls_x509_crt_set_spki(crt, spki, 0);
+ if (result < 0) {
+ fprintf(stderr, "error setting RSA-PSS SPKI information: %s\n",
+ gnutls_strerror(result));
+ app_exit(1);
+ }
+
+ gnutls_x509_spki_deinit(spki);
 }
 *ret_key = key;
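Review bot: The new `else if` branch in the last hunk duplicates the spki init, error-report and deinit scaffolding of the RSA-PSS CA branch above it, differing only in the call that fills in the parameters; now that spki is a function-scope variable, one init/deinit around a small if/else choosing between the CA restriction and `SET_SPKI_PARAMS(spki, cinfo);` would keep the two paths from drifting. The condition mixes the key's actual algorithm (pk) with the requested one (req_key_type, assigned somewhere outside this hunk), so it deserves a comment, e.g. `/* Plain RSA key but --key-type rsa-pss was requested: mark the certificate's SubjectPublicKeyInfo as RSA-PSS using the --hash and --salt-size options; SET_SPKI_PARAMS exits if --hash is missing. */`. generate_certificate continues beyond the hunk on both sides.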