switch to sha256 for cert requests and fix for ec csr
+34
-27
@@ -66,9 +66,11 @@ unsigned const char chuid_tmpl[] = {
|
|||||||
};
|
};
|
||||||
#define CHUID_GUID_OFFS 35
|
#define CHUID_GUID_OFFS 35
|
||||||
|
|
||||||
unsigned const char sha1oid[] = {
|
unsigned const char sha256oid[] = {
|
||||||
0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14
|
0x30, 0x31, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04,
|
||||||
|
0x02, 0x01, 0x05, 0x00, 0x04, 0x20
|
||||||
};
|
};
|
||||||
|
#define DIGEST_LEN 32
|
||||||
|
|
||||||
#define KEY_LEN 24
|
#define KEY_LEN 24
|
||||||
|
|
||||||
@@ -825,13 +827,13 @@ static bool request_certificate(SCARDHANDLE *card, enum enum_key_format key_form
|
|||||||
FILE *output_file;
|
FILE *output_file;
|
||||||
EVP_PKEY *public_key = NULL;
|
EVP_PKEY *public_key = NULL;
|
||||||
bool ret = true;
|
bool ret = true;
|
||||||
unsigned char digest[35];
|
unsigned char digest[DIGEST_LEN + sizeof(sha256oid)];
|
||||||
unsigned int digest_len = 20;
|
unsigned int digest_len = DIGEST_LEN;
|
||||||
unsigned char algorithm;
|
unsigned char algorithm;
|
||||||
int key = 0;
|
int key = 0;
|
||||||
ASN1_STRING *sig = NULL;
|
ASN1_STRING *sig = NULL;
|
||||||
unsigned char signinput[256];
|
unsigned char signinput[256];
|
||||||
int len;
|
int len = 0;
|
||||||
|
|
||||||
sscanf(slot, "%x", &key);
|
sscanf(slot, "%x", &key);
|
||||||
|
|
||||||
@@ -898,18 +900,13 @@ static bool request_certificate(SCARDHANDLE *card, enum enum_key_format key_form
|
|||||||
goto request_out;
|
goto request_out;
|
||||||
}
|
}
|
||||||
|
|
||||||
algor = (X509_ALGOR*)sk_X509_ALGOR_new_null();
|
|
||||||
algor->parameter = (ASN1_TYPE*)sk_ASN1_TYPE_new_null();
|
|
||||||
algor->algorithm=OBJ_nid2obj(NID_sha1WithRSAEncryption);
|
|
||||||
algor->parameter->type = V_ASN1_NULL;
|
|
||||||
|
|
||||||
req->sig_alg = algor;
|
|
||||||
|
|
||||||
memset(digest, 0, sizeof(digest));
|
memset(digest, 0, sizeof(digest));
|
||||||
memcpy(digest, sha1oid, sizeof(sha1oid));
|
memcpy(digest, sha256oid, sizeof(sha256oid));
|
||||||
/* XXX: this should probably use X509_REQ_digest() but that's buggy */
|
/* XXX: this should probably use X509_REQ_digest() but that's buggy */
|
||||||
if(!ASN1_item_digest(ASN1_ITEM_rptr(X509_REQ_INFO), EVP_sha1(), req->req_info,
|
if(!ASN1_item_digest(ASN1_ITEM_rptr(X509_REQ_INFO), EVP_sha256(), req->req_info,
|
||||||
digest + 15, &digest_len)) {
|
digest + sizeof(sha256oid), &digest_len)) {
|
||||||
fprintf(stderr, "Failed doing digest of request.\n");
|
fprintf(stderr, "Failed doing digest of request.\n");
|
||||||
ret = false;
|
ret = false;
|
||||||
goto request_out;
|
goto request_out;
|
||||||
@@ -920,21 +917,31 @@ static bool request_certificate(SCARDHANDLE *card, enum enum_key_format key_form
|
|||||||
dump_hex(digest, sizeof(digest));
|
dump_hex(digest, sizeof(digest));
|
||||||
fprintf(stderr, "\n");
|
fprintf(stderr, "\n");
|
||||||
}
|
}
|
||||||
if(algorithm == 0x6) {
|
|
||||||
len = 128;
|
algor = (X509_ALGOR*)sk_X509_ALGOR_new_null();
|
||||||
} else if(algorithm == 0x7) {
|
algor->parameter = (ASN1_TYPE*)sk_ASN1_TYPE_new_null();
|
||||||
len = 256;
|
algor->parameter->type = V_ASN1_NULL;
|
||||||
} else if(algorithm == 0x11) {
|
switch(algorithm) {
|
||||||
len = 20;
|
case 0x6:
|
||||||
memcpy(signinput, digest + 15, 20);
|
len = 128;
|
||||||
} else {
|
case 0x7:
|
||||||
fprintf(stderr, "Unsupported algorithm %x.\n", algorithm);
|
if(len == 0) {
|
||||||
ret = false;
|
len = 256;
|
||||||
goto request_out;
|
}
|
||||||
}
|
RSA_padding_add_PKCS1_type_1(signinput, len, digest, sizeof(digest));
|
||||||
if(algorithm == 6 || algorithm == 7) {
|
algor->algorithm = OBJ_nid2obj(NID_sha256WithRSAEncryption);
|
||||||
RSA_padding_add_PKCS1_type_1(signinput, len, digest, sizeof(digest));
|
break;
|
||||||
|
case 0x11:
|
||||||
|
algor->algorithm = OBJ_nid2obj(NID_ecdsa_with_SHA256);
|
||||||
|
len = DIGEST_LEN;
|
||||||
|
memcpy(signinput, digest + sizeof(sha256oid), DIGEST_LEN);
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
fprintf(stderr, "Unsupported algorithm %x.\n", algorithm);
|
||||||
|
ret = false;
|
||||||
|
goto request_out;
|
||||||
}
|
}
|
||||||
|
req->sig_alg = algor;
|
||||||
{
|
{
|
||||||
unsigned char indata[1024];
|
unsigned char indata[1024];
|
||||||
unsigned char *dataptr = indata;
|
unsigned char *dataptr = indata;
|
||||||
|
|||||||
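Review bot: The lines moved ahead of `switch(algorithm)` still build `algor` from `sk_X509_ALGOR_new_null()` and `sk_ASN1_TYPE_new_null()`, which return stack containers rather than an `X509_ALGOR` or `ASN1_TYPE`, so the casts write fields into an object of another type that is then handed to `req->sig_alg`. Allocating with `X509_ALGOR_new()` and filling it through `X509_ALGOR_set0()` avoids that, and lets the `0x11` case pass `V_ASN1_UNDEF`: ecdsa-with-SHA256 is specified with absent parameters, while the hunk as written attaches a NULL parameter to it as well. The return value of `RSA_padding_add_PKCS1_type_1()` is unchecked, and the `0x6` to `0x7` fallthrough that depends on `len == 0` should carry a `/* fall through */` comment. `request_certificate` starts and ends outside the visible hunks, so confirm whether `request_out` frees `algor` and the previous `req->sig_alg` before relying on the new error exits below.

```c
  algor = X509_ALGOR_new();
  if(algor == NULL) {
    fprintf(stderr, "Failed to allocate signature algorithm.\n");
    ret = false;
    goto request_out;
  }
  switch(algorithm) {
    case 0x6:
      len = 128;
      /* fall through */
    case 0x7:
      /* … unchanged: len defaults to 256 when still 0 … */
      if(RSA_padding_add_PKCS1_type_1(signinput, len, digest, sizeof(digest)) != 1 ||
          X509_ALGOR_set0(algor, OBJ_nid2obj(NID_sha256WithRSAEncryption), V_ASN1_NULL, NULL) != 1) {
        fprintf(stderr, "Failed to prepare RSA signature input.\n");
        ret = false;
        goto request_out;
      }
      break;
    case 0x11:
      /* ecdsa-with-SHA256: the parameters field is omitted, not NULL */
      if(X509_ALGOR_set0(algor, OBJ_nid2obj(NID_ecdsa_with_SHA256), V_ASN1_UNDEF, NULL) != 1) {
        fprintf(stderr, "Failed to set signature algorithm.\n");
        ret = false;
        goto request_out;
      }
      /* … unchanged: len = DIGEST_LEN and memcpy of the raw digest … */
      break;
    /* … unchanged: default case … */
  }
```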