From eff685891bb74340fef349265e3c591e227c231b Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Feb 11 2010 22:36:36 +0000
Subject: - start working on making the preferred ciphers and hashes configurable
---
diff --git a/src/Makefile.am b/src/Makefile.am
index 0bfaccf..7a09948 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -43,6 +43,7 @@ libcm_a_SOURCES = \
 pin.h \
 prefs.c \
 prefs.h \
+ prefs-int.h \
 store-files.c \
 store-gen.c \
 store.h \
diff --git a/src/csrgen-n.c b/src/csrgen-n.c
index e240c1b..821ad5f 100644
--- a/src/csrgen-n.c
+++ b/src/csrgen-n.c
@@ -285,7 +285,7 @@ cm_csrgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 _exit(2);
 }
 /* Sign the request using the private key. */
- sigoid = SECOID_FindOIDByTag(cm_prefs_nss_sig_alg());
+ sigoid = SECOID_FindOIDByTag(cm_prefs_nss_sig_alg(pubkey));
 memset(&sreq, 0, sizeof(sreq));
 sreq.data = ereq;
 if (SECOID_SetAlgorithmID(arena, &sreq.signatureAlgorithm,
diff --git a/src/prefs-int.h b/src/prefs-int.h
new file mode 100644
index 0000000..fafdfed
--- /dev/null
+++ b/src/prefs-int.h
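Review bot: The result of `cm_prefs_nss_sig_alg(pubkey)` in the csrgen-n.c hunk goes straight into `SECOID_FindOIDByTag()` although the reworked function in prefs.c now returns `SEC_OID_UNKNOWN` for every key type other than `nullKey` and `rsaKey`, and no check is visible before `SECOID_SetAlgorithmID()`. I would keep the tag in a local and stop with a logged error when it equals `SEC_OID_UNKNOWN`, rather than relying on the lookup to fail. The second submit-sn.c hunk has the same shape; its `sigoid == NULL` test only helps if the lookup really returns NULL for the unknown tag, which should be confirmed against NSS. The body of cm_csrgen_n_main continues outside this hunk, so where `pubkey` is obtained and whether it can be NULL here is not visible.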
@@ -0,0 +1,36 @@ +/* + * Copyright (C) 2010 Red Hat, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +#ifndef cmprefsint_h +#define cmprefsint_h + +enum cm_prefs_cipher { + cm_prefs_aes128, + cm_prefs_aes256, +}; + +enum cm_prefs_digest { + cm_prefs_sha256, + cm_prefs_sha384, + cm_prefs_sha512, + cm_prefs_sha1, +}; + +enum cm_prefs_cipher cm_prefs_preferred_cipher(void); +enum cm_prefs_digest cm_prefs_preferred_digest(void); + +#endif diff --git a/src/prefs-o.c b/src/prefs-o.c index bb7ccc8..d597d66 100644 --- a/src/prefs-o.c +++ b/src/prefs-o.c @@ -17,19 +17,44 @@ #include "config.h" +#include + #include #include "prefs.h" +#include "prefs-int.h" #include "prefs-o.h" const EVP_MD * cm_prefs_ossl_hash(void) { + switch (cm_prefs_preferred_digest()) { + case cm_prefs_sha1: + return EVP_sha1(); + break; + case cm_prefs_sha256: + return EVP_sha256(); + break; + case cm_prefs_sha384: + return EVP_sha384(); + break; + case cm_prefs_sha512: + return EVP_sha512(); + break; + } return EVP_sha256(); } const EVP_CIPHER * cm_prefs_ossl_cipher(void) { + switch (cm_prefs_preferred_cipher()) { + case cm_prefs_aes128: + return EVP_aes_128_cbc(); + break; + case cm_prefs_aes256: + return EVP_aes_256_cbc(); + break; + } return EVP_aes_128_cbc(); } diff --git a/src/prefs.c b/src/prefs.c index 55924be..7d09542 100644 --- a/src/prefs.c +++ b/src/prefs.c 
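Review bot: `cm_prefs_sha1` is listed in `enum cm_prefs_digest` as a peer of the SHA-2 values with nothing marking it as a legacy choice. Once the preference is actually read from configuration, selecting it makes prefs.c return `SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION` for request signatures, a digest that is no longer collision resistant. I would add a comment on the enumerator along the lines of `/* legacy compatibility only; must never be the built-in default */` and state in the header that `cm_prefs_preferred_digest()` defaults to SHA-256. The two enums and both prototypes have no comments at all; one line each saying what the preference governs (signing digest, key-file encryption cipher) would make the intent reviewable.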
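Review bot: Every `return` inside the two switches in prefs-o.c is followed by an unreachable `break;`, and the trailing `return EVP_sha256();` and `return EVP_aes_128_cbc();` silently repeat defaults that prefs.c already encodes in `cm_prefs_preferred_digest()` and `cm_prefs_preferred_cipher()`. I would drop the dead `break;` lines and mark each trailing return with a comment such as `/* not reached for a valid enumerator; keep in step with the default in prefs.c */`. Leaving out `default:` is worth keeping as it is, since it lets the compiler warn when an enumerator is added without a matching case.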
@@ -18,12 +18,66 @@ #include "config.h" #include +#include +#include #include #include "prefs.h" +#include "prefs-int.h" + +enum cm_prefs_cipher +cm_prefs_preferred_cipher(void) +{ + return cm_prefs_aes128; +} + +enum cm_prefs_digest +cm_prefs_preferred_digest(void) +{ + return cm_prefs_sha256; +} unsigned int -cm_prefs_nss_sig_alg(void) +cm_prefs_nss_sig_alg(SECKEYPublicKey *pkey) { - return SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION; + switch (pkey->keyType) { + case nullKey: + switch (cm_prefs_preferred_digest()) { + case cm_prefs_sha1: + return SEC_OID_SHA1; + break; + case cm_prefs_sha256: + return SEC_OID_SHA256; + break; + case cm_prefs_sha384: + return SEC_OID_SHA384; + break; + case cm_prefs_sha512: + return SEC_OID_SHA512; + break; + } + return SEC_OID_SHA256; + break; + break; + case rsaKey: + switch (cm_prefs_preferred_digest()) { + case cm_prefs_sha1: + return SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION; + break; + case cm_prefs_sha256: + return SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION; + break; + case cm_prefs_sha384: + return SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION; + break; + case cm_prefs_sha512: + return SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION; + break; + } + return SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION; + break; + default: + return SEC_OID_UNKNOWN; + break; + } } diff --git a/src/prefs.h b/src/prefs.h index 355d6d4..d53410c 100644 --- a/src/prefs.h +++ b/src/prefs.h @@ -18,6 +18,6 @@ #ifndef cmprefs_h #define cmprefs_h -unsigned int cm_prefs_nss_sig_alg(void); +unsigned int cm_prefs_nss_sig_alg(SECKEYPublicKey *pkey); #endif diff --git a/src/submit-sn.c b/src/submit-sn.c index ff58483..7358390 100644 --- a/src/submit-sn.c +++ b/src/submit-sn.c 
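Review bot: `cm_prefs_nss_sig_alg()` in prefs.c dereferences `pkey->keyType` without checking `pkey`, so a caller that passes a failed key lookup crashes here instead of getting an error value; a guard such as `if (pkey == NULL) return SEC_OID_UNKNOWN;` at the top would keep the failure on the existing error path. The `nullKey` arm returns bare digest identifiers (`SEC_OID_SHA256` and friends), which name a hash rather than a signature algorithm, yet both callers feed the result into a signature-algorithm lookup. If that arm is intentional it needs a comment saying when a `nullKey` key is expected, otherwise returning `SEC_OID_UNKNOWN` there looks safer. A short header comment stating that the function returns `SEC_OID_UNKNOWN` for unsupported key types would tell callers what to test for.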
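Review bot: The new prototype in prefs.h uses `SECKEYPublicKey`, but the hunk adds no include or forward declaration, so the header compiles only if every includer has already pulled in the NSS key types. The extra `#include` lines added ahead of `#include "prefs.h"` in prefs.c and prefs-o.c suggest that is how it is being handled, which also forces the OpenSSL-side file to see NSS headers. I would make prefs.h self-contained by including the NSS header that declares the type (`keythi.h`, to be confirmed against the NSS version in use) inside the include guard. Since the function only reads `keyType`, `const SECKEYPublicKey *pkey` would also document that the key is not modified.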
@@ -62,6 +62,7 @@ cm_submit_sn_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 SECStatus error;
 SECItem *esdata = NULL, *ecert = NULL;
 SECKEYPrivateKey *privkey;
+ SECKEYPublicKey *pubkey;
 CERTCertificate *ucert = NULL;
 CERTCertExtension **extensions;
 CERTCertificateRequest *req = NULL, sreq;
@@ -118,7 +119,12 @@ cm_submit_sn_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 } else {
 data = &sdata;
 }
- sigoid = SECOID_FindOIDByTag(cm_prefs_nss_sig_alg());
+ pubkey = SECKEY_ConvertToPublicKey(privkey);
+ if (pubkey == NULL) {
+ cm_log(1, "Unable to convert private key to public key.\n");
+ _exit(1);
+ }
+ sigoid = SECOID_FindOIDByTag(cm_prefs_nss_sig_alg(pubkey));
 if (sigoid == NULL) {
 cm_log(1, "Internal error resolving signature OID.\n");
 _exit(1);
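Review bot: The `pubkey` obtained from `SECKEY_ConvertToPublicKey(privkey)` in the second hunk is never released in the lines shown, and it is needed only to read the key type inside `cm_prefs_nss_sig_alg()`. I would capture the tag and free the key straight away, for example `sigalg = cm_prefs_nss_sig_alg(pubkey); SECKEY_DestroyPublicKey(pubkey);` followed by the lookup on `sigalg` (a new local). The function continues outside the hunk, so a later release may already exist, and the leak matters less if this code only ever runs in a short-lived helper process that ends with `_exit()`.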