-rw-r--r-- | src/certtool-args.def | 10 | ||||
-rw-r--r-- | src/certtool.c | 20 | ||||
-rwxr-xr-x | tests/cert-tests/certtool-rsa-pss | 2 |
3 files changed, 23 insertions, 9 deletions
diff --git a/src/certtool-args.def b/src/certtool-args.def
index 4e1a9ea729..437ecbef74 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -464,10 +464,12 @@ flag = {
 };
 flag = {
- name = rsa-pss-sign;
- descrip = "Sign certificate with RSA-PSS";
- doc = "This option can be combined with --generate-certificate, to sign the certificate with the RSA-PSS padding scheme.
-That is required when the signer does not have a certificate which is marked for RSA-PSS use only.";
+ name = sign-params;
+ arg-type = string;
+ descrip = "Sign a certificate with a specific signature algorithm";
+ doc = "This option can be combined with --generate-certificate, to sign the certificate with
+a specific signature algorithm variant. The only option supported is
+'RSA-PSS', and should be specified when the signer does not have a certificate which is marked for RSA-PSS use only.";
 };
 flag = {
diff --git a/src/certtool.c b/src/certtool.c
index 27604b32b6..a6aca6f116 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -988,7 +988,7 @@ static void generate_proxy_certificate(common_info_st * cinfo)
 fprintf(stdlog, "\n\nSigning certificate...\n");
 if (cinfo->rsa_pss_sign)
- flags = GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS;
+ flags |= GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS;
 result = gnutls_x509_crt_privkey_sign(crt, eecrt, eekey, get_dig(eecrt),
@@ -1082,7 +1082,7 @@ static void update_signed_certificate(common_info_st * cinfo)
 fprintf(stderr, "\n\nSigning certificate...\n");
 if (cinfo->rsa_pss_sign)
- flags = GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS;
+ flags |= GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS;
 result = gnutls_x509_crt_privkey_sign(crt, ca_crt, ca_key,
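Review bot: The `rsa-pss-sign` option is removed outright in this hunk instead of being kept as a deprecated alias of `sign-params`, so any existing script or CI job that passes `--rsa-pss-sign` will now fail with an unrecognized-option error; the in-tree test is updated in the next file, but out-of-tree callers are not. If the old option has shipped in a release, consider keeping the name as an alias that maps to `sign-params rsa-pss`, or at least documenting the rename where users will see it. The new doc string also quotes the value as `'RSA-PSS'` while the updated test passes lowercase `rsa-pss`; since the parser added in certtool.c compares with strcasecmp, saying so here would remove the ambiguity: `The value is matched case-insensitively, so 'rsa-pss' and 'RSA-PSS' are equivalent.`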
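Review bot: Turning `flags = GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS;` into `flags |= …` makes the value passed to gnutls_x509_crt_privkey_sign depend on whatever `flags` already held, and the declaration of `flags` is outside this hunk; if it is declared without an initializer, the OR reads an indeterminate value, which is undefined behavior and could silently hand stray sign flags to the signing call. Please confirm the declaration in generate_proxy_certificate is zero-initialized, e.g. `unsigned int flags = 0;` (or whatever type the file already uses), and apply the same check to update_signed_certificate, which the -1082 hunk changes identically. Both function bodies start and end outside the hunks shown here.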
@@ -1105,6 +1105,18 @@ static void update_signed_certificate(common_info_st * cinfo)
 gnutls_x509_crt_deinit(crt);
 }
+static
+void sign_params_to_flags(common_info_st *cinfo, const char *params)
+{
+ if (strcasecmp(params, "rsa-pss") == 0) {
+ cinfo->rsa_pss_sign = 1;
+ return;
+ }
+
+ fprintf(stderr, "Unknown signature parameters: %s\n", params);
+ app_exit(1);
+}
+
 static void cmd_parser(int argc, char **argv)
 {
 int ret, privkey_op = 0;
@@ -1332,8 +1344,8 @@ static void cmd_parser(int argc, char **argv)
 cinfo.password = "";
 }
- if (HAVE_OPT(RSA_PSS_SIGN))
- cinfo.rsa_pss_sign = 1;
+ if (HAVE_OPT(SIGN_PARAMS))
+ sign_params_to_flags(&cinfo, OPT_ARG(SIGN_PARAMS));
 if (HAVE_OPT(GENERATE_SELF_SIGNED))
 generate_self_signed(&cinfo);
diff --git a/tests/cert-tests/certtool-rsa-pss b/tests/cert-tests/certtool-rsa-pss
index 230fc34a0d..174e11f3e5 100755
--- a/tests/cert-tests/certtool-rsa-pss
+++ b/tests/cert-tests/certtool-rsa-pss
@@ -98,7 +98,7 @@ if test "${rc}" != "0"; then
 fi
 # Create an RSA certificate from an RSA key, and sign it with RSA-PSS
-${VALGRIND} "${CERTTOOL}" --generate-certificate --rsa --rsa-pss-sign \
+${VALGRIND} "${CERTTOOL}" --generate-certificate --rsa --sign-params rsa-pss \
 --load-privkey "${srcdir}/../../doc/credentials/x509/key-rsa.pem" \
 --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \
 --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \
 |
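Review bot: The new `sign_params_to_flags` carries no comment stating its contract, and its name suggests it computes a flag set, whereas it only sets `cinfo->rsa_pss_sign` and terminates the process via app_exit(1) on any other value; a header comment would spare the next reader a trip through cmd_parser: `/* Parse the --sign-params value into cinfo. Only "rsa-pss" (compared case-insensitively) is accepted; any other value is a fatal usage error. */`. Because the match is `strcasecmp`, the certtool-args.def text that quotes the value as 'RSA-PSS' and the test that passes `rsa-pss` are both valid, but that equivalence should be stated in one authoritative place rather than left to be inferred. `strcasecmp` is declared in `<strings.h>` (POSIX, not ISO C); the includes are outside this hunk, so please confirm the header is already pulled in or that the build relies on gnulib's replacement, otherwise this compiles only via an implicit declaration on some toolchains.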