Allowing specifying signing algorithm for depot signer

micromdm · Sep 7, 2023 · 094bfa1 · 094bfa1
1 parent 9f27f76
commit 094bfa1
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 1 deletion.
diff --git a/depot/signer.go b/depot/signer.go
@@ -18,8 +18,10 @@ type Signer struct {
 	allowRenewalDays int
 	validityDays     int
 	serverAttrs      bool
+	signatureAlgo    x509.SignatureAlgorithm
 }
 
+
 // Option customizes Signer
 type Option func(*Signer)
 
@@ -29,13 +31,23 @@ func NewSigner(depot Depot, opts ...Option) *Signer {
 		depot:            depot,
 		allowRenewalDays: 14,
 		validityDays:     365,
+		signatureAlgo:	  0,
 	}
 	for _, opt := range opts {
 		opt(s)
 	}
 	return s
 }
 
+// WithSignatureAlgorithm sets the signature algorithm to be used to sign certificates.
+// When set to a non-zero value, this would take preference over the default behaviour of
+// matching the signing algorithm from the x509 CSR.
+func WithSignatureAlgorithm(a x509.SignatureAlgorithm) Option {
+	return func(s *Signer) {
+		s.signatureAlgo = a
+	}
+}
+
 // WithCAPass specifies the password to use with an encrypted CA key
 func WithCAPass(pass string) Option {
 	return func(s *Signer) {
@@ -78,6 +90,11 @@ func (s *Signer) SignCSR(m *scep.CSRReqMessage) (*x509.Certificate, error) {
 		return nil, err
 	}
 
+	signatureAlgo := m.CSR.SignatureAlgorithm
+	if s.signatureAlgo != 0 {
+		signatureAlgo = s.signatureAlgo
+	}
+
 	// create cert template
 	tmpl := &x509.Certificate{
 		SerialNumber: serial,
@@ -89,7 +106,7 @@ func (s *Signer) SignCSR(m *scep.CSRReqMessage) (*x509.Certificate, error) {
 		ExtKeyUsage: []x509.ExtKeyUsage{
 			x509.ExtKeyUsageClientAuth,
 		},
-		SignatureAlgorithm: m.CSR.SignatureAlgorithm,
+		SignatureAlgorithm: signatureAlgo,
 		DNSNames:           m.CSR.DNSNames,
 		EmailAddresses:     m.CSR.EmailAddresses,
 		IPAddresses:        m.CSR.IPAddresses,

diff --git a/server/service_bolt_test.go b/server/service_bolt_test.go
@@ -131,6 +131,12 @@ func TestCaCert(t *testing.T) {
 			t.Error("no established chain between issued cert and CA")
 		}
 
+		if csr.SignatureAlgorithm != respCert.SignatureAlgorithm {
+			t.Fatal(fmt.Errorf("cert signature algo %s different from csr signature algo %s",
+				csr.SignatureAlgorithm.String(),
+				respCert.SignatureAlgorithm.String()))
+		}
+
 		// verify unique certificate serials
 		for _, ser := range serCollector {
 			if respCert.SerialNumber.Cmp(ser) == 0 {