Allow to specify the CSR's digest algorithm

4 years ago · bea33179d7
7 changed files with 62 additions and 14 deletions
--- a/acme_common/src/crypto/openssl_certificate.rs
+++ b/acme_common/src/crypto/openssl_certificate.rs
@ -19,12 +19,32 @@ const CRT_SERIAL_NB_BITS: i32 = 32;
 const CRT_NB_DAYS_VALIDITY: u32 = 7;
 const INVALID_EXT_MSG: &str = "Invalid acmeIdentifier extension.";

+fn get_digest(digest: HashFunction, key_pair: &KeyPair) -> MessageDigest {
+    #[cfg(not(any(ed25519, ed448)))]
+    let digest = digest.native_digest();
+    let _ = key_pair;
+    #[cfg(any(ed25519, ed448))]
+    let digest = match key_pair.key_type {
+        #[cfg(ed25519)]
+        KeyType::Ed25519 => MessageDigest::null(),
+        #[cfg(ed448)]
+        KeyType::Ed448 => MessageDigest::null(),
+        _ => digest.native_digest(),
+    };
+    digest
+}
+
 pub struct Csr {
    inner_csr: X509Req,
 }

 impl Csr {
-    pub fn new(key_pair: &KeyPair, domains: &[String], ips: &[String]) -> Result<Self, Error> {
+    pub fn new(
+        key_pair: &KeyPair,
+        digest: HashFunction,
+        domains: &[String],
+        ips: &[String],
+    ) -> Result<Self, Error> {
        let mut builder = X509ReqBuilder::new()?;
        builder.set_pubkey(&key_pair.inner_key)?;
        let ctx = builder.x509v3_context(None);
@ -39,7 +59,8 @@ impl Csr {
        let mut ext_stack = Stack::new()?;
        ext_stack.push(san)?;
        builder.add_extensions(&ext_stack)?;
-        builder.sign(&key_pair.inner_key, MessageDigest::sha256())?;
+        let digest = get_digest(digest, key_pair);
+        builder.sign(&key_pair.inner_key, digest)?;
        Ok(Csr {
            inner_csr: builder.build(),
        })
@ -50,6 +71,11 @@ impl Csr {
        let csr = b64_encode(&csr);
        Ok(csr)
    }
+
+    pub fn to_pem(&self) -> Result<String, Error> {
+        let csr = self.inner_csr.to_pem()?;
+        Ok(String::from_utf8(csr)?)
+    }
 }

 pub struct X509Certificate {
@ -74,16 +100,7 @@ impl X509Certificate {
        digest: HashFunction,
    ) -> Result<(KeyPair, Self), Error> {
        let key_pair = gen_keypair(key_type)?;
-        #[cfg(not(any(ed25519, ed448)))]
-        let digest = digest.native_digest();
-        #[cfg(any(ed25519, ed448))]
-        let digest = match key_pair.key_type {
-            #[cfg(ed25519)]
-            KeyType::Ed25519 => MessageDigest::null(),
-            #[cfg(ed448)]
-            KeyType::Ed448 => MessageDigest::null(),
-            _ => digest.native_digest(),
-        };
+        let digest = get_digest(digest, &key_pair);
        let inner_cert = gen_certificate(domain, &key_pair, &digest, acme_ext)?;
        let cert = X509Certificate { inner_cert };
        Ok((key_pair, cert))
--- a/acmed/src/acme_proto.rs
+++ b/acmed/src/acme_proto.rs
@ -171,8 +171,15 @@ pub fn request_certificate(
        .filter(|e| e.id_type == IdentifierType::Ip)
        .map(|e| e.value.to_owned())
        .collect();
+    let csr = Csr::new(
+        &key_pair,
+        cert.csr_digest,
+        domains.as_slice(),
+        ips.as_slice(),
+    )?;
+    cert.trace(&format!("New CSR:\n{}", csr.to_pem()?));
    let csr = json!({
-        "csr": Csr::new(&key_pair, domains.as_slice(), ips.as_slice())?.to_der_base64()?,
+        "csr": csr.to_der_base64()?,
    });
    let csr = csr.to_string();
    let data_builder = set_data_builder!(account, csr.as_bytes());
--- a/acmed/src/certificate.rs
+++ b/acmed/src/certificate.rs
@ -3,7 +3,7 @@ use crate::acme_proto::Challenge;
 use crate::hooks::{self, ChallengeHookData, Hook, HookEnvData, HookType, PostOperationHookData};
 use crate::identifier::{Identifier, IdentifierType};
 use crate::storage::{certificate_files_exists, get_certificate};
-use acme_common::crypto::X509Certificate;
+use acme_common::crypto::{HashFunction, X509Certificate};
 use acme_common::error::Error;
 use log::{debug, info, trace, warn};
 use std::collections::{HashMap, HashSet};
@ -47,6 +47,7 @@ pub struct Certificate {
    pub account: Account,
    pub identifiers: Vec<Identifier>,
    pub algo: Algorithm,
+    pub csr_digest: HashFunction,
    pub kp_reuse: bool,
    pub endpoint_name: String,
    pub hooks: Vec<Hook>,
--- a/acmed/src/config.rs
+++ b/acmed/src/config.rs
@ -2,6 +2,7 @@ use crate::certificate::Algorithm;
 use crate::duration::parse_duration;
 use crate::hooks;
 use crate::identifier::IdentifierType;
+use acme_common::crypto::HashFunction;
 use acme_common::error::Error;
 use glob::glob;
 use log::info;
@ -298,6 +299,7 @@ pub struct Certificate {
    pub endpoint: String,
    pub identifiers: Vec<Identifier>,
    pub algorithm: Option<String>,
+    pub csr_digest: Option<String>,
    pub kp_reuse: Option<bool>,
    pub directory: Option<String>,
    pub name: Option<String>,
@ -328,6 +330,13 @@ impl Certificate {
        Algorithm::from_str(algo)
    }

