spkac: allow digests other than MD5 to be used for signing

Fixes #15683 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #15687)
openssl · Jun 15, 2021 · e1a77f9 · e1a77f9
1 parent 42e97dd
commit e1a77f9
Showing 1 changed file with 12 additions and 2 deletions.
diff --git a/apps/spkac.c b/apps/spkac.c
@@ -24,7 +24,7 @@ typedef enum OPTION_choice {
     OPT_COMMON,
     OPT_NOOUT, OPT_PUBKEY, OPT_VERIFY, OPT_IN, OPT_OUT,
     OPT_ENGINE, OPT_KEY, OPT_CHALLENGE, OPT_PASSIN, OPT_SPKAC,
-    OPT_SPKSECT, OPT_KEYFORM,
+    OPT_SPKSECT, OPT_KEYFORM, OPT_DIGEST,
     OPT_PROV_ENUM
 } OPTION_CHOICE;
 
@@ -46,6 +46,7 @@ const OPTIONS spkac_options[] = {
     {"spkac", OPT_SPKAC, 's', "Alternative SPKAC name"},
 
     OPT_SECTION("Output"),
+    {"digest", OPT_DIGEST, 's', "Sign new SPKAC with the specified digest (default: MD5)" },
     {"out", OPT_OUT, '>', "Output file"},
     {"noout", OPT_NOOUT, '-', "Don't print SPKAC"},
     {"pubkey", OPT_PUBKEY, '-', "Output public key"},
@@ -66,6 +67,8 @@ int spkac_main(int argc, char **argv)
     char *infile = NULL, *outfile = NULL, *passinarg = NULL, *passin = NULL;
     char *spkstr = NULL, *prog;
     const char *spkac = "SPKAC", *spksect = "default";
+    const char *digest = "MD5";
+    EVP_MD *md = NULL;
     int i, ret = 1, verify = 0, noout = 0, pubkey = 0;
     int keyformat = FORMAT_UNDEF;
     OPTION_CHOICE o;
@@ -116,6 +119,9 @@ int spkac_main(int argc, char **argv)
         case OPT_SPKSECT:
             spksect = opt_arg();
             break;
+        case OPT_DIGEST:
+            digest = opt_arg();
+            break;
         case OPT_ENGINE:
             e = setup_engine(opt_arg(), 0);
             break;
@@ -137,6 +143,9 @@ int spkac_main(int argc, char **argv)
     }
 
     if (keyfile != NULL) {
+        if (!opt_md(digest, &md))
+            goto end;
+
         pkey = load_key(strcmp(keyfile, "-") ? keyfile : NULL,
                         keyformat, 1, passin, e, "private key");
         if (pkey == NULL)
@@ -151,7 +160,7 @@ int spkac_main(int argc, char **argv)
             BIO_printf(bio_err, "Error setting public key\n");
             goto end;
         }
-        i = NETSCAPE_SPKI_sign(spki, pkey, EVP_md5());
+        i = NETSCAPE_SPKI_sign(spki, pkey, md);
         if (i <= 0) {
             BIO_printf(bio_err, "Error signing SPKAC\n");
             goto end;
@@ -213,6 +222,7 @@ int spkac_main(int argc, char **argv)
     ret = 0;
 
  end:
+    EVP_MD_free(md);
     NCONF_free(conf);
     NETSCAPE_SPKI_free(spki);
     BIO_free_all(out);