scepclient: Options added to specify digest/signature algorithms.

Also changed the defaults to DES/MD5 as that's what should be used
if GetCACaps is not used to learn the issuers capabilities.

2 files changed, 92 insertions, 27 deletions

diff --git a/src/scepclient/scepclient.8 b/src/scepclient/scepclient.8
index c2068f6cd..1bcc4ef44 100644
--- a/src/scepclient/scepclient.8
+++ b/src/scepclient/scepclient.8
@@ -145,14 +145,24 @@ If \fIpw\fP is \fB%prompt\fP', the password gets prompted for on the command lin
 \- In manual mode, this password can be used to later revoke the corresponding certificate.
 .RE
 .PP
-.B \-a, \-\-algorithm \fIalgo\fP
+.B \-a, \-\-algorithm [\fItype\fP=]\fIalgo\fP
 .RS 4
-Change symmetric algorithm to use for encryption of certificate Request.
-The default is \fB3des\-cbc\fP.
+Change the algorithms to be used when generating and transporting (PKCS#7)
+certificate requests (PKCS#10).
 .PP
-Supported values for \fIalgo\fP:
+Supported values for \fItype\fP:
+.IP "\fBenc\fP" 12
+symmetric encryption algorithm in PKCS#7
+.IP "\fBdgst\fP" 12
+hash algorithm for message digest in PKCS#7
+.IP "\fBsig\fP" 12
+hash algorithm for the signature in PKCS#10
+.PP
+If \fItype\fP is not specified \fBenc\fP is assumed.
+.PP
+Supported values for \fIalgo\fP (\fBenc\fP):
 .IP "\fBdes\fP" 12
-DES-CBC encryption (key size = 56 bit).
+DES-CBC encryption (key size = 56 bit). Default.
 .IP "\fB3des\fP" 12
 Triple DES-EDE-CBC encryption (key size = 168 bit).
 .IP "\fBaes128\fP" 12
@@ -167,6 +177,10 @@ Camellia-CBC encryption (key size = 128 bit).
 Camelllia-CBC encryption (key size = 192 bit).
 .IP "\fBcamellia256\fP" 12
 Camellia-CBC encryption (key size = 256 bit).
+.PP
+Supported values for \fIalgo\fP (\fBdgst\fP or \fBsig\fP):
+.PP
+\fBmd5\fP (default), \fBsha1\fP, \fBsha256\fP, \fBsha384\fP, \fBsha512\fP
 .RE
 .PP
 .B \-o, \-\-out \fItype\fP[=\fIfilename\fP]
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index 59a4ee64d..2df6d7a5f 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -317,13 +317,14 @@ static void usage(const char *message)
 		" --version (-v)                    show version and exit\n"
 		" --quiet (-q)                      do not write log output to stderr\n"
 		" --in (-i) <type>[=<filename>]     use <filename> of <type> for input \n"
-		"                                   <type> = pkcs1 | cacert-enc |  cacert-sig\n"
+		"                                   <type> = pkcs1 | cacert-enc | cacert-sig\n"
 		"                                   - if no pkcs1 input is defined, a \n"
 		"                                     RSA key will be generated\n"
 		"                                   - if no filename is given, default is used\n"
 		" --out (-o) <type>[=<filename>]    write output of <type> to <filename>\n"
 		"                                   multiple outputs are allowed\n"
-		"                                   <type> = pkcs1 | pkcs10 | pkcs7 | cert-self | cert | cacert\n"
+		"                                   <type> = pkcs1 | pkcs10 | pkcs7 | cert-self |\n"
+		"                                            cert | cacert\n"
 		"                                   - type cacert defines filename prefix of\n"
 		"                                     received CA certificate(s)\n"
 		"                                   - if no filename is given, default is used\n"
@@ -344,15 +345,21 @@ static void usage(const char *message)
 		" --subjectAltName (-s) <t>=<v>     include subjectAltName in certificate request\n"
 		"                                   <t> =  email | dns | ip \n"
 		" --password (-p) <pw>              challenge password\n"
-		"                                   - if pw is '%%prompt', password gets prompted for\n"
-		" --algorithm (-a) <algo>           use specified algorithm for PKCS#7 encryption\n"
-		"                                   <algo> = des | 3des (default) | aes128| aes192 | \n"
-		"                                   aes256 | camellia128 | camellia192 | camellia256\n"
+		"                                   - use '%%prompt' as pw for a password prompt\n"
+		" --algorithm (-a) [<type>=]<algo>  algorithm to be used for PKCS#7 encryption,\n"
+		"                                   PKCS#7 digest or PKCS#10 signature\n"
+		"                                   <type> = enc | dgst | sig\n"
+		"                                   - if no type is given enc is assumed\n"
+		"                                   <algo> = des (default) | 3des | aes128 |\n"
+		"                                            aes192 | aes256 | camellia128 |\n"
+		"                                            camellia192 | camellia256\n"
+		"                                   <algo> = md5 (default) | sha1 | sha256 |\n"
+		"                                            sha384 | sha512\n"
 		"\n"
 		"Options for enrollment (cert):\n"
 		" --url (-u) <url>                  url of the SCEP server\n"
 		" --method (-m) post | get          http request type\n"
-		" --interval (-t) <seconds>         manual mode poll interval in seconds (default 20s)\n"
+		" --interval (-t) <seconds>         poll interval in seconds (default 20s)\n"
 		" --maxpolltime (-x) <seconds>      max poll time in seconds when in manual mode\n"
 		"                                   (default: unlimited)\n"
 		"\n"
@@ -424,15 +431,15 @@ int main(int argc, char **argv)
 	/* challenge password */
 	char challenge_password_buffer[MAX_PASSWORD_LENGTH];
 
