Add support for RSA3072 and RSA4096.

src/cms_common.c

@@ -1783,11 +1783,12 @@ generate_auth_info(cms_context *cms, SECItem *der, char *url)
 
 int
 generate_keys(cms_context *cms, PK11SlotInfo *slot,
-		SECKEYPrivateKey **privkey, SECKEYPublicKey **pubkey)
+		SECKEYPrivateKey **privkey, SECKEYPublicKey **pubkey,
+		int key_bits, unsigned long exponent)
 {
 	PK11RSAGenParams rsaparams = {
-		.keySizeInBits = 2048,
-		.pe = 0x010001,
+		.keySizeInBits = key_bits,
+		.pe = exponent,
 	};
 
 	SECStatus rv;

src/cms_common.h

@@ -222,7 +222,8 @@ extern int generate_signature(cms_context *ctx);
 extern int unlock_nss_token(cms_context *ctx);
 extern int find_certificate(cms_context *ctx, int needs_private_key);
 extern int generate_keys(cms_context *cms, PK11SlotInfo *slot,
-		SECKEYPrivateKey **privkey, SECKEYPublicKey **pubkey);
+		SECKEYPrivateKey **privkey, SECKEYPublicKey **pubkey,
+		int key_bits, unsigned long exponent);
 extern int is_issuer_of(CERTCertificate *c0, CERTCertificate *c1);
 
 typedef int (find_cert_match_t)(CERTCertificate *cert, void *cbdata);

src/efikeygen.c

@@ -141,7 +141,8 @@ bundle_signature(cms_context *cms, SECItem *sigder, SECItem *data,
 		errx(1, "could not encode certificate: %s",
 			PORT_ErrorToString(PORT_GetError()));
 
-	sigder->data[sigder->len - 261] = DER_BIT_STRING;
+	//Note: offset is signature size + 5 bytes for DER encoding
+	sigder->data[sigder->len - (signature->len + 5)] = DER_BIT_STRING;
 
 	return 0;
 }
@@ -688,6 +689,31 @@ long verbosity(void)
 	return verbose;
 }
 
+struct algorithm {
+	char name[16];
+	int key_bits;
+	unsigned long exponent;
+};
+
+struct algorithm algorithms[] = {
+	{.name = "rsa2048",
+	 .key_bits = 2048,
+	 .exponent = 0x010001ul,
+	},
+	{.name = "rsa3072",
+	 .key_bits = 3072,
+	 .exponent = 0x010001ul,
+	},
+	{.name = "rsa4096",
+	 .key_bits = 4096,
+	 .exponent = 0x010001ul,
+	},
+	{.name = "",
+	 .key_bits = 0,
+	 .exponent = 0,
+	}
+};
+
 int main(int argc, char *argv[])
 {
 	int is_ca = 0;
@@ -716,6 +742,10 @@ int main(int argc, char *argv[])
 	PRStatus prstatus;
 	void *frees[50] = { NULL, };
 	int nfrees = 0;
+	int key_bits = 2048;
+	unsigned long exponent = 0x010001ul;
+	char *orig_algo = "rsa2048";
+	char *algo = orig_algo;
 
 	cms_context *cms = NULL;
 
@@ -758,6 +788,12 @@ int main(int argc, char *argv[])
 		 .descrip = "Generate a self-signed certificate" },
 
 		/* stuff about the generated key */
+		{.longName = "algorithm",
+		 .shortName = 'a',
+		 .argInfo = POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT,
+		 .arg = &algo,
+		 .descrip = "Algorithm for keys",
+		 .argDescrip = "<algorithm>" },
 		{.longName = "kek",
 		 .shortName = 'K',
 		 .argInfo = POPT_ARG_VAL|POPT_ARGFLAG_OR|POPT_ARGFLAG_DOC_HIDDEN,
@@ -915,6 +951,7 @@ int main(int argc, char *argv[])
 
 	while ((rc = poptGetNextOpt(optCon)) > 0) {
 		switch (rc) {
+		case 'a': frees[nfrees++] = algo; break;
 		case 'c': frees[nfrees++] = cn; break;
 		case 'D': frees[nfrees++] = db_path; break;
 		case 'd': frees[nfrees++] = dbdir; break;
@@ -941,6 +978,14 @@ int main(int argc, char *argv[])
 
 	poptFreeContext(optCon);
 
+	if (strcmp(algo, "help") == 0) {
+		printf("Supported algorithms:");
+		for (int i = 0; algorithms[i].name[0] != '\0'; i++)
+			printf(" %s", algorithms[i].name);
+		printf("\n");
+		exit(0);
+	}
+
 	/*
 	 * Scenarios that are okay (x == valid combination)
 	 *
@@ -969,6 +1014,16 @@ int main(int argc, char *argv[])
 	if (!is_self_signed && !signer)
 		errx(1, "signing certificate is required");
 
+	for (int i=0; true; i++) {
+		if (strcmp(algorithms[i].name, "") == 0)
+			errx(1, "invalid algorithm: \"%s\"", algo);
+		if (strcmp(algorithms[i].name, algo) == 0) {
+			key_bits = algorithms[i].key_bits;
+			exponent = algorithms[i].exponent;
+			break;
+		}
+	}
+
 	cms->tokenname = tokenname;
 	cms->certname = signer;
 
@@ -1022,7 +1077,8 @@ int main(int argc, char *argv[])
 			nsserr(1, "could not find NSS slot for token \"%s\"",
 				cms->tokenname);
 
-		rc = generate_keys(cms, slot, &privkey, &pubkey);
+		rc = generate_keys(cms, slot, &privkey, &pubkey, key_bits,
+				   exponent);
 	}
 	if (rc < 0)
 		exit(1);