Improve programs/cert_write with a way to set the signature digest

This is useful for generating SHA-1 and MD5 certificates for test
purposes.  I guess RSA-PSS could be added too, but I don't need that
now.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c
index da0a624..e0d88b2 100644
--- a/programs/x509/cert_write.c
+++ b/programs/x509/cert_write.c
@@ -85,6 +85,7 @@
 #define DFL_SELFSIGN            0
 #define DFL_IS_CA               0
 #define DFL_MAX_PATHLEN         -1
+#define DFL_SIG_ALG             MBEDTLS_MD_SHA256
 #define DFL_KEY_USAGE           0
 #define DFL_EXT_KEY_USAGE       0
 #define DFL_NS_CERT_TYPE        0
@@ -134,6 +135,7 @@
     "    basic_constraints=%%d    default: 1\n"             \
     "                            Possible values: 0, 1\n"   \
     "                            (Considered for v3 only)\n"\
+    "    sig_alg=%%s              default: SHA-256\n"       \
     "    key_usage=%%s            default: (empty)\n"       \
     "                            Comma-separated-list of values:\n"     \
     "                            digital_signature\n"     \
@@ -189,6 +191,7 @@
     int basic_constraints;      /* add basic constraints ext to CRT     */
     int version;                /* CRT version                          */
     mbedtls_md_type_t md;       /* Hash used for signing                */
+    mbedtls_md_type_t sig_alg;  /* MD to use generating signature       */
     unsigned char key_usage;    /* key usage flags                      */
     mbedtls_asn1_sequence *ext_key_usage; /* extended key usages        */
     unsigned char ns_cert_type; /* NS cert type                         */
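Review bot: The new `sig_alg` field duplicates the purpose of the existing `md` field on the line above it, which is already commented as "Hash used for signing". If `opt.md` is also passed to `mbedtls_x509write_crt_set_md_alg()` elsewhere in the file (not visible in this diff), the unconditional call added in the last hunk would override it or be overridden by it, depending on order, so the digest used for signing might not be the one the user asked for. Reusing `opt.md` for the new option would leave a single source of truth; at minimum the comment should say how the two relate, e.g. `/* digest for the certificate signature, set by sig_alg= */`. The struct definition starts and ends outside the hunk.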
@@ -284,6 +287,7 @@
     opt.selfsign            = DFL_SELFSIGN;
     opt.is_ca               = DFL_IS_CA;
     opt.max_pathlen         = DFL_MAX_PATHLEN;
+    opt.sig_alg             = DFL_SIG_ALG;
     opt.key_usage           = DFL_KEY_USAGE;
     opt.ext_key_usage       = DFL_EXT_KEY_USAGE;
     opt.ns_cert_type        = DFL_NS_CERT_TYPE;
@@ -413,6 +417,17 @@
                 goto usage;
             }
         }
+        else if( strcmp( p, "sig_alg") == 0 )
+        {
+            if( strcmp( q, "SHA-1" ) == 0 )
+                opt.sig_alg = MBEDTLS_MD_SHA1;
+            else if( strcmp( q, "SHA-256" ) == 0 )
+                opt.sig_alg = MBEDTLS_MD_SHA256;
+            else if( strcmp( q, "MD5" ) == 0 )
+                opt.sig_alg = MBEDTLS_MD_MD5;
+            else
+                goto usage;
+        }
         else if( strcmp( p, "key_usage" ) == 0 )
         {
             while( q != NULL )
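Review bot: The `sig_alg` branch accepts `MD5` and `SHA-1` silently, so nothing in the tool's output shows that a certificate signed with a broken digest is fit only for tests. Consider printing a notice when either is chosen, e.g. `mbedtls_printf( "  ! %s is a weak digest; use this certificate for testing only\n", q );`. Consider also rejecting a value whose module is compiled out, since the last hunk's context shows `MBEDTLS_SHA1_C` is a build option and the failure would otherwise presumably surface only when the certificate is written. The usage text added in the second hunk gives only the default; listing `SHA-1, SHA-256, MD5` as possible values, as the `basic_constraints` entry does, would spare users a trip through `goto usage`. This branch sits in an option-parsing chain that starts and ends outside the hunk.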
@@ -732,6 +747,8 @@
         mbedtls_printf( " ok\n" );
     }
 
+    mbedtls_x509write_crt_set_md_alg( &crt, opt.sig_alg );
+
 #if defined(MBEDTLS_SHA1_C)
     if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
         opt.subject_identifier != 0 )