aboutsummaryrefslogtreecommitdiffstats
path: root/src/libstrongswan
diff options
context:
space:
mode:
Diffstat (limited to 'src/libstrongswan')
-rw-r--r--src/libstrongswan/credentials/builder.c1
-rw-r--r--src/libstrongswan/credentials/builder.h2
-rw-r--r--src/libstrongswan/credentials/credential_factory.c3
-rw-r--r--src/libstrongswan/plugins/x509/x509_cert.c54
4 files changed, 55 insertions, 5 deletions
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index 601ae94b6..88df476d5 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -36,6 +36,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
"BUILD_NOT_BEFORE_TIME",
"BUILD_NOT_AFTER_TIME",
"BUILD_SERIAL",
+ "BUILD_DIGEST_ALG",
"BUILD_IETF_GROUP_ATTR",
"BUILD_CA_CERT",
"BUILD_CERT",
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index 678a84429..650d05251 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -80,6 +80,8 @@ enum builder_part_t {
BUILD_NOT_AFTER_TIME,
/** a serial number in binary form, chunk_t */
BUILD_SERIAL,
+ /** digest algorithm to be used for signature, int */
+ BUILD_DIGEST_ALG,
/** a comma-separated list of ietf group attributes, char* */
BUILD_IETF_GROUP_ATTR,
/** a ca certificate, certificate_t* */
diff --git a/src/libstrongswan/credentials/credential_factory.c b/src/libstrongswan/credentials/credential_factory.c
index 3cab10a19..ac1f05beb 100644
--- a/src/libstrongswan/credentials/credential_factory.c
+++ b/src/libstrongswan/credentials/credential_factory.c
@@ -198,6 +198,9 @@ static void* create(private_credential_factory_t *this, credential_type_t type,
case BUILD_FROM_FD:
builder->add(builder, part, va_arg(args, u_int));
continue;
+ case BUILD_DIGEST_ALG:
+ builder->add(builder, part, va_arg(args, int));
+ continue;
case BUILD_NOT_BEFORE_TIME:
case BUILD_NOT_AFTER_TIME:
builder->add(builder, part, va_arg(args, time_t));
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index c8d0dabc0..218723a74 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -1199,6 +1199,8 @@ struct private_builder_t {
certificate_t *sign_cert;
/** private key to sign, if we generate a new cert */
private_key_t *sign_key;
+ /** digest algorithm to be used for signature */
+ hash_algorithm_t digest_alg;
};
/**
@@ -1236,7 +1238,7 @@ static bool generate(private_builder_t *this)
this->cert->notBefore = time(NULL);
}
if (!this->cert->notAfter)
- { /* defaults to 1 years from now on */
+ { /* defaults to 1 year from now */
this->cert->notAfter = this->cert->notBefore + 60 * 60 * 24 * 365;
}
this->cert->flags = this->flags;
@@ -1245,16 +1247,54 @@ static bool generate(private_builder_t *this)
switch (this->sign_key->get_type(this->sign_key))
{
case KEY_RSA:
- this->cert->algorithm = OID_SHA1_WITH_RSA;
- scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
+ switch (this->digest_alg)
+ {
+ case HASH_MD5:
+ this->cert->algorithm = OID_MD5_WITH_RSA;
+ break;
+ case HASH_SHA1:
+ this->cert->algorithm = OID_SHA1_WITH_RSA;
+ break;
+ case HASH_SHA224:
+ this->cert->algorithm = OID_SHA224_WITH_RSA;
+ break;
+ case HASH_SHA256:
+ this->cert->algorithm = OID_SHA256_WITH_RSA;
+ break;
+ case HASH_SHA384:
+ this->cert->algorithm = OID_SHA384_WITH_RSA;
+ break;
+ case HASH_SHA512:
+ this->cert->algorithm = OID_SHA512_WITH_RSA;
+ break;
+ default:
+ return FALSE;
+ }
break;
case KEY_ECDSA:
- scheme = SIGN_ECDSA_WITH_SHA1_DER;
- this->cert->algorithm = OID_ECDSA_WITH_SHA1;
+ switch (this->digest_alg)
+ {
+ case HASH_SHA1:
+ this->cert->algorithm = OID_ECDSA_WITH_SHA1;
+ break;
+ case HASH_SHA256:
+ this->cert->algorithm = OID_ECDSA_WITH_SHA256;
+ break;
+ case HASH_SHA384:
+ this->cert->algorithm = OID_ECDSA_WITH_SHA384;
+ break;
+ case HASH_SHA512:
+ this->cert->algorithm = OID_ECDSA_WITH_SHA512;
+ break;
+ default:
+ return FALSE;
+ }
break;
default:
return FALSE;
}
+ scheme = signature_scheme_from_oid(this->cert->algorithm);
+
if (!this->cert->public_key->get_encoding(this->cert->public_key,
KEY_PUB_SPKI_ASN1_DER, &key_info))
{
@@ -1395,6 +1435,9 @@ static void add(private_builder_t *this, builder_part_t part, ...)
this->cert->serialNumber = chunk_clone(serial);
break;
}
+ case BUILD_DIGEST_ALG:
+ this->digest_alg = va_arg(args, int);
+ break;
default:
/* abort if unsupported option */
if (this->cert)
@@ -1425,6 +1468,7 @@ builder_t *x509_cert_builder(certificate_type_t type)
this->flags = 0;
this->sign_cert = NULL;
this->sign_key = NULL;
+ this->digest_alg = HASH_SHA1;
this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
this->public.build = (void*(*)(builder_t *this))build;
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-24 12:11:50 +0000