diff options
| author | Julien Rische <jrische@redhat.com> | 2023-06-21 18:27:11 +0200 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2023-07-24 13:04:19 -0400 |
| commit | 9913e5c92c4e5cb76d6ae58386f744766d2e6454 (patch) | |
| tree | 0ef62dad278da446bc4baa6d5db70caef7ddf569 | |
| parent | 4b9d7f7c107f01a61600fddcd8cde3812d0366a2 (diff) | |
| download | krb5-9913e5c92c4e5cb76d6ae58386f744766d2e6454.zip krb5-9913e5c92c4e5cb76d6ae58386f744766d2e6454.tar.gz krb5-9913e5c92c4e5cb76d6ae58386f744766d2e6454.tar.bz2 | |
Add ecdsa-with-sha512/256 to supportedCMSTypes
Elliptic curve certificates are already supported for PKINIT
pre-authentication, but their associated signature types aren't
advertized. Add ecdsa-with-sha512 and ecdsa-with-sha256 OIDs to the
supportedCMSTypes list sent by the client.
[ghudson@mit.edu: edited commit message]
ticket: 9100 (new)
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit_constants.c | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_constants.c b/src/plugins/preauth/pkinit/pkinit_constants.c index 10f8688..905e90d 100644 --- a/src/plugins/preauth/pkinit/pkinit_constants.c +++ b/src/plugins/preauth/pkinit/pkinit_constants.c @@ -64,14 +64,52 @@ static char sha512WithRSAEncr_oid[9] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0d }; +/* RFC 3279 ecdsa-with-SHA1: iso(1) member-body(2) us(840) ansi-X9-62(10045) + * signatures(4) 1 */ +static char ecdsaWithSha1_oid[] = { + 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x01 +}; + +/* RFC 5758 ecdsa-with-SHA256: iso(1) member-body(2) us(840) ansi-X9-62(10045) + * signatures(4) ecdsa-with-SHA2(3) 2 */ +static char ecdsaWithSha256_oid[] = { + 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02 +}; + +/* RFC 5758 ecdsa-with-SHA384: iso(1) member-body(2) us(840) ansi-X9-62(10045) + * signatures(4) ecdsa-with-SHA2(3) 3 */ +static char ecdsaWithSha384_oid[] = { + 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x03 +}; + +/* RFC 5758 ecdsa-with-SHA512: iso(1) member-body(2) us(840) ansi-X9-62(10045) + * signatures(4) ecdsa-with-SHA2(3) 4 */ +static char ecdsaWithSha512_oid[] = { + 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04 +}; + const krb5_data sha256WithRSAEncr_id = { KV5M_DATA, sizeof(sha256WithRSAEncr_oid), sha256WithRSAEncr_oid }; const krb5_data sha512WithRSAEncr_id = { KV5M_DATA, sizeof(sha512WithRSAEncr_oid), sha512WithRSAEncr_oid }; +const krb5_data ecdsaWithSha1_id = { + KV5M_DATA, sizeof(ecdsaWithSha1_oid), ecdsaWithSha1_oid +}; +const krb5_data ecdsaWithSha256_id = { + KV5M_DATA, sizeof(ecdsaWithSha256_oid), ecdsaWithSha256_oid +}; +const krb5_data ecdsaWithSha384_id = { + KV5M_DATA, sizeof(ecdsaWithSha384_oid), ecdsaWithSha384_oid +}; +const krb5_data ecdsaWithSha512_id = { + KV5M_DATA, sizeof(ecdsaWithSha512_oid), ecdsaWithSha512_oid +}; krb5_data const * const supported_cms_algs[] = { + &ecdsaWithSha512_id, + &ecdsaWithSha256_id, &sha512WithRSAEncr_id, &sha256WithRSAEncr_id, NULL |