Merge pull request #30 from toddgaunt-gs/feature/add-hash-algo-support

Add support for adding certificate signature algorithms to requests
globalsign · Jul 25, 2023 · a791565 · a791565
2 parents ecd095e + 1007486
commit a791565
Show file tree

Hide file tree

Showing 8 changed files with 45 additions and 0 deletions.
diff --git a/client_int_test.go b/client_int_test.go
@@ -1,3 +1,4 @@
+//go:build integration
 // +build integration
 
 /*

diff --git a/client_relogin_test.go b/client_relogin_test.go
@@ -1,3 +1,4 @@
+//go:build integration
 // +build integration
 
 /*

diff --git a/cmd/hvclient/flags.go b/cmd/hvclient/flags.go
@@ -86,6 +86,12 @@ var (
 
 var fEKUs = flag.String("ekus", "", "extended key usages")
 
+// Signature flags.
+var (
+	fSigAlg  = flag.String("sigalg", "", `signature algorithm to use (e.g. "" to use policy default or specify one of, "RSA", "RSA-PSS", or, "ECDSA")`)
+	fSigHash = flag.String("sighash", "", `signature hash algorithm to use (e.g. "" to use policy default or specify one of, "SHA-256", "SHA-384", or "SHA-512")`)
+)
+
 // Time window flags.
 var (
 	fFrom  = flag.String("from", "", "start of the time window in layout "+defaultTimeLayout+" (default: 30 days ago)")

diff --git a/cmd/hvclient/help.go b/cmd/hvclient/help.go
@@ -113,6 +113,12 @@ Certificate request options:
     -ekus=<string>                Comma-separated list of extended key usage
                                   OIDs, e.g. "1.3.6.1.5.5.7.3.2"
 
+    -sigalg=<string>              An algorithm name to be used for the certificate
+                                  signature e.g. "RSA", "RSA-PSS", or "ECDSA"
+
+    -sighash=<string>             An algorithm name to be used for the certificate
+                                  signature hash e.g. "SHA-256", "SHA-384", or "SHA-512"
+
     -template=<file>              Read values from the specified JSON-encoded
                                   file. Options specified at the command line
                                   override or append to the values in this

diff --git a/cmd/hvclient/request_builders.go b/cmd/hvclient/request_builders.go
@@ -37,6 +37,8 @@ type requestValues struct {
 	subject    subjectValues
 	san        sanValues
 	ekus       string
+	sigAlg     string
+	sigHash    string
 	publickey  string
 	privatekey string
 	csr        string
@@ -138,6 +140,15 @@ func buildRequest(reqinfo *requestValues) (*hvclient.Request, error) {
 		return nil, err
 	}
 
+	// Only add the signature hash algorithm if specified, otherwise we don't
+	// want to bother sending out an object.
+	if reqinfo.sigAlg != "" || reqinfo.sigHash != "" {
+		request.Signature = &hvclient.Signature{
+			Algorithm:     reqinfo.sigAlg,
+			HashAlgorithm: reqinfo.sigHash,
+		}
+	}
+
 	if request.PublicKey, request.PrivateKey, request.CSR, err = getKeys(
 		reqinfo.publickey,
 		reqinfo.privatekey,

diff --git a/cmd/hvclient/request_cert.go b/cmd/hvclient/request_cert.go
@@ -61,6 +61,8 @@ func requestCert(clnt *hvclient.Client) error {
 				uris:     *fURIs,
 			},
 			ekus:       *fEKUs,
+			sigAlg:     *fSigAlg,
+			sigHash:    *fSigHash,
 			publickey:  *fPublicKey,
 			privatekey: *fPrivateKey,
 			csr:        *fCSR,

diff --git a/request.go b/request.go
@@ -68,6 +68,7 @@ type Request struct {
 	QualifiedStatements *QualifiedStatements
 	MSExtension         *MSExtension
 	CustomExtensions    []OIDAndString
+	Signature           *Signature
 	CSR                 *x509.CertificateRequest
 	PrivateKey          interface{}
 	PublicKey           interface{}
@@ -154,6 +155,12 @@ type MSExtension struct {
 	MinorVersion int
 }
 
+// Signature contains the names of the algorithms used to sign the certificate.
+type Signature struct {
+	Algorithm     string `json:"algorithm,omitempty"`
+	HashAlgorithm string `json:"hash_algorithm,omitempty"`
+}
+
 // jsonRequest is used internally for JSON marshalling/unmarshalling.
 type jsonRequest struct {
 	Validity            *Validity            `json:"validity,omitempty"`
@@ -164,6 +171,7 @@ type jsonRequest struct {
 	QualifiedStatements *QualifiedStatements `json:"qualified_statements,omitempty"`
 	MSExtension         *MSExtension         `json:"ms_extension_template,omitempty"`
 	CustomExtensions    json.RawMessage      `json:"custom_extensions,omitempty"`
+	Signature           *Signature           `json:"signature,omitempty"`
 	PublicKey           string               `json:"public_key,omitempty"`
 	PublicKeySignature  string               `json:"public_key_signature,omitempty"`
 }
@@ -384,6 +392,7 @@ func (r Request) MarshalJSON() ([]byte, error) {
 		QualifiedStatements: r.QualifiedStatements,
 		MSExtension:         r.MSExtension,
 		CustomExtensions:    raw,
+		Signature:           r.Signature,
 		PublicKey:           publicKey,
 		PublicKeySignature:  publicKeySig,
 	})
@@ -448,6 +457,7 @@ func (r *Request) UnmarshalJSON(b []byte) error {
 		QualifiedStatements: jsonreq.QualifiedStatements,
 		MSExtension:         jsonreq.MSExtension,
 		CustomExtensions:    exts,
+		Signature:           jsonreq.Signature,
 	}
 
 	return nil

diff --git a/request_test.go b/request_test.go
@@ -186,6 +186,10 @@ const testRequestFullJSON = `{
     "custom_extensions": {
         "2.5.29.99.1": "NIL",
         "2.5.29.99.2": "SOME TEXT"
+    },
+    "signature": {
+        "algorithm": "RSA",
+        "hash_algorithm": "SHA-256"
     }
 }`
 
@@ -289,6 +293,10 @@ var testRequestFullRequest = hvclient.Request{
 			Value: "SOME TEXT",
 		},
 	},
+	Signature: &hvclient.Signature{
+		Algorithm:     "RSA",
+		HashAlgorithm: "SHA-256",
+	},
 }
 
 func TestRequestMarshalJSON(t *testing.T) {