allow setting signature algorithm

lib/hx509/ca.c

@@ -61,7 +61,7 @@ struct hx509_ca_tbs {
     CRLDistributionPoints crldp;
     heim_bit_string subjectUniqueID;
     heim_bit_string issuerUniqueID;
-
+    AlgorithmIdentifier *sigalg;
 };
 
 /**
@@ -109,6 +109,10 @@ hx509_ca_tbs_free(hx509_ca_tbs *tbs)
     der_free_bit_string(&(*tbs)->subjectUniqueID);
     der_free_bit_string(&(*tbs)->issuerUniqueID);
     hx509_name_free(&(*tbs)->subject);
+    if ((*tbs)->sigalg) {
+	free_AlgorithmIdentifier((*tbs)->sigalg);
+	free((*tbs)->sigalg);
+    }
 
     memset(*tbs, 0, sizeof(**tbs));
     free(*tbs);
@@ -904,6 +908,39 @@ hx509_ca_tbs_subject_expand(hx509_context context,
     return hx509_name_expand(context, tbs->subject, env);
 }
 
+/**
+ * Set signature algorithm on the to be signed certificate
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param sigalg signature algorithm to use
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_tbs_set_signature_algorithm(hx509_context context,
+				     hx509_ca_tbs tbs,
+				     const AlgorithmIdentifier *sigalg)
+{
+    int ret;
+
+    tbs->sigalg = calloc(1, sizeof(*tbs->sigalg));
+    if (tbs->sigalg == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM, "Out of memory");
+	return ENOMEM;
+    }
+    ret = copy_AlgorithmIdentifier(sigalg, tbs->sigalg);
+    if (ret) {
+	free(tbs->sigalg);
+	tbs->sigalg = NULL;
+	return ret;
+    }
+    return 0;
+}
+
 /*
  *
  */
@@ -998,7 +1035,9 @@ ca_sign(hx509_context context,
     time_t notAfter;
     unsigned key_usage;
 
-    sigalg = _hx509_crypto_default_sig_alg;
+    sigalg = tbs->sigalg;
+    if (sigalg == NULL)
+	sigalg = _hx509_crypto_default_sig_alg;
 
     memset(&c, 0, sizeof(c));
 

lib/hx509/hxtool-commands.in

@@ -634,6 +634,11 @@ command = {
 		type = "string"
 		help = "Lifetime of certificate"
 	}
+	option = {
+		long = "signature-algorithm"
+		type = "string"
+		help = "Signature algorithm to use"
+	}
 	option = {
 		long = "serial-number"
 		type = "string"

lib/hx509/hxtool.c

@@ -1928,6 +1928,17 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
     if (ret)
 	hx509_err(context, 1, ret, "hx509_ca_tbs_init");
 
+    if (opt->signature_algorithm_string) {
+	const AlgorithmIdentifier *sigalg;
+	if (strcasecmp(opt->signature_algorithm_string, "rsa-with-sha1") == 0)
+	    sigalg = hx509_signature_rsa_with_sha1();
+	else if (strcasecmp(opt->signature_algorithm_string, "rsa-with-sha256") == 0)
+	    sigalg = hx509_signature_rsa_with_sha256();
+	else
+	    errx(1, "unsupported sigature algorith");
+	hx509_ca_tbs_set_signature_algorithm(context, tbs, sigalg);
+    }
+
     if (opt->template_certificate_string) {
 	hx509_cert template;
 	hx509_certs tcerts;

lib/hx509/test_ca.in

@@ -421,4 +421,32 @@ ${hxtool} verify --missing-revoke \
 	cert:FILE:cert-ee.pem \
 	anchor:FILE:cert-ca.pem > /dev/null || exit 1
 
+echo "+++++++++++ test sigalg"
+
+echo "issue cert with sha256"
+${hxtool} issue-certificate \
+	  --ca-certificate=FILE:cert-ca.pem \
+          --signature-algorithm=rsa-with-sha256 \
+	  --subject="cn=foo" \
+	  --req="PKCS10:pkcs10-request.der" \
+	  --certificate="FILE:cert-ee.pem" || exit 1
+
+echo "verify certificate"
+${hxtool} verify --missing-revoke \
+	cert:FILE:cert-ee.pem \
+	anchor:FILE:cert-ca.pem > /dev/null || exit 1
+
+echo "issue cert with sha1"
+${hxtool} issue-certificate \
+	  --ca-certificate=FILE:cert-ca.pem \
+          --signature-algorithm=rsa-with-sha1 \
+	  --subject="cn=foo" \
+	  --req="PKCS10:pkcs10-request.der" \
+	  --certificate="FILE:cert-ee.pem" || exit 1
+
+echo "verify certificate"
+${hxtool} verify --missing-revoke \
+	cert:FILE:cert-ee.pem \
+	anchor:FILE:cert-ca.pem > /dev/null || exit 1
+
 exit 0