From 1ff3fe265d92d205e62aad099fea7d85be2137c9 Mon Sep 17 00:00:00 2001 From: Venky <118746296+venkyg-sec@users.noreply.github.com> Date: Fri, 1 Dec 2023 00:25:59 -0500 Subject: [PATCH] Allowing specifying signing algorithm for depot signer (#221) * Allowing specifying signing algorithm for depot signer * gofmt * Update depot/signer.go Co-authored-by: Jesse Peterson --------- Co-authored-by: Jesse Peterson --- depot/signer.go | 18 +++++++++++++++++- server/service_bolt_test.go | 6 ++++++ 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/depot/signer.go b/depot/signer.go index 2784447..6fe0109 100644 --- a/depot/signer.go +++ b/depot/signer.go @@ -18,6 +18,7 @@ type Signer struct { allowRenewalDays int validityDays int serverAttrs bool + signatureAlgo x509.SignatureAlgorithm } // Option customizes Signer @@ -29,6 +30,7 @@ func NewSigner(depot Depot, opts ...Option) *Signer { depot: depot, allowRenewalDays: 14, validityDays: 365, + signatureAlgo: 0, } for _, opt := range opts { opt(s) @@ -36,6 +38,15 @@ func NewSigner(depot Depot, opts ...Option) *Signer { return s } +// WithSignatureAlgorithm sets the signature algorithm to be used to sign certificates. +// When set to a non-zero value, this would take preference over the default behaviour of +// matching the signing algorithm from the x509 CSR. +func WithSignatureAlgorithm(a x509.SignatureAlgorithm) Option { + return func(s *Signer) { + s.signatureAlgo = a + } +} + // WithCAPass specifies the password to use with an encrypted CA key func WithCAPass(pass string) Option { return func(s *Signer) { @@ -78,6 +89,11 @@ func (s *Signer) SignCSR(m *scep.CSRReqMessage) (*x509.Certificate, error) { return nil, err } + var signatureAlgo x509.SignatureAlgorithm + if s.signatureAlgo != 0 { + signatureAlgo = s.signatureAlgo + } + // create cert template tmpl := &x509.Certificate{ SerialNumber: serial, 
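Review bot: The `signatureAlgo: 0,` initializer added to NewSigner is redundant, since 0 is already the zero value of the field, and a bare 0 hides that it stands for x509.UnknownSignatureAlgorithm. Either drop the line or spell the sentinel out, `signatureAlgo: x509.UnknownSignatureAlgorithm,`, so the "unset" meaning is readable both here and at the comparison in SignCSR. NewSigner's option loop and return fall outside this hunk.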
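Review bot: The doc comment on WithSignatureAlgorithm describes a default of "matching the signing algorithm from the x509 CSR", but the SignCSR hunks in this same patch replace `m.CSR.SignatureAlgorithm` with a variable that stays zero when the option is unset, so the effective default is whatever x509.CreateCertificate derives from the CA key, not the CSR's algorithm. The comment should state the behaviour the code actually has: `// When unset (x509.UnknownSignatureAlgorithm), the certificate is signed with the algorithm crypto/x509 selects for the CA key; the CSR's own signature algorithm is not copied.` If copying the CSR's algorithm is what was intended, the fix belongs in SignCSR rather than in this comment.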
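Review bot: The `if s.signatureAlgo != 0` guard in SignCSR is a no-op: when the field is zero, `signatureAlgo` is left at that same zero value, so the three new lines are equivalent to `signatureAlgo := s.signatureAlgo`. The consequence is that the CSR's SignatureAlgorithm is no longer consulted at all, which is arguably the safer behaviour — the CSR's algorithm is chosen by the enrolling client, and with the previous code a client could presumably request a weaker hash or a key type that does not match the CA key, the latter making x509.CreateCertificate fail — but the code should say that this is deliberate: `// Zero (x509.UnknownSignatureAlgorithm) lets CreateCertificate choose an algorithm for the CA key; the client-chosen CSR algorithm is intentionally not copied.` If the CSR fallback is meant to survive, an `else { signatureAlgo = m.CSR.SignatureAlgorithm }` is missing. SignCSR's body starts and ends outside this hunk.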
@@ -89,7 +105,7 @@ func (s *Signer) SignCSR(m *scep.CSRReqMessage) (*x509.Certificate, error) { ExtKeyUsage: []x509.ExtKeyUsage{ x509.ExtKeyUsageClientAuth, }, - SignatureAlgorithm: m.CSR.SignatureAlgorithm, + SignatureAlgorithm: signatureAlgo, DNSNames: m.CSR.DNSNames, EmailAddresses: m.CSR.EmailAddresses, IPAddresses: m.CSR.IPAddresses, diff --git a/server/service_bolt_test.go b/server/service_bolt_test.go index 3c5f46c..74df9f0 100644 --- a/server/service_bolt_test.go +++ b/server/service_bolt_test.go @@ -131,6 +131,12 @@ func TestCaCert(t *testing.T) { t.Error("no established chain between issued cert and CA") } + if csr.SignatureAlgorithm != respCert.SignatureAlgorithm { + t.Fatal(fmt.Errorf("cert signature algo %s different from csr signature algo %s", + csr.SignatureAlgorithm.String(), + respCert.SignatureAlgorithm.String())) + } + // verify unique certificate serials for _, ser := range serCollector { if respCert.SerialNumber.Cmp(ser) == 0 {
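Review bot: The format arguments in the new t.Fatal are swapped relative to the message: the string labels the first %s as the cert's algorithm and the second as the CSR's, but `csr.SignatureAlgorithm` is passed first and `respCert.SignatureAlgorithm` second, so a failure would report each value under the wrong name. Use `t.Fatalf("cert signature algo %s different from csr signature algo %s", respCert.SignatureAlgorithm, csr.SignatureAlgorithm)`; the explicit String() calls and the fmt.Errorf wrapper are unnecessary since SignatureAlgorithm implements Stringer. The assertion also presumably passes only because the algorithm crypto/x509 picks for the test CA's key coincides with the CSR's, so it does not exercise WithSignatureAlgorithm at all; a case that constructs the signer with a non-default algorithm and checks respCert.SignatureAlgorithm against it would actually cover the feature. TestCaCert begins and ends outside this hunk.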