morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-14 00:14:32 +09:00
Code Issues Packages Projects Releases Wiki Activity

keyutil: add parameter to specify hash algorithm used for PKCS#1 signature

Browse Source
This commit is contained in:
Dan Streetman
2025-03-08 16:47:45 -05:00
parent 768a297c42
commit 103fa98f84
2 changed files with 24 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
man/systemd-keyutil.xml
View File

@@ -72,7 +72,9 @@
<option>--signature=</option> in a PKCS#7 signature using the certificate given with
<option>--certificate=</option> and writes it to the file specified with <option>--output=</option>
in PKCS#7 format (p7s). If <option>--content=</option> is provided it is included in the p7s,
otherwise a "detached" signature is created.</para>
otherwise a "detached" signature is created. The <option>--hash-algorithm=</option> option, which
defaults to <literal>SHA256</literal>, specifies what hash algorithm was used to generate the
signature.</para>
<xi:include href="version-info.xml" xpointer="v258"/></listitem>
</varlistentry>
@@ -119,6 +121,17 @@
<xi:include href="version-info.xml" xpointer="v258"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--hash-algorithm=<replaceable>ALGORITHM</replaceable></option></term>
<listitem><para>Hash algorithm used to generate the PKCS#1 signature for the <command>pkcs7</command>
command. This should be a valid openssl digest algorithm; use <literal>openssl list
-digest-algorithms</literal> to see a list of valid algorithms on your system. Defaults to
<literal>SHA256</literal>.</para>
<xi:include href="version-info.xml" xpointer="v258"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--output=<replaceable>PATH</replaceable></option></term>

11
src/keyutil/keyutil.c
View File

@@ -26,6 +26,7 @@ static char *arg_certificate_source = NULL;
static CertificateSourceType arg_certificate_source_type = OPENSSL_CERTIFICATE_SOURCE_FILE;
static char *arg_signature = NULL;
static char *arg_content = NULL;
static char *arg_hash_algorithm = NULL;
static char *arg_output = NULL;
STATIC_DESTRUCTOR_REGISTER(arg_private_key, freep);
@@ -66,6 +67,8 @@ static int help(int argc, char *argv[], void *userdata) {
" from an OpenSSL provider\n"
" --content=PATH Raw data content to embed in PKCS#7 signature\n"
" --signature=PATH PKCS#1 signature to embed in PKCS#7 signature\n"
" --hash-algorithm=ALGORITHM\n"
" Hash algorithm used to create the PKCS#1 signature\n"
" --output=PATH Where to write the PKCS#7 signature\n"
"\nSee the %2$s for details.\n",
program_invocation_short_name,
@@ -87,6 +90,7 @@ static int parse_argv(int argc, char *argv[]) {
ARG_CERTIFICATE_SOURCE,
ARG_SIGNATURE,
ARG_CONTENT,
ARG_HASH_ALGORITHM,
ARG_OUTPUT,
};
@@ -99,6 +103,7 @@ static int parse_argv(int argc, char *argv[]) {
{ "certificate-source", required_argument, NULL, ARG_CERTIFICATE_SOURCE },
{ "signature", required_argument, NULL, ARG_SIGNATURE },
{ "content", required_argument, NULL, ARG_CONTENT },
{ "hash-algorithm", required_argument, NULL, ARG_HASH_ALGORITHM },
{ "output", required_argument, NULL, ARG_OUTPUT },
{}
};
@@ -164,6 +169,10 @@ static int parse_argv(int argc, char *argv[]) {
break;
case ARG_HASH_ALGORITHM:
arg_hash_algorithm = optarg;
break;
case ARG_OUTPUT:
r = parse_path_argument(optarg, /*suppress_root=*/ false, &arg_output);
if (r < 0)
@@ -355,7 +364,7 @@ static int verb_pkcs7(int argc, char *argv[], void *userdata) {
_cleanup_(PKCS7_freep) PKCS7 *pkcs7 = NULL;
PKCS7_SIGNER_INFO *signer_info;
r = pkcs7_new(certificate, /* private_key= */ NULL, /* hash_algorithm= */ NULL, &pkcs7, &signer_info);
r = pkcs7_new(certificate, /* private_key= */ NULL, arg_hash_algorithm, &pkcs7, &signer_info);
if (r < 0)
return log_error_errno(r, "Failed to allocate PKCS#7 context: %m");