diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2017-04-21 16:56:34 +0200 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2017-04-25 23:12:34 +0200 |
| commit | 786dd2c22c71081492e209d93beee3ff4fe66357 (patch) | |
| tree | e51ecaa26605856fe4b3bc49fbae576f85566855 /crypto/x509/x509_set.c | |
| parent | Tapify libtestutil a bit better (diff) | |
| download | openssl-786dd2c22c71081492e209d93beee3ff4fe66357.tar.xz openssl-786dd2c22c71081492e209d93beee3ff4fe66357.zip | |
Add support for custom signature parameters
Many signature types define the digest and public key type by a single OID
such as ecdsa_with_sha256.
Some types (RSA-PSS for example) use a single OID to indicate the signature
scheme and additional parameters are encoded in the AlgorithmIdentifier.
Add an X509_SIG_INFO structure to contain details about the signature type:
specifically the digest algorithm, public key algorithm, security bits and
various flags. This supports both existing algorithms and more complex
types.
Add accessors for the structure and a special case that retrieves signature
information from a certificate.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3301)
Diffstat (limited to 'crypto/x509/x509_set.c')
| -rw-r--r-- | crypto/x509/x509_set.c | 77 |
1 files changed, 77 insertions, 0 deletions
diff --git a/crypto/x509/x509_set.c b/crypto/x509/x509_set.c index e46174a463..08b71ff582 100644 --- a/crypto/x509/x509_set.c +++ b/crypto/x509/x509_set.c @@ -13,7 +13,10 @@ #include <openssl/objects.h> #include <openssl/evp.h> #include <openssl/x509.h> +#include <openssl/x509v3.h> +#include "internal/asn1_int.h" #include "internal/x509_int.h" +#include "x509_lcl.h" int X509_set_version(X509 *x, long version) { @@ -157,3 +160,77 @@ const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x) { return &x->cert_info.signature; } + +int X509_SIG_INFO_get(const X509_SIG_INFO *siginf, int *mdnid, int *pknid, + int *secbits, uint32_t *flags) +{ + if (mdnid != NULL) + *mdnid = siginf->mdnid; + if (pknid != NULL) + *pknid = siginf->pknid; + if (secbits != NULL) + *secbits = siginf->secbits; + if (flags != NULL) + *flags = siginf->flags; + return (siginf->flags & X509_SIG_INFO_VALID) != 0; +} + +void X509_SIG_INFO_set(X509_SIG_INFO *siginf, int mdnid, int pknid, + int secbits, uint32_t flags) +{ + siginf->mdnid = mdnid; + siginf->pknid = pknid; + siginf->secbits = secbits; + siginf->flags = flags; +} + +int X509_get_signature_info(X509 *x, int *mdnid, int *pknid, int *secbits, + uint32_t *flags) +{ + X509_check_purpose(x, -1, -1); + return X509_SIG_INFO_get(&x->siginf, mdnid, pknid, secbits, flags); +} + +static void x509_sig_info_init(X509_SIG_INFO *siginf, const X509_ALGOR *alg, + const ASN1_STRING *sig) +{ + int pknid, mdnid; + const EVP_MD *md; + + siginf->mdnid = NID_undef; + siginf->pknid = NID_undef; + siginf->secbits = -1; + siginf->flags = 0; + if (!OBJ_find_sigid_algs(OBJ_obj2nid(alg->algorithm), &mdnid, &pknid) + || pknid == NID_undef) + return; + siginf->pknid = pknid; + if (mdnid == NID_undef) { + /* If we have one, use a custom handler for this algorithm */ + const EVP_PKEY_ASN1_METHOD *ameth = EVP_PKEY_asn1_find(NULL, pknid); + if (ameth == NULL || ameth->siginf_set == NULL + || ameth->siginf_set(siginf, alg, sig) == 0) + return; + siginf->flags |= X509_SIG_INFO_VALID; + return; + } + siginf->flags |= X509_SIG_INFO_VALID; + siginf->mdnid = mdnid; + md = EVP_get_digestbynid(mdnid); + if (md == NULL) + return; + /* Security bits: half number of bits in digest */ + siginf->secbits = EVP_MD_size(md) * 4; + switch (mdnid) { + case NID_sha1: + case NID_sha256: + case NID_sha384: + case NID_sha512: + siginf->flags |= X509_SIG_INFO_TLS; + } +} + +void x509_init_sig_info(X509 *x) +{ + x509_sig_info_init(&x->siginf, &x->sig_alg, &x->signature); +} |