-	/* symmetric encryption algorithm used by pkcs7, default is 3DES */
-	encryption_algorithm_t pkcs7_symmetric_cipher = ENCR_3DES;
+	/* symmetric encryption algorithm used by pkcs7, default is DES */
+	encryption_algorithm_t pkcs7_symmetric_cipher = ENCR_DES;
 	size_t pkcs7_key_size = 0;
 
-	/* digest algorithm used by pkcs7, default is SHA-1 */
-	hash_algorithm_t pkcs7_digest_alg = HASH_SHA1;
+	/* digest algorithm used by pkcs7, default is MD5 */
+	hash_algorithm_t pkcs7_digest_alg = HASH_MD5;
 
-	/* signature algorithm used by pkcs10, default is SHA-1 */
-	hash_algorithm_t pkcs10_signature_alg = HASH_SHA1;
+	/* signature algorithm used by pkcs10, default is MD5 */
+	hash_algorithm_t pkcs10_signature_alg = HASH_MD5;
 
 	/* URL of the SCEP-Server */
 	char *scep_url = NULL;
@@ -783,21 +790,65 @@ int main(int argc, char **argv)
 				max_poll_time = atoi(optarg);
 				continue;
 
-			case 'a':       /*--algorithm */
+			case 'a':       /*--algorithm [<type>=]algo */
 			{
 				const proposal_token_t *token;
+				char *type = optarg;
+				char *algo = strstr(optarg, "=");
 
-				token = proposal_get_token(optarg, strlen(optarg));
-				if (token == NULL || token->type != ENCRYPTION_ALGORITHM)
+				if (algo)
 				{
-					usage("invalid algorithm specified");
+					*algo = '\0';
+					algo++;
 				}
-				pkcs7_symmetric_cipher = token->algorithm;
-				pkcs7_key_size = token->keysize;
-				if (encryption_algorithm_to_oid(token->algorithm,
-												token->keysize) == OID_UNKNOWN)
+				else
+				{
+					type = "enc";
+					algo = optarg;
+				}
+
+				if (strcaseeq("enc", type))
+				{
+					token = proposal_get_token(algo, strlen(algo));
+					if (token == NULL || token->type != ENCRYPTION_ALGORITHM)
+					{
+						usage("invalid algorithm specified");
+					}
+					pkcs7_symmetric_cipher = token->algorithm;
+					pkcs7_key_size = token->keysize;
+					if (encryption_algorithm_to_oid(token->algorithm,
+								token->keysize) == OID_UNKNOWN)
+					{
+						usage("unsupported encryption algorithm specified");
+					}
+				}
+				else if (strcaseeq("dgst", type) ||
+						 strcaseeq("sig", type))
+				{
+					hash_algorithm_t hash;
+
+					token = proposal_get_token(algo, strlen(algo));
+					if (token == NULL || token->type != INTEGRITY_ALGORITHM)
+					{
+						usage("invalid algorithm specified");
+					}
+					hash = hasher_algorithm_from_integrity(token->algorithm);
+					if (hash == OID_UNKNOWN)
+					{
+						usage("invalid algorithm specified");
+					}
+					if (strcaseeq("dgst", type))
+					{
+						pkcs7_digest_alg = hash;
+					}
+					else
+					{
+						pkcs10_signature_alg = hash;
+					}
+				}
+				else
 				{
-					usage("unsupported encryption algorithm specified");
+					usage("invalid --algorithm type");
 				}
 				continue;
 			}