From c69c4634ad2296b003d50f3a4180298c6f37d30f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Wed, 12 Feb 2014 09:46:02 -0800
Subject: [PATCH] allow setting signature algorithm

---
 lib/hx509/ca.c | 43 ++++++++++++++++++++++++++++++++++--
 lib/hx509/hxtool-commands.in | 5 +++++
 lib/hx509/hxtool.c | 11 +++++++++
 lib/hx509/test_ca.in | 28 +++++++++++++++++++++++
 4 files changed, 85 insertions(+), 2 deletions(-)

diff --git a/lib/hx509/ca.c b/lib/hx509/ca.c
index 9dc52f8c0..46281e6c0 100644
--- a/lib/hx509/ca.c
+++ b/lib/hx509/ca.c
@@ -61,7 +61,7 @@ struct hx509_ca_tbs {
 CRLDistributionPoints crldp;
 heim_bit_string subjectUniqueID;
 heim_bit_string issuerUniqueID;
-
+ AlgorithmIdentifier *sigalg;
 };

 /**
@@ -109,6 +109,10 @@ hx509_ca_tbs_free(hx509_ca_tbs *tbs)
 der_free_bit_string(&(*tbs)->subjectUniqueID);
 der_free_bit_string(&(*tbs)->issuerUniqueID);
 hx509_name_free(&(*tbs)->subject);
+ if ((*tbs)->sigalg) {
+ free_AlgorithmIdentifier((*tbs)->sigalg);
+ free((*tbs)->sigalg);
+ }

 memset(*tbs, 0, sizeof(**tbs));
 free(*tbs);
@@ -904,6 +908,39 @@ hx509_ca_tbs_subject_expand(hx509_context context,
 return hx509_name_expand(context, tbs->subject, env);
 }

+/**
+ * Set signature algorithm on the to be signed certificate
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param sigalg signature algorithm to use
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_tbs_set_signature_algorithm(hx509_context context,
+ hx509_ca_tbs tbs,
+ const AlgorithmIdentifier *sigalg)
+{
+ int ret;
+
+ tbs->sigalg = calloc(1, sizeof(*tbs->sigalg));
+ if (tbs->sigalg == NULL) {
+ hx509_set_error_string(context, 0, ENOMEM, "Out of memory");
+ return ENOMEM;
+ }
+ ret = copy_AlgorithmIdentifier(sigalg, tbs->sigalg);
+ if (ret) {
+ free(tbs->sigalg);
+ tbs->sigalg = NULL;
+ return ret;
+ }
+ return 0;
+}
+
 /*
 *
 */
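Review bot: In hx509_ca_tbs_set_signature_algorithm, `tbs->sigalg = calloc(1, sizeof(*tbs->sigalg));` overwrites whatever an earlier call stored without releasing it, so calling the setter twice on the same tbs leaks the previous AlgorithmIdentifier. Building the copy in a local and swapping it in only after copy_AlgorithmIdentifier succeeds removes the leak and keeps the previously configured algorithm on failure, instead of dropping back to NULL and therefore to the library default in ca_sign. The copy-failure path also returns without calling hx509_set_error_string, unlike the allocation-failure path just above it.

```c
hx509_ca_tbs_set_signature_algorithm(hx509_context context,
				     hx509_ca_tbs tbs,
				     const AlgorithmIdentifier *sigalg)
{
    AlgorithmIdentifier *copy;
    int ret;

    copy = calloc(1, sizeof(*copy));
    if (copy == NULL) {
	hx509_set_error_string(context, 0, ENOMEM, "Out of memory");
	return ENOMEM;
    }
    ret = copy_AlgorithmIdentifier(sigalg, copy);
    if (ret) {
	free(copy);
	hx509_set_error_string(context, 0, ret,
			       "Failed to copy signature algorithm");
	return ret;
    }
    /* release an algorithm set by an earlier call before replacing it */
    if (tbs->sigalg) {
	free_AlgorithmIdentifier(tbs->sigalg);
	free(tbs->sigalg);
    }
    tbs->sigalg = copy;
    return 0;
}
```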
@@ -998,7 +1035,9 @@ ca_sign(hx509_context context,
 time_t notAfter;
 unsigned key_usage;

- sigalg = _hx509_crypto_default_sig_alg;
+ sigalg = tbs->sigalg;
+ if (sigalg == NULL)
+ sigalg = _hx509_crypto_default_sig_alg;

 memset(&c, 0, sizeof(c));

diff --git a/lib/hx509/hxtool-commands.in b/lib/hx509/hxtool-commands.in
index 64ca23f78..426746dfd 100644
--- a/lib/hx509/hxtool-commands.in
+++ b/lib/hx509/hxtool-commands.in
@@ -634,6 +634,11 @@ command = {
 type = "string"
 help = "Lifetime of certificate"
 }
+ option = {
+ long = "signature-algorithm"
+ type = "string"
+ help = "Signature algorithm to use"
+ }
 option = {
 long = "serial-number"
 type = "string"
diff --git a/lib/hx509/hxtool.c b/lib/hx509/hxtool.c
index f4720f63f..27c5e9212 100644
--- a/lib/hx509/hxtool.c
+++ b/lib/hx509/hxtool.c
@@ -1928,6 +1928,17 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
 if (ret)
 hx509_err(context, 1, ret, "hx509_ca_tbs_init");

+ if (opt->signature_algorithm_string) {
+ const AlgorithmIdentifier *sigalg;
+ if (strcasecmp(opt->signature_algorithm_string, "rsa-with-sha1") == 0)
+ sigalg = hx509_signature_rsa_with_sha1();
+ else if (strcasecmp(opt->signature_algorithm_string, "rsa-with-sha256") == 0)
+ sigalg = hx509_signature_rsa_with_sha256();
+ else
+ errx(1, "unsupported sigature algorith");
+ hx509_ca_tbs_set_signature_algorithm(context, tbs, sigalg);
+ }
+
 if (opt->template_certificate_string) {
 hx509_cert template;
 hx509_certs tcerts;
diff --git a/lib/hx509/test_ca.in b/lib/hx509/test_ca.in
index 2ca294ea7..0264116bb 100644
--- a/lib/hx509/test_ca.in
+++ b/lib/hx509/test_ca.in
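Review bot: The help string for the new `signature-algorithm` option in hxtool-commands.in does not say which values are accepted or what is used when the option is omitted, so an operator has to read hxtool.c to find out. The parser added in this commit accepts only `rsa-with-sha1` and `rsa-with-sha256`, and SHA-1 is no longer considered collision-resistant for certificate signatures, so the help text is the natural place to steer users toward SHA-256. Suggested wording: `help = "Signature algorithm to use (rsa-with-sha256 or rsa-with-sha1; SHA-1 is weak, prefer rsa-with-sha256)"`.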
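Review bot: In hxtool_ca the return value of `hx509_ca_tbs_set_signature_algorithm(context, tbs, sigalg);` is discarded, so if the call fails tbs->sigalg stays NULL and ca_sign falls back to the default algorithm: the certificate is issued with a different signature algorithm than the operator requested, and no error is reported. Check it the way the preceding hx509_ca_tbs_init call is checked, with `ret = hx509_ca_tbs_set_signature_algorithm(context, tbs, sigalg);` followed by `if (ret) hx509_err(context, 1, ret, "hx509_ca_tbs_set_signature_algorithm");`. The errx message is also misspelled; `errx(1, "unsupported signature algorithm: %s", opt->signature_algorithm_string);` fixes the spelling and names the rejected value. hxtool_ca starts and ends outside the hunk.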
@@ -421,4 +421,32 @@ ${hxtool} verify --missing-revoke \
 cert:FILE:cert-ee.pem \
 anchor:FILE:cert-ca.pem > /dev/null || exit 1

+echo "+++++++++++ test sigalg"
+
+echo "issue cert with sha256"
+${hxtool} issue-certificate \
+ --ca-certificate=FILE:cert-ca.pem \
+ --signature-algorithm=rsa-with-sha256 \
+ --subject="cn=foo" \
+ --req="PKCS10:pkcs10-request.der" \
+ --certificate="FILE:cert-ee.pem" || exit 1
+
+echo "verify certificate"
+${hxtool} verify --missing-revoke \
+ cert:FILE:cert-ee.pem \
+ anchor:FILE:cert-ca.pem > /dev/null || exit 1
+
+echo "issue cert with sha1"
+${hxtool} issue-certificate \
+ --ca-certificate=FILE:cert-ca.pem \
+ --signature-algorithm=rsa-with-sha1 \
+ --subject="cn=foo" \
+ --req="PKCS10:pkcs10-request.der" \
+ --certificate="FILE:cert-ee.pem" || exit 1
+
+echo "verify certificate"
+${hxtool} verify --missing-revoke \
+ cert:FILE:cert-ee.pem \
+ anchor:FILE:cert-ca.pem > /dev/null || exit 1
+
 exit 0
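Review bot: The two new cases only check that issue-certificate and verify exit successfully; neither checks which signature algorithm actually ended up in cert-ee.pem. Both would still pass if `--signature-algorithm` were parsed but ignored and the default algorithm used, which is the regression this option most needs guarding against. Consider adding a step after each issue that inspects the signatureAlgorithm of the issued certificate and fails on a mismatch. A negative case is also missing: an unknown name should make the tool exit non-zero, for example `${hxtool} issue-certificate --ca-certificate=FILE:cert-ca.pem --signature-algorithm=no-such-alg --subject="cn=foo" --req="PKCS10:pkcs10-request.der" --certificate="FILE:cert-ee.pem" 2>/dev/null && exit 1`.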