+    pub fn get_csr_digest(&self) -> Result<HashFunction, Error> {
+        match &self.csr_digest {
+            Some(d) => d.parse(),
+            None => Ok(crate::DEFAULT_CSR_DIGEST),
+        }
+    }
+
    pub fn get_identifiers(&self) -> Result<Vec<crate::identifier::Identifier>, Error> {
        let mut ret = vec![];
        for id in self.identifiers.iter() {
--- a/acmed/src/main.rs
+++ b/acmed/src/main.rs
@ -1,4 +1,5 @@
 use crate::main_event_loop::MainEventLoop;
+use acme_common::crypto::HashFunction;
 use acme_common::logs::{set_log_system, DEFAULT_LOG_LEVEL};
 use acme_common::{clean_pid_file, crypto, init_server};
 use clap::{App, Arg};
@ -26,6 +27,7 @@ pub const DEFAULT_CERT_DIR: &str = "/etc/acmed/certs";
 pub const DEFAULT_CERT_FORMAT: &str = "{{name}}_{{algo}}.{{file_type}}.{{ext}}";
 pub const DEFAULT_SLEEP_TIME: u64 = 3600;
 pub const DEFAULT_POOL_TIME: u64 = 5000;
+pub const DEFAULT_CSR_DIGEST: HashFunction = HashFunction::Sha256;
 pub const DEFAULT_CERT_FILE_MODE: u32 = 0o644;
 pub const DEFAULT_CERT_RENEW_DELAY: u64 = 1_814_400; // 1_814_400 is 3 weeks (3 * 7 * 24 * 60 * 60)
 pub const DEFAULT_PK_FILE_MODE: u32 = 0o600;
--- a/acmed/src/main_event_loop.rs
+++ b/acmed/src/main_event_loop.rs
@ -48,6 +48,7 @@ impl MainEventLoop {
                account: crt.get_account(&cnf)?,
                identifiers: crt.get_identifiers()?,
                algo: crt.get_algorithm()?,
+                csr_digest: crt.get_csr_digest()?,
                kp_reuse: crt.get_kp_reuse(),
                endpoint_name: endpoint_name.clone(),
                hooks: crt.get_hooks(&cnf)?,
--- a/man/en/acmed.toml.5
+++ b/man/en/acmed.toml.5
@ -239,6 +239,17 @@ ecdsa_p256
 .It
 ecdsa_p384
 .El
+.It Ic csr_digest Ar string
+Name of the certificate's signing request digest algorithm. Possible values are :
+.Bl -dash -compact
+.It
+sha256
+.Aq default
+.It
+sha384
+.It
+sha512
+.El
 .It Ic kp_reuse Ar boolean
 Set whether or not the private key should be reused when renewing the certificate. Default is false.
 .It Ic directory Ar string