[openssl-commits] [openssl] master update

Dr. Stephen Henson steve at openssl.org
Fri Nov 20 13:53:33 UTC 2015


The branch master has been updated
       via  2cc7acd273bc39f1360aed52400d18bb65b88a95 (commit)
       via  e20b47275109aafc559446d731e6baad4a1f55d1 (commit)
      from  fa49924659f21454fba3d70b4f60ce76ee6059f8 (commit)


- Log -----------------------------------------------------------------
commit 2cc7acd273bc39f1360aed52400d18bb65b88a95
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Thu Nov 19 15:50:15 2015 +0000

    Use better defaults for TSA.
    
    Use SHA256 for TSA and set permitted digests to a sensible value.
    
    Based on PR#4141
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit e20b47275109aafc559446d731e6baad4a1f55d1
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Fri Sep 11 16:58:57 2015 +0100

    Add support for signer_digest option in TS.
    
    Based on PR#2145
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/openssl-vms.cnf    |  3 ++-
 apps/openssl.cnf        |  4 ++--
 apps/ts.c               | 30 +++++++++++++++++++-----------
 crypto/ts/ts_conf.c     | 25 +++++++++++++++++++++++++
 crypto/ts/ts_lcl.h      |  1 +
 crypto/ts/ts_rsp_sign.c | 10 +++++++++-
 doc/apps/ts.pod         | 11 +++++++++++
 include/openssl/ts.h    |  5 +++++
 test/CAtsa.cnf          | 10 +++++-----
 9 files changed, 79 insertions(+), 20 deletions(-)

diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf
index c0ded4a..51a296b 100644
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -335,11 +335,12 @@ signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
 certs		= $dir.cacert.pem]	# Certificate chain to include in reply
 					# (optional)
 signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest  = sha1			# Signing digest to use. (Optional)
 
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
-digests		= md5, sha1		# Acceptable message digests (mandatory)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
 accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
 clock_precision_digits  = 0	# number of digits after dot. (optional)
 ordering		= yes	# Is ordering defined for timestamps?
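Review bot: The added `signer_digest  = sha1` line makes the VMS sample configuration sign timestamp responses with SHA-1, which contradicts the commit's stated goal and the matching line in apps/openssl.cnf, where the same option is set to sha256. Unless SHA-1 is required on VMS for a reason not shown here, the line should read `signer_digest  = sha256			# Signing digest to use. (Optional)`. When no digest is given on the command line, create_response() in apps/ts.c reads this value and it replaces the SHA-256 default installed by TS_RESP_CTX_new(), so anyone copying this file gets the weaker signing digest without asking for it.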
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 41c2a37..53c4bef 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -335,11 +335,11 @@ signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
 certs		= $dir/cacert.pem	# Certificate chain to include in reply
 					# (optional)
 signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
-
+signer_digest  = sha256			# Signing digest to use. (Optional)
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
-digests		= md5, sha1		# Acceptable message digests (mandatory)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
 accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
 clock_precision_digits  = 0	# number of digits after dot. (optional)
 ordering		= yes	# Is ordering defined for timestamps?
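Review bot: The new `digests` list drops md5 but still accepts sha1 as a message-imprint digest, so a TSA started from this sample will keep issuing timestamps over SHA-1 hashes. If sha1 is retained for compatibility with older clients, a comment saying so would let operators decide whether to remove it, for example `# sha1 is kept for legacy clients; remove it if not needed`. The same list is added in apps/openssl-vms.cnf and in both TSA sections of test/CAtsa.cnf.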
diff --git a/apps/ts.c b/apps/ts.c
index b58703a..ac91323 100644
--- a/apps/ts.c
+++ b/apps/ts.c
@@ -95,14 +95,14 @@ static ASN1_INTEGER *create_nonce(int bits);
 /* Reply related functions. */
 static int reply_command(CONF *conf, char *section, char *engine,
                          char *queryfile, char *passin, char *inkey,
-                         char *signer, char *chain, const char *policy,
-                         char *in, int token_in, char *out, int token_out,
-                         int text);
+                         const EVP_MD *md, char *signer, char *chain,
+                         const char *policy, char *in, int token_in,
+                         char *out, int token_out, int text);
 static TS_RESP *read_PKCS7(BIO *in_bio);
 static TS_RESP *create_response(CONF *conf, const char *section, char *engine,
                                 char *queryfile, char *passin,
-                                char *inkey, char *signer, char *chain,
-                                const char *policy);
+                                char *inkey, const EVP_MD *md, char *signer,
+                                char *chain, const char *policy);
 static ASN1_INTEGER *serial_cb(TS_RESP_CTX *ctx, void *data);
 static ASN1_INTEGER *next_serial(const char *serialfile);
 static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial);
@@ -342,7 +342,7 @@ int ts_main(int argc, char **argv)
                 goto opthelp;
         }
         ret = !reply_command(conf, section, engine, queryfile,
-                             password, inkey, signer, chain, policy,
+                             password, inkey, md, signer, chain, policy,
                              in, token_in, out, token_out, text);
         break;
     case OPT_VERIFY:
@@ -583,8 +583,8 @@ static ASN1_INTEGER *create_nonce(int bits)
 
 static int reply_command(CONF *conf, char *section, char *engine,
                          char *queryfile, char *passin, char *inkey,
-                         char *signer, char *chain, const char *policy,
-                         char *in, int token_in,
+                         const EVP_MD *md, char *signer, char *chain,
+                         const char *policy, char *in, int token_in,
                          char *out, int token_out, int text)
 {
     int ret = 0;
@@ -605,7 +605,7 @@ static int reply_command(CONF *conf, char *section, char *engine,
         }
     } else {
         response = create_response(conf, section, engine, queryfile,
-                                   passin, inkey, signer, chain, policy);
+                                   passin, inkey, md, signer, chain, policy);
         if (response)
             BIO_printf(bio_err, "Response has been generated.\n");
         else
@@ -691,8 +691,8 @@ static TS_RESP *read_PKCS7(BIO *in_bio)
 
 static TS_RESP *create_response(CONF *conf, const char *section, char *engine,
                                 char *queryfile, char *passin,
-                                char *inkey, char *signer, char *chain,
-                                const char *policy)
+                                char *inkey, const EVP_MD *md, char *signer,
+                                char *chain, const char *policy)
 {
     int ret = 0;
     TS_RESP *response = NULL;
@@ -717,6 +717,14 @@ static TS_RESP *create_response(CONF *conf, const char *section, char *engine,
         goto end;
     if (!TS_CONF_set_signer_key(conf, section, inkey, passin, resp_ctx))
         goto end;
+
+    if (md) {
+        if (!TS_RESP_CTX_set_signer_digest(resp_ctx, md))
+            goto end;
+    } else if (!TS_CONF_set_signer_digest(conf, section, NULL, resp_ctx)) {
+            goto end;
+    }
+
     if (!TS_CONF_set_def_policy(conf, section, policy, resp_ctx))
         goto end;
     if (!TS_CONF_set_policies(conf, section, resp_ctx))
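Review bot: With no digest on the command line, the `else if` branch calls TS_CONF_set_signer_digest() with a NULL name, and that function (added in crypto/ts/ts_conf.c) reports a lookup failure and returns 0 when `signer_digest` is absent from the section, so create_response() fails instead of falling back to the SHA-256 default set in TS_RESP_CTX_new(). TSA configuration files written before this option existed would stop producing replies, while the sample configs and doc/apps/ts.pod both label the option "(Optional)". Either treat a missing entry as "keep the default" in TS_CONF_set_signer_digest(), replacing the ts_CONF_lookup_fail() branch with `if (md == NULL) return 1;`, or document the option as mandatory unless a digest is given on the command line. The body of create_response() starts and ends outside this hunk.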
diff --git a/crypto/ts/ts_conf.c b/crypto/ts/ts_conf.c
index 27b3ff6..1aa1ab6 100644
--- a/crypto/ts/ts_conf.c
+++ b/crypto/ts/ts_conf.c
@@ -75,6 +75,7 @@
 #define ENV_SIGNER_CERT                 "signer_cert"
 #define ENV_CERTS                       "certs"
 #define ENV_SIGNER_KEY                  "signer_key"
+#define ENV_SIGNER_DIGEST               "signer_digest"
 #define ENV_DEFAULT_POLICY              "default_policy"
 #define ENV_OTHER_POLICIES              "other_policies"
 #define ENV_DIGESTS                     "digests"
@@ -304,6 +305,30 @@ int TS_CONF_set_signer_key(CONF *conf, const char *section,
     return ret;
 }
 
+int TS_CONF_set_signer_digest(CONF *conf, const char *section,
+                              const char *md, TS_RESP_CTX *ctx)
+{
+    int ret = 0;
+    const EVP_MD *sign_md = NULL;
+    if (md == NULL)
+        md = NCONF_get_string(conf, section, ENV_SIGNER_DIGEST);
+    if (md == NULL) {
+        ts_CONF_lookup_fail(section, ENV_SIGNER_DIGEST);
+        goto err;
+    }
+    sign_md = EVP_get_digestbyname(md);
+    if (sign_md == NULL) {
+        ts_CONF_invalid(section, ENV_SIGNER_DIGEST);
+        goto err;
+    }
+    if (!TS_RESP_CTX_set_signer_digest(ctx, sign_md))
+        goto err;
+
+    ret = 1;
+ err:
+    return ret;
+}
+
 int TS_CONF_set_def_policy(CONF *conf, const char *section,
                            const char *policy, TS_RESP_CTX *ctx)
 {
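Review bot: TS_CONF_set_signer_digest() is added without a comment, and its `md` parameter is a digest name string, whereas `md` in the apps/ts.c part of this commit is a `const EVP_MD *`, which is easy to misread at call sites. Suggest renaming the parameter to something like `md_name` in the definition and in the include/openssl/ts.h prototype, and adding a comment above the function such as `/* md_name is a digest name; NULL means read "signer_digest" from the section. Returns 1 on success, 0 if the name is missing or unknown. */`.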
diff --git a/crypto/ts/ts_lcl.h b/crypto/ts/ts_lcl.h
index 7bd23e9..da28ef1 100644
--- a/crypto/ts/ts_lcl.h
+++ b/crypto/ts/ts_lcl.h
@@ -183,6 +183,7 @@ struct ESS_signing_cert {
 struct TS_resp_ctx {
     X509 *signer_cert;
     EVP_PKEY *signer_key;
+    const EVP_MD *signer_md;
     STACK_OF(X509) *certs;      /* Certs to include in signed data. */
     STACK_OF(ASN1_OBJECT) *policies; /* Acceptable policies. */
     ASN1_OBJECT *default_policy; /* It may appear in policies, too. */
diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c
index c7738b8..f84555d 100644
--- a/crypto/ts/ts_rsp_sign.c
+++ b/crypto/ts/ts_rsp_sign.c
@@ -169,6 +169,8 @@ TS_RESP_CTX *TS_RESP_CTX_new()
         return NULL;
     }
 
+    ctx->signer_md = EVP_sha256();
+
     ctx->serial_cb = def_serial_cb;
     ctx->time_cb = def_time_cb;
     ctx->extension_cb = def_extension_cb;
@@ -215,6 +217,12 @@ int TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key)
     return 1;
 }
 
+int TS_RESP_CTX_set_signer_digest(TS_RESP_CTX *ctx, const EVP_MD *md)
+{
+    ctx->signer_md = md;
+    return 1;
+}
+
 int TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *def_policy)
 {
     ASN1_OBJECT_free(ctx->default_policy);
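Review bot: TS_RESP_CTX_set_signer_digest() stores whatever pointer it is given and always returns 1, so a NULL argument silently replaces the SHA-256 default from TS_RESP_CTX_new() and is later handed to PKCS7_add_signature() in ts_RESP_sign(). How PKCS7_add_signature() treats a NULL digest is not visible in this diff, but the signing digest of a timestamp response should not depend on it. Suggest rejecting it up front with `if (md == NULL) return 0;` before the assignment, optionally with a TSerr() call, so that the callers' `if (!TS_RESP_CTX_set_signer_digest(...)) goto end;` checks can actually fire.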
@@ -700,7 +708,7 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx)
     }
 
     if ((si = PKCS7_add_signature(p7, ctx->signer_cert,
-                                  ctx->signer_key, EVP_sha1())) == NULL) {
+                                  ctx->signer_key, ctx->signer_md)) == NULL) {
         TSerr(TS_F_TS_RESP_SIGN, TS_R_PKCS7_ADD_SIGNATURE_ERROR);
         goto err;
     }
diff --git a/doc/apps/ts.pod b/doc/apps/ts.pod
index e2b555a..82b9e55 100644
--- a/doc/apps/ts.pod
+++ b/doc/apps/ts.pod
@@ -28,6 +28,7 @@ B<-reply>
 [B<-passin> password_src]
 [B<-signer> tsa_cert.pem]
 [B<-inkey> private.pem]
+[B<-sha1|-sha224|-sha256|-sha384|-sha512>]
 [B<-chain> certs_file.pem]
 [B<-policy> object_id]
 [B<-in> response.tsr]
@@ -215,6 +216,11 @@ variable of the config file. (Optional)
 The signer private key of the TSA in PEM format. Overrides the
 B<signer_key> config file option. (Optional)
 
+=item B<-sha1|-sha224|-sha256|-sha384|-sha512>
+
+Signing digest to use. Overrides the B<signer_digest> config file
+option. (Optional)
+
 =item B<-chain> certs_file.pem
 
 The collection of certificates in PEM format that will all
@@ -396,6 +402,11 @@ option. (Optional)
 The private key of the TSA in PEM format. The same as the B<-inkey>
 command line option. (Optional)
 
+=item B<signer_digest>
+
+Signing digest to use. The same as the
+B<-sha1|-sha224|-sha256|-sha384|-sha512> command line option. (Optional)
+
 =item B<default_policy>
 
 The default policy to use when the request does not mandate any
diff --git a/include/openssl/ts.h b/include/openssl/ts.h
index f74fce7..3d4e4c0 100644
--- a/include/openssl/ts.h
+++ b/include/openssl/ts.h
@@ -371,6 +371,9 @@ int TS_RESP_CTX_set_signer_cert(TS_RESP_CTX *ctx, X509 *signer);
 /* This parameter must be set. */
 int TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key);
 
+int TS_RESP_CTX_set_signer_digest(TS_RESP_CTX *ctx,
+                                  const EVP_MD *signer_digest);
+
 /* This parameter must be set. */
 int TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *def_policy);
 
@@ -564,6 +567,8 @@ int TS_CONF_set_certs(CONF *conf, const char *section, const char *certs,
 int TS_CONF_set_signer_key(CONF *conf, const char *section,
                            const char *key, const char *pass,
                            TS_RESP_CTX *ctx);
+int TS_CONF_set_signer_digest(CONF *conf, const char *section,
+                               const char *md, TS_RESP_CTX *ctx);
 int TS_CONF_set_def_policy(CONF *conf, const char *section,
                            const char *policy, TS_RESP_CTX *ctx);
 int TS_CONF_set_policies(CONF *conf, const char *section, TS_RESP_CTX *ctx);
diff --git a/test/CAtsa.cnf b/test/CAtsa.cnf
index 9bdc614..ab2f84a 100644
--- a/test/CAtsa.cnf
+++ b/test/CAtsa.cnf
@@ -35,7 +35,7 @@ private_key	= $dir/private/cakey.pem# The private key
 RANDFILE	= $dir/private/.rand	# private random number file
 
 default_days	= 365			# how long to certify for
-default_md	= sha1			# which md to use.
+default_md	= sha256			# which md to use.
 preserve	= no			# keep passed DN ordering
 
 policy		= policy_match
@@ -132,11 +132,11 @@ signer_cert	= $dir/tsa_cert1.pem 	# The TSA signing certificate
 certs		= $dir/tsaca.pem	# Certificate chain to include in reply
 					# (optional)
 signer_key	= $dir/tsa_key1.pem	# The TSA private key (optional)
-
+signer_digest  = sha256             # Signing digest to use. (Optional)
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
-digests		= md5, sha1		# Acceptable message digests (mandatory)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
 accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
 ordering		= yes	# Is ordering defined for timestamps?
 				# (optional, default: no)
@@ -156,8 +156,8 @@ signer_cert	= $dir/tsa_cert2.pem 	# The TSA signing certificate
 certs		= $dir/demoCA/cacert.pem# Certificate chain to include in reply
 					# (optional)
 signer_key	= $dir/tsa_key2.pem	# The TSA private key (optional)
-
+signer_digest  = sha256             # Signing digest to use. (Optional)
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
-digests		= md5, sha1		# Acceptable message digests (mandatory)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